(*) Note that the real score may have changed since the PR was raised.
Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.
Check the changes in this PR to ensure they won't cause issues with your project.
Note:You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches. Find out more.
Vulnerabilities that will be fixed
With an upgrade:
Why? Proof of Concept exploit, Has a fix available, CVSS 8.2
SNYK-JS-LODASH-567746
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
SNYK-JS-LODASH-608086
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
SNYK-JS-LODASH-73638
Why? Proof of Concept exploit, Has a fix available, CVSS 4.4
SNYK-JS-LODASH-73639
Why? Proof of Concept exploit, Has a fix available, CVSS 6.3
npm:lodash:20180130
Why? Has a fix available, CVSS 5.3
npm:uglify-js:20151024
(*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: gulp
The new version differs by 216 commits.- 84df40b 3.8.11
- c46bf1a update liftoff and v8flags to deal with new node versions and iojs
- 0b7967f Fixed minor JS syntax error in docs
- 98b1cb6 Update .travis.yml
- e8c6bf6 Add node.js 0.12 and io.js to travis.yml
- 54684fe Adding gulp-util to the npm install line
- e9f8991 Update gulp core team GitHub link
- af17d96 Update gulp-ruby-sass syntax (1.0.0)
- 0cc972c add gitter badge and rearrange badge line
- 3cb110b Removed syntax highlighting from file structure
- 17d77cb update MIT License to year range
- 51e5a24 Merge pull request #834 from danielbayerlein/gulp-watch-v3
- f66bbb4 Merge pull request #836 from yousefcisco/patch-1
- 7f25230 Update dealing-with-streams.md
- c9563c7 gulp-watch v3.0.0 API
- 994f872 Merge pull request #820 from pertrai1/patch-1
- d530c08 article on optimizing web code
- e463249 sourcemaps with watchify
- 6a3b85f clean up watchify recipe
- 20774cc Merge pull request #596 from stevelacy/patch-1
- 03df8c9 Merge pull request #818 from CaryLandholt/master
- 742dce6 pluralized Book(s) section
- 305500f Add "Developing a gulp Edge" book reference
- ae98edf Merge pull request #809 from svetlyak40wt/patch-1
See the full diffPackage name: gulp-jshint
The new version differs by 20 commits.- c277434 2.0.3
- 711f3f0 test fix
- 0045278 dep updates
- bee3a83 [readme] spruce things up a bit
- 2cb429b 2.0.2
- f1f3fc2 Merge pull request #150 from VictorVation/master
- 4f1f1cb update minimatch
- 6c9cadd Merge pull request #140 from rtack/patch-1
- 6532823 fix typo
- 4a7f304 2.0.1
- 5c1d63f move to explicitly imported lodash functions
- 81c7498 Merge pull request #139 from rkurbatov/upgrade-lodash
- 631e7ed Update .gitignore
- 368f267 Upgrade lodash version, fix 'repository' field to correct form
- 0d91672 Create CHANGELOG.md
- d7cc9ea version 2.0.0
- 02c4053 added note about jshint peerDependency
- 226ea3b Merge pull request #120 from spalger/jshintAsPeer
- a1c0be4 [npm] install jshint on travis, for old npm and future npm
- 3e7ad84 [npm] move jshint to peerDependencies
See the full diffPackage name: gulp-uglify
The new version differs by 63 commits.- c16275f 1.5.1
- c572ae3 chore: package only specific files
- e9fe539 1.5.0
- 0555181 Fix the case where the generated source maps contains a null source content
- 289a910 Merge pull request #147 from terinjokes/greenkeeper-uglify-js-2.6.0
- 1814403 chore(package): update uglify-js to version 2.6.0
- e3709af fix(createError): separate createError into own module
- 735e04d chore(format): use a consistent format
- 03c672a Merge pull request #140 from terinjokes/greenkeeper-istanbul-0.4.0
- 1a1325d chore(CI): add AppVeyor configuration
- b4e8e53 chore(package): update istanbul to version 0.4.0
- b646e2a Merge pull request #139 from terinjokes/greenkeeper-istanbul-0.3.22
- 5e00139 chore(CI): upload to coveralls in after_success
- 36bf554 chore(package): update istanbul to version 0.3.22
- 4f1c636 1.4.2
- d4dbc41 chore(CI): add coveralls
- 2804b0e chore(dependencies): update dependencies
- 1f3bd5f Merge pull request #134 from zaygraveyard/fix-typo-in-tests
- 82abf51 Fix a typo in the sourcemap test
- 44cc797 chore(changelog): changelog was not commited
- d82f8d4 1.4.1
- 557b4d2 fix(minifier): detect non-object options argument
- f8412fd chore(travis-ci): test on Node 4.x
- 23639f3 1.4.0
See the full diffWith a Snyk patch:
Why? Has a fix available, CVSS 5.3
npm:ws:20160920
(*) Note that the real score may have changed since the PR was raised.
Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution 🦉 Regular Expression Denial of Service (ReDoS) 🦉 Insecure Randomness