From 467d2e25b229b8463a88373555f9563889a6b1d4 Mon Sep 17 00:00:00 2001
From: Dirk Stolle
Date: Tue, 1 Jun 2021 01:10:59 +0200
Subject: [PATCH 1/9] update lodash to 4.17.21

This fixes several vulnerabilities in lodash. - several prototype pollution issues in lodash - see - see - command injection vulnerability (CVE-2021-23337), see
---
package-lock.json | 6 +++---
package.json | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 62c410156..852bb6806 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -5582,9 +5582,9 @@
 }
 },
 "lodash": {
- "version": "4.17.11",
- "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz",
- "integrity": "sha512-cQKh8igo5QUhZ7lg38DYWAxMvjSAKG0A8wGSVimP07SIUEK2UO+arSRKbRZWtelMtN5V0Hkwh5ryOto/SshYIg=="
+ "version": "4.17.21",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
+ "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
 },
 "lodash._basecopy": {
 "version": "3.0.1",
diff --git a/package.json b/package.json
index 18ead7ebc..2950a1874 100644
--- a/package.json
+++ b/package.json
@@ -48,7 +48,7 @@
 "eventsource": "^1.0.5",
 "iconv-lite": "^0.4.21",
 "jsdom": "11.12.0",
- "lodash": "^4.17.10",
+ "lodash": "^4.17.21",
 "mime": "^2.3.1",
 "ms": "^2.1.1",
 "request": "^2.85.0",
From d38108629d6bf897cace40be10ceb0abfd9d8c82 Mon Sep 17 00:00:00 2001
From: Dirk Stolle
Date: Tue, 1 Jun 2021 01:31:11 +0200
Subject: [PATCH 2/9] update mixin-deep to 1.3.2

This fixes a prototype pollution vulnerability in mixin-deep. See for more information.
---
package-lock.json | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 852bb6806..890a2679a 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -6172,9 +6172,9 @@
 "dev": true
 },
 "mixin-deep": {
- "version": "1.3.1",
- "resolved": "https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz",
- "integrity": "sha512-8ZItLHeEgaqEvd5lYBXfm4EZSFCX29Jb9K+lAHhDKzReKBQKj3R+7NOF6tjqYi9t4oI8VUfaWITJQm86wnXGNQ==",
+ "version": "1.3.2",
+ "resolved": "https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.2.tgz",
+ "integrity": "sha512-WRoDn//mXBiJ1H40rqa3vH0toePwSsGb45iInWlTySa+Uu4k3tYUSxa2v1KqAiLtvlrSzaExqS1gtk96A9zvEA==",
 "dev": true,
 "requires": {
 "for-in": "^1.0.2",
From 5cb270078c9629a5e68f6c65a9dc1d0d27fa8062 Mon Sep 17 00:00:00 2001
From: Dirk Stolle
Date: Tue, 1 Jun 2021 01:40:31 +0200
Subject: [PATCH 3/9] update union-value package to 1.0.1 + set-value to 2.0.1

Fixes a prototype pollution vulnerability in set-value, see for more information.
---
package-lock.json | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 890a2679a..3e2b0065f 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -7866,9 +7866,9 @@
 "dev": true
 },
 "set-value": {
- "version": "2.0.0",
- "resolved": "https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz",
- "integrity": "sha512-hw0yxk9GT/Hr5yJEYnHNKYXkIA8mVJgd9ditYZCe16ZczcaELYYcfvaXesNACk2O8O0nTiPQcQhGUQj8JLzeeg==",
+ "version": "2.0.1",
+ "resolved": "https://registry.npmjs.org/set-value/-/set-value-2.0.1.tgz",
+ "integrity": "sha512-JxHc1weCN68wRY0fhCoXpyK55m/XPHafOmK4UWD7m2CI14GMcFypt4w/0+NV5f/ZMby2F6S2wwA7fgynh9gWSw==",
 "dev": true,
 "requires": {
 "extend-shallow": "^2.0.1",
@@ -8553,15 +8553,15 @@
 "dev": true
 },
 "union-value": {
- "version": "1.0.0",
- "resolved": "https://registry.npmjs.org/union-value/-/union-value-1.0.0.tgz",
- "integrity": "sha1-XHHDTLW61dzr4+oM0IIHulqhrqQ=",
+ "version": "1.0.1",
+ "resolved": "https://registry.npmjs.org/union-value/-/union-value-1.0.1.tgz",
+ "integrity": "sha512-tJfXmxMeWYnczCVs7XAEvIV7ieppALdyepWMkHkwciRpZraG/xwT+s2JN8+pr1+8jCRf80FFzvr+MpQeeoF4Xg==",
 "dev": true,
 "requires": {
 "arr-union": "^3.1.0",
 "get-value": "^2.0.6",
 "is-extendable": "^0.1.1",
- "set-value": "^0.4.3"
+ "set-value": "^2.0.1"
 },
 "dependencies": {
 "extend-shallow": {
@@ -8574,15 +8574,15 @@
 }
 },
 "set-value": {
- "version": "0.4.3",
- "resolved": "https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz",
- "integrity": "sha1-fbCPnT0i3H945Trzw79GZuzfzPE=",
+ "version": "2.0.1",
+ "resolved": "https://registry.npmjs.org/set-value/-/set-value-2.0.1.tgz",
+ "integrity": "sha512-JxHc1weCN68wRY0fhCoXpyK55m/XPHafOmK4UWD7m2CI14GMcFypt4w/0+NV5f/ZMby2F6S2wwA7fgynh9gWSw==",
 "dev": true,
 "requires": {
 "extend-shallow": "^2.0.1",
 "is-extendable": "^0.1.1",
- "is-plain-object": "^2.0.1",
- "to-object-path": "^0.3.0"
+ "is-plain-object": "^2.0.3",
+ "split-string": "^3.0.1"
 }
 }
 }
From b2b77765f889973bdfae66d230af8a9dbc52e473 Mon Sep 17 00:00:00 2001
From: Dirk Stolle
Date: Tue, 1 Jun 2021 01:43:25 +0200
Subject: [PATCH 4/9] update acorn to 5.7.4

Fixes a regular expression denial of service vulnerability, see for more info.
---
package-lock.json | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 3e2b0065f..bb0827a84 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -238,9 +238,9 @@
 }
 },
 "acorn": {
- "version": "5.5.3",
- "resolved": "https://registry.npmjs.org/acorn/-/acorn-5.5.3.tgz",
- "integrity": "sha512-jd5MkIUlbbmb07nXH0DT3y7rDVtkzDi4XZOUVWAer8ajmF/DTSSbl5oNFyDOl/OXA33Bl79+ypHhl2pN20VeOQ=="
+ "version": "5.7.4",
+ "resolved": "https://registry.npmjs.org/acorn/-/acorn-5.7.4.tgz",
+ "integrity": "sha512-1D++VG7BhrtvQpNbBzovKNc1FLGGEE/oGe7b9xJm/RFHMBeUaUGpluV9RLjZa47YFdPcDAenEYuq9pQPcMdLJg=="
 },
 "acorn-globals": {
 "version": "4.3.0",
From f456435b1ff21a25eeb02b0297b78249f9ef9986 Mon Sep 17 00:00:00 2001
From: Dirk Stolle
Date: Tue, 1 Jun 2021 01:52:12 +0200
Subject: [PATCH 5/9] update eslint-utils to 1.4.3

This fixes an arbitrary code execution vulnerability, see for more info.
---
package-lock.json | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index bb0827a84..1473b4607 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2542,10 +2542,21 @@
 }
 },
 "eslint-utils": {
- "version": "1.3.1",
- "resolved": "https://registry.npmjs.org/eslint-utils/-/eslint-utils-1.3.1.tgz",
- "integrity": "sha512-Z7YjnIldX+2XMcjr7ZkgEsOj/bREONV60qYeB/bjMAqqqZ4zxKyWX+BOUkdmRmA9riiIPVvo5x86m5elviOk0Q==",
- "dev": true
+ "version": "1.4.3",
+ "resolved": "https://registry.npmjs.org/eslint-utils/-/eslint-utils-1.4.3.tgz",
+ "integrity": "sha512-fbBN5W2xdY45KulGXmLHZ3c3FHfVYmKg0IrAKGOkT/464PQsx2UeIzfz1RmEci+KLm1bBaAzZAh8+/E+XAeZ8Q==",
+ "dev": true,
+ "requires": {
+ "eslint-visitor-keys": "^1.1.0"
+ },
+ "dependencies": {
+ "eslint-visitor-keys": {
+ "version": "1.3.0",
+ "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-1.3.0.tgz",
+ "integrity": "sha512-6J72N8UNa462wa/KFODt/PJ3IU60SDpC3QXC1Hjc1BXXpfL2C9R5+AU7jhe0F6GREqVMh4Juu+NY7xn+6dipUQ==",
+ "dev": true
+ }
+ }
 },
 "eslint-visitor-keys": {
 "version": "1.0.0",
From 4d091ffd9562f09f572946cc0c3298657907fc3a Mon Sep 17 00:00:00 2001
From: Dirk Stolle
Date: Tue, 1 Jun 2021 01:56:57 +0200
Subject: [PATCH 6/9] update hosted-git-info to version 2.8.9 (CVE-2021-23362)

Fixes a regular expression denial of service vulnerability, see for more info.
---
package-lock.json | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 1473b4607..d724bf477 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -4905,9 +4905,9 @@
 }
 },
 "hosted-git-info": {
- "version": "2.7.1",
- "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.7.1.tgz",
- "integrity": "sha512-7T/BxH19zbcCTa8XkMlbK5lTo1WtgkFi3GvdWEyNuc4Vex7/9Dqbnpsf4JMydcfj9HCg4zUWFTL3Za6lapg5/w==",
+ "version": "2.8.9",
+ "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz",
+ "integrity": "sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==",
 "dev": true
 },
 "html-encoding-sniffer": {
From bd4ed4ee2a81bf682d886d891763d1781c1c701b Mon Sep 17 00:00:00 2001
From: Dirk Stolle
Date: Tue, 1 Jun 2021 02:16:26 +0200
Subject: [PATCH 7/9] update url-parse to 1.5.1 (CVE-2021-27515)

Fixes a path traversal vulnerability in url-parse. See for more information.
---
package-lock.json | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index d724bf477..d47381615 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -6998,9 +6998,9 @@
 "dev": true
 },
 "querystringify": {
- "version": "2.1.0",
- "resolved": "https://registry.npmjs.org/querystringify/-/querystringify-2.1.0.tgz",
- "integrity": "sha512-sluvZZ1YiTLD5jsqZcDmFyV2EwToyXZBfpoVOmktMmW+VEnhgakFHnasVph65fOjGPTWN0Nw3+XQaSeMayr0kg=="
+ "version": "2.2.0",
+ "resolved": "https://registry.npmjs.org/querystringify/-/querystringify-2.2.0.tgz",
+ "integrity": "sha512-FIqgj2EUvTa7R50u0rGsyTftzjYmv/a3hO345bZNrqabNqjtgiDMgmo4mkUjd+nzU5oF3dClKqFIPUKybUyqoQ=="
 },
 "random-bytes": {
 "version": "1.0.0",
@@ -8675,11 +8675,11 @@
 "dev": true
 },
 "url-parse": {
- "version": "1.4.4",
- "resolved": "https://registry.npmjs.org/url-parse/-/url-parse-1.4.4.tgz",
- "integrity": "sha512-/92DTTorg4JjktLNLe6GPS2/RvAd/RGr6LuktmWSMLEOa6rjnlrFXNgSbSmkNvCoL2T028A0a1JaJLzRMlFoHg==",
+ "version": "1.5.1",
+ "resolved": "https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz",
+ "integrity": "sha512-HOfCOUJt7iSYzEx/UqgtwKRMC6EU91NFhsCHMv9oM03VJcVo2Qrp8T8kI9D7amFf1cu+/3CEhgb3rF9zL7k85Q==",
 "requires": {
- "querystringify": "^2.0.0",
+ "querystringify": "^2.1.1",
 "requires-port": "^1.0.0"
 }
 },
From 8d219a80120421b2e77db3077f6ab909cc176ed2 Mon Sep 17 00:00:00 2001
From: Dirk Stolle
Date: Tue, 1 Jun 2021 02:32:35 +0200
Subject: [PATCH 8/9] update y18n to 3.2.2 (CVE-2020-7774)

This update fixes a prototype pollution vulnerability in y18n. See for more information.
---
package-lock.json | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index d47381615..dd0d4b290 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9012,9 +9012,9 @@
 "dev": true
 },
 "y18n": {
- "version": "3.2.1",
- "resolved": "https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz",
- "integrity": "sha1-bRX7qITAhnnA136I53WegR4H+kE=",
+ "version": "3.2.2",
+ "resolved": "https://registry.npmjs.org/y18n/-/y18n-3.2.2.tgz",
+ "integrity": "sha512-uGZHXkHnhF0XeeAPgnKfPv1bgKAYyVvmNL1xlKsPYZPaIHxGti2hHqvOCQv71XMsLxu1QjergkqogUnms5D3YQ==",
 "dev": true
 },
 "yargs": {
From 3dada464250950c77deab6ec208b931d39a3d7af Mon Sep 17 00:00:00 2001
From: Dirk Stolle
Date: Sat, 3 Jul 2021 22:31:02 +0200
Subject: [PATCH 9/9] update ini to 1.3.8

This fixes a prototype pollution vulnerability in ini. See for more information.
---
package-lock.json | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index dd0d4b290..ab7000ec6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -4977,9 +4977,9 @@
 "dev": true
 },
 "ini": {
- "version": "1.3.5",
- "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.5.tgz",
- "integrity": "sha512-RZY5huIKCMRWDUqZlEi72f/lmXKMvuszcMBduliQ3nnWbx9X/ZBQO7DijMEYS9EhHBb2qacRUMtC7svLwe0lcw==",
+ "version": "1.3.8",
+ "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.8.tgz",
+ "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==",
 "dev": true
 },
 "inquirer": {