[Snyk] Fix for 13 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Prototype Pollution SNYK-JS-AJV-584908	No	No Known Exploit
	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	No Known Exploit
	Prototype Pollution npm:extend:20180424	No	No Known Exploit
	Denial of Service (DoS) npm:mem:20180117	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	Denial of Service (DoS) npm:qs:20140806	No	No Known Exploit
	Denial of Service (DoS) npm:qs:20140806-1	No	No Known Exploit
	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit
	Denial of Service (DoS) npm:superagent:20170807	No	No Known Exploit
	Information Exposure npm:superagent:20181108	No	No Known Exploit

Commit messages

Package name: postcss-cli

The new version differs by 193 commits.

• 1bf8822 5.0.0
• dc5df26 Rename authors to contributors in package.json to comply with spec
• 916c9b8 Don't mutate global config object
• 205a83b Changes to prettier config
• b570fee Upgrade chokidar to v2.0.0
• 908817a Update CI configs
• aa0088d BREAKING: Remove -v alias for --version
• 06aa6ee BREAKING: Be silent, add --verbose, change logging format
• f16d0d4 BREAKING: Don't exit watch mode when a plugin errors
• 72557a9 Update fs-extra to version 5.0.0 (Jetpack Scan: add message for VaultPress users that have the security feature Automattic/wp-calypso#183)
• 1fa3574 Update prettier to version 1.9.2 (Jetpack Scan: allow VaultPress users with SSH creds entered to use Jetpack Start Automattic/wp-calypso#184)
• fecf832 BREAKING: Update globby to version 7.1.1; expand directories
• 4b2421b User-friendly error message when --watch and writing to STDOUT
• cc3f696 BREAKING: Revamp args parsing
• f0af2e4 postcss should exit with code 1 when there's an error; even with --watch (Site Settings: bring over timezone setting Automattic/wp-calypso#178)
• 596b1f4 Update prettier to version 1.9.1 (Jetpack Monitor: Use mapped domains on multisite Automattic/wp-calypso#180)
• f94496f Pin ora to 1.3.0 to fix tests
• 49bb585 Update ava to version 0.25.0 (Purchases: Fill credit card form with data upon loading Edit Card Details page Automattic/wp-calypso#193)
• c8544ad Update yargs to version 11.0.0 (Server Side Rendering: Stub components that depend on component.js Automattic/wp-calypso#192)
• 077364f Update dependency-graph to version 0.7.0 (Purchases: Update domain price after cancelling privacy Automattic/wp-calypso#189)
• 6134947 Update prettier to version 1.9.0 (Server Side Rendering: Use JSX instead of Jade Automattic/wp-calypso#179)
• b4d5d3d Update ava to version 0.24.0 (Jetpack Scan: do not show saved password in plaintext when editing settings Automattic/wp-calypso#174)
• 85daee9 Update prettier to version 1.8.2 (Jetpack Scan: use "Jetpack" instead of "VaultPress" in SSH Key Automattic/wp-calypso#172)
• c3131b6 Update prettier to version 1.8.1

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 213226e 4.0.0
• fde0183 Merge pull request Upgrades: record google analytics events for google-voucher. Automattic/wp-calypso#6081 from webpack/formating/prettier
• b6396e7 update stats
• f32bd41 fix linting
• 5238159 run prettier on existing code
• 518d1e0 replace js-beautify with prettier
• 4c25bfb 4.0.0-beta.3
• dd93716 Merge pull request Plans: state/plans test deepfreeze fix Automattic/wp-calypso#6296 from shellscape/fix/hmr-before-node-stuff
• 7a07901 Merge pull request Sharing: Gracefully fail on bad message JSON Automattic/wp-calypso#6563 from webpack/performance/assign-depth
• c7eb895 Merge pull request Analytics: Add utm URL params to page view event Automattic/wp-calypso#6452 from webpack/update_acorn
• 9179980 Merge pull request Add guards to decodeEntieties so it is not called with undefined. Automattic/wp-calypso#6551 from nveenjain/fix/templatemd
• e52f323 optimize performance of assignDepth
• 6bf5df5 Fixed template.md
• 90ab23a Merge branch 'master' into fix/hmr-before-node-stuff
• b0949cb add integration test for spread operator
• 39438c7 unittest now also walks the ast
• 15ab027 Merge pull request CPT: Display notice when permanent deletion succeeds or fails Automattic/wp-calypso#6536 from jevan0307/sideEffects-selectors
• 1611ce1 Merge pull request Signup: fix wp-content classes. Automattic/wp-calypso#6561 from joshunger/patch-1
• 6e175bc Merge pull request Signup: Free wordpress.com addresses not shown for customers in CAD, GBP, JPY Automattic/wp-calypso#6549 from webpack/md4_hash
• 0637531 Add a hyperlink to create a new issue
• 0e1f9c6 Merge pull request Framework: Upgrade React to 15.3.0 Automattic/wp-calypso#6554 from webpack/deps/end-of-beta
• 72477f4 upgrade versions to stable versions
• ed30285 Merge pull request Remove quotes around CSS keyframe identifiers Automattic/wp-calypso#6546 from webpack/bot/review-permission
• 40ee8c7 Use MD4 for hashing

See the full diff

Package name: webpack-dashboard

The new version differs by 77 commits.

