[Snyk] Fix for 12 vulnerabilities

[neogeek]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-COLORSTRING-1082939	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	Yes	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: css-loader

The new version differs by 136 commits.

• 43179a8 chore(release): 1.0.0
• 3d53968 Merge remote-tracking branch 'origin/master'
• 240db53 version 1.0 (#742)
• 1b7acf7 Merge remote-tracking branch 'origin/master'
• 1703721 docs(README): add more context to `localIdentName` (#711)
• 1c51265 docs(README): fix malformed emoji (#701)
• 50f8ec0 Merge remote-tracking branch 'origin/master'
• 07444ad tests: css custom variables (#709)
• 3de8aa7 tests: css custom variables (#709)
• df497db chore(release): 0.28.11
• c788450 fix(lib/processCss): don't check `mode` for `url` handling (`options.modules`) (#698)
• c35d8bd chore(release): 0.28.10
• 9f876d2 fix(getLocalIdent): add `rootContext` support (`webpack >= v4.0.0`) (#681)
• 0452f26 test: hashes inside `@ font-face` url (#678)
• 630579d chore(release): 0.28.9
• 604bd4b chore(package): update dependencies
• d1d8221 fix: ignore invalid URLs (`url()`) (#663)
• 0fc46c7 chore(release): 0.28.8
• 333a2ce chore(package): update `dependencies`
• 39773aa ci(travis): use `npm`
• 8897d44 fix: proper URL escaping and wrapping (`url()`) (#627)
• 0dccfa9 fix(loader): correctly check if source map is `undefined` (#641)
• d999f4a docs: Update importLoaders documentation (#646)
• 05c36db test: removed redundant `modules` argument (#599)

See the full diff

Package name: less

The new version differs by 250 commits.

• e4f7551 v3.12.0
• 371185c v3.12.0-RC.2 (#3540)
• d5aa9d1 Fixes #3371 Allow conditional evaluation of function args (#3532)
• a722237 Remove lib folder from git (#3531)
• e0f5c1a Move changelog to root (#3530)
• f7bdce7 Duplicate dist files in root for older links (#3529)
• 0925cf1 Test-data module (#3525)
• 51fb02b Fixes #3504 / organizes tests (#3523)
• efb76ec Restore nuked scripts (?), replace dependencies (#3501) (#3522)
• 2c5e4dd Lerna refactor / TS compiling w/o bundling (#3521)
• a3641e4 Resolve #3398 Add flag to disable sourcemap url annotation (#3517)
• e018ba8 fix(#3294): use loadFileSync when loading plugins with syncImport: true (#3506)
• 95b9007 Update changelog
• 6238bbc Fixes #3508 (#3509)
• 8338366 Update README.md
• 6313bc5 Update changelog
• 53bf877 Remove tree caching in import manager (#3498)
• 0f271f3 issue#3481 ignore missing debugInfo (#3482)
• 3bd995b Additional check to avoid evaluating an expression if it is a comment (#3494)
• 0715d90 fix: Use make-dir instead of mkdirp (#3490)
• 2634494 Properly exit calc mode after use (#3493)
• 096dd22 Convert to auto-changelog (#3477)
• 842386b Fixes #3469 - Include tslib dependency (#3475)
• 1adaadb 3.11.0 (#3468)

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 4be093d 2.2.0
• 2278469 2.2.0-rc.8
• b946eb4 Merge pull request #3988 from malstoun/bug/2664
• 260e413 Merge pull request #3986 from webpack/bugfix/revert_use_of_buffer_dot_from
• 0ec7de9 Fix regression with watch cli opt, add tests for this case
• 72226db add missing disable line
• 4d30675 build fresh yarn.lock file to remove buffer polyfill
• 91c1f35 fix(node): rollback changes of Buffer.from to new Buffer() and bump down travis to 4.3 min node v
• 0b47602 2.2.0-rc.7
• db6ccbc Merge pull request #3978 from webpack/bugfix/conditional-reexports
• 82a5b03 Merge pull request #3977 from malstoun/bug/2664
• fc1a43b Merge pull request #3976 from timse/rely-on-defaults
• a44694a hoist exports declarations too
• 682bde8 Fix lint
• c6d7d90 Add tests
• af8d49e remove defaults values to shave a few bytes
• 9796696 2.2.0-rc.6
• e9bdb05 Merge pull request #3971 from webpack/bugfix/fix_available_vars_in_fmtp
• bd45bdc add test case for global in harmony modules
• bfccb20 fix PR
• 5a3a23f fix(nmf): Fix exports for var injection to include free glob exports or arguments
• 437dce4 2.2.0-rc.5
• 91cb1df Merge pull request #3970 from webpack/ci/appveyor
• 9fd55e5 Merge pull request #3969 from webpack/bugfix/issue-3964

See the full diff

Package name: webpack-dev-server

The new version differs by 250 commits.

• 298341f chore(release): 2.11.4
• c42d0da fix: check origin header for websocket connection (#1626)
• 2be7196 chore: update dependencies in V2 branch, fix compatibility with Node 10 (#1715)
• 7cdfb74 2.11.3
• b71137e Increase sockjs-client version for security fix
• f33be5b 2.11.2
• dd32166 Fix support for DynamicEntryPlugin (#1319)
• ab4eeb0 Fix page not reloading after fixing first error on page (#1317)
• 83c1625 2.11.1
• 3aa15aa Merge pull request #1273 from yyx990803/master
• b78e249 fix: pin strip-ansi to 3.x for ES5 compat
• 8c1ed7a 2.11.0
• b0fa5f6 Merge pull request #1270 from yyx990803/client-refactor
• 676d590 revert to prepublish (fix ci)
• 449494f cleanup client build setup
• 6689cb8 adding test for dependency lock-down
• 3e220fe 2.10.1
• aaf7fce rollback yargs to 6.6.0
• ca8b5aa 2.10.0 (#1258)
• 17355f0 transpile client bundles with babel (#1242)
• ce30460 rolling back webpack-dev-midddleware 2.0, as it's node6+
• 00e8500 updating deps and patching as necessary
• 082ddae maint only mode
• c9c61f2 fix(package): Increase minimum `marked` version for ReDos vuln (#1255)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Improper Input Validation
🦉 More lessons are available in Snyk Learn