[Snyk] Fix for 15 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • large-file/package.json
  • large-file/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-AWSSDK-1059424	No	Proof of Concept
	616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JS-AXIOS-174505	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-BROWSERSLIST-1090194	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-CACHEDPATHRELATIVE-2342653	No	Proof of Concept
	591/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.4	Cross-site Scripting (XSS) SNYK-JS-KARMA-2395349	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-KARMA-2396325	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-LOADERUTILS-3043105	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-URLPARSE-1078283	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-URLPARSE-1533425	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: aws-sdk

The new version differs by 250 commits.

• 8875a35 Updates SDK to v2.814.0
• dd83d67 throw at invalid profile name in shared ini file ([Snyk(Unlimited)] Upgrade express-fileupload from 0.0.5 to 0.4.0 snyk-fixtures/npm-lockfiles#3585)
• ee0c5a3 Updates SDK to v2.813.0
• 468d15b Updates SDK to v2.812.0
• c50132f Update README.md with references to JS SDK V3 ([Snyk(Unlimited)] Upgrade errorhandler from 1.2.0 to 1.5.1 snyk-fixtures/npm-lockfiles#3582)
• 3e19b08 Updates SDK to v2.811.0
• f26c00d Updates SDK to v2.810.0
• b393a6e Adds automatic PreSignedUrl generation to RDS.StartDBInstanceAutomatedBackupsReplication ([Snyk(Unlimited)] Upgrade verbosity from 0.9.2 to 0.10.1 snyk-fixtures/npm-lockfiles#3566)
• fa57967 Updates SDK to v2.809.0
• 9a52018 Updates SDK to v2.808.0
• 1958076 Updates SDK to v2.807.0
• ffcad20 Updates SDK to v2.806.0
• 2f37893 chore: remove cognitoidentity customizations to disable auth ([Snyk(Unlimited)] Upgrade mongoose from 4.2.4 to 4.13.19 snyk-fixtures/npm-lockfiles#3543)
• c6fe3c0 Updates SDK to v2.805.0
• 71d6fa9 Fix dual-callback case ([Snyk(Unlimited)] Upgrade dustjs-helpers from 1.5.0 to 1.7.4 snyk-fixtures/npm-lockfiles#3537)
• b981971 Updates SDK to v2.804.0
• 332573f Updates SDK to v2.803.0
• deb7bc7 Updates SDK to v2.802.0
• b6401d0 Remove incorrectly named service named 'Profile' ([Snyk(Unlimited)] Upgrade lodash from 4.17.10 to 4.17.15 snyk-fixtures/npm-lockfiles#3562)
• 3364d4b Updates SDK to v2.801.0
• d400577 Updates SDK to v2.800.0
• 21c7dc0 Updates SDK to v2.799.0
• d2b8964 Updates SDK to v2.798.0
• 44ded82 fix: test IAM.getUser instead of listUsers ([Snyk(Unlimited)] Upgrade consolidate from 0.14.5 to 0.15.1 snyk-fixtures/npm-lockfiles#3542)

See the full diff

Package name: cached-path-relative

The new version differs by 2 commits.

• 07947c4 1.1.0
• 40c73bf Fix other instances of prototype pollution vulnerability

See the full diff

Package name: caniuse-api

The new version differs by 14 commits.

• 1b74c10 3.0.0
• 3ab3a83 updating browserslist to v4
• 11c9091 preparing for 2.1.0
• fb40d95 use yarn and bump dependencies
• 5e41118 remove footnotes related stuff
• 54457e2 add yarn.lock
• ceb721c add tests to isSupported for multiple browsers and throw
• f0c5d88 Change X to lowercase for getSupport
• eaac367 Merge pull request [Snyk] Fix for 1 vulnerabilities #71 from le0nik/update_browserslist_3
• 7e57b2d Update browserslist to v3
• 851c1a3 2.0.0
• 9211b85 Merge pull request [Snyk] Fix for 50 vulnerabilities #59 from ben-eb/caniuse-lite
• b9bb0ac Upgrade Browserslist to 2.0.0.
• 1f10589 Migrate from caniuse-db to caniuse-lite. Closes [Snyk] Security upgrade tap from 11.1.3 to 15.0.0 #57.

See the full diff

Package name: html-minifier

The new version differs by 41 commits.

• 4beb325 Version 4.0.0
• 583e086 handle custom fragments within CSS/JS correctly ([Snyk(Unlimited)] Upgrade node-uuid from 1.4.0 to 1.4.8 snyk-fixtures/npm-lockfiles#1015)
• 47b7042 minify Content-Security-Policy ([Snyk(Unlimited)] Upgrade qs from 0.0.6 to 0.6.6 snyk-fixtures/npm-lockfiles#1014)
• c810fa3 Update Jekyll's ignores. ([Snyk(Unlimited)] Upgrade adm-zip from 0.4.7 to 0.4.13 snyk-fixtures/npm-lockfiles#1013)
• f3f080c Remove eslint-plugin-no-use-extend-native. ([Snyk(Unlimited)] Upgrade node-uuid from 1.4.0 to 1.4.8 snyk-fixtures/npm-lockfiles#1012)
• da5c7a5 Update .gitattributes. ([Snyk(Unlimited)] Upgrade qs from 0.0.6 to 0.6.6 snyk-fixtures/npm-lockfiles#1011)
• c3a9ab7 Travis: remove only gh-pages branch. ([Snyk(Unlimited)] Upgrade debug from 2.0.0 to 2.6.9 snyk-fixtures/npm-lockfiles#1010)
• 5342a06 Drop Node.js < 6 support. ([Snyk(Unlimited)] Upgrade @thebespokepixel/es-tinycolor from 0.3.1 to 0.3.2 snyk-fixtures/npm-lockfiles#1008)
• df65c0c Update .travis.yml ([Snyk(Unlimited)] Upgrade @thebespokepixel/meta from 0.2.3 to 0.2.5 snyk-fixtures/npm-lockfiles#1006)
• ce0e834 implement `continueOnParseError` ([Snyk(Unlimited)] Upgrade sgr-composer from 0.5.0 to 0.5.3 snyk-fixtures/npm-lockfiles#1004)
• fe4f5f8 use semver operators for dependencies ([Snyk(Unlimited)] Upgrade term-ng from 0.8.1 to 0.8.5 snyk-fixtures/npm-lockfiles#1003)
• 862d6a4 update dependencies ([Snyk(Unlimited)] Upgrade lodash from 4.17.10 to 4.17.15 snyk-fixtures/npm-lockfiles#1002)
• 5494091 Version 3.5.21
• c6ecb90 Support <!doctypehtml> in the parser
• c3f5168 Update build
• f625991 Merge pull request [Snyk(Unlimited)] Upgrade term-ng from 0.8.1 to 0.8.5 snyk-fixtures/npm-lockfiles#970 from mathiasbynens/doctype
• cf55c51 Merge pull request [Snyk(Unlimited)] Upgrade node-uuid from 1.4.0 to 1.4.8 snyk-fixtures/npm-lockfiles#965 from mathiasbynens/fix-ampersand
• 7e8406e Use <!doctypehtml> (without the space) where possible
• 9b0c7cc Prevent data loss when using `decodeEntities`
• df720b3 handle `clean-css` errors correctly ([Snyk(Unlimited)] Upgrade @thebespokepixel/string from 0.5.2 to 0.5.10 snyk-fixtures/npm-lockfiles#955)
• dcb6941 fix STDIN handling of CLI ([Snyk(Unlimited)] Upgrade lodash from 4.17.10 to 4.17.15 snyk-fixtures/npm-lockfiles#956)
• 1f8df44 fix `--minify-urls` in CLI ([Snyk(Unlimited)] Upgrade term-ng from 0.8.1 to 0.8.5 snyk-fixtures/npm-lockfiles#957)
• 2d34ad5 Update README.md ([Snyk(Unlimited)] Upgrade node-uuid from 1.4.0 to 1.4.8 snyk-fixtures/npm-lockfiles#954)
• b61dfcc Version 3.5.20

See the full diff

Package name: html-webpack-plugin

The new version differs by 139 commits.

• eb73905 chore(release): 4.0.0
• 42a6d4a Add typing for getHooks
• a1a37cf Release html-webpack-plugin 4.0.0-beta.14
• 97f9fb9 fix: load script files before style files files in defer script loading mode
• e97ce17 Release html-webpack-plugin 4.0.0-beta.13
• e448b5d Release html-webpack-plugin 4.0.0-beta.12
• de315eb feat: Add defer script loading
• 7df269f feat: Provide a verbose error message if html minification failed
• 1d66e53 feat: merge templateParameters with default template parameters
• dfb98e7 Fix typo in template option docts
• 096a760 Fix broken links in examples
• a195c34 docs: Update template-option documentation
• 40b410e docs: Update example for template parameters
• bf017f3 chore: Release 4.0.0-beta.11
• 2549557 test: Don't use minification for speed measurement
• de22fc2 test: Adjust measurment for node 6 on travis
• 24bf1b5 fix: Update references to html-minifier
• f4eafdc chore: Release 4.0.0-beta.10
• a2ad30a refactor: Use getAssetPath instead of calling the hook directly
• 2595a79 chore: Release 4.0.0-beta.9
• c66766c feat: Add support for minifying inline ES6 inside html templates
• 655cbcd Fix README typo
• 6de319b update lodash dependency for prototype polution vulnerability
• 35a1541 Properly encode file names emitted as part of URLs.

See the full diff

Package name: karma

The new version differs by 250 commits.

• ab4b328 chore(release): 6.3.16 [skip ci]
• ff7edbb fix(security): mitigate the "Open Redirect Vulnerability"
• c1befa0 chore(release): 6.3.15 [skip ci]
• d9dade2 fix(helper): make mkdirIfNotExists helper resilient to concurrent calls
• 653c762 ci: prevent duplicate CI tasks on creating a PR
• c97e562 chore(release): 6.3.14 [skip ci]
• 91d5acd fix: remove string template from client code
• 69cfc76 fix: warn when `singleRun` and `autoWatch` are `false`
• 839578c fix(security): remove XSS vulnerability in `returnUrl` query param
• db53785 chore(release): 6.3.13 [skip ci]
• 5bf2df3 fix(deps): bump log4js to resolve security issue
• 36ad678 chore(release): 6.3.12 [skip ci]
• 41bed33 fix: remove depreciation warning from log4js
• c985155 docs: create security.md
• c96f0c5 chore(release): 6.3.11 [skip ci]
• a5219c5 fix(deps): pin colors package to 1.4.0 due to security vulnerability
• de0df2f test: fix version regex in the CLI test case
• eddb2e8 chore(release): 6.3.10 [skip ci]
• 0d24bd9 fix(logger): create parent folders if they are missing
• b8eafe9 chore(release): 6.3.9 [skip ci]
• cf318e5 test: add test case for restarting test run on file change
• 92ffe60 fix: restartOnFileChange option not restarting the test run
• b153355 style: fix grammar error in browser capture log message
• 8f798d5 chore(release): 6.3.8 [skip ci]

See the full diff

Package name: loader-utils

The new version differs by 55 commits.

• 331ad50 chore(release): 1.4.2
• 17cbf8f fix: ReDoS problem ([Snyk(Unlimited)] Upgrade term-ng from 0.8.1 to 0.8.5 snyk-fixtures/npm-lockfiles#226)
• 8f082b3 chore(release): 1.4.1
• 4504e34 fix: security problem ([Snyk(Unlimited)] Upgrade qs from 0.0.6 to 0.6.6 snyk-fixtures/npm-lockfiles#220)
• d95b8b5 chore(release): 1.4.0
• cd0e428 feat: the `resourceQuery` is passed to the `interpolateName` method ([Snyk] Security upgrade tap from 5.8.0 to 11.1.3 #163)
• 06d36cf chore(release): 1.3.0
• 469eeba feat: support the `[query]` template for the `interpolatedName` method ([Snyk] Security upgrade tap from 5.8.0 to 11.1.3 #162)
• 909c99d chore: funding.yml config and CI fix ([Snyk] Fix for 2 vulnerabilities #159)
• b5b74f0 Set up CI with Azure Pipelines
• 7970c48 docs: small grammar change ([Snyk] Fix for 1 vulnerabilities #144)
• b91a76c chore(release): 1.2.3
• 3528fd9 fix(interpolateName): don't interpolated `hashType` without `hash` or `contenthash` ([Snyk] Security upgrade react-tooltip from 3.8.1 to 3.8.3 #140)
• 809b690 chore(release): 1.2.2
• d69c303 test: `interpolateName` util ([Snyk] Security upgrade npmconf from 0.0.24 to 2.1.3 #138)
• f8a71f4 fix: fixed a hash type extracting in interpolateName ([Snyk] Fix for 12 vulnerabilities #137)
• 489ef12 chore(release): 1.2.1
• 73d350a revert: PR [Snyk] Security upgrade qs from 6.0.4 to 6.2.4 #79 ([Snyk] Security upgrade npmconf from 0.0.24 to 2.1.3 #135)
• aca43da fix(isUrlRequest): better handle absolute urls and non standards ([Snyk] Security upgrade karma from 2.0.3 to 5.0.8 #134)
• ba4f0d0 chore(release): 1.2.0 ([Snyk] Fix for 1 vulnerabilities #131)
• c5c7322 test: more ([Snyk] Security upgrade karma from 2.0.3 to 5.0.8 #132)
• c17d9cd refactor: migrate on `jest` ([Snyk] Fix for 29 vulnerabilities #130)
• 3a854ba style: integrate prettier
• 0f2b227 chore(deps): update

See the full diff

Package name: uglify-js

The new version differs by 250 commits.

• bca83cb v3.14.3
• a841d45 fix corner case in `awaits` ([Snyk(Unlimited)] Upgrade dustjs-helpers from 1.5.0 to 1.7.4 snyk-fixtures/npm-lockfiles#5160)
• eb93d92 fix corner case in `awaits` ([Snyk(Unlimited)] Upgrade dustjs-linkedin from 2.5.0 to 2.7.5 snyk-fixtures/npm-lockfiles#5158)
• a0250ec fix corner case in `dead_code` ([Snyk(Unlimited)] Upgrade moment from 2.15.1 to 2.24.0 snyk-fixtures/npm-lockfiles#5154)
• 2580162 parse `let` as symbol names correctly ([Snyk(Unlimited)] Upgrade body-parser from 1.9.0 to 1.19.0 snyk-fixtures/npm-lockfiles#5151)
• 32ae994 fix issues in tests flagged by LGTM ([Snyk(Unlimited)] Upgrade mongoose from 4.2.4 to 4.13.19 snyk-fixtures/npm-lockfiles#5150)
• 03aec89 fix corner cases in `strings` & `templates` ([Snyk(Unlimited)] Upgrade humanize-ms from 1.0.1 to 1.2.1 snyk-fixtures/npm-lockfiles#5147)
• faf0190 document ECMAScript quirks ([Snyk(Unlimited)] Upgrade cfenv from 1.1.0 to 1.2.2 snyk-fixtures/npm-lockfiles#5148)
• c8b0f68 fix corner case in `merge_vars` ([Snyk(Unlimited)] Upgrade express-fileupload from 0.0.5 to 0.4.0 snyk-fixtures/npm-lockfiles#5143)
• 87b9916 fix corner case in `inline` ([Snyk(Unlimited)] Upgrade st from 0.2.4 to 0.5.5 snyk-fixtures/npm-lockfiles#5141)
• 940887f fix corner case in `evaluate` ([Snyk(Unlimited)] Upgrade npmconf from 0.0.24 to 0.2.0 snyk-fixtures/npm-lockfiles#5139)
• 0b2573c fix corner case in `templates` ([Snyk(Unlimited)] Upgrade express from 4.12.4 to 4.17.1 snyk-fixtures/npm-lockfiles#5137)
• 1575210 avoid potential RegExp denial-of-service ([Snyk(Unlimited)] Upgrade body-parser from 1.9.0 to 1.19.0 snyk-fixtures/npm-lockfiles#5135)
• f766bab enhance `templates` ([Snyk(Unlimited)] Upgrade debug from 2.0.0 to 2.6.9 snyk-fixtures/npm-lockfiles#5131)
• 436a293 enhance `dead_code` ([Snyk(Unlimited)] Upgrade color-convert from 1.9.2 to 1.9.3 snyk-fixtures/npm-lockfiles#5130)
• 55418fd fix corner case in `rests` ([Snyk(Unlimited)] Upgrade @thebespokepixel/es-tinycolor from 0.3.1 to 0.3.2 snyk-fixtures/npm-lockfiles#5129)
• 8578688 v3.14.2
• 4b88dfb tweak test & warnings ([Snyk(Unlimited)] Upgrade term-ng from 0.8.1 to 0.8.5 snyk-fixtures/npm-lockfiles#5123)
• c3aef23 fix corner case in `reduce_vars` ([Snyk(Unlimited)] Upgrade @thebespokepixel/string from 0.5.2 to 0.5.10 snyk-fixtures/npm-lockfiles#5121)
• db94d21 fix corner case in `side_effects` ([Snyk(Unlimited)] Upgrade @thebespokepixel/es-tinycolor from 0.3.1 to 0.3.2 snyk-fixtures/npm-lockfiles#5118)
• 9634a9d fix corner cases in `optional_chains` ([Snyk(Unlimited)] Upgrade node-uuid from 1.4.0 to 1.4.8 snyk-fixtures/npm-lockfiles#5110)
• befb99b fix corner case in `inline` ([Snyk(Unlimited)] Upgrade truwrap from 0.8.1 to 0.8.4 snyk-fixtures/npm-lockfiles#5115)
• 02eb8ba fix corner case in `collapse_vars` ([Snyk(Unlimited)] Upgrade term-ng from 0.8.1 to 0.8.5 snyk-fixtures/npm-lockfiles#5113)
• c09f63a fix corner case in `rests` ([Snyk(Unlimited)] Upgrade qs from 0.0.6 to 0.6.6 snyk-fixtures/npm-lockfiles#5109)

See the full diff

Package name: underscore-plus

The new version differs by 19 commits.

• f34bd44 1.7.0
• ac0a8a8 Merge pull request [Snyk] Security upgrade tap from 5.8.0 to 9.0.0 #20 from atom/upgrade-underscore
• af8a026 ⬆️ underscore@1.9.1
• 65e2a43 Merge pull request [Snyk] Security upgrade ejs from 1.0.0 to 3.1.7 #15 from t9md/patch-1
• 57a3f19 1.6.8
• 735b4f0 Restore escaping of dashes in regexes
• ad6b0f4 1.6.7
• 70e8062 Ignore package-lock file
• 7264365 Merge pull request [Snyk] Security upgrade tap from 5.8.0 to 9.0.0 #19 from atom/mb-fix-escape-regex-with-uncode-flag
• ab5b5b4 Update generated JS file
• 1997556 Use node 8 on travis
• bc58e29 Don't put backslashes before dashes in escapeRegExp
• 4a022cf Update appveyor.yml
• 8d69dd1 Remove redundant atom install step
• 5bc964e ⬆️ underscore
• 3536749 Switch appveyor from apm to npm
• 006fd0d Enable Windows builds on AppVeyor
• 7a1a24e Remove invalid homepage field
• a0f33b9 canceling adviseBefore need returning false

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Server-Side Request Forgery (SSRF)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn