[Snyk] Fix for 10 vulnerabilities

[piranna]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	Yes	Proof of Concept
	504/1000 Why? Has a fix available, CVSS 5.8	Prototype Pollution SNYK-JS-HIGHLIGHTJS-1045326	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	741/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.4	Command Injection npm:shell-quote:20160621	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: browserify

The new version differs by 170 commits.

• e19f256 12.0.0
• c881c07 update devdeps
• c77bf33 update glob and shell-quote
• c35f73e update builtins deps
• da949a1 update deps for streams3
• e3fbe7d update module-deps & fix symlink bug (also uses streams3)
• df43933 remove unused deps
• dca78a6 update browser-pack & fix charset bug (also uses streams3)
• 46aba9f use latest node in travis
• 76b60a9 remove node 0.8 from travis
• f5a82d8 Merge pull request #1362 from mnichols/master
• 185be39 Merge pull request #1393 from emilbayes/patch-1
• d48ec61 Merge pull request #1396 from stevemao/patch-3
• d847221 travis: test on node4 not "4.0.0"
• a212016 Links to the wrong querystring module
• b7cf5be 11.2.0
• bb2a99d Merge pull request #1361 from substack/fix-bare
• e781d9d Merge pull request #1377 from demohi/patch-2
• 05d7861 update package.json version
• 85e4b9d 11.1.0
• c1c6b72 browserify adds the '.' in case you forget it
• 97a122e Update travis Node.js version & remove io.js
• 1b73d9b bump buffer to 3.4.3 to fix maximum call stack exceeded errors
• cf32d77 Exclude "process" and "buffer" when "bundleExternal === false"

See the full diff

Package name: uglifyify

The new version differs by 21 commits.

• 73e72d8 5.0.2
• 662f60a Fix github security warning (#93)
• 496d3ca 5.0.1
• 10d02cc Switch to uglify-es fork (#86)
• 43967dd 5.0.0
• 9eed149 Merge pull request #62 from casr/gh-61
• 8662585 Default debug to false and simplify logic
• e84c056 Maintain opts._flags for different transform runs
• e2a4105 Add a failing test case
• 72296cd 4.0.5
• 7b02b44 use uglify-es inline source map detection (#81)
• cfeb16c 4.0.4
• 17422a5 Complete error message (#80)
• fd494c0 4.0.3
• 0780ac7 fixes (#79)
• 7fa54a7 4.0.2
• dd8548a map out uglify argv to API acceptable opts (#71)
• dff447b 4.0.1
• 0c4378a fix source map properties names (#67)
• 4cf696d 4.0.0
• b76756a upgrade to uglify-es (#65)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn