[Snyk] Fix for 30 vulnerabilities

[crew-security]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-COOKIEJAR-3149984	Yes	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Arbitrary File Overwrite SNYK-JS-FSTREAM-174725	Yes	No Known Exploit
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HOSTEDGITINFO-1088355	Yes	Proof of Concept
	644/1000 Why? Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-JSYAML-173999	Yes	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-JSYAML-174129	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary File Overwrite SNYK-JS-TAR-174125	Yes	Proof of Concept
	524/1000 Why? Has a fix available, CVSS 6.2	Regular Expression Denial of Service (ReDoS) npm:brace-expansion:20170302	Yes	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:sshpk:20180409	Yes	Proof of Concept
	646/1000 Why? Mature exploit, Has a fix available, CVSS 5.2	Uninitialized Memory Exposure npm:stringstream:20180511	Yes	Mature
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: auth0

The new version differs by 207 commits.

• c2f18fd Merge pull request #482 from davidpatrick/prepare/2.25.0
• 992fcf1 Release v2.25.0
• b20b54d Merge pull request #481 from auth0/davidpatrick-patch-1
• c19f29b Npm audit
• 7bc4a43 Fix typos
• 32f0001 Merge pull request #475 from davidpatrick/deprecate-request
• 41962eb Migrate to Axios
• 43b33a1 Merge pull request #473 from akvamalin/update-documentation
• 3724e52 Update getRulesConfigs docs to include callback
• 7859f69 [Security] Bump acorn from 6.2.1 to 6.4.1
• 0a2fff0 Merge pull request #468 from davidpatrick/prepare/2.24.0
• 01beb4c Release v2.24.0
• 4235906 Fix type of upsert and send_completion_email
• 057063f Mark upsert and send_completion_email are optional
• 6aaf3b9 Mark users and users_json are optional
• e4954aa Fix name and description of connection_id
• 6ebfd6c Illustrate alternative way to specify users in example
• 964ded0 Remove optional parameter from example
• 577ca68 Fix method name in jsdoc of JobsManager#errors
• b2b3b06 Update jsdoc of ManagementClient#importUsers
• c1b4ea4 Merge pull request #465 from davidpatrick/passwordless-secret
• 58ba5e1 Merge branch 'master' into passwordless-secret
• d89574e Fixes test on supportedAlgorithms
• fcd099f Add client secret to options for passwordless

See the full diff

Package name: blipp

The new version differs by 38 commits.

• bcc572a v4.0.0 (searchbar implementation #42)
• 361ee7e 3.1.3
• 7362274 Updated hoek dep (Unit tests #40)
• 467c34a 3.1.2
• 278f9bb Merge pull request Group roles #38 from Dennis-Emmental/master
• 60fa7e4 ignore queueMicrotask leak
• 38ddb6d modify printing scope information format and add test cases
• 2ada053 Fix displaying auth scope
• d8143dc update example
• b9557e1 Merge pull request Edit Group should show a Save button #36 from danielb2/examples
• d7116b9 add example of using the plugin directly
• 8a9e684 add examples folder and update readme
• 07d05a5 3.1.1
• 33d1a0f 3.1.0
• ec79d93 Merge pull request You cannot edit permissions when adding/updating a Role #34 from danielb2/daniel/table
• b239a71 format display using easy-table
• a4e04b9 Merge pull request Group mapping #32 from Y-LyN-10/master
• d1ec8dc Added "showScope" feature to the docs
• 98e2744 Merge pull request resource-server #31 from Y-LyN-10/feat.showscope
• 4e867be Updated lab version to the latest (16.x.x)
• 1ddad24 Added feature to show scope and tests
• 67cfe16 Updated dependencies due to vulnerable packages (npm audit fix)
• 68b9266 Update README.md
• 2327ecc 3.0.0

See the full diff

Package name: hapi-auth-jwt2

The new version differs by 81 commits.

• 4bcae9e Final Dependency Update for Hapi v.16-compatible Apps. No Code changed. See: https://github.com/Final v16 Release before Migrating to V17 dwyl/hapi-auth-jwt2#255 preparing for Hapi v.17
• 232ee57 explicitly remove support for node v.4 from package.json (min is v6 now as per .travis.yml) see: https://github.com/Update version of Node.js in .travis.yml file (to ensure that we are testing with latest node) dwyl/hapi-auth-jwt2#257
• 59cdc94 update version of Hapi to v16.6.2 to test with *Final* version of v16 "stream" before updating to v17 see: https://github.com/Final v16 Release before Migrating to V17 dwyl/hapi-auth-jwt2#255#issuecomment-356415709
• e90bdd1 adds node.js version 8 & 9 to .travis.yml to test the *latest* node versions on CI fixes https://github.com/Update version of Node.js in .travis.yml file (to ensure that we are testing with latest node) dwyl/hapi-auth-jwt2#257
• faf7805 remove node.js v.4 from .travis.yml as per https://github.com/Final v16 Release before Migrating to V17 dwyl/hapi-auth-jwt2#255#issuecomment-356409619
• eec2ee6 update version of boom to 6.0.0 for Expand character limit for group name #255
• aacc9a5 update version of jsonwebtoken dependency to latest version (8.1.0) for https://github.com/Final v16 Release before Migrating to V17 dwyl/hapi-auth-jwt2#255
• f2560e6 Merge pull request add groups/roles to user by id or name #241 from nrotta/master
• e4ba8f1 Returns 'Expired token' when trying to authenticate with an expired token
• b8f62ac Merge pull request 2.1.4 #236 from dwyl/update-hapi-version
• f5f9199 maintenance update: version of dependencies to latest. no code changed. https://github.com/update version of boom (dependency) dwyl/hapi-auth-jwt2#242
• 9a8d654 Merge branch 'update-hapi-version' of github.com:dwyl/hapi-auth-jwt2 into update-hapi-version
• 9c96080 update version of Hapi to 16.4.3 fixes https://github.com/update version of hapi  dwyl/hapi-auth-jwt2#235
• 34f8db4 Merge branch 'master' into update-hapi-version
• b365d2c update version of boom to 5.1.0 fixes https://github.com/update version of boom (dependency) dwyl/hapi-auth-jwt2#242
• ad6cb16 Added/fixed test removed in Roles and Permissions tied to single Client #166
• 969ece2 update versions of devDependencies to latest for https://github.com/update version of hapi  dwyl/hapi-auth-jwt2#235
• b5906c9 update version of Hapi (in devDependencies) to latest 16.1.1 for https://github.com/update version of hapi  dwyl/hapi-auth-jwt2#235
• 2307a92 update version of Hapi (in devDependencies) to latest 16.1.1 for https://github.com/update version of hapi  dwyl/hapi-auth-jwt2#235
• 9abe5b3 Merge pull request 500 from Api #221 from dwyl/add-CONTRIBUTING.md-file
• 1c1f059 📝 adds CONTRIBUTING.md file so everyone knows how to contribute! 🎉 fixes https://github.com/add CONTRIBUTING.md file to repo dwyl/hapi-auth-jwt2#212
• e96665a Merge pull request Added script for load testing #216 from dwyl/update-devDependency-on-Hapi-to-v16
• fa5b3be update hapi version compatibility in the readme to v16
• 1dee895 update devDependency on Hapi to v16. confirms that no update to code is required. put token to the localStorage for sharing between tabs #215

See the full diff

Package name: joi

The new version differs by 250 commits.

• b3833c4 17.1.1
• ed5990a Fix domain validation in relative uri. Closes #2316
• 1d1fd3f Merge pull request #2314 from jsoref/api-schema-object-foo-number-min-error
• c4d072b Update API.md - correct sample - fails because is gone
• b0ab57c Merge pull request #2305 from cbebry/patch-1
• d9738fb Update API.md - valid() no longer takes arrays
• 6ec7131 Merge pull request #2293 from hapijs/consider-changeless-forks
• e9f1865 Fix error on changeless forks. Fixes #2292.
• a9b5c3c Merge pull request #2281 from moonthug/patch-1
• 17118ce Fix example joi extension
• 48a3006 17.1.0
• 2417a42 Better annotate handling. isError. Closes #2279. Closes #2280
• 26206ed Merge pull request #2278 from Bjorn248/master
• 9768802 fix typo in LICENSE
• 8d72fac 17.0.2
• 038854b Consistent keys term. Closes #2269
• a7102c6 17.0.1
• 90a2b19 Move flag back to proto. Closes #2268
• 86636f3 17.0.0
• 9acff1d Update deps. Closes #2263
• 3bcab3a Move annotate() our of browser. Closes #2261
• c75a8f0 Merge branch 'master' of github.com:hapijs/joi
• 057248b Clarify rename(). For #2216
• fa9dd37 Merge pull request #2259 from nwhitmont/master

See the full diff

Package name: jsonwebtoken

The new version differs by 10 commits.

• f313850 8.0.0
• f38bd8e updated changelog
• 2ec3263 Merge pull request #393 from ziluvatar/migration-notes-to-readme
• 12cd8f7 docs: readme, migration notes
• cfc04a9 Merge pull request [Snyk] Fix for 1 vulnerabilities #349 from ziluvatar/fix-max-age-number-and-seconds
• 3305cf0 verify: remove process.nextTick (Bump y18n from 3.2.1 to 3.2.2 #302)
• 0be5409 Reduce size of NPM package ([Snyk] Fix for 4 vulnerabilities #347)
• 2e7e68d Remove joi to shrink module size ([Snyk] Security upgrade hapi-auth-jwt2 from 7.0.1 to 10.4.0 #348)
• 66a4f8b maxAge: Add validation to timespan result
• b61cc34 maxAge: Fix logic with number + use seconds instead of ms

See the full diff

Package name: jwks-rsa

The new version differs by 121 commits.

• 26e2fa3 Merge pull request Userpicker connections #137 from auth0/davidpatrick-patch-1
• a9c179f Update package-lock.json
• 02d6e80 Release 1.8.0 (The user picker should show the connection name #136)
• 8cc9410 Added timeout with default value of 30s (Open link in new tab gives blank page #132)
• 1ec5217 Migrate from Request (Add sample to the documentation showing how to call the policy endpoint #135)
• a3ba52e Allow JWT to not contain a "kid" value (multiselect issues #55)
• 398c05e Merge pull request Allow end users to manage groups/roles/permissions #130 from auth0/prepare/1.7.0
• be9600a Release 1.7.0
• d0c5787 Merge pull request Trying to determine api-key (for use in rules configuration settings) #129 from auth0/fix-linter-issues
• d122f08 fix linter issues
• 31177e3 Merge pull request Creating a Role/Permission in v2 requires an Application #125 from Ogdentrod/feat/add-proxy
• 51d99e9 Merge branch 'master' into feat/add-proxy
• 5fc0f15 Merge pull request upgrade extension-ui #128 from auth0/lbalmaceda-patch-1
• 6d304e5 Send the explicit commit SHA to Codecov
• 70efc54 Merge branch 'feat/add-proxy' of github.com:Ogdentrod/node-jwks-rsa into feat/add-proxy
• bc915d7 test: better testing for proxy
• 0988ccc Merge branch 'master' into feat/add-proxy
• b8ffdb6 Merge pull request Role update fix #127 from auth0/add-ci
• 6663fc2 add badges to the README
• 7650ecb add CircleCI build and generate coverage
• c7c7ba5 feat: add proxy option to jwksClient
• 73a087d Merge pull request Group / Members tab has error if you delete a user in the Dashboard that's been assigned to the group #123 from auth0/cacheChanges
• 17e83df Modify Cache Defaults
• 998a32d Merge pull request Docs: manage user's roles screenshot shows 'undefined' for username #121 from auth0/prepare-release

See the full diff

Package name: npm

The new version differs by 250 commits.

• 3b4ba65 7.0.0
• bbfc75d chore: fix weird .gitignore thing that happened somehow
• 8a2d375 docs: changelog for v7.0.0
• 365f2e7 [email protected]
• fafb348 [email protected]
• 9306c68 [email protected]
• 569cd64 [email protected]
• ac9fde7 Integration code for @ npmcli/[email protected]
• 704b9cd @ npmcli/[email protected]
• 3955bb9 [email protected]
• da240ef fix: patch config.js to remove duplicate values
• 9ae45a8 [email protected]
• 41ab36d [email protected]
• c474a15 [email protected]
• efc6786 fix: make sure publishConfig is passed through
• 1e4e6e9 docs: v7 using npm config refresh
• 5c1c2da fix: init config aliases
• 5bc7eb2 docs: v7 npm-install refresh
• 1a35d87 7.0.0-rc.4
• 7a5a557 docs: changelog for v7.0.0-rc.4
• f0cf859 chore: dedupe deps
• 0273745 [email protected]
• 7bd47ca @ npmcli/[email protected]
• 9320b8e only escape arguments, not the command name

See the full diff

Package name: webtask-tools

The new version differs by 2 commits.

• 4806a34 Version bump package-lock.json
• e79adb1 Bump pug (You cannot edit permissions when adding/updating a Role #34)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Arbitrary Code Execution
🦉 More lessons are available in Snyk Learn