[Snyk] Fix for 71 vulnerabilities

[OdinsHat]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-1312313	No	No Known Exploit
	869/1000 Why? Mature exploit, Has a fix available, CVSS 8.8	Access of Resource Using Incompatible Type ('Type Confusion') SNYK-JS-ELECTRON-1312314	No	Mature
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-1312315	No	No Known Exploit
	869/1000 Why? Mature exploit, Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-1313765	No	Mature
	529/1000 Why? Has a fix available, CVSS 6.3	Use After Free SNYK-JS-ELECTRON-1313767	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-1314896	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-1315151	No	No Known Exploit
	704/1000 Why? Has a fix available, CVSS 9.8	Out-of-bounds Write SNYK-JS-ELECTRON-1315668	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-1533614	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-1534881	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-1534882	No	No Known Exploit
	869/1000 Why? Mature exploit, Has a fix available, CVSS 8.8	Type Confusion SNYK-JS-ELECTRON-1534883	No	Mature
	550/1000 Why? Has a fix available, CVSS 6.5	Heap-based Buffer Overflow SNYK-JS-ELECTRON-1534884	No	No Known Exploit
	529/1000 Why? Has a fix available, CVSS 6.3	Use After Free SNYK-JS-ELECTRON-1536579	No	No Known Exploit
	761/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-1536581	No	Proof of Concept
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-1536587	No	No Known Exploit
	694/1000 Why? Mature exploit, Has a fix available, CVSS 5.3	Out-of-Bounds SNYK-JS-ELECTRON-1585619	No	Mature
	654/1000 Why? Has a fix available, CVSS 8.8	Type Confusion SNYK-JS-ELECTRON-1586050	No	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Buffer Overflow SNYK-JS-ELECTRON-1656742	No	No Known Exploit
	869/1000 Why? Mature exploit, Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-1656743	No	Mature
	539/1000 Why? Has a fix available, CVSS 6.5	Improper Input Validation SNYK-JS-ELECTRON-2932172	No	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Protection Mechanism Failure SNYK-JS-ELECTRON-2934721	No	No Known Exploit
	859/1000 Why? Mature exploit, Has a fix available, CVSS 8.6	Heap-based Buffer Overflow SNYK-JS-ELECTRON-2946881	No	Mature
	654/1000 Why? Has a fix available, CVSS 8.8	Type Confusion SNYK-JS-ELECTRON-2946891	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ELECTRON-2961655	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Information Exposure SNYK-JS-ELECTRON-2977510	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-ELECTRON-2977512	No	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Buffer Overflow SNYK-JS-ELECTRON-2978483	No	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Access Control Bypass SNYK-JS-ELECTRON-2978519	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-2992453	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-2992478	No	No Known Exploit
	429/1000 Why? Has a fix available, CVSS 4.3	Improper Authentication SNYK-JS-ELECTRON-2992482	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-2994414	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ELECTRON-3014402	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-3014405	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-3014407	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-3014409	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-3014411	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-3028028	No	No Known Exploit
	869/1000 Why? Mature exploit, Has a fix available, CVSS 8.8	Type Confusion SNYK-JS-ELECTRON-3091122	No	Mature
	529/1000 Why? Has a fix available, CVSS 6.3	Improper Input Validation SNYK-JS-ELECTRON-3097694	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-3097832	No	No Known Exploit
	504/1000 Why? Has a fix available, CVSS 5.8	Information Exposure SNYK-JS-ELECTRON-3107036	No	No Known Exploit
	594/1000 Why? Has a fix available, CVSS 7.6	Use After Free SNYK-JS-ELECTRON-3111876	No	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Heap-based Buffer Overflow SNYK-JS-ELECTRON-3111878	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ELECTRON-3111879	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-3111880	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-3111881	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Use After Free SNYK-JS-ELECTRON-3160317	No	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Heap-based Buffer Overflow SNYK-JS-ELECTRON-3237489	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	No	Proof of Concept
	344/1000 Why? Has a fix available, CVSS 2.6	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2396346	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	No	No Known Exploit
	464/1000 Why? Has a fix available, CVSS 5	Cross-site Scripting (XSS) SNYK-JS-HEXO-1932976	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HIGHLIGHTJS-1048676	Yes	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	XML External Entity (XXE) Injection SNYK-JS-JSTOXML-1017039	No	No Known Exploit
	414/1000 Why? Has a fix available, CVSS 4	Arbitrary File Read SNYK-JS-MACADDRESS-567156	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	No	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Command Injection SNYK-JS-SIMPLEGIT-2421199	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') SNYK-JS-SIMPLEGIT-2434306	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-SIMPLEGIT-3112221	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-SIMPLEGIT-3177391	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Cross-site Scripting (XSS) SNYK-JS-STRIPTAGS-1312310	Yes	No Known Exploit
	661/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.8	Cross-site Scripting (XSS) SNYK-JS-VDITOR-2359056	No	Proof of Concept
	651/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.6	Cross-site Scripting (XSS) SNYK-JS-VDITOR-2422324	No	Proof of Concept
	519/1000 Why? Has a fix available, CVSS 6.1	Cross-site Scripting (XSS) SNYK-JS-VDITOR-2438403	No	No Known Exploit
	626/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.1	Cross-site Scripting (XSS) SNYK-JS-VDITOR-3329409	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: ali-oss

The new version differs by 242 commits.

• b0f5930 chore: publish 6.17.0
• 96141c6 chore: publish beta version
• 4790a19 chore: build 6.17.0
• e65ec97 chore: update 6.17.0 changelog
• b2cef94 chore(release): 6.17.0
• 7ece938 Merge branch 'master' of github.com:ali-sdk/ali-oss
• a759699 chore: release 6.17.0 (#1047)
• c884299 chore: document the completion
• 45a0730 chore: rebuild
• 95abe3b chore: rebuild
• 7cf195f chore: use stream-http 2.8.2
• 4f19fe6 fix(test): test case optimized (#1045)
• e8eed0a fix(test): test case optimized (#1044)
• 4fc3bd4 fix: fix list() and listV2() params and test case (#1043)
• 9b0e299 chore:merge master
• c60ae46 chore(test): test case optimized (#1041)
• 17206a1 chore(CI):github action optimized (#1039)
• 2bfd726 chore(CI):github action optimized (#1040)
• 8e35cad chore(test case): fix test case (#1037)
• f7e9255 chore: remove 6.17.0 changelog
• 374231c chore: develop merge master (#1035)
• 102f362 add multipartUploadCopy method (#1032)
• 2678db8 fix: to append method signatureNotMath (#1033)
• 78ffb5d fix: fix some test error and variable (#1030)

See the full diff

Package name: axios

The new version differs by 58 commits.

• 0d87655 Releasing 0.20.0
• cd27741 Updating changelog for 0.20.0 release
• ffea034 Releasing 0.20.0-0
• fe147fb Updating changlog for 0.20.0 beta release
• 16aa2ce Fixing response with utf-8 BOM can not parse to json (#2419)
• c4300a8 Adding support for URLSearchParams in node (#1900)
• bed6783 add table of content (preview) (#3050)
• c70fab9 Fix stale bot config (#3049)
• 5b08fc4 Add days and change name to work (#3035)
• 1768c23 Update close-issues.yml (#3031)
• 3dbf6a1 Add GitHub actions to close stale issues/prs (#3029)
• a9010e4 Add GitHub actions to close invalid issues (#3022)
• 36f0ad2 Replace 'blacklist' with 'blocklist' (#3006)
• 0d69a79 Refactor mergeConfig without utils.deepMerge (#2844)
• 4879416 Allow unsetting headers by passing null (#382) (#1845)
• 4b3947a Add test with Node.js 12 (#2860)
• 0077205 Adding console log on sandbox server startup (#2210)
• ee46dff docs(): Detailed config options environment. (#2088)
• 17a6886 Include axios-data-unpacker in ECOSYSTEM.md (#2080)
• 3f2ef03 Allow opening examples in Gitpod (#1958)
• f3cc053 Fixing overwrite Blob/File type as Content-Type in browser. (#1773)
• f2b478f Revert "Fixing default transformRequest with buffer pools (#1511)" (#2982)
• d35b5b5 Remove axios.all() and axios.spread() from Readme.md (#2727)
• 6d36dbe Update README.md (#2887)

See the full diff

Package name: electron-google-analytics

The new version differs by 7 commits.

