[Snyk] Fix for 34 vulnerabilities

[wahmed23]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • node/sail.js/containerCosmosDBWithTests/Application/package.json
  • node/sail.js/containerCosmosDBWithTests/Application/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	661/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.8	Arbitrary Code Injection SNYK-JS-MORGAN-72579	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIM-1017038	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	Yes	No Known Exploit
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	Yes	Proof of Concept
	816/1000 Why? Mature exploit, Has a fix available, CVSS 8.6	Uninitialized Memory Exposure npm:base64-url:20180512	Yes	Mature
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution npm:ejs:20161128	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Cross-site Scripting (XSS) npm:ejs:20161130	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) npm:ejs:20161130-1	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:parsejson:20170908	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	Yes	No Known Exploit
	324/1000 Why? Has a fix available, CVSS 2.2	Uninitialized Memory Exposure npm:utile:20180614	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: grunt

The new version differs by 71 commits.

• 27bc5d9 Merge pull request #1714 from gruntjs/release-1.2.0
• 64a3cf4 Release v1.2.0
• 0d23eff Merge pull request #1570 from bhldev/feature-options-keys
• ee70306 Merge pull request #1697 from philz/1696
• 05c0634 Merge pull request #1712 from gruntjs/fix-lint
• cdd1c19 fix lint in file.js
• bc168e3 Merge pull request #1283 from greglittlefield-wf/recognize-relative-links
• 5f16b5a Merge pull request #1675 from STRML/remove-coffeescript
• 58f80ae Merge pull request #1677 from micellius/monorepo-support
• 1f61427 Add CODE_OF_CONDUCT.md
• 4c6fcd9 Merge pull request #1709 from NotMoni/patch-1
• 169d496 add link to license
• 288ea76 add license link
• d5cdac0 Merge pull request #1706 from gruntjs/tag-neew
• 4674c59 v1.1.0
• 6124409 Merge pull request #1705 from gruntjs/mkdirp-update
• 0a66968 Fix up Buffer usage
• 4bfa98e Support versions of node >= 8
• f1898eb Update to mkdirp ~1.0.3
• 7985b19 Avoiding infinite loop on very long command names.
• 75da17b HTTPS link to gruntjs.com (#1683)
• 5a0a02b support monorepo (relative path)
• 6795d31 Update js-yaml dependecy to ~3.13.1 (#1680)
• 66fc8fa support monorepo (test case)

See the full diff

Package name: grunt-contrib-concat

The new version differs by 8 commits.

• 9e0f72f 2.0.0
• de2b0e9 Merge pull request [Snyk] Security upgrade nodemon from 1.17.5 to 2.0.0 #192 from gruntjs/release-2
• 2f2aeff Release docs
• 63a42a8 Merge pull request [Snyk] Security upgrade nodemon from 1.17.5 to 2.0.0 #191 from gruntjs/update-deps-oct
• 4c4fab8 Update CI
• 71d6edd Update dependencies
• 9054b14 Merge pull request [Snyk] Security upgrade werkzeug from 0.16.1 to 3.0.3 #176 from alexjking/fix-browserify-sourcemap-regex
• b1cf785 fix(sourcemap-regex): fix regex to match browserify sorucemap charset

See the full diff

Package name: grunt-contrib-cssmin

The new version differs by 25 commits.

• 3ff3635 v4.0.0.
• a62ac0e package.json: switch to the caret operator for clean-css
• f8b6a7b Adds "no rebase" test case.
• 5c05f6b Updates clean-css dependency to version 5.
• 83b0c2f Update all dependencies except clean-css
• e6dc6f8 Bump lodash from 4.17.15 to 4.17.19 ([Snyk] Security upgrade express from 4.16.3 to 4.20.0 #305)
• efa725b Bump underscore.string from 3.3.4 to 3.3.5 ([Snyk] Security upgrade sails from 0.12.14 to 1.5.12 #303)
• 6d57138 Merge pull request [Snyk] Security upgrade express from 4.16.3 to 4.20.0 #302 from gruntjs/dependabot/npm_and_yarn/lodash-4.17.15
• 866523c Bump lodash from 4.17.10 to 4.17.15
• 052b0cb v3.0.0.
• 142e850 Update all deps and require Node.js >= 6.
• 07bf23c v2.2.1.
• eb66929 Use new rebase configuration for clean-css@4 ([Snyk] Security upgrade sails from 0.12.14 to 1.5.12 #296)
• 5404a77 Update clean-css to v4.1.1.
• f3e3987 Set required Node.js version to >=4 since clean-css 4.x requires that.
• 22471fe Update URL to clean-css repo.
• e6b2d72 Merge pull request [Snyk] Fix for 31 vulnerabilities #281 from gruntjs/cleancss4
• c4aa531 v2.0.0.
• 47e6ed6 Update clean-css to ~4.0.3.
• 142b040 v1.0.2
• f806e2d Merge pull request [Snyk] Fix for 10 vulnerabilities #271 from hthief/master
• 11e6558 Path implementation changed in node v6 to assert inputs as strings
• 3c13094 Update CI configs from the latest grunt-contrib-internal.
• da1a48b Upgrade grunt and devDeps to 1.0

See the full diff

Package name: grunt-contrib-jst

The new version differs by 11 commits.

• 376f0d0 fix up the line endings on windows
• ed88af9 v2.0.0
• 1bd3d2a Merge pull request [Snyk] Fix for 35 vulnerabilities #65 from shailesh-kanzariya/upgrade_lodash_to_4.17.20
• 0d595c2 updated ci script
• e659f27 modified engine prop to nodejs 4.x
• af22b11 bumped lodash, modified jst and test cases to work with latest lodash version
• 719a961 Normalize line endings.
• 285f3ec Trying to fix Windows tests; one is left broken.
• 806ddbe Minor lint tweaks.
• adb8c04 Add AppVeyor support.
• c8bf51f Update grunt-contrib-internal

See the full diff

Package name: grunt-contrib-less

The new version differs by 25 commits.

• 8842e4f v2.1.0
• 51d03a3 Remove tabs
• 57256e0 Update more deps (Bump Newtonsoft.Json from 6.0.4 to 13.0.1 in /dotnet/aspnet/webappWithTests/Application/SampleWebApplication microsoft/devops-project-samples#357)
• e7a6d59 Remove extra tabs
• 25062cf Update more deps
• b8785aa Switch to Github actions, update deps (Bump rack from 2.0.4 to 2.2.3.1 in /ruby/rails/container/Application microsoft/devops-project-samples#356)
• 94533ed Add a process option to the compiler (Bump grunt from 1.0.1 to 1.5.2 in /node/sail.js/containerCosmosDBWithTests/Application microsoft/devops-project-samples#349)
• 7e8057c Updating lodash patch 4.17.11 (Bump ejs from 2.5.5 to 3.1.7 in /node/sail.js/containerCosmosDBWithTests/Application microsoft/devops-project-samples#348)
• 815cef9 v2.0.0 with dep updates (Bump nokogiri from 1.8.5 to 1.13.4 in /ruby/rails/webapp/Application microsoft/devops-project-samples#342)
• 5b04ca0 Update less to 3.0.0 (Bump bootstrap from 3.0.0 to 3.4.1 in /dotnet/aspnet/mssqldb/Application/SampleWebApplication microsoft/devops-project-samples#340)
• d8231dc Add node 8, remove node 0.10 (Bump bootstrap from 3.0.0 to 3.4.1 in /dotnet/aspnet46/vm-webapp/Application/SampleWebApplication microsoft/devops-project-samples#337)
• 0353e53 accept a function for sourceMapFilename ([Snyk] Security upgrade org.springframework.boot:spring-boot-starter-web from 1.5.7.RELEASE to 3.2.10 #306)
• c81d284 accept a function for sourceMapURL ([Snyk] Security upgrade org.springframework.boot:spring-boot-starter-web from 1.5.7.RELEASE to 3.2.10 #307)
• e0c3722 Update AppVeyor project.
• 459ca0b Update less-options.md
• c282d0d v1.4.1.
• a507646 Rethrow the compilation error after printing the message. ([Snyk] Security upgrade sails from 0.12.14 to 1.0.0 #315)
• 924189e Use path.basename for sourceMappingURL. ([Snyk] Fix for 1 vulnerabilities #322)
• 5501c3b Add a test case for `calc` and `strictMath`.
• a4ef5e1 Reduce lodash usage.
• a50a622 v1.4.0.
• 22720e2 Merge pull request [Snyk] Fix for 1 vulnerabilities #321 from gruntjs/deps
• 88daf05 Update dependencies, including less ~2.7.1.
• 1d749b0 Simplify code.

See the full diff

Package name: grunt-contrib-uglify

The new version differs by 72 commits.

• a3f3f34 5.2.1
• 3c8d904 Update Readme
• 0850dcd update dependencies (#568)
• c27ad5f Bump minimist from 1.2.5 to 1.2.6 (#567)
• 98b4c5f Fix documentation in relation to issue #565 (#566)
• 7228446 Bump minimist from 1.2.5 to 1.2.6 (#563)
• e410511 Update deps, v5.1.0 (#564)
• 2cb31be Update uglify-js to v3.15.2 (#562)
• 12ca0f2 Fix wording in README.md (#560)
• 1f6a012 Bump path-parse from 1.0.6 to 1.0.7 (#558)
• 0e4b1a0 Update uglify-js (#557)
• 9ccf10d Bump hosted-git-info from 2.8.8 to 2.8.9 (#556)
• 4e83e45 Update UglifyJS to 3.13.3 (#554)
• 8674feb Bump ini from 1.3.5 to 1.3.8 (#552)
• 14b71da v5.0.0
• 9259448 Bump lodash from 4.17.11 to 4.17.19 (#550)
• 4645446 Bump js-yaml from 3.5.5 to 3.14.0 (#551)
• b7bcde4 Delete .travis.yml
• cba2631 Delete appveyor.yml
• 3dc53f0 ini github workflow
• f65dbb9 v4.0.1. (#535)
• b33a071 upgrade devDependencies (#536)
• 1e40037 upgrade to uglify-js 3.5.0 (#534)
• 33724cd update links to uglifyJS documentation (#530)

See the full diff

Package name: grunt-contrib-watch

The new version differs by 20 commits.