• 5b65faa 2.0.0
• 8a32cd1 [Major] Integrate inspectpack3 - faster, better, and more colorful! (Domain Management: Domain Locking doesn't refresh automatically on Transfer page Automattic/wp-calypso#249)
• 9a9a020 1.1.1
• 719dd0c Allow better fallback for real metrics. (Me: Layout issues on Scan-the-QR-Code page on narrow screens Automattic/wp-calypso#232)
• 6738152 1.1.0
• 7f99b31 Feature: Enable opt-out of minified, gzip calculations. (Me: Button stacking on narrow screens needs improvement Automattic/wp-calypso#230)
• 812f072 1.0.2
• 338cc53 fix issue when bundle don't have metrics at all (Purchases: improve feedback when updating payment details Automattic/wp-calypso#221)
• 4f56a22 1.0.1
• 839fbde Wait until apply to create inspectpack daemon (Framework: document the layout and rendering order Automattic/wp-calypso#215)
• 44efac4 Update yarn.lock.
• 9c532ff v1.0.0
• 2f24fe9 Feature - Add plugin host option (Server Side Rendering: Create a new ThemesList, Dispatcher, and likely Themes instance for each request Automattic/wp-calypso#188)
• 3f558c3 Added OS support section (Stats: static front page stats are labeled with the page title instead of "Home page" Automattic/wp-calypso#210)
• c9be427 Add basic tests. (Posts: post-count tests in wpcom api test suite should be updated Automattic/wp-calypso#208)
• 7f02ea9 Merge pull request .org Plans: Confirmation page should link to specific sections of the support page Automattic/wp-calypso#204 from FormidableLabs/node-env-support
• 9bfeab3 Use getOr and fix minor error in readme
• b8f0a49 Added docs and simplifed prod warning messaging.
• f5645a8 Fixed spacing.
• a73fa95 Added support for node env provide plugin.
• f686a02 Merge pull request Framework: Account for Preferences settings 2FA refresh response Automattic/wp-calypso#202 from FormidableLabs/inspectpack-reporting-sizes
• 6141b80 Use path.sep for path separator
• f723dcd Merge pull request .org Plans: Receipt sometimes not sent / emailed for plan purchases Automattic/wp-calypso#203 from FormidableLabs/keyboard-log-nav
• 9de6469 Added keyboard navigation for main log.

See the full diff

Package name: wpcom

The new version differs by 24 commits.

• 1d279d2 Bump version to 5.4.2
• a2c4b26 Upgrade wpcom-xhr-request to 1.1.2 and reshrinkwrap (Stats: Stats page does not load in Safari, iOS 6. Drop support for iOS 6?  Automattic/wp-calypso#224)
• 58fc193 Fix audit vulnerabilities (Editor: Paste not an option from right-click menu when content area empty Automattic/wp-calypso#223)
• 97f8398 Update qs to ^6 (Purchases: improve feedback when updating payment details Automattic/wp-calypso#221)
• 7be461c Update to debug@3
• 3786104 Merge pull request Standards: CSSTransitionGroup Automattic/wp-calypso#220 from Automattic/update/wpcom-xhr-request
• 6d3177f Update wpcom-xhr-request to 1.1.1 and use a caret version
• 3859658 Merge pull request Upgrades: General: Remove duplicate information from all readme files Automattic/wp-calypso#217 from Automattic/update/browser-fs
• 3002ca2 Add newline to end of file
• 8f77412 remove beta
• d4dd912 updates according to feedback. simplify webpack config
• 893e1d0 fix directory issue
• c65ff02 bump to new major version beta
• 92d9551 throw error if using incorrect args in browser
• 0634613 beta ver bump
• 61af605 Minimize amount of code split between browser and node
• 0c39913 skip another test related to plugins
• b1a19ba skip another failing test...
• 81ed74e skip failing tests
• 3356b9a reference the build version
• c88288d fix filepath
• c5e83a0 update package version to beta
• 7a5bb66 update README
• dfa64de Browser Compatibility: follow standard practices for isomorphic javscript

See the full diff

Package name: wpcom-oauth

The new version differs by 8 commits.

• de5c238 Merge pull request [Snyk Update] New fixes for 20 vulnerable dependency paths #13 from Automattic/upgrade-deps
• 2f641c4 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path #12 from spen/update/include-extension-in-json-reference
• 590b015 update history
• 0466e0d Update superagent dependency
• 4d8a8a1 Add .json extension when referencing default.json
• ee3ccbd Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path #11 from Automattic/add/port-setting
• f22824a Fix typo
• a531d29 Example app: Allow changing port, set default to 3001

See the full diff

Package name: wpcom-proxy-request

The new version differs by 10 commits.

• 704816b Patch File objects sent as form data to work around a bug in Chrome ([Snyk] Fix for 1 vulnerabilities #36)
• 0032ca8 bump chokidar-cli too
• ff35c91 Fix vulnerabilites from npm audit
• 758e8a6 Update the rest-proxy URL to version 2.0 and release the 5.0.0 version of the package
• 7b21a0c Merge pull request [Snyk] Fix for 1 vulnerabilities #31 from Automattic/update/4.0.6
• cd40ff4 Bump to 4.0.6 and add blowery to contribs
• 3210fed Merge pull request [Snyk] Fix for 1 vulnerable dependencies #30 from Automattic/unbind-messages
• c5ad83d Unbind window.message when uninstalling
• d31b02d Fix/bad status code ([Snyk] Fix for 1 vulnerable dependencies #29)
• ca8bffc Merge pull request [Snyk] Fix for 1 vulnerable dependencies #27 from Automattic/bump/4.0.4

See the full diff

Package name: wpcom-xhr-request

The new version differs by 2 commits.

• f2d66bb Bump to 1.1.2
• 0bd206a Upgrade superagent, debug, webpack and serve packages

See the full diff

With a Snyk patch:

Severity	Issue	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic