
[Security] Bump parcel-bundler from 1.5.1 to 1.10.0 #13

Open: wants to merge 1 commit into master from dependabot/npm_and_yarn/parcel-bundler-1.10.0
Conversation

dependabot-preview[bot] (Contributor) commented Jul 9, 2019

Bumps parcel-bundler from 1.5.1 to 1.10.0. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects parcel-bundler
An issue was discovered in HMRServer.js in Parcel parcel-bundler. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1 connection (with a random TCP port number) from any origin. The random port number can be found by connecting to http://127.0.0.1 and reading the "new WebSocket" line in the source code.

Affected versions: < 1.10.0

Changelog

Sourced from parcel-bundler's changelog.

[1.10.0] - 2018-09-25

Added

  • Babel 7 support
  • HTML Bundle loader
  • Process inline scripts and styles
  • Added LD+JSON asset
  • Add support for Elm assets
  • Support optionally bundling node_modules for --target=node
  • Import existing sourcemaps
  • Import GraphQL files from other GraphQL files
  • Automatically strip flow types
  • SugarSS Support
  • Minimal verbose/debug mode
  • User friendly error on failed entrypoint resolving
  • Support for SharedWorkers
  • Add Object Spread to default Babel transforms
  • Update help message for --public-url
  • Support HTML5 history mode routing
  • Split cache into multiple folders for faster FS
  • Support array in package.json's sideEffects property
  • Added stub for require.cache
  • Added dotenv-expand to expand env vars
  • Update Typescript to v3.0.0
  • Add --no-content-hash option to build cli

Fixed

  • Exit process on Error
  • Fix non updating asset hashes
  • Fix Sass url resolving
  • WorkerFarm Cleanup
  • Fix infinite loop in resolver when using ~/... imports
  • Default to Dart-Sass and add backwards compatibility for node-sass
  • Validate if a PostCSS config is an object
  • VSCode syntax highlight with PostCSS in Vue Component style tag
  • Glob support in less imports
  • Generate unique certificate serial number
  • Keep name in sourcemaps mappings
  • Replace slack with spectrum badge
  • Use esnext with typescript and scope hoisting
  • Fix sourcemaps failing on refresh/hmr
  • Support sideEffect: false with CommonJS
  • Get only existing package main
  • Load minified built-in if available
  • Support error strings in workers
  • Terminate workerfarm when using the API
  • Fix comment typo
  • Fix dotenv package error
... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it). To ignore the version in this PR you can just close it
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Jul 9, 2019
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/parcel-bundler-1.10.0 branch from 3345ba4 to 9a42f77 on July 12, 2019 00:48
Bumps [parcel-bundler](https://github.com/parcel-bundler/parcel) from 1.5.1 to 1.10.0. **This update includes security fixes.**
- [Release notes](https://github.com/parcel-bundler/parcel/releases)
- [Changelog](https://github.com/parcel-bundler/parcel/blob/master/CHANGELOG.md)
- [Commits](parcel-bundler/parcel@v1.5.1...v1.10.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/parcel-bundler-1.10.0 branch from 9a42f77 to 905ece7 on August 14, 2019 08:16