• 3b7ddf4 v1.1.0
• 72b1214 Updating dependencies, async, lodash and tiny-lr
• 5adb27c Merge pull request #543 from digitalbazaar/master
• 6ec71e9 v1.0.1
• 7d20933 Update copyright year
• e3d19df Update ci configs
• d117574 Updating ci configs
• 99410a7 README.md: Fixed typos (#536)
• f07311b Update tiny-lr dependency to 1.x
• 7f8cf80 Add local grunt-cli
• ab6771e Drop back to [email protected] until the bad test helper can be sorted
• 2e2daa5 Update to [email protected]
• 3d7fa3a Avoid timing issue in tests because of the bad test helper
• 0130a16 Merge pull request #500 from gruntjs/deps
• 5289845 Update devDependencies.
• fd3ed7a Lint tweaks.
• e42386a Merge pull request #501 from cepko33/master
• 8c93077 Updated lodash and changed outdated 'contains' to 'includes'
• 986b8a9 Update CHANGELOG.
• 5e155ec Add AppVeyor for Windows testing.

See the full diff

Package name: sails

The new version differs by 250 commits.

• e46c83b 1.5.1
• 023319e Update version of prompt to 1.2.1 (#7202)
• ed349a1 Add note about supported versions of Postgres
• 15b43ff Merge pull request #7181 from balderdashy/update-upgrading-to-1.0-docs
• 39e34cd Update To1.0.md
• 9c821ec Add note about undefined attributes
• 799f2c0 Update README.md
• 2533f67 Fix broken link in docs
• ead0403 1.5.0
• 6199f96 Merge pull request #7172 from ElizabethForest/master
• 4bc6054 Merge pull request #7176 from sailscastshq/docs-typo-fix
• 71844d4 fix: correct misspelt waterline
• 780864e Merge pull request #7175 from jarodccrowe/master
• 72609ac going over this PR with @ mikermcneil
• b2bcf39 Add documentation regarding a breaking change in SSL connection syntax
• 384e796 Merge pull request #7174 from eltociear/patch-1
• 4a081c7 Fix typo in sails-run.js
• 8c9012c Restore Construction Type
• 869c0f3 disable no-unused-vars check
• 9747d06 add handleConstructingSessionStore to allow for more flexibility
• 0ad5947 Fix tests - avoid having mongo cause issues for later tests
• cc0820b support connect-mongo v4
• f399a2a Merge pull request #7158 from zsteinkamp/patch-1
• 1b1ca7c Small text correction

See the full diff

Package name: sails-disk

The new version differs by 85 commits.

• 15faa44 1.0.0
• a2b7ee6 1.0.0-12
• 9d7118c Only set footprint keys for uniqueness violations.
• a2c2261 Add some assertions.
• a222824 Update gitignore and scripts
• 3b3c334 1.0.0-11
• cef95b4 Support updating the primary key value, as long as it's not using _id as the column.
• aad2a15 Set _id column to value of primary key when creating records.
• 333e2d1 1.0.0-10
• c8a26c5 Add shim to replicate MongoDB's behavior w/ `{ $ne: null }` and empty arrays.
• bf92cb8 1.0.0-9
• af97943 Workaround issue with projections including only `_id`
• b5b985b Relax restrictions on using `_id` column in sails disk.
• f4adfd7 Add an entry in the `refCols` dictionary for every model, so we don't have to short-circuit checks for it later
• b494fd9 In `find`, deserialize Buffer objects into `ref` attributes where possible.
• 7aaaaa4 Merge pull request [Snyk] Security upgrade jsdom from 13.0.0 to 16.6.0 #58 from balderdashy/expose-lib
• 70ead96 (whoops) Add back 0.10 and 0.12 in appveyor.yml
• beabe7a Merge pull request [Snyk] Fix for 34 vulnerabilities #57 from balderdashy/expose-lib
• 9c80187 1.0.0-8
• f7a349d Actually, don't expose the static lib. (No reason to do so, and better to not introduce something experimental if there's any chance it could make an app dependent on random stuff in a dev-only adapter)
• 2d4d97e 1.0.0-7
• f2dd761 Rename afterwards function to avoid perceived scope conflict (whether or not it'd ever actually be a big deal, this avoids any potential future scope issues from refactoring, etc).
• 4051e5e 1.0.0-6
• 250c32e Handle stray error (and a couple of other trivial changes just from when I was reading through the code)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Arbitrary Code Injection
🦉 Cross-site Scripting (XSS)
🦉 More lessons are available in Snyk Learn