[Snyk] Fix for 17 vulnerabilities

[enterstudio]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-AMMO-548920	Yes	No Known Exploit
	671/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7	Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-HANDLEBARS-1279029	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-HANDLEBARS-567742	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Improper input validation npm:call:20160705	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:content:20170908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:content:20180305	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Cross-site Scripting (XSS) npm:handlebars:20151207	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	CORS Bypass npm:hapi:20151020	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:hapi:20151223	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Potentially loose security restrictions npm:hapi:20151228	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: boom

The new version differs by 88 commits.

• 75de579 7.3.0
• a236a89 add debug mode to reformat() (Fix date copying migration to deal with number strings mozilla/publish.webmaker.org#211)
• 8727b89 Add changelog.md (#5 - Drop the text date columns and test fixes mozilla/publish.webmaker.org#210)
• af5dc90 Update README.md
• 692379a 7.2.2
• 25d4ab8 Remove engines. Closes #4 - Use only the dateTime columns mozilla/publish.webmaker.org#208
• 87d4562 misc
• 9e2c5e4 misc
• bf7ee73 7.2.1
• 8e9e651 Update hoek. Closes #2 - Add entries into the _date column when added to the date column for projects and publishedProjects mozilla/publish.webmaker.org#206
• 2790af3 misc
• e11e99e node 11 + cleanup
• cb994ed version 7.2.0
• c897ab6 424 Failed dependency implementation (Migrate Thimble projects into Publish mozilla/publish.webmaker.org#188)
• 9681132 docs(readme): clarified `boomify` statusCode default option (Fix mozilla/thimble.webmaker.org#1170 - Track date created and updated for published projects mozilla/publish.webmaker.org#187)
• 9fac0ec Fix spelling mistake (Docs probably need an update mozilla/publish.webmaker.org#182)
• e3dc6a9 Corrected minor typo in README.md (Fixed #1168 - Fixed promise bug preventing all files being tarred mozilla/publish.webmaker.org#180)
• 3e25415 Fix typo in README (ERD diagram mozilla/publish.webmaker.org#178)
• 55d8996 Test boomify with instanceof
• 19189a9 7.1.1
• 310c986 Support instanceof Boom. Closes don't inject the "remix" option for readonly projects mozilla/publish.webmaker.org#173
• a47d150 7.1.0
• 9bfefb6 decorate option. Closes Honour readonly mozilla/publish.webmaker.org#172
• a75a104 Clarified usage of new

See the full diff

Package name: hapi

The new version differs by 250 commits.

• b8e64d0 Update version
• 5ced8ae 18.1.0
• 7578f61 Expose bourne settings. Closes #3917
• 3378e78 Update dep. Closes #3922
• 4b59b3f 18.0.1
• 5f6a00b misc
• ccc538d Typo
• 1af289f Update deps. Closes #3912. Closes #3914
• aa3934f Add IDEs
• 75756f6 Fix route assert. Closes #3909
• 06a48ea 18.0.0
• 4da282e Its 2019
• 4bd7c38 Update deps. Closes #3905. Closes #3906. Closes #3907. Closes #3908
• 3350a5c Refactor cache config. Closes #3876, Closes #3904
• 03e03dc Split request.info.responded to responded and completed. Closes #3901
• 7521468 Coverage
• a3a5ca9 Fix close event handling in node 11. Closes #3898
• 7b85840 Fix test
• 17ca301 Exclude vs
• 5e91092 Fix test. For #3900
• 89604b0 Merge pull request #3900 from AdriVanHoudt/fix-test-803
• a4f9121 Merge pull request #3882 from dominykas/validate-cookies-alt
• 04758ac Update API.md
• 413290f For #3897

See the full diff

Package name: hoek

The new version differs by 141 commits.

• 47d6306 6.1.3
• eef9740 cleanup
• fc934af Cleanup
• f2eb7fd Clone without prototype. Closes #290
• 5bfe5b6 6.1.2
• 17fe9a1 Revert all symbol handlings to false by default. Closes #283
• 542939b 6.1.1
• 947a326 Ignore symbols in deepEqual() by default. Closes #281
• 27ac630 6.1.0
• b3b5134 Merge pull request #281 from kanongil/symbol-support
• bec8b86 Update docs
• b159f54 Support symbol properties and keys in cloneWithShallow()
• 9fa34af Support symbol properties for reach(). Closes Bluebird throws rouge promise warning mozilla/publish.webmaker.org#267
• ea1ee6a Support symbol properties in contain()
• b6907ac Support symbol properties in clone()
• c123e61 Merge pull request Bump knex from 0.12.9 to 0.19.5 mozilla/publish.webmaker.org#279 from Nargonath/changelog
• f15fd25 Add changelog.md
• 56f4849 Support enumerable symbol properties in merge()
• 96ab1bc Support enumerable symbol properties in deepEqual()
• 6350261 6.0.4
• 6f02157 Fix clone() for redefined properties. Closes Add utility to delete thimble accounts mozilla/publish.webmaker.org#278
• 73c35e8 Expand tests for exotic objects
• 927974e Update lab 18
• bcfa947 6.0.3

See the full diff

Package name: lout

The new version differs by 139 commits.

• e731e01 11.2.3
• e67220b Restore files
• 286afd6 11.2.2
• 2fd4f7e Fix hapi legacy
• 5efe412 11.2.1
• f0e10ad Fix dep. Closes Fix mozilla/thimble.webmaker.org#1184 - Do not inject remix code for readonly projects mozilla/publish.webmaker.org#185
• e4c445b 11.2.0
• c75bf49 Remove image
• 4c2b5dd Update deps. Closes Do not serialize buffers for response on POST/PUT requests for files mozilla/publish.webmaker.org#184
• 14e98aa Merge pull request additional documentation for running the knex task mozilla/publish.webmaker.org#183 from Nargonath/changelog
• 659eee7 Add changelog.md
• 2522276 11.1.0
• 9630180 Add support for headers schemas. Fixes Fixed #1168 - Fixed promise bug preventing all files being tarred mozilla/publish.webmaker.org#180.
• dd989dd 11.0.1
• e78f87f Merge pull request How can we make migrations better? mozilla/publish.webmaker.org#179 from danieladams456/master
• 015ca7f don't encode method
• 2726f75 tests
• 29ade6f encodeUri handlebars helper
• 2c0b558 11.0.0
• 4f38728 Come back to stricter dependencies
• 1642bae Fixes for Distribute tar file creation across multiple turns of the event loop mozilla/publish.webmaker.org#177.
• ab53183 Merge pull request Distribute tar file creation across multiple turns of the event loop mozilla/publish.webmaker.org#177 from henrikdahl/hapi-v17
• 6a03981 move out deps to export
• 046b68f fix default auth

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)
🦉 Remote Code Execution (RCE)
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn