This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
#### Changes included in this PR
- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json
#### Vulnerabilities that will be fixed
##### With an upgrade:
Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity
:-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------
 | **696/1000** **Why?** Proof of Concept exploit, Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) [SNYK-JS-ANSIREGEX-1583908](https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908) | Yes | Proof of Concept
 | **586/1000** **Why?** Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) [SNYK-JS-HTMLMINIFIER-3091181](https://snyk.io/vuln/SNYK-JS-HTMLMINIFIER-3091181) | Yes | Proof of Concept
 | **686/1000** **Why?** Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution [SNYK-JS-LODASHSET-1320032](https://snyk.io/vuln/SNYK-JS-LODASHSET-1320032) | Yes | Proof of Concept
 | **681/1000** **Why?** Proof of Concept exploit, Has a fix available, CVSS 7.2 | Command Injection [SNYK-JS-LODASHTEMPLATE-1088054](https://snyk.io/vuln/SNYK-JS-LODASHTEMPLATE-1088054) | Yes | Proof of Concept
 | **506/1000** **Why?** Proof of Concept exploit, Has a fix available, CVSS 3.7 | Prototype Pollution [SNYK-JS-MINIMIST-2429795](https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795) | No | Proof of Concept
 | **601/1000** **Why?** Proof of Concept exploit, Has a fix available, CVSS 5.6 | Prototype Pollution [SNYK-JS-MINIMIST-559764](https://snyk.io/vuln/SNYK-JS-MINIMIST-559764) | No | Proof of Concept
 | **479/1000** **Why?** Has a fix available, CVSS 5.3 | Improper Input Validation [SNYK-JS-POSTCSS-5926692](https://snyk.io/vuln/SNYK-JS-POSTCSS-5926692) | Yes | No Known Exploit
 | **646/1000** **Why?** Proof of Concept exploit, Has a fix available, CVSS 6.5 | Server-side Request Forgery (SSRF) [SNYK-JS-REQUEST-3361831](https://snyk.io/vuln/SNYK-JS-REQUEST-3361831) | Yes | Proof of Concept
 | **619/1000** **Why?** Has a fix available, CVSS 8.1 | Cross-site Scripting (XSS) [SNYK-JS-SERIALIZEJAVASCRIPT-536840](https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-536840) | No | No Known Exploit
 | **706/1000** **Why?** Proof of Concept exploit, Has a fix available, CVSS 7.7 | Arbitrary Code Injection [SNYK-JS-SERIALIZEJAVASCRIPT-570062](https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-570062) | No | Proof of Concept
 | **619/1000** **Why?** Has a fix available, CVSS 8.1 | Cross-site Scripting (XSS) [SNYK-JS-SERIALIZEJAVASCRIPT-6056521](https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-6056521) | No | No Known Exploit
 | **646/1000** **Why?** Proof of Concept exploit, Has a fix available, CVSS 6.5 | Prototype Pollution [SNYK-JS-TOUGHCOOKIE-5672873](https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873) | Yes | Proof of Concept
 | **589/1000** **Why?** Has a fix available, CVSS 7.5 | Prototype Pollution [SNYK-JS-UNSETVALUE-2400660](https://snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660) | Yes | No Known Exploit
(*) Note that the real score may have changed since the PR was raised.
Commit messagesPackage name: css-loader
The new version differs by 71 commits.
13e3ca5 Merge pull request #11602 from webpack/bugfix/shared-runtime-chunk
9c0587e Merge pull request #11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
502d166 Merge pull request #11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4
See the full diff
Check the changes in this PR to ensure they won't cause issues with your project.
------------
**Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.*
For more information:
🧐 [View latest project report](https://app.snyk.io/org/attesch/project/54f4ee92-998c-4470-8c24-77a260feb55b?utm_source=github&utm_medium=referral&page=fix-pr)
🛠 [Adjust project settings](https://app.snyk.io/org/attesch/project/54f4ee92-998c-4470-8c24-77a260feb55b?utm_source=github&utm_medium=referral&page=fix-pr/settings)
📚 [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities)
[//]: # (snyk:metadata:{"prId":"dc942a8b-7acd-42dc-ba75-21b710975ab4","prPublicId":"dc942a8b-7acd-42dc-ba75-21b710975ab4","dependencies":[{"name":"css-loader","from":"1.0.0","to":"2.0.0"},{"name":"cssnano","from":"4.1.0","to":"5.0.0"},{"name":"eslint","from":"5.4.0","to":"5.5.0"},{"name":"express-jwt","from":"5.3.1","to":"6.1.1"},{"name":"handlebars","from":"4.0.11","to":"4.7.4"},{"name":"html-webpack-plugin","from":"3.2.0","to":"5.5.0"},{"name":"lint-staged","from":"7.2.2","to":"10.2.0"},{"name":"node-sass","from":"4.9.3","to":"7.0.2"},{"name":"webpack","from":"4.17.1","to":"5.0.0"},{"name":"workbox-webpack-plugin","from":"3.4.1","to":"6.0.0"}],"packageManager":"npm","projectPublicId":"54f4ee92-998c-4470-8c24-77a260feb55b","projectUrl":"https://app.snyk.io/org/attesch/project/54f4ee92-998c-4470-8c24-77a260feb55b?utm_source=github&utm_medium=referral&page=fix-pr","type":"auto","patch":[],"vulns":["SNYK-JS-ANSIREGEX-1583908","SNYK-JS-HTMLMINIFIER-3091181","SNYK-JS-LODASHSET-1320032","SNYK-JS-LODASHTEMPLATE-1088054","SNYK-JS-MINIMIST-2429795","SNYK-JS-MINIMIST-559764","SNYK-JS-POSTCSS-5926692","SNYK-JS-REQUEST-3361831","SNYK-JS-SERIALIZEJAVASCRIPT-536840","SNYK-JS-SERIALIZEJAVASCRIPT-570062","SNYK-JS-SERIALIZEJAVASCRIPT-6056521","SNYK-JS-TOUGHCOOKIE-5672873","SNYK-JS-UNSETVALUE-2400660"],"upgrade":["SNYK-JS-ANSIREGEX-1583908","SNYK-JS-HTMLMINIFIER-3091181","SNYK-JS-LODASHSET-1320032","SNYK-JS-LODASHTEMPLATE-1088054","SNYK-JS-MINIMIST-2429795","SNYK-JS-MINIMIST-559764","SNYK-JS-POSTCSS-5926692","SNYK-JS-REQUEST-3361831","SNYK-JS-SERIALIZEJAVASCRIPT-536840","SNYK-JS-SERIALIZEJAVASCRIPT-570062","SNYK-JS-SERIALIZEJAVASCRIPT-6056521","SNYK-JS-TOUGHCOOKIE-5672873","SNYK-JS-UNSETVALUE-2400660"],"isBreakingChange":true,"env":"prod","prType":"fix","templateVariants":["priorityScore"],"priorityScoreList":[696,586,686,681,506,601,479,646,619,706,619,646,589],"remediationStrategy":"vuln"})
---
**Learn how to fix vulnerabilities with free interactive lessons:**
🦉 [Regular Expression Denial of Service (ReDoS)](https://learn.snyk.io/lesson/redos/?loc=fix-pr)
🦉 [Prototype Pollution](https://learn.snyk.io/lesson/prototype-pollution/?loc=fix-pr)
🦉 [Improper Input Validation](https://learn.snyk.io/lesson/improper-input-validation/?loc=fix-pr)
🦉 [More lessons are available in Snyk Learn](https://learn.snyk.io/?loc=fix-pr)
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
#### Changes included in this PR - Changes to the following files to upgrade the vulnerable dependencies to a fixed version: - package.json - package-lock.json #### Vulnerabilities that will be fixed ##### With an upgrade: Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------  | **696/1000****Why?** Proof of Concept exploit, Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS)
[SNYK-JS-ANSIREGEX-1583908](https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908) | Yes | Proof of Concept  | **586/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS)
[SNYK-JS-HTMLMINIFIER-3091181](https://snyk.io/vuln/SNYK-JS-HTMLMINIFIER-3091181) | Yes | Proof of Concept  | **686/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution
[SNYK-JS-LODASHSET-1320032](https://snyk.io/vuln/SNYK-JS-LODASHSET-1320032) | Yes | Proof of Concept  | **681/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 7.2 | Command Injection
[SNYK-JS-LODASHTEMPLATE-1088054](https://snyk.io/vuln/SNYK-JS-LODASHTEMPLATE-1088054) | Yes | Proof of Concept  | **506/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 3.7 | Prototype Pollution
[SNYK-JS-MINIMIST-2429795](https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795) | No | Proof of Concept  | **601/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 5.6 | Prototype Pollution
[SNYK-JS-MINIMIST-559764](https://snyk.io/vuln/SNYK-JS-MINIMIST-559764) | No | Proof of Concept  | **479/1000**
**Why?** Has a fix available, CVSS 5.3 | Improper Input Validation
[SNYK-JS-POSTCSS-5926692](https://snyk.io/vuln/SNYK-JS-POSTCSS-5926692) | Yes | No Known Exploit  | **646/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 6.5 | Server-side Request Forgery (SSRF)
[SNYK-JS-REQUEST-3361831](https://snyk.io/vuln/SNYK-JS-REQUEST-3361831) | Yes | Proof of Concept  | **619/1000**
**Why?** Has a fix available, CVSS 8.1 | Cross-site Scripting (XSS)
[SNYK-JS-SERIALIZEJAVASCRIPT-536840](https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-536840) | No | No Known Exploit  | **706/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 7.7 | Arbitrary Code Injection
[SNYK-JS-SERIALIZEJAVASCRIPT-570062](https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-570062) | No | Proof of Concept  | **619/1000**
**Why?** Has a fix available, CVSS 8.1 | Cross-site Scripting (XSS)
[SNYK-JS-SERIALIZEJAVASCRIPT-6056521](https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-6056521) | No | No Known Exploit  | **646/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 6.5 | Prototype Pollution
[SNYK-JS-TOUGHCOOKIE-5672873](https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873) | Yes | Proof of Concept  | **589/1000**
**Why?** Has a fix available, CVSS 7.5 | Prototype Pollution
[SNYK-JS-UNSETVALUE-2400660](https://snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660) | Yes | No Known Exploit (*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: css-loader
The new version differs by 71 commits.- 634ab49 chore(release): 2.0.0
- 6ade2d0 refactor: remove unused file (#860)
- e7525c9 test: nested url (#859)
- 7259faa test: css hacks (#858)
- 5e6034c feat: allow to filter import at-rules (#857)
- 5e702e7 feat: allow filtering urls (#856)
- 9642aa5 test: css stuff (#855)
- 3338656 fix: reduce number of require for url (#854)
- 533abbe test: issue 636 (#853)
- 08c551c refactor: better warning on invalid url resolution (#852)
- b0aa159 test: issue #589 (#851)
- f599c70 fix: broken unucode characters (#850)
- 1e551f3 test: issue 286 (#849)
- 419d27b docs: improve readme (#848)
- d94a698 refactor: webpack-default (#847)
- b97d997 feat: schema options
- 453248f fix: support module resolution in composes (#845)
- 8a6ea10 refactor: postcss plugins (#844)
- fdcf687 fix: url resolving logic (#843)
- 889dc7f feat: allow to disable css modules and disable their by default (#842)
- ee2d253 test: importLoaders option (#841)
- 1dad1fb feat: reuse postcss ast from other loaders (i.e `postcss-loader`) (#840)
- fe94ebc test: icss reserved keywords (#839)
- 9eaba66 refactor: migrate on message api for postcss-icss-plugin (#838)
See the full diffPackage name: eslint
The new version differs by 10 commits.- 80b8d5d 5.5.0
- b68e403 Build: changelog update for 5.5.0
- 6e110e6 Fix: camelcase duplicate warning bug (fixes #10801) (#10802)
- 5103ee7 Docs: Add Brackets integration (#10813)
- b61d2cd Update: max-params to only highlight function header (#10815)
- 2b2f11d Upgrade: babel-code-frame to version 7 (#10808)
- 2824d43 Docs: fix comment placement in a code example (#10799)
- 10690b7 Upgrade: devdeps and deps to latest (#10622)
- 80c8598 Docs: gitignore syntax updates (fixes #8139) (#10776)
- cb946af Chore: use meta.messages in some rules (1/4) (#10764)
See the full diffPackage name: express-jwt
The new version differs by 23 commits.- c4de5de 6.1.1
- 691fd6a Merge pull request #272 from ryanpcmcquen/prototype-pollution-vulnerability-fix
- 551bf40 Fix prototype pollution vulnerability.
- 354e1f8 6.1.0
- 3db0e6b Merge pull request #265 from pipeline1987/master
- 67bd3c4 upgrade express-unless dependency to v1.0.0
- 5cf9b0b Merge pull request #236 from auth0/dependabot/npm_and_yarn/lodash-4.17.19
- adf60bb Merge pull request #239 from auth0/update-changelog
- ed743a8 Updated changelog
- 61776e2 Bump lodash from 4.17.15 to 4.17.19
- 5fb8c88 Merge pull request #234 from gkwang/update-readme
- 43b7921 Update readme on 6.0.0 changes
- 678f3b0 6.0.0
- 7ecab5f Merge pull request from GHSA-6g6m-m6h5-w9gf
- 304a1c5 Made algorithms mandatory
- e9ed6d2 5.3.3
- 8662579 Make clearer sections in the Readme
- d3e86bf Update README.md
- c5d8419 Add a note about OAuth2 bearer tokens
- 888f0e9 Update Readme and use a consistent JS style for code examples
- 6591014 5.3.2
- f4f4d1d fix license field
- 1789282 fix dependencies vulnerabilities and test against 8, 10 and 12 from now on
See the full diffPackage name: handlebars
The new version differs by 203 commits.- 7adc19a v4.7.4
- 9dd8d10 Update release notes
- 4671c4b Use tmp directory for files written during tests
- e46baa1 tasks/test-bin.js: Delete duplicate test
- c491b4e Revert "Update release-notes.md"
- 738391a Update release-notes.md
- 80c4516 chore: add unit tests for cli options (#1666)
- d79212a fix: migrate from optimist to yargs (#1666)
- b440c38 chore: ignore external @ types in tests
- 2dba7ee docs: fix comparison link
- c978969 v4.7.3
- 9278f21 Update release notes
- d78cc73 Fixes spelling and punctuation
- 4de51fe Add Type Definition for Handlebars.VERSION, Fixes #1647
- a32d05f Include Type Definition for runtime.js in Package
- ad63f51 chore: add missing "await" in aws-s3 publishing code
- 586e672 v4.7.2
- f0c6c4c Update release notes
- a4fd391 chore: execute saucelabs-task only if access-key exists
- 9d5aa36 fix: don't wrap helpers that are not functions
- 14ba3d0 v4.7.1
- 4cddfe7 Update release notes
- f152dfc fix: fix log output in case of illegal property access
- 3c1e252 fix: log error for illegal property access only once per property
See the full diffPackage name: html-webpack-plugin
The new version differs by 250 commits.- 873d75b chore(release): 5.5.0
- ddeb774 chore: update examples
- 1e42625 feat: Support type=module via scriptLoading option
- 7d3645b Bump pretty-error to 4.0.0 to fix transitive vuln for ansi-regex CVE-2021-3807
- 79be779 [chore] changes actions to run on pull_requests
- b7e5859 [chore] fixes CI to avoid race conditions
- 48131d3 chore(release): 5.4.0
- 16a841a [chore] rebuild examples
- 3bb7c17 Update index.js
- e38ac97 Update index.js
- f08bd02 [chore] updates fixtures
- d62a10f [chore] upgrades html-minifier-terser@5.0.0 -> 6.0.2
- 2f5de7a Remove archived plugin
- 8f8f7c5 chore(release): 5.3.2
- 053c6e6 chore: update snapshot tests for webpack 5.4.0
- 9c7fba0 Fix security vulnerabilities
- b98fbeb Fix security vulnerabilities
- 25cdfc7 Added inject-body-webpack-plugin to readme
- 0e4c1fb Update README to document actual behavior
- 0a6568d chore(release): 5.3.1
- 82d0ee8 fix: remove loader-utils from plugin core
- 6f39192 chore(release): 5.3.0
- d654f5b feat: allow to modify the interpolation options in webpack config
- 41d7a50 feat: drop loader-utils dependency
See the full diffPackage name: lint-staged
The new version differs by 250 commits.- 885a644 Merge pull request #852 from okonet/listr2
- aba3421 fix: all lint-staged output respects the `quiet` option
- b8df31a fix: do not show incorrect error when verbose and no output
- eed6198 style: simplify eslint and prettier config
- b746290 ci: replace Node.js 13 with 14, since 14 will be next LTS
- 2c6f3ad docs: improve `verbose` description
- e749a0b test: remove redundant, misbehaving test
- 16848d8 fix: use test renderer during tests and when TERM=dumb
- efffa22 test: cover `--verbose` option usage
- 1b18550 test: restore variable in test output
- 6aede38 test: add test for error during merge state restoration
- b565481 test: integration test targets the full Node.js API instead of just `runAll`
- a3bd9d7 feat: allow specifying `cwd` using the Node.js API
- 85de3a3 feat: add `--verbose` to show output even when tasks succeed
- d69c65b fix: log task output after running listr to keep everything
- e95d1b0 refactor: move skip and enable cheks of listr tasks to separate file
- 6da7667 refactor: move messages to separate file
- 6392480 refactor: use symbols for errors
- 8f32a3e feat: replace listr with listr2 and print errors inline
- c9adca5 fix: use stash create/store to prevent files from disappearing from disk
- e093b1d fix(deps): update dependencies
- 6066b07 fix: pass correct path to unstaged patch during cleanup
- 0bf1fb0 fix: allow lint-staged to run on empty git repo by disabling backup
- 1ac6863 Merge pull request #837 from okonet/serial-git-add
See the full diffPackage name: node-sass
The new version differs by 156 commits.- 3b556c1 7.0.2
- c716359 Bump sass-graph@^4.0.1 (#3292)
- 24741b3 docs(readme): fix docpad plugin link
- 1523330 feat: Drop Node 12
- 365d357 update https://registry.npm.taobao.org to https://registry.npmmirror.com
- 1456114 build(deps): bump actions/upload-artifact from 2 to 3
- b465b69 chore: bump GitHub Actions to Windows 2019 (#3254)
- e6194b1 build(deps): bump make-fetch-happen from 9.1.0 to 10.0.4
- 4edf594 build(deps): bump node-gyp from 8.4.1 to 9.0.0
- 29e2344 build(deps): bump actions/checkout from 2 to 3
- 85b0d22 build(deps): bump actions/setup-node from 2 to 3
- 3bb51da Use make-fetch-happen instead of request (#3193)
- adc2f8b build(deps): bump true-case-path from 1.0.3 to 2.2.1 (#3000)
- 77d12f0 chore: disable Apline for Node 16/17 builds
- 308d533 ci: use Python 3 for Node 12
- c818907 ci: unpin actions/setup-node to v2
- 99242d7 7.0.1
- 77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 (#3224)
- c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 (#3209)
- 918dcb3 Lint fix
- 0a21792 Set rejectUnauthorized to true by default (#3149)
- e80d4af chore: Drop EOL Node 15 (#3122)
- d753397 feat: Add Node 17 support (#3195)
- dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0
See the full diffPackage name: webpack
The new version differs by 250 commits.- 610f368 5.0.0
- 5ce65c1 update examples
- bbe1230 Merge pull request #11628 from webpack/bugfix/real-content-hash
- 75ecff2 5.0.0-rc.6
- bfc35d6 Merge pull request #11603 from MayaWolf/master
- 76e8cbd Merge pull request #11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
- 9fd1be2 chore(deps-dev): bump @ types/node from 13.13.23 to 13.13.25
- 36bcfaa Merge pull request #11621 from webpack/bugfix/11619
- 9130d10 fix called variables with ProvidePlugin
- 3e42105 Merge pull request #11620 from webpack/bugfix/11617
- 4709719 skip connections copied to concatenated module
- 57b493f 5.0.0-rc.5
- 1658e2f Merge pull request #11618 from webpack/bugfix/11615
- a8fb45d fixes crash in SideEffectsFlagPlugin
- 84b196d emit error instead of crashing when unexpected problem occurs
- 5573fed Merge pull request #11601 from Hornwitser/improve-suggested-polyfill-config
- 9b5cce9 Merge pull request #11609 from snitin315/export-types
- 37c495c export type RuleSetUseItem
- 39faf34 export type RuleSetUse
- e5fd246 export type RuleSetConditionAbsolute
- 660baad export RuleSetCondition types
- 13e3ca5 Merge pull request #11602 from webpack/bugfix/shared-runtime-chunk
- 9c0587e Merge pull request #11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
- 502d166 Merge pull request #11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4
See the full diff