[Snyk] Fix for 19 vulnerabilities

[MarcelRaschke]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Improper Privilege Management SNYK-JS-SHELLJS-2332187	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:eslint:20180222	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: gulp

The new version differs by 134 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples (PDF generation: Setting TOC title readthedocs/readthedocs.org#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (readthedocs+recommonmark still does not get code highlighting readthedocs/readthedocs.org#1859)
• 723cbc4 Docs: Fix syntax in recipe example (Improve the documentation about domain and translation readthedocs/readthedocs.org#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (Spam on readthedocs.org readthedocs/readthedocs.org#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (Refactor oauth utils and managers readthedocs/readthedocs.org#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (Handle logged out users on build detail page readthedocs/readthedocs.org#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API (Replace vendored theme with commonjs import and bower sources readthedocs/readthedocs.org#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (Build failing with "text file busy" readthedocs/readthedocs.org#1609)

See the full diff

Package name: gulp-eslint

The new version differs by 8 commits.

• a398838 4.0.0
• 18a4299 emit an error when it fails to load an ESLint plugin
• b8bf261 update ESLint from v3 to v4 (opencomparison.rtfd.org returns a 403 readthedocs/readthedocs.org#198)
• c0e82ce use `Buffer.from` instead of `new Buffer`
• e6c67a2 drop support for linting `Stream` contents
• 132d5cc Fix formatting issues in README.md (Not sure what all uses it, but our only reference to the github API refers to v2 which will be sunsetted in a month. readthedocs/readthedocs.org#194)
• 7f65378 remove link to config file `globals` doc
• 8ddfb84 correct the type of `globals` option in README

See the full diff

Package name: gulp-less

The new version differs by 11 commits.

• 9d9e96f chore: update deps, publish v5
• ea13d8a Merge pull request docs stuck readthedocs/readthedocs.org#313 from MisterLuffy/master
• 7ce4b9b feat: support less v4
• 1a9d694 Merge pull request Doc deletion request readthedocs/readthedocs.org#314 from stamminator/master
• b1a3e18 Update .travis.yml
• ecacdf7 Fix links after moving repo
• 403b696 4.0.1
• 0678856 Upgrade less version to 3.7.1
• 6114989 Update README.md (How to delete account on readthedocs.org? readthedocs/readthedocs.org#292)
• 7d9df97 4.0.0
• cde149b Update accord to support [email protected] - closes search in projects is not filtered by project, although result page claims so. readthedocs/readthedocs.org#269

See the full diff

Package name: gulp-watch

The new version differs by 5 commits.

• 959128a 5.0.0
• 9208d48 Bump chokidar to ^2.0.0
• 02bd06d Update to newest vinyl for gulp 4 support (pdf builds failing readthedocs/readthedocs.org#296)
• 4ced696 Add Node.js 9 and increase timeout to 5 secs
• aa8146f Remove unsupported versions of Node.js

See the full diff

Package name: less

The new version differs by 127 commits.

• b873737 Merge pull request Add an advertising screen readthedocs/readthedocs.org#3177 from Kartoffelsalat/master
• bd2a93f chore(package): update request to 2.83.0
• 3699921 Merge pull request Wiping has no effect readthedocs/readthedocs.org#3170 from thorn0/patch-1
• 6985541 Having `inline` and `less` imports of the same name lead to a race condition
• 2f1386f Merge pull request Different Online/offline PDF readthedocs/readthedocs.org#3168 from matthew-dean/master
• 4272871 Fixes Doc build killed during pip installation of large (~190 MB) dependency readthedocs/readthedocs.org#3116 - lessc not loading plugins in 3.0
• ba5ad9c Point badges at master branch
• 4962988 Update CHANGELOG.md
• 12fe0c6 Update README.md
• 45d06b9 Merge pull request Fix a minor HTML issue - ul can't be a child of ul readthedocs/readthedocs.org#3163 from matthew-dean/master
• 9590b7b Add dist files
• 0b6536b Merge branch '3.x'
• a48c24c calc() fix - fixes MkDocs builds: RTD theme styles are broken readthedocs/readthedocs.org#974 (partially Cannot import with self-signed certificate readthedocs/readthedocs.org#1880)
• 367b46a Merge pull request Custom robots.txt support? readthedocs/readthedocs.org#3161 from matthew-dean/3.x
• 4508495 Remove legacy upgrade
• 2a4a63a Update CHANGELOG.md with 3.x list
• bb6da28 Update README.md
• f80a021 Merge pull request Build passed but no documentation or downloads readthedocs/readthedocs.org#3159 from matthew-dean/3.x
• 8b4524f Bump to 3.0.0-RC.1
• d30e3a6 Merge pull request conda version used at RTD contains bug -- newer version available readthedocs/readthedocs.org#3150 from anthony-redFox/3.x
• 0b7c81c Removed install npm 2 version for appveyor. It was hotfix for old node version.
• 5d230dd Drop node 0.10 and 0.12 and added node 9 matrix testing
• 385da8f Update stale.yml
• d384779 Create stale.yml

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:hawk:20160119	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Timing Attack npm:http-signature:20150122	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	No Known Exploit
	469/1000 Why? Has a fix available, CVSS 5.1	Remote Memory Exposure npm:request:20160119	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:semver:20150403	No Known Exploit
	741/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.4	Command Injection npm:shell-quote:20160621	Proof of Concept
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the effected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Improper minification of non-boolean comparisons