• 4167e34 0.2.0
• 6ebe705 Updated to use fetch-electron
• fc6878b Merge pull request [Snyk] Security upgrade electron-google-analytics from 0.1.2 to 0.2.0 #21 from ilyin371/electron-net
• bc29dfe Merge branch 'master' into electron-net
• 4f252ba Added session duration in pageview as the 5th param so you can force start/end a session
• 26084eb Updated README dependencies badge
• b9b9725 Add Electron networking support

See the full diff

Package name: hexo

The new version differs by 250 commits.

• c749815 Hexo 6.0.0 (#4750)
• 5977928 chore: bump actions/stale from 3 to 4 (#4828)
• 8ac908a Cleanup dependabot (#4820)
• 11b145c Switch to picocolors (#4825)
• 3ed6fd9 fix(post): escape swig full tag with args (#4824)
• 902cd70 chore: bump sinon from 11.1.2 to 12.0.1 (#4810)
• 0c6380c refactor: native Array.flat() (#4806)
• ed0f239 perf(tag/helper): memoize (#4789)
• 2ec4f63 chore: bump eslint from 7.32.0 to 8.0.0 (#4799)
• 0f534b2 chore: bump hexo-log from 2.0.0 to 3.0.0 (#4794)
• 098cf0a perf(external_link): optimize regexp (#4790)
• 02cbfe3 fix(processor): remove race condition failsafe (#4791)
• 9edbc99 fix(#4780): empty tag name correction (#4786)
• b56ba65 refactor/perf: use nanocolors (#4788)
• b3bd7d4 chore: bump husky from 4.3.8 to 7.0.2 (#4763)
• 9c9b2a5 fix(#4780): curly brackets (#4784)
• a342422 perf: overall improvements (#4783)
• 6f702fc feat: load hexo plugin in the theme's package.json (#4771)
• a2ec6b2 feat(open_graph): different URLs for og:image and twitter:image (#4748)
• 0c979bf refactor(post): use state machine to escape swig tag (#4780)
• 67fc844 doc: add homebrew install (#4724)
• 6164db1 chore: bump sinon from 10.0.1 to 11.1.2 (#4747)
• c18d575 chore: bump mocha from 8.4.0 to 9.1.1 (#4765)
• bb61f15 chore: drop Node 10 (#4779)

See the full diff

Package name: macaddress

The new version differs by 26 commits.

• 6654c93 Add node_js: lts/* to travis build job
• 05416db v0.4.3
• 90a3b7d fix [Snyk] Security upgrade vditor from 3.6.2 to 3.8.11 #29
• 0f329b4 fix [Snyk] Security upgrade electron-google-analytics from 0.1.2 to 0.2.0 #22, fix [Snyk] Security upgrade axios from 0.19.2 to 0.20.0 #27
• 27054c5 More identifiers for possible network interfaces
• 0eb0bdc fix list;
• 462ce99 v0.4.2
• c5e09f8 Merge pull request [Snyk] Security upgrade electron-google-analytics from 0.1.2 to 0.2.0 #31 from micaelmbagira/fix/incorrect-promise-support
• 92b974d fix(): macaddress.one() should return a Promise
• 14398c5 bump version: 0.4.1
• 8dd2d30 Merge pull request [Snyk] Security upgrade electron-google-analytics from 0.1.2 to 0.2.0 #30 from micaelmbagira/fix/typescript-definitions-promise
• da4276f docs(): add Promise examples
• 0daae05 fix(): update typescript definitions with Promise support
• 13f2d53 Create npmpublish.yml
• 59267da v0.4.0
• e916c58 Merge pull request [Snyk] Security upgrade electron-google-analytics from 0.1.2 to 0.2.0 #26 from Jungwoo-An/promise
• 766aa15 Update README.md
• b449c73 v0.3.0
• e56d57d Add promise support code
• 63b9f87 Merge pull request [Snyk] Security upgrade electron-google-analytics from 0.1.2 to 0.2.0 #25 from Jungwoo-An/master
• 3713931 Add typing file
• 7501998 Merge pull request [Snyk] Security upgrade electron-google-analytics from 0.1.2 to 0.2.0 #23 from philraj/patch-1
• 6853940 Update README.md
• ee37051 Added other node versions to .travis.yml

See the full diff

Package name: simple-git

The new version differs by 250 commits.

