[Snyk] Fix for 16 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	387/1000 Why? Proof of Concept exploit, CVSS 5.6	Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767	No	Proof of Concept
	387/1000 Why? Proof of Concept exploit, CVSS 5.6	Prototype Pollution SNYK-JS-HANDLEBARS-1279029	No	Proof of Concept
	365/1000 Why? CVSS 7.3	Prototype Pollution SNYK-JS-HANDLEBARS-469063	No	No Known Exploit
	300/1000 Why? Medium severity	Denial of Service (DoS) SNYK-JS-HANDLEBARS-480388	No	No Known Exploit
	405/1000 Why? CVSS 8.1	Arbitrary Code Execution SNYK-JS-HANDLEBARS-534478	No	No Known Exploit
	300/1000 Why? Medium severity	Prototype Pollution SNYK-JS-HANDLEBARS-534988	No	No Known Exploit
	432/1000 Why? Proof of Concept exploit, CVSS 6.5	Prototype Pollution SNYK-JS-HANDLEBARS-567742	No	Proof of Concept
	/1000 Why?	Cross-site Scripting (XSS) SNYK-JS-JSONEDITOR-575026	Yes	No Known Exploit
	/1000 Why?	Server-side Request Forgery (SSRF) SNYK-JS-NETMASK-1089716	No	Proof of Concept
	/1000 Why?	Prototype Pollution SNYK-JS-TYPEORM-590152	No	Mature
	/1000 Why?	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	No	No Known Exploit
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	No	No Known Exploit
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	No	No Known Exploit
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: cfenv

The new version differs by 3 commits.

• fb0a2aa update dependencies, now at version 1.2.4
• 63e072a version 1.2.3
• 02bb92d Issue 45 Remove '.cfignore'

See the full diff

Package name: hbs

The new version differs by 107 commits.

• 00764e0 v4.1.2
• 8dcac86 tests: add test for layout that does not exist
• 1046191 test: add test for layout using async helper
• 9c6ee6f test: add test for async helper with layout
• b109867 lint: fix redeclared variable
• 7920ac6 build: Node.js@12.22
• 5623682 deps: handlebars@4.7.7
• 81ee48a build: supertest@6.1.3
• c90ac58 build: eslint-plugin-markdown@2.0.1
• 5179777 build: eslint@7.24.0
• 4c73a69 build: mocha@8.3.2
• 0826373 build: Node.js@14.16
• 711c4fa build: Node.js@12.21
• a48b2bf build: Node.js@10.24
• c9ba0a3 build: eslint@7.21.0
• dfc44e3 build: eslint-plugin-markdown@2.0.0
• f3f5697 build: Node.js@12.20
• b2a461b build: eslint@7.18.0
• 3852e7c build: supertest@6.1.1
• 67c942d build: eslint@7.16.0
• 14c84ff build: Node.js@14.15
• 1fcbd8b build: mocha@8.2.1
• 20afe45 build: eslint@7.13.0
• bd96ad1 build: Node.js@12.19

See the full diff

Package name: jsoneditor

The new version differs by 18 commits.

• fb99472 Publish v9.0.2
• 400b1ee Small styling fix
• 87bc7b2 Fix [Snyk] Security upgrade node from 14.1.0 to 14.17.1 #1029: XSS vulnerabilities
• 8826c6f Fix [Snyk] Security upgrade snyk from 1.278.1 to 1.518.0 #1017: unable to style the color of a value containing a color. See also [Snyk] Security upgrade node from 14.1.0 to 14.17.1 #1028
• 394432d Publish v9.0.1
• 3a5ddb2 Update devDependencies
• b6235a8 Fix [Snyk] Security upgrade node from 14.1.0 to 14.17.1 #1027: create IE11 Array polyfills `find` and `findIndex` in such a way that they are not iterable
• 70a2f94 Update history
• d71c7b4 FIXE: powered by ace link is updated to https://ace.c9.io/ ([Snyk] Fix for 66 vulnerabilities #1018)
• 3048e71 Bump websocket-extensions in /examples/react_advanced_demo ([Snyk] Security upgrade node from 14.1.0 to fermium-stretch #1007)
• 2d38d0b Bump websocket-extensions from 0.1.3 to 0.1.4 in /examples/react_demo ([Snyk] Security upgrade node from 14.1.0 to fermium-stretch #1006)
• ae84c74 Update devDependencies
• f94589c Update devDependencies
• 901b8aa Describe `onFocus` and `onBlur` in the docs (see [Snyk] Fix for 1 vulnerable dependencies #612)
• 1b259e7 Publish v9.0.0
• 62025c4 Implemented option `limitDragging`, see feat: add cookie session for logged in state #962
• c2fa821 Update example 20 to also show how to customize font color (See [Snyk] Fix for 16 vulnerabilities #990)
• bd69cf9 Remove greenkeeper badge

See the full diff

Package name: snyk

The new version differs by 250 commits.

• 8987918 Merge pull request #1781 from snyk/fix/replace-proxy
• eec11b7 test: raise timeout for snyk protect tests hitting real Snyk API
• 8045ceb test: update proxy tests for the new proxy global-agent
• 0d0c76a feat: support lowercase http_proxy envvars
• e597846 test(proxy): acceptance test for Proxy envvar settings
• 6d67579 fix: replace vulnerable proxy dependency
• 1449c57 Merge pull request #1707 from snyk/feat/snyk-fix
• 3d872fb test: assert exact errors for unsupported
• 5ebd685 Merge pull request #1777 from snyk/feat/fix-with-version-provenance
• 17e3431 Merge pull request #1778 from snyk/feat/dont-force-https
• fdd7f1a docs: update SNYK_HTTP_PROTOCOL_UPGRADE description
• 165b4b9 feat: introduce envvar to control HTTP-HTTPS upgrade behavior
• 77e6665 chore: lerna release with exact version
• f14819f Merge pull request #1760 from snyk/feat/support-critical-in-sarif
• b286418 feat: v1 support for previously fixed reqs.txt
• 0384020 feat: basic pip fix -r support
• f94c558 feat: include pins optionally
• 66ca77a feat: do not skip files with -r directive
• bc44f9a refactor: fix individual reqs manifest
• 6e84322 feat: fix individual file with provenance
• 9ed99f3 Merge pull request #1764 from snyk/feat/update-code-client
• c92599b Merge pull request #1774 from snyk/refactor/change-binaries-release-script
• ca508ac test: smoke test for `snyk fix`
• c68c7da feat: add @ snyk/fix as a dep

See the full diff

Package name: validator

The new version differs by 45 commits.

• 24b3fd3 13.6.1
• b986f3d fix: ReDOS in isEmail and isHSL (#1651)
• 2a3a1c3 13.6.0
• 1fa0959 chore: add typeof utility (#1648)
• cf403d0 fix(isMobilePhone): add Sierra Leone phone and fix Sri Lanka phone (#1558)
• 3f70b8e feat(isPassportNumber, isIBAN, isMobilePhone): add Mozambique locale (#1604)
• 05ceb18 isURL(): Allow URLs to have only a username in the userinfo subcomponent (#1644)
• 9ee1b6b fix(isMobilePhone): update china zh-CN locale (#1642)
• b82f4f2 fix(docs): typo in README.md (#1640)
• 615547f feat(isMobilePhone): add Latvia lv-LV locale (#1638)
• d006e08 fix(isMobilePhone): add support for new networks codes in GH (#1635)
• c33fca6 fix(isISIN): optimization (#1633)
• 2ef84e4 fix(isIP): validator patterns for IPv4 and IPv6 RegExp formats (#1632)
• 67a200d feat(isPostalCode): add KR locale (#1628)
• b65ddc5 fix: fix A-z ranges (#1625)
• 39830a9 feat: IR passport and identityCard, respect .gitignore files (#1595)
• 5d6db63 feat(isIPRange): add support for IP version 4 or 6 (#1594)
• a31c116 fix: update isMobilePhone validation for en-SG (#1573)
• 63b6162 chore: add gitter chatroom badge (#1592)
• bb0dba6 feat(isPassportNumber): add MY locale (#1574)
• 7989e5b feat(isLicensePlate): add support for pt-BR locale (#1588)
• 3c771e8 feat(pt-BR): tax id, passport and license plates (#1613)
• 418df05 fix(isMobilePhone): prevent allowing landline numbers in es-CO (#1623)
• 6262f62 chore: improving code coverage to 100% branches (#1624)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic