[Snyk] Fix for 8 vulnerabilities

[MarcelRaschke]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-GETOBJECT-1054932	No	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Directory Traversal SNYK-JS-GRUNT-2635969	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Race Condition SNYK-JS-GRUNT-2813632	No	Proof of Concept
	569/1000 Why? Has a fix available, CVSS 7.1	Arbitrary Code Execution SNYK-JS-GRUNT-597546	No	No Known Exploit
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Improper Privilege Management SNYK-JS-SHELLJS-2332187	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: grunt

The new version differs by 75 commits.

• 82d79b8 1.5.3
• 572d79b Merge pull request #1745 from gruntjs/fix-copy-op
• 58016ff Patch up race condition in symlink copying.
• 0749e1d Merge pull request #1746 from JamieSlome/patch-1
• 69b7c50 Create SECURITY.md
• ac667b2 1.5.2
• 7f15fd5 Update Changelog
• b0ec6e1 Merge pull request #1743 from gruntjs/cleanup-link
• 433f91b Clean up link handling
• d5969ec 1.5.1
• ad22608 Merge pull request #1742 from gruntjs/update-symlink-test
• 0652305 Fix symlink test
• a7ab0a8 1.5.0
• b2b2c2b Updated changelog
• 3eda6ae Merge pull request #1740 from gruntjs/update-deps-22-10
• 47d32de Update testing matrix
• 2e9161c More updates
• 04b960e Remove console log
• aad3d45 Update dependencies, tests...
• fdc7056 Merge pull request #1736 from justlep/main
• e35fe54 support .cjs extension
• ee722d1 1.4.1
• e7625e5 Update Changelog
• 5d67e34 Merge pull request #1731 from gruntjs/update-options

See the full diff

Package name: grunt-contrib-jshint

The new version differs by 37 commits.

• 1910674 3.1.0
• b7edf02 update jshint to ~2.13.0
• 270d8dd Merge pull request No tests for rules-count? CSSLint/csslint#303 from gruntjs/dependabot/npm_and_yarn/path-parse-1.0.7
• 77dca66 Bump path-parse from 1.0.6 to 1.0.7
• 1028d82 Merge pull request small typo in parserlib.js CSSLint/csslint#301 from gruntjs/dependabot/npm_and_yarn/hosted-git-info-2.8.9
• eb0314f Bump hosted-git-info from 2.8.8 to 2.8.9
• 337623c Merge pull request CSS: "already been defined" on different media CSSLint/csslint#300 from gruntjs/dependabot/npm_and_yarn/lodash-4.17.21
• 51e07d4 Bump lodash from 4.17.20 to 4.17.21
• 9c08ff1 Merge pull request box-model rule emits warning even if box-sizing is set CSSLint/csslint#299 from gruntjs/dependabot/npm_and_yarn/y18n-4.0.1
• 7834701 Bump y18n from 4.0.0 to 4.0.1
• d4359aa Merge pull request box-model rule not respecting box-sizing property CSSLint/csslint#298 from gruntjs/dependabot/npm_and_yarn/ini-1.3.8
• 52f5e31 Bump ini from 1.3.5 to 1.3.8
• 8f597c2 Add changelog
• fc210e7 Merge pull request Rule: font and font-family declarations should always end with sans-serif, serif, or monospace CSSLint/csslint#275 from raddevon/patch-1
• 03f4302 Merge pull request Make CLI accept configuration file CSSLint/csslint#297 from gruntjs/peer-dep
• 01d13d2 Remove Grunt peerDependency
• c78f6ee Merge pull request The repo your repo could be like! CSSLint/csslint#296 from gruntjs/chalk-upt
• 656f31b Update chalk
• 16ee83d Merge pull request Error - Unknown @ rule: @-ms-keyframes CSSLint/csslint#295 from gruntjs/uptdate-deps-oct
• df2b06d Update dependencies, switch to github actions
• 9bb54cd Merge pull request Warning for -webkit-text-stroke CSSLint/csslint#291 from gruntjs/dependabot/npm_and_yarn/lodash-4.17.15
• d2e4063 Bump lodash from 4.17.10 to 4.17.15
• cfd9ade Merge pull request -moz-appearance property suggestion by CSS Lint "not relevant"? CSSLint/csslint#290 from gruntjs/ver
• 12045c1 v2.1.0

See the full diff

Package name: grunt-contrib-watch

The new version differs by 4 commits.

• 3b7ddf4 v1.1.0
• 72b1214 Updating dependencies, async, lodash and tiny-lr
• 5adb27c Merge pull request Flexbox properties trigger “Use known properties” warning CSSLint/csslint#543 from digitalbazaar/master
• f07311b Update tiny-lr dependency to 1.x

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal
🦉 Arbitrary Code Execution