[Snyk] Fix for 26 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • js-sdk/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ENGINEIO-3136336	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	Yes	Proof of Concept
	344/1000 Why? Has a fix available, CVSS 2.6	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2396346	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	591/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.4	Cross-site Scripting (XSS) SNYK-JS-KARMA-2395349	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-KARMA-2396325	Yes	No Known Exploit
	489/1000 Why? Has a fix available, CVSS 5.5	Information Exposure SNYK-JS-LOG4JS-2348757	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-2863123	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Insecure Defaults SNYK-JS-SOCKETIO-1024859	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary Code Injection SNYK-JS-XMLHTTPREQUESTSSL-1082936	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Access Restriction Bypass SNYK-JS-XMLHTTPREQUESTSSL-1255647	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: globby

The new version differs by 33 commits.

• 878ef6e 10.0.0
• 3706920 Upgrade `fast-glob` package to v3 (Restyle [Snyk] Fix for 1 vulnerabilities #126)
• 8aadde8 Add `globby.stream` ([Snyk] Security upgrade node-sass from 4.12.0 to 7.0.2 #113)
• 2dd76d2 Remove `**/bower_components/**` as a default ignore pattern
• 9f781ce Require Node.js 8
• 04d51bf Upgrade `ignore` package ([Snyk] Fix for 1 vulnerabilities #120)
• 2b61484 Readme tweaks
• ff3e1f9 Tidelift tasks
• 31f18ae Create funding.yml
• 33ca01c Fix using the `gitignore` and `stats` options together ([Snyk] Security upgrade @vue/cli-service from 3.12.1 to 5.0.1 #121)
• c737820 Minor TypeScript definition improvements
• 82db101 Add Node.js 12 to testing ([Snyk] Fix for 2 vulnerabilities #117)
• 766b728 9.2.0
• dc0a49c Refactor TypeScript definition to CommonJS compatible export ([Snyk] Security upgrade globby from 8.0.2 to 10.0.0 #115)
• 89cee24 9.1.0
• 59f4b48 Add check to ensure `cwd` is a directory ([Snyk] Fix for 2 vulnerabilities #110)
• 9a9cf1e Add TypeScript definition ([Snyk] Fix for 2 vulnerabilities #111)
• eb26c7e Meta tweaks
• d77a623 Add failing test for [Snyk] Security upgrade nuxt from 2.8.1 to 2.15.0 #105 ([Snyk] Security upgrade @vue/cli-service from 3.12.1 to 5.0.1 #108)
• 2294618 Deduplicate identical file patterns ([Snyk] Security upgrade eslint from 5.16.0 to 9.0.0 #102)
• ba9c267 Add failing test for [Snyk] Security upgrade karma-webpack from 4.0.0-rc.2 to 5.0.0 #97 ([Snyk] Security upgrade eslint from 4.19.1 to 9.0.0 #100)
• 71b9c58 9.0.0
• 39ad0d9 Update dependencies
• d804228 Fix compatibility with latest `dir-glob` release ([Snyk] Fix for 2 vulnerabilities #99)

See the full diff

Package name: karma

The new version differs by 214 commits.

• ab4b328 chore(release): 6.3.16 [skip ci]
• ff7edbb fix(security): mitigate the "Open Redirect Vulnerability"
• c1befa0 chore(release): 6.3.15 [skip ci]
• d9dade2 fix(helper): make mkdirIfNotExists helper resilient to concurrent calls
• 653c762 ci: prevent duplicate CI tasks on creating a PR
• c97e562 chore(release): 6.3.14 [skip ci]
• 91d5acd fix: remove string template from client code
• 69cfc76 fix: warn when `singleRun` and `autoWatch` are `false`
• 839578c fix(security): remove XSS vulnerability in `returnUrl` query param
• db53785 chore(release): 6.3.13 [skip ci]
• 5bf2df3 fix(deps): bump log4js to resolve security issue
• 36ad678 chore(release): 6.3.12 [skip ci]
• 41bed33 fix: remove depreciation warning from log4js
• c985155 docs: create security.md
• c96f0c5 chore(release): 6.3.11 [skip ci]
• a5219c5 fix(deps): pin colors package to 1.4.0 due to security vulnerability
• de0df2f test: fix version regex in the CLI test case
• eddb2e8 chore(release): 6.3.10 [skip ci]
• 0d24bd9 fix(logger): create parent folders if they are missing
• b8eafe9 chore(release): 6.3.9 [skip ci]
• cf318e5 test: add test case for restarting test run on file change
• 92ffe60 fix: restartOnFileChange option not restarting the test run
• b153355 style: fix grammar error in browser capture log message
• 8f798d5 chore(release): 6.3.8 [skip ci]

See the full diff

Package name: karma-coverage

The new version differs by 36 commits.

• 32acafa chore(release): 2.0.2 [skip ci]
• bb8f9ee chore: add semantic-release for project - fix Patching Prototype pollution in webpack loader-utils tronprotocol/sun-network#408 (Bump ua-parser-js from 0.7.20 to 0.7.33 in /demos/DonateNow/front tronprotocol/sun-network#413)
• 9c37de6 chore: add check commit message (TL4q3Pu2J7URo1VQSx2s4e8kgaVBjkKB15 tronprotocol/sun-network#411)
• 27822c9 ci(test): use eslint as ci command and add all js files to check by eslint (Gbn tronprotocol/sun-network#410)
• 1adb27a ci: drop node 8, adopt node 12 (https://troncloud.io/r/57550 tronprotocol/sun-network#409)
• 4962a70 fix(reporter): update calls to match new API in istanbul-lib-report fix Bump express from 4.17.1 to 4.18.2 in /demos/TinyDice/front tronprotocol/sun-network#398 ([hi1](url) tronprotocol/sun-network#403)
• fc6e289 refactor: remove isAbsolute and replace with path.isAbsolute (Bump json5, @vue/cli-plugin-babel and @vue/cli-service in /documentation/home tronprotocol/sun-network#405)
• 83bafc3 refactor: replace migrate coffee unit tests to modern JS (Fixed Improper Neutralization of Special Elements used in a Command in Shell-quote  tronprotocol/sun-network#407)
• 49f174d refactor: onRunComplete method to upgrade on new major version of Istanbul (Satoshi Lion Dark tronprotocol/sun-network#406)
• 4cfa697 chore: Update dev Dependencies eslint and load-grunt-tasks (https://wps.com tronprotocol/sun-network#387)
• 5cf931a fix: remove information about old istanbul lib (Bump json5 and nuxt in /demos/TinyDice/front tronprotocol/sun-network#404)
• 352254a chore(deps): bump handlebars from 4.1.2 to 4.5.3 (Bump express from 4.17.1 to 4.18.2 in /demos/DonateNow/front tronprotocol/sun-network#399)
• 0ee780c chore(deps): bump lodash.template from 4.4.0 to 4.5.0 (TVM does not support return arrays? tronprotocol/sun-network#392)
• d18cde4 chore(deps-dev): bump eslint from 2.13.1 to 4.18.2 (Bump decode-uri-component from 0.2.0 to 0.2.2 in /documentation/home tronprotocol/sun-network#397)
• 55aeead Update Source Map Handling (Bump decode-uri-component from 0.2.0 to 0.2.2 in /demos/DonateNow/front tronprotocol/sun-network#394)
• b23664e Added debug msg whether coverage is in reporters (Bump qs from 6.5.2 to 6.5.3 in /demos/DonateNow/front tronprotocol/sun-network#396)
• d3f53e3 chore(all): Migrate to ES6 (The current API doesn't and that is why it is fine right now. There is no guarantee that this will remain the same in the future. It makes sense that it will remain the same, but it isn't documented as such. tronprotocol/sun-network#385)
• 9c8a222 Make travis file simpler (Mikkael  tronprotocol/sun-network#386)
• b76db9e Remove unused dateformat dependency (>. tronprotocol/sun-network#384)
• 075ece0 Remove unused istanbul dependency (Bump terser from 4.8.0 to 4.8.1 in /documentation/home tronprotocol/sun-network#382)
• 9184fc0 chore: release v2.0.1
• 57d4bd3 chore(deps): npm audit fix --force; update travis.yml (Trx tronprotocol/sun-network#380)
• 0e2800b chore: release v2.0.0
• 99c0c35 chore: update contributors

See the full diff

Package name: karma-mocha

The new version differs by 18 commits.

• 5828416 chore(release): 2.0.0 [skip ci]
• 4e35a55 chore(ci): semantic-release on success (modify stest tronprotocol/sun-network#221)
• 00b24b6 chore(deps-dev): bump eslint from 2.13.1 to 4.18.2 (merge develop to master tronprotocol/sun-network#220)
• f7ec4e7 Merge pull request Add version able tronprotocol/sun-network#218 from karma-runner/semanitic-release
• 5a5b6d5 feat(ci): enable semanitic-release
• 36404cf Merge pull request Add version able tronprotocol/sun-network#217 from franktopel/minimist-update
• bab0416 updated minimum version of minimist dependency to ^1.2.3 instead of 1.2.0
• 3f9e4b7 Revert "updated minimum version of minimist dependency to ^1.2.3 instead of 1.2.0"
• a9bfdf9 updated minimum version of minimist dependency to ^1.2.3 instead of 1.2.0
• 3dd7a56 Merge pull request modify testcase tronprotocol/sun-network#215 from mbaumgartl/update-node-versions
• 844939c Merge pull request Add optimization test case tronprotocol/sun-network#213 from mbaumgartl/fix-travis-build
• fd64f5b Update Node.js versions
• 6eb28de Fix Travis builds
• c8feade Merge pull request add log tronprotocol/sun-network#210 from elpddev/chore/align-node-support-same-as-karma
• ea076c0 test(mock-fs): update mock-fs version
• 2fb6c93 ci(node versions): change running node verison the same as karma package
• 6c63662 Merge pull request [Snyk] Security upgrade nuxt from 2.8.1 to 3.0.0 #122 from maksimr/karma-mocha-109
• e847121 feat: Expose 'pending' status

See the full diff

Package name: mocha

The new version differs by 250 commits.

• 5f96d51 build(v10.1.0): release
• ed74f16 build(v10.1.0): update CHANGELOG
• 51d4746 chore(devDeps): update 'ESLint' to v8 (#4926)
• 4e06a6f fix(browser): increase contrast for replay buttons (#4912)
• 41567df Support prefers-color-scheme: dark (#4896)
• 61b4b92 fix the regular expression for function `clean` in `utils.js` (#4770)
• 77c18d2 chore: use standard 'Promise.allSettled' instead of polyfill (#4905)
• 84b2f84 chore(ci): upgrade GH actions to latest versions (#4899)
• 023f548 build(v10.0.0): release
• 62b1566 build(v10.0.0): update CHANGELOG
• fbe7a24 chore: update dependencies (#4878)
• 2b98521 docs: replace 'git.io' short links (#4877) [ci skip]
• 007fa65 chore(ci): add Node v18 to test matrix (#4876)
• f6695f0 chore(esm): remove code for Node v12 (#4874)
• 59f6192 chore(ci): conditionally skip 'push' event (#4872)
• b863359 docs: fix 'fgrep' url (#4873)
• baaa41a chore(ci): ignore changes to docs files (#4871)
• ac81cc5 refactor!: drop support of 'growl' notification (#4866)
• 3946453 chore(deps)!: upgrade 'minimatch' (#4865)
• 592905b refactor!: rename 'bin/mocha' to 'bin/mocha.js' (#4863)
• b7b849b refactor!: remove deprecated Runner signature (#4861)
• 0608fa3 chore(site): fix supporters' download (#4859)
• 785aeb1 chore(test): drop AMD/'requirejs' (#4857)
• ed640c4 chore(devDeps): upgrade 'coffee-script' (#4856)

See the full diff

Package name: tronweb

The new version differs by 109 commits.

• 93de124 Merge pull request [Snyk] Security upgrade karma from 4.4.1 to 5.0.0 #180 from tronprotocol/develop
• f9f8634 Merge pull request Restyle [Snyk] Fix for 1 vulnerabilities #179 from tronprotocol/feature/v3.2.7
• ab37c8b Update version
• 0b37238 Merge pull request [Snyk] Fix for 1 vulnerabilities #178 from tronprotocol/develop
• a6b9ef7 Merge pull request [Snyk] Security upgrade tronweb from 2.10.2 to 5.3.0 #176 from tronprotocol/feature/v3.2.7
• 0fcd34b update release note
• 2c6afc6 upgrade validator@10.11.0 to 13.6.0
• 801bfd8 Merge pull request [Snyk] Fix for 3 vulnerabilities #174 from folowing/feature/v3.2.7
• 45b36f9 trcToken type error and payable judgement
• 5f507bb Merge pull request [Snyk] Fix for 2 vulnerabilities #171 from tronprotocol/feature/v3.2.7
• 01408db revert commit #573c682
• 573c682 remove parseInt totalSupply in createassetissue
• 98eb6de ignore constructor function when pass the rawParameter
• b6398d0 Merge pull request [Snyk] Security upgrade nuxt from 2.8.1 to 3.0.0 #161 from tronprotocol/feature/v3.2.7
• 5e923ae add triggerSmartContractWithRawParam test
• 5e14f96 Add options when creating or triggering a contract
• 5fa94d0 Merge pull request Restyle [Snyk] Security upgrade webpack from 4.47.0 to 5.94.0 #151 from tronprotocol/develop
• 0668456 Merge pull request [Snyk] Security upgrade tronweb from 2.10.2 to 3.1.0 #147 from tronprotocol/feature/v3.2.6
• 0410872 updata axios version
• 328ae23 Merge pull request [Snyk] Fix for 3 vulnerabilities #146 from tronprotocol/feature/v3.2.6
• f1e0cf4 add event headers options
• 45ddeb5 Merge pull request [Snyk] Security upgrade tronweb from 2.10.2 to 3.1.0 #145 from tronprotocol/feature/v3.2.6
• 28d3c66 update readme
• 55f68a8 add setHeader function

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Server-Side Request Forgery (SSRF)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Denial of Service (DoS)
🦉 More lessons are available in Snyk Learn

[performance-testing-bot]

Unable to locate .performanceTestingBot config file

[pull-request-quantifier-deprecated]

This PR has 12 quantified lines of changes. In general, a change size of upto 200 lines is ideal for the best PR experience!

---

Quantification details

Label      : Extra Small
Size       : +6 -6
Percentile : 4.8%

Total files changed: 1

Change summary by file extension:
.json : +6 -6

Change counts above are quantified counts, based on the PullRequestQuantifier customizations.

Why proper sizing of changes matters

Optimal pull request sizes drive a better predictable PR flow as they strike a
balance between between PR complexity and PR review overhead. PRs within the
optimal size (typical small, or medium sized PRs) mean:

• Fast and predictable releases to production:
  • Optimal size changes are more likely to be reviewed faster with fewer
    iterations.
  • Similarity in low PR complexity drives similar review times.
• Review quality is likely higher as complexity is lower:
  • Bugs are more likely to be detected.
  • Code inconsistencies are more likely to be detected.
• Knowledge sharing is improved within the participants:
  • Small portions can be assimilated better.
• Better engineering practices are exercised:
  • Solving big problems by dividing them in well contained, smaller problems.
  • Exercising separation of concerns within the code changes.

What can I do to optimize my changes

• Use the PullRequestQuantifier to quantify your PR accurately
  • Create a context profile for your repo using the context generator
  • Exclude files that are not necessary to be reviewed or do not increase the review complexity. Example: Autogenerated code, docs, project IDE setting files, binaries, etc. Check out the Excluded section from your prquantifier.yaml context profile.
  • Understand your typical change complexity, drive towards the desired complexity by adjusting the label mapping in your prquantifier.yaml context profile.
  • Only use the labels that matter to you, see context specification to customize your prquantifier.yaml context profile.
• Change your engineering behaviors
  • For PRs that fall outside of the desired spectrum, review the details and check if:
    • Your PR could be split in smaller, self-contained PRs instead
    • Your PR only solves one particular issue. (For example, don't refactor and code new features in the same PR).

How to interpret the change counts in git diff output

• One line was added: +1 -0
• One line was deleted: +0 -1
• One line was modified: +1 -1 (git diff doesn't know about modified, it will
  interpret that line like one addition plus one deletion)
• Change percentiles: Change characteristics (addition, deletion, modification)
  of this PR in relation to all other PRs within the repository.

---

Was this comment helpful? 👍  :ok_hand:  :thumbsdown: (Email)
Customize PullRequestQuantifier for this repository.

[vizipi]

Pull request analysis by VIZIPI

Below you will find who is the most qualified team member to review your code.
This analysis includes his/her work on the code included in this Pull request, in addition to their experience in code affected by these changes ( partly found within the list of potential missing files below )   Feedback always welcome

No other active qualified developers found to review these specific changes. You might consider involving more team members with these code segments.

---

Potential missing files from this Pull request

files commonly committed with a subset of this pr, but not committed this time. (click to collapse)

File	Percentile	rate
js-sdk/dist/SunWeb.js.map	45.45 %	5 out of 11 times
js-sdk/dist/SunWeb.js	45.45 %	5 out of 11 times

---

Committed file ranks

(click to expand)

97.31%[js-sdk/package.json]