[Snyk] Fix for 13 vulnerabilities

[CentralIntel]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • script/package.json
  • script/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HOSTEDGITINFO-1088355	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-INI-1048974	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	671/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7	Prototype Pollution SNYK-JS-PLIST-2405644	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	484/1000 Why? Has a fix available, CVSS 5.4	XML External Entity (XXE) Injection SNYK-JS-XMLDOM-1084960	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Improper Input Validation SNYK-JS-XMLDOM-1534562	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Prototype Pollution SNYK-JS-XMLDOM-3042242	Yes	No Known Exploit
	811/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-XMLDOM-3092935	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: electron-chromedriver

The new version differs by 26 commits.

• 3807adb Merge pull request [Snyk] Security upgrade npm from 6.2.0 to 6.10.1 #62 from electron/9-x-y
• 5a726b8 v9.0.0
• 3d0e75f fix: install npm_config_platform=win32 ([Snyk] Security upgrade atom-package-manager from 2.4.3 to 2.6.1 #61)
• ab6cd41 Merge pull request [Snyk] Security upgrade npm from 6.2.0 to 6.6.0 #59 from erickzhao/chore/migrate-get
• b244950 chore: force node 10.12
• 1e4599b chore: upgrade extract-zip to v2.0.0
• 3c22216 refactor: migrate to @ electron/get
• d25a3ac Merge pull request [Snyk] Security upgrade atom-package-manager from 2.4.3 to 2.6.1 #57 from electron/dependabot/npm_and_yarn/acorn-6.4.1
• 2a0b450 Bump acorn from 6.2.1 to 6.4.1
• 0e494e4 Merge pull request [Snyk] Security upgrade npm from 6.2.0 to 6.10.1 #55 from electron/8-x-y
• 400df8e v8.0.0
• c3f66d6 chore: update for 8.0.0-beta.7 ([Snyk] Security upgrade atom-package-manager from 2.4.3 to 2.6.1 #54)
• 209fa2e chore: set @ wg-releases as CODEOWNERS ([Snyk] Security upgrade stylelint from 9.3.0 to 9.7.0 #53)
• ed80a77 Merge pull request [Snyk] Security upgrade postcss from 5.2.4 to 8.2.13 #50 from electron/7-0-x
• 5cba324 Update for v7.0.0
• 2ca0405 Merge pull request [Snyk] Security upgrade atom-package-manager from 2.4.3 to 2.5.0 #48 from electron/dependabot/npm_and_yarn/eslint-utils-1.4.2
• 0051436 chore: Update to 7.0.0-beta.5
• 4b48320 Bump eslint-utils from 1.4.0 to 1.4.2
• 2f4cca7 Merge pull request [Snyk] Security upgrade atom-package-manager from 2.4.3 to 2.5.0 #47 from electron/update-standard-mocha
• e3feaf5 chore: update standard and mocha
• 148292a Merge pull request [Snyk] Security upgrade yargs from 4.8.1 to 10.0.0 #46 from electron/update-stable-6
• bfb0ce6 chore: add support for Electron v6.0.0
• 8dc45bf Bump js-yaml from 3.12.0 to 3.13.1 ([Snyk] Fix for 1 vulnerabilities #43)
• 2a79a74 Bump handlebars from 4.0.12 to 4.1.2 ([Snyk] Security upgrade electron-packager from 12.2.0 to 13.0.0 #44)

See the full diff

Package name: electron-mksnapshot

The new version differs by 14 commits.

• 9b1abfa fix: Allow downloading of custom versions of mksnapshots ([Snyk] Security upgrade yargs from 4.8.1 to 16.0.0 #30)
• 4c31a01 chore: update to v9.0.0 ([Snyk] Fix for 2 vulnerabilities #28)
• fcba03d chore: update mksnapshot to work with arm*-x64 zips ([Snyk] Security upgrade babel-core from 5.8.38 to 6.9.0 #27)
• baeb2a2 Fix download on ARM ([Snyk] Security upgrade babel-core from 5.8.38 to 6.9.0 #26)
• dfc0cd1 Bump acorn from 7.1.0 to 7.1.1 ([Snyk] Security upgrade publish-release from 1.6.0 to 1.6.1 #25)
• 6d9510e 8.0.0 ([Snyk] Security upgrade babel-core from 5.8.38 to 6.9.0 #24)
• e77fd2c v7.0.0
• 3c4921f 6.0.0 ([Snyk] Security upgrade marked from 0.3.19 to 1.1.1 #21)
• cc99f15 Bump lodash from 4.17.11 to 4.17.14 ([Snyk] Security upgrade marked from 0.3.19 to 1.1.1 #20)
• 4d3798f Bump extend from 3.0.1 to 3.0.2 ([Snyk] Security upgrade request from 2.87.0 to 2.88.0 #19)
• 546c646 build: update for 6.0.0-beta.2 ([Snyk] Security upgrade babel-core from 5.8.38 to 6.9.0 #18)
• 66c95ca build: update for 6.0.0-beta.1 ([Snyk] Security upgrade babel-core from 5.8.38 to 6.9.0 #17)
• 199a6a7 build: update for 5.x.x ([Snyk] Security upgrade publish-release from 1.6.0 to 1.6.1 #16)
• 21a3ed0 build: update for 4.2.x ([Snyk] Security upgrade npm from 6.2.0 to 6.14.6 #15)

See the full diff

Package name: electron-packager

The new version differs by 250 commits.

• b56ea8a 17.0.0
• 34c3c4e docs: update NEWS.md for v17.0.0
• 21bb953 refactor: migrate from asar to @ electron/asar (Clean up atom.coffee atom/atom#1431)
• 274c686 feat!: upgrade electron-osx-sign to @ electron/osx-sign (atom.getVersion() is returning the wrong value atom/atom#1428)
• c02695f fix: remove ElectronAsarIntegrity when asar is disabled (Upload master builds to releases atom/atom#1281)
• f6e353a chore: Revert "chore: bump typedoc from 0.19.2 to 0.23.14 (Drop a basic model out from WorkspaceView atom/atom#1416)" (Shrink the build size atom/atom#1420)
• 713d425 fix(types): add "universal" as a valid arch (If I've selected a block of ruby that is indented and then paste it on a line that is blank (no with atom/atom#1407)
• 18749c7 chore: bump typedoc from 0.19.2 to 0.23.14 (Drop a basic model out from WorkspaceView atom/atom#1416)
• 9124e28 16.0.0
• 88e8173 docs: Update NEWS.md
• 5c0102a fix: properly import info logger (Handle EACCES errors when saving an editor atom/atom#1405)
• 0d692d7 feat!: upgrade Node.js to 14 LTS (Panes stick around when they shouldnt atom/atom#1399)
• a723fa8 build: bump got to 2.0.0 (Select an indented line of text by placing your cursor at the beginning of the line and pressing the atom/atom#1397)
• 8a86df2 15.5.2
• c7ecd1c docs: update NEWS.md
• 1baed70 chore: remove node 10 job (Speed up keymap loading atom/atom#1403)
• 7c01d6f revert: "feat!: upgrade Node.js to 14 LTS (text atom/atom#1393)" (Show low disk space errors when running CI atom/atom#1398)
• b0f27bc fix: ignore node_gyp_bins if it exists (pacman atom/atom#1391)
• a6db65f chore: bump fs-extra from 9.1.0 to 10.1.0 (If I right-click on an item in Atom that has a context menu (like a file in the tree view) I can atom/atom#1358)
• 7dcaf44 chore(deps): bump yargs-parser from 20.2.9 to 21.1.1 (pacman atom/atom#1395)
• c6b4c78 feat!: upgrade Node.js to 14 LTS (text atom/atom#1393)
• e147b5e docs: update SUPPORT.md
• a65eb75 fix: package should not log info on --quiet flag (Atom keeps freezing. When it does, atom renderer is at nearly 100% cpu in activity monitor. atom/atom#1361)
• 4c6c88f chore: bump sinon from 13.0.2 to 14.0.0 (who wants to live forever atom/atom#1364)

See the full diff

Package name: npm

The new version differs by 250 commits.

• 3b4ba65 7.0.0
• bbfc75d chore: fix weird .gitignore thing that happened somehow
• 8a2d375 docs: changelog for v7.0.0
• 365f2e7 read-package-json@3.0.0
• fafb348 npm-package-arg@8.1.0
• 9306c68 libnpmfund@1.0.1
• 569cd64 libnpmfund@1.0.0
• ac9fde7 Integration code for @ npmcli/arborist@1.0.0
• 704b9cd @ npmcli/arborist@1.0.0
• 3955bb9 hosted-git-info@3.0.6
• da240ef fix: patch config.js to remove duplicate values
• 9ae45a8 init-package-json@2.0.0
• 41ab36d eslint@7.11.0
• c474a15 npm-registry-fetch@8.1.5
• efc6786 fix: make sure publishConfig is passed through
• 1e4e6e9 docs: v7 using npm config refresh
• 5c1c2da fix: init config aliases
• 5bc7eb2 docs: v7 npm-install refresh
• 1a35d87 7.0.0-rc.4
• 7a5a557 docs: changelog for v7.0.0-rc.4
• f0cf859 chore: dedupe deps
• 0273745 make-fetch-happen@8.0.10
• 7bd47ca @ npmcli/arborist@0.0.33
• 9320b8e only escape arguments, not the command name

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 XML External Entity (XXE) Injection
🦉 More lessons are available in Snyk Learn