[Snyk] Fix for 17 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • script/package.json
  • script/package-lock.json
  • script/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-73638	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	No Known Exploit
	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	Arbitrary File Overwrite SNYK-JS-NPM-537603	No	Proof of Concept
	Unauthorized File Access SNYK-JS-NPM-537604	No	Proof of Concept
	Arbitrary File Write SNYK-JS-NPM-537606	No	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-STYLELINT-460283	Yes	No Known Exploit
	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
	Time of Check Time of Use (TOCTOU) npm:chownr:20180731	No	No Known Exploit
	Prototype Pollution npm:lodash:20180130	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:plist:20180219	Yes	Proof of Concept

Commit messages

Package name: electron-packager

The new version differs by 38 commits.

• fd237af 13.1.0
• 1e9ba9c Merge pull request Version undefined in menu atom/atom#952 from electron-userland/upgrade-dependencies
• 30c2160 Upgrade yargs-parser to ^13.0.0
• 9392499 Upgrade asar to ^1.0.0
• f304569 serialHooks only takes Promises
• 0eaa8cc Clarify which LICENSE is which in the example
• 395d369 Add 11.2.1 to NEWS file
• 86f1082 Handle inferring electron-prebuilt-compile versions better (Add docs on creating UI elements atom/atom#932)
• e686383 Add support for inferring version from Electron nightlies (Add new helper functions from git-utils@0.26.0 atom/atom#931)
• 0382494 Merge pull request Bump git-utils to 26.0 atom/atom#930 from electron-userland/ava-1.0
• b8d279d Consolidate console.warn testing methods
• 2648610 Upgrade ava to ^1
• a576ed1 Add keywords to package.json
• 38232e0 Update links
• 943b5de Simplify assertFilesEqual
• 5e99a7b Update docs
• 29570ec 13.0.1
• 8d752c2 Ensure relative out dirs are correctly ignored when copying (Test without window atom/atom#919)
• 5e8526a Remove accidentally committed package lock
• 537c27c 13.0.0
• d977deb Update related package links in readme
• a339b24 Use Travis CI for some Windows CI (Add spec-directory command line option atom/atom#917)
• a533d5f Drop callback support (Atom does not work with space in app name atom/atom#916)
• 3cbb080 Remove deprecated target arch API (Remove 'atom -' from title atom/atom#915)

See the full diff

Package name: klaw-sync

The new version differs by 14 commits.

• 2059501 update changelog, bump to v2.0.0
• 84532ab 2.0.0
• 3fc387f Merge pull request [Snyk] Upgrade atom-package-manager from 2.4.3 to 2.4.5 #2 from manidlou/add-filter-opt
• 4323677 update readme
• e76afdf change option name, update readme and changelog
• c4c78c5 remove unnecessary deps
• 2389ab0 update readme and changelog
• 56d1828 update changelog
• dd27335 refactor filter additional option, update readme
• e56432d add more tests for filter, update readme
• 739a6e3 remove ignore option, remove micromatch, refactor filter option, update bm.js
• a8c98ab fix bug: ignore with glob pattern (closes [Snyk] Fix for 17 vulnerabilities #1), add filter option
• ab77725 benchmark/bm.js: set async run to false
• 4d498ea benchmark/bm.js: set async run to false

See the full diff

Package name: mkdirp

The new version differs by 4 commits.

• b2e7ba0 0.5.2
• c5b97d1 bump minimist to 1.2 to fix security issue
• f2003bb test: add v4 and v5 to travis
• b8629ff tools: update tap + mock-fs. Fix broken test

See the full diff

Package name: npm

The new version differs by 250 commits.

• fd29398 6.13.4
• f2aca36 docs: changelog for 6.13.4
• 320ac9a Do not remove global bin/man links inappropriately
• d06f5c0 bin-links@1.1.6
• 52fd210 gentle-fs@2.3.0
• 45482c2 6.13.3
• 118bc96 docs: changelog for 6.13.3
• 1743cb3 read-package-json@2.1.1
• fb4ecd7 pacote@9.5.11
• 59c836a npm-packlist@1.4.7
• 19ce061 bin-links@1.1.5
• 0a0fdff 6.13.2
• dc0178c update AUTHORS
• c6ff3ba docs: update changelog for 6.13.2
• 4429645 makefile: fix docs target typo
• 4c1b16f chore: Warn the user that it is uninstalling npm-install
• ae7afe5 fix: Don't log error message if git tagging is disabled
• 1c65d26 fix(fund): open url for string shorthand
• e4b9796 shrinkwrap: no need to read package.json when read shrinkwrap
• 8676429 fix(packageRelativePath): fix 'where' for file deps
• d480f2c Revert "windows: Add preliminary WSL support for npm and npx"
• b829d62 6.13.1
• 464036b update AUTHORS
• 1d61a3c docs: update changelog for 6.13.1

See the full diff

Package name: stylelint

The new version differs by 250 commits.