• d716d32 Merge pull request #877 from steveukx/changeset-release/main
• 1a12952 Version Packages
• 12b8fc3 Merge pull request #864 from steveukx/dependabot/npm_and_yarn/minimatch-3.0.5
• ec97a39 Block unsafe pack (push --exec) (#882)
• 0a623e5 Feat/unsafe pack (#881)
• b45d08b Merge pull request #876 from steveukx/feat/support-checkout-B
• 97fde2c Add support for using the `-B` modifier instead of the default `-b` when using `checkoutBranch` / `checkoutLocalBranch`.
• edfd459 Update readme.md
• 459ec92 Merge pull request #868 from steveukx/changeset-release/main
• c9fc61f Version Packages
• de570ac Fix/non strings (#867)
• 7efdcbc chore(deps): bump minimatch from 3.0.4 to 3.0.5
• e1d66b6 Merge pull request #863 from steveukx/changeset-release/main
• d4764bf Version Packages
• 7746480 Chore: bump lerna, jest and create prettier workflow (#862)
• 47030d5 Merge pull request #861 from steveukx/security/protocols
• 6b3c631 Create the `unsafe` plugin to configure how `simple-git` treats known potentially unsafe operations.
• 3324eed Merge pull request #855 from steveukx/changeset-release/main
• e459622 Version Packages
• 2ea0231 Merge pull request #854 from steveukx/chore/update-lerna
• 5a2e7e4 Add version parsing support for non-numeric patches (to include built… (#853)
• 88fee05 Chore: bump lerna to latest `5.5.1`
• 0f964ba Merge pull request #849 from steveukx/changeset-release/main
• 6460a1f Version Packages

See the full diff

Package name: vditor

The new version differs by 250 commits.

• 17d9af5 📝
• defe210 🐛 fix https://github.com/disabled 后应禁止粘贴 Vanessa219/vditor#1054
• 4ee659c 📝
• 8025ec0 ✨ fix #1203
• 97be8da 📝 https://github.com/支持 dir 设置 Vanessa219/vditor#1197
• 74ad443 Revert "fix 🐛 : fix styles (#1199)" (#1201)
• 172f4c8 fix 🐛 : fix styles (#1199)
• de6d4b7 📝 https://github.com/支持 dir 设置 Vanessa219/vditor#1197
• 1a8d3cb ♻️ https://github.com/支持 dir 设置 Vanessa219/vditor#1197
• 3484d28 📝 #1176
• 6854a51 📝 https://github.com/支持 dir 设置 Vanessa219/vditor#1197
• 5e795f0 📝 https://github.com/支持 dir 设置 Vanessa219/vditor#1197
• fdb810b 📝 https://github.com/支持 dir 设置 Vanessa219/vditor#1197
• 9172671 Fix RTL (#1196)
• e755d8e 🐛 fix #1178
• f01032c ♻️ fix https://github.com/更新代码风格工具&包管理工具 Vanessa219/vditor#1179
• eb4197a 更新代码风格工具&包管理工具 (#1179)
• ae75d52 ⬆️
• 14e0289 ⬆️
• ca5558f 🚨
• fd77125 📝 https://github.com/wysiwyg 模式下，录音渲染出现问题，无法正常显示 audio 组件 Vanessa219/vditor#1184
• 31aee6a 🐛 fix https://github.com/wysiwyg 模式下，录音渲染出现问题，无法正常显示 audio 组件 Vanessa219/vditor#1184
• 18ef889 🐛 fix https://github.com/撤销后大纲不会刷新 Vanessa219/vditor#1182
• 8e0d2c5 Merge remote-tracking branch 'origin/master'

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)
🦉 Access Control Bypass
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn