
[Snyk] Fix for 27 vulnerabilities #1

Open
snyk-bot wants to merge 1 commit into master from snyk-fix-4678422cead06cec743379526d4f3f89

Conversation

@snyk-bot

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

    • package.json
  • Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.

Vulnerabilities that will be fixed

With an upgrade:
Severity  Issue                                         Snyk ID                         Breaking Change  Exploit Maturity
medium    Arbitrary Code Injection                      SNYK-JS-EJS-1049328             Yes              Proof of Concept
high      Prototype Pollution                           SNYK-JS-GETOBJECT-1054932       Yes              No Known Exploit
high      Arbitrary Code Execution                      SNYK-JS-GRUNT-597546            Yes              No Known Exploit
high      Prototype Pollution                           SNYK-JS-INI-1048974             Yes              Proof of Concept
high      Arbitrary Code Execution                      SNYK-JS-JSYAML-174129           Yes              No Known Exploit
medium    Regular Expression Denial of Service (ReDoS)  SNYK-JS-LODASH-1018905          Yes              Proof of Concept
high      Command Injection                             SNYK-JS-LODASH-1040724          Yes              Proof of Concept
high      Prototype Pollution                           SNYK-JS-LODASH-450202           Yes              Proof of Concept
medium    Prototype Pollution                           SNYK-JS-LODASH-567746           Yes              Proof of Concept
critical  Prototype Pollution                           SNYK-JS-LODASH-590103           Yes              No Known Exploit
high      Prototype Pollution                           SNYK-JS-LODASH-608086           Yes              Proof of Concept
high      Prototype Pollution                           SNYK-JS-LODASH-73638            Yes              No Known Exploit
medium    Regular Expression Denial of Service (ReDoS)  SNYK-JS-LODASH-73639            Yes              No Known Exploit
high      Regular Expression Denial of Service (ReDoS)  SNYK-JS-MINIMATCH-1019388       Yes              No Known Exploit
medium    Prototype Pollution                           SNYK-JS-MINIMIST-559764         Yes              Proof of Concept
medium    Arbitrary Code Injection                      SNYK-JS-MORGAN-72579            No               Proof of Concept
medium    Insecure Defaults                             SNYK-JS-SOCKETIO-1024859        Yes              Proof of Concept
medium    Regular Expression Denial of Service (ReDoS)  SNYK-JS-WS-1296835              Yes              Proof of Concept
high      Arbitrary Code Injection                      SNYK-JS-XMLHTTPREQUEST-1082935  Yes              Proof of Concept
low       Regular Expression Denial of Service (ReDoS)  npm:clean-css:20180306          Yes              Proof of Concept
high      Prototype Pollution                           npm:deep-extend:20180409        Yes              Proof of Concept
medium    Prototype Pollution                           npm:hoek:20180212               Yes              Proof of Concept
medium    Timing Attack                                 npm:http-signature:20150122     Yes              No Known Exploit
medium    Prototype Pollution                           npm:lodash:20180130             Yes              Proof of Concept
low       Regular Expression Denial of Service (ReDoS)  npm:mime:20170907               Yes              No Known Exploit
medium    Uninitialized Memory Exposure                 npm:tunnel-agent:20170305       Yes              Proof of Concept
medium    Buffer Overflow                               npm:validator:20160218          Yes              No Known Exploit

Commit messages
Package name: anchor
The new version differs by 78 commits.
  • e42acb7 1.3.0
  • 4e519da Nabbed one other one I missed
  • 7d77b02 Finish the rest of the TODOs began in d6f82e75d3827ceee6e0000b9e98cc752f461f51
  • f05f536 Take care of some of the TODOs from previous commit. Also add an isError check when handling errors thrown from validation rules to prevent potential issues in extreme edge cases (where something weird gets thrown)
  • d6f82e7 Add validator upgrade TODOs, and remove old commented out isNotNull thing (it's no longer relevant)
  • ea3a236 Added a few more tests.
  • 238d362 Reroll isBefore and isAfter the dumb, explicit way.
  • f72ef98 Clean up checkConfig for isBefore and isAfter, and clarify another comment.
  • 167a02d Tweak checkConfig error msgs for isBefore+isAfter
  • ee27777 Add todo for future
  • 0e2805c Fix out of date test label
  • 55d9fbe Clean up tests so they report more helpful stuff.
  • 144d872 Bump validator version re https://snyk.io/test/npm/anchor?severity=high&severity=medium&severity=low#npm:validator:20160218 (without applying any of the necessary changes yet, if there are any). Also upgrade to latest eslintrc file, etc, and bump eslint dep.
  • 41dd3e0 1.2.1
  • 10c7e86 Fix build status urls
  • f6b689b Avoid confusion
  • b429872 More of the same
  • 63fe204 Trivial
  • 35d4011 1.2.0
  • d20861d Add configuration-checking functions for rules
  • 938ce25 1.1.2
  • 2c0d09a Remove a bunch of unused stuff.
  • 8934faa Fix leftover 'npm run bench' from copy/paste
  • ee55d54 fixed missing require that eslint revealed

See the full diff

Package name: glob
The new version differs by 168 commits.
  • 3a7e71d v5.0.15
  • 841fda0 use latest minimatch
  • 4ba54a8 Skip some tests on Windows, make others pass
  • 3936e1e Build: Add build for node v4
  • c47d451 v5.0.14
  • 821fac8 Handle ENOTSUP for sync glob as well as async
  • 9625618 Test for when readdir raises ENOTSUP
  • 0a2b519 Generate fixtures more effectively, with -O instead of eval
  • f96190b Use js for benchmark cleanup
  • 957fd93 Fix some 'use strict' errors
  • bf3381e Treat ENOTSUP like ENOTDIR in readdir
  • 507733d v5.0.13
  • f5878af Do not emit 'match' events for ignored items
  • 9439afd v5.0.12
  • 6071f3a Revert "Use graceful-fs if available"
  • 38ff16c v5.0.11
  • f09292b Use graceful-fs if available
  • 4f39b60 Remove duplicate option description
  • e3cdccc v5.0.10
  • 480da05 ignore .nyc_output, upgrade tap, use coverage, rm fixtures
  • 155124b add more sync cb thrower tests
  • f7302ca Test base-matching
  • 7530e88 v5.0.9
  • b185987 reduce cases where tests need to be regenerated

See the full diff

Package name: sails-disk
The new version differs by 85 commits.
  • 15faa44 1.0.0
  • a2b7ee6 1.0.0-12
  • 9d7118c Only set footprint keys for uniqueness violations.
  • a2c2261 Add some assertions.
  • a222824 Update gitignore and scripts
  • 3b3c334 1.0.0-11
  • cef95b4 Support updating the primary key value, as long as it's not using _id as the column.
  • aad2a15 Set _id column to value of primary key when creating records.
  • 333e2d1 1.0.0-10
  • c8a26c5 Add shim to replicate MongoDB's behavior w/ `{ $ne: null }` and empty arrays.
  • bf92cb8 1.0.0-9
  • af97943 Workaround issue with projections including only `_id`
  • b5b985b Relax restrictions on using `_id` column in sails disk.
  • f4adfd7 Add an entry in the `refCols` dictionary for every model, so we don't have to short-circuit checks for it later
  • b494fd9 In `find`, deserialize Buffer objects into `ref` attributes where possible.
  • 7aaaaa4 Merge pull request Update command line tool w/ a few defautl policies balderdashy/sails#58 from balderdashy/expose-lib
  • 70ead96 (whoops) Add back 0.10 and 0.12 in appveyor.yml
  • beabe7a Merge pull request 403 for performing action without permission balderdashy/sails#57 from balderdashy/expose-lib
  • 9c80187 1.0.0-8
  • f7a349d Actually, don't expose the static lib. (No reason to do so, and better to not introduce something experimental if there's any chance it could make an app dependent on random stuff in a dev-only adapter)
  • 2d4d97e 1.0.0-7
  • f2dd761 Rename afterwards function to avoid perceived scope conflict (whether or not it'd ever actually be a big deal, this avoids any potential future scope issues from refactoring, etc).
  • 4051e5e 1.0.0-6
  • 250c32e Handle stray error (and a couple of other trivial changes just from when I was reading through the code)

See the full diff

Package name: socket.io
The new version differs by 250 commits.

See the full diff

With a Snyk patch:
Severity  Issue                Snyk ID              Exploit Maturity
medium    Prototype Pollution  npm:lodash:20180130  Proof of Concept

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

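The PR body asks you to check the changes, and the check a maintainer actually wants is whether every copy of an affected package in the installed tree is now at or above the fixed version: nine of the rows in the table are in lodash, and upgrading one direct dependency (anchor, glob, sails-disk, socket.io) does not remove a second, older lodash nested under some other package. The walker below is an added example written for this page, not Snyk's tooling and not this project's code. It reads a package-lock.json in the lockfileVersion 1 layout (nested `dependencies` maps), lists every installed version of a package with the path that pulls it in, and flags the copies below a threshold. The sample lockfile and the minimum versions in `CHECKS` are constructed placeholders; the real fixed versions come from the Snyk report, not from this file.

```javascript
// Added example (not Snyk's tooling or this project's code): walk a
// package-lock.json in the lockfileVersion 1 layout and report every copy of a
// package that is still below a required version. Nested copies are the usual
// reason a vulnerability "fixed" by upgrading a direct dependency lingers.

// Constructed sample lockfile, not the project's real one. Package names match
// the PR above; the versions are illustrative only.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: '4.17.21' },
    glob: {
      version: '5.0.15',
      dependencies: {
        minimatch: { version: '3.0.4' },
      },
    },
    'sails-disk': {
      version: '1.0.0',
      dependencies: {
        // An older copy that the top-level upgrade does not touch.
        lodash: { version: '3.10.1' },
      },
    },
  },
};

// Placeholder thresholds for the demonstration (assumed, not taken from the
// advisories); the real fixed versions come from the Snyk report.
const CHECKS = { lodash: '4.17.21', minimatch: '3.0.4' };

// Parse "MAJOR.MINOR.PATCH"; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator returning -1, 0 or 1; enough for the exact x.y.z entries a
// lockfile records (ranges live in package.json, not here).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Recursively collect every installed copy of `name` as { path, version }.
// `node` is the lockfile root or a dependency entry; in the v1 layout both may
// carry a nested `dependencies` map for copies installed below that package.
function findInstalled(node, name, prefix = [], out = []) {
  for (const [depName, entry] of Object.entries(node.dependencies || {})) {
    const path = [...prefix, depName];
    if (depName === name) out.push({ path: path.join(' > '), version: entry.version });
    if (entry.dependencies) findInstalled(entry, name, path, out);
  }
  return out;
}

// Copies of `name` whose installed version is below `minVersion`.
function vulnerableCopies(lock, name, minVersion) {
  return findInstalled(lock, name).filter(
    (c) => compareVersions(c.version, minVersion) < 0,
  );
}

// One line per lingering copy, across every package listed in `checks`.
function report(lock, checks) {
  const findings = [];
  for (const [name, min] of Object.entries(checks)) {
    for (const c of vulnerableCopies(lock, name, min)) {
      findings.push(`${c.path}@${c.version} is below ${min}`);
    }
  }
  return findings;
}

console.log(report(SAMPLE_LOCK, CHECKS).join('\n') || 'no lingering copies');
```

Against a real checkout, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Lockfiles with `lockfileVersion` 2 or 3 carry a flat `packages` map keyed by `node_modules/...` paths instead of the nested layout, so the walker above would need to iterate that map; `npm ls lodash --all` (npm 7 and later) shows the same tree from the command line. A non-empty report after merging the PR means the fix is incomplete for that package even though `package.json` looks right.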
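Nine of the rows in the table above are prototype pollution (lodash, minimist, ini, deep-extend, hoek and get-object). To make that class concrete for review, the following is an added example written for this page; it is not code from any of those packages and does not reproduce their specific bugs. A minimal recursive merge that trusts every key of attacker-controlled input will, on an own property named `__proto__`, read `Object.prototype` from the target and recurse into it, so the injected property shows up on every object in the process. The hardened variant refuses the prototype-steering keys and only descends into properties the target itself owns. The JSON payload is constructed.

```javascript
// Added example for this page (not code from lodash, minimist, ini,
// deep-extend, hoek or get-object): a recursive merge vulnerable to prototype
// pollution, beside a hardened version of the same function.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: every key of `src` is trusted. JSON.parse creates an own
// property literally named "__proto__"; reading target["__proto__"] on a plain
// object yields Object.prototype, and the recursion then writes into it.
function mergeUnsafe(target, src) {
  for (const key of Object.keys(src)) {
    if (isPlainObject(src[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// Hardened: refuse the keys that can steer a write to a prototype, and only
// descend into properties the target actually owns (never inherited ones).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function mergeSafe(target, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    if (isPlainObject(src[key])) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      mergeSafe(target[key], src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// Constructed attacker payload, e.g. a JSON request body.
const PAYLOAD = '{"__proto__": {"polluted": "yes"}, "name": "attacker"}';

// Run one merge against the payload and report whether an unrelated, freshly
// created object now sees the injected property. Object.prototype is restored
// afterwards so the rest of the process is left clean.
function demonstrate(merge) {
  const victim = merge({}, JSON.parse(PAYLOAD));
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return { leaked, ownKeys: Object.keys(victim) };
}

console.log('unsafe:', demonstrate(mergeUnsafe)); // leaked: 'yes'
console.log('safe:  ', demonstrate(mergeSafe));   // leaked: undefined
```

The leaked property is the whole attack: any later check of the form `if (user.isAdmin)` or `options.shell` on an object that never set it will now read the attacker's value, which is why advisories of this class range up to critical even when the polluted key is chosen by the attacker rather than the code.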