• 04af9e4 13.0.0
• 704f6a2 Prepare 13.0.0
• 50ba8a9 Reorder changelog
• 1666bba Update devDependencies (UTF-8 problems: characters mysteriously incorrectly encoded atom/atom#4542)
• 062d298 Reindent nodejs.yml (Uncaught Error: EACCES, open '/home/alex/.atom/compile-cache/cson/5af7724b023a6274b520f79f04fb798a67319ca7.json' atom/atom#4541)
• a24e44a Fix atypical rule README structure (Uncaught Error: spawn pep8 ENOENT atom/atom#4537)
• 616ad71 Bump husky from 4.0.3 to 4.0.6 (Uncaught Error: Minified exception occurred atom/atom#4536)
• 5e58ee7 Bump globby from 10.0.2 to 11.0.0 (FuzzyFinder is double displaying atom/atom#4528)
• eaee6a4 Refactor CLI options definition (Commandline behaviour changed moving from Chocolatey to Squirrl atom/atom#4530)
• 6a2ffbd Fix plugin path
• 644b713 Fix Windows path problem
• 1005cbd Add info about invalid syntax in FAQ (Fixed activateNow when no activation promise atom/atom#4535)
• 18b1f99 Fix help text indentation (Better BufferedProcess error handling atom/atom#4531)
• d3c4a9f Update CHANGELOG.md
• 32f67e7 Update CHANGELOG.md
• 04ec577 Bump globby from 10.0.1 to 11.0.0
• d9dbce2 Process multiple spaces in media-feature-parentheses-space-inside (Uncaught TypeError: Bad argument atom/atom#4513)
• 1dc203e Regenerate package-lock.json (Windows releases late again. atom/atom#4517)
• 36bf292 Bump husky from 3.1.0 to 4.0.3 (getting red notifications when saving keymap.cson with parse error atom/atom#4527)
• f5529d5 Bump @types/micromatch from 3.1.1 to 4.0.0 (Update Chocolatey package to call the new Squirrel based installer atom/atom#4526)
• a254fd2 Bump got from 10.2.0 to 10.2.1 (Uncaught Error: spawn grunt ENOENT atom/atom#4525)
• f2e9f02 Bump remark-validate-links from 9.0.1 to 9.1.0 ("Reveal in Tree View" does not work when there is no folder selected. atom/atom#4524)
• 74d5233 Remove unneeded `@types/meow` package (Uncaught TypeError: Cannot read property 'destroyItem' of undefined atom/atom#4523)
• cef0b95 Update CHANGELOG.md

See the full diff

Package name: yargs

The new version differs by 250 commits.

• 706fc7a chore(release): 13.1.0
• 95700d6 test: add tests for alias behavior, based on conversations today (Make i18n support a setting atom/atom#1291)
• f45a817 chore: slight refactor of approach being used, add support for per-command
• 5be206a feat: add applyBeforeValidation, for applying sync middleware before validation
• cc8af76 chore(release): 13.0.0
• e9dc3aa feat: options/positionals with leading '+' and '0' no longer parse as numbers (Switch Editor to a Telepath Model subclass atom/atom#1286)
• ef16792 chore: drop Node 6 from testing matrix (Tough to understand failure case with CI atom/atom#1287)
• f25de4f chore: update dependencies (Fix grunt download-atom-shell on Windows atom/atom#1284)
• 6916ce9 feat: adds config option for sorting command output (When text is highlighted and find is opened, default to the selected text atom/atom#1256)
• 7b200d2 chore: increase test timeout for windows
• 64af518 fix: middleware added multiple times due to reference bug (Upload releases to atom/atom-master-builds repo atom/atom#1282)
• 61f1b25 doc: update docs to reflect new parserConfiguration method (Copy/Paste don't work in the feedback editor atom/atom#1280)
• 3c6869a feat: Add `.parserConfiguration()` method, deprecating package.json config (Syntax/UI Theme Generator atom/atom#1262)
• da75ea2 fix: better bash path completion (This screenshot is inline. I promise atom/atom#1272)
• e0c62c8 doc: edit help example to align with actual output (Handle deleted files correctly atom/atom#1271)
• bc0ee40 chore: address @aorinevo's code review so that we can land
• f3a4e4f feat: support promises in middleware
• 64a0d7e docs: Testing command modules (git reset leaves old files in tree-view atom/atom#1267)
• 0510fe6 fix(validation): Use the error as a message when none exists otherwise (The multitude of shortcuts for "Editor : Select To  atom/atom#1268)
• 27bf739 fix(deps): Update os-locale to avoid security vulnerability (Handle installation of atom script for users without system privilege atom/atom#1270)
• 54e165d docs(advanced): document non-singleton use, .exit() and parsed (I would love to have a Solarized Light theme for th atom/atom#1251)
• 8789bf4 chore(release): 12.0.5
• dc8d63f chore: explicit update to yargs-parser
• eacc035 fix: allows camel-case, variadic arguments, and strict mode to be combined (Observe editor.tabLength config in TokenizedBuffer atom/atom#1247)

See the full diff

With a Snyk patch:

Severity	Issue	Exploit Maturity
	Man-in-the-Middle (MitM) SNYK-JS-HTTPSPROXYAGENT-469131	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-450202	Proof of Concept
	Prototype Pollution npm:extend:20180424	No Known Exploit
	Prototype Pollution npm:hoek:20180212	No Known Exploit
	Prototype Pollution npm:lodash:20180130	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	No Known Exploit

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic