[Snyk] Fix for 104 vulnerabilities

[Omrisnyk]

Snyk has created this PR to fix 104 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• package.json
• package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	****
	Improper Input Validation SNYK-JS-URIJS-1055003	****
	Improper Input Validation SNYK-JS-URIJS-1078286	****
	Open Redirect SNYK-JS-URIJS-1319803	****
	Prototype Pollution SNYK-JS-URIJS-1319806	****
	Open Redirect SNYK-JS-URIJS-2401466	****
	Improper Input Validation SNYK-JS-URIJS-2415026	****
	Open Redirect SNYK-JS-URIJS-2419067	****
	Misinterpretation of Input SNYK-JS-URIJS-2440699	****
	Cross-site Scripting (XSS) SNYK-JS-URIJS-2441239	****
	Improper Input Validation SNYK-JS-URLPARSE-1078283	****
	Open Redirect SNYK-JS-URLPARSE-1533425	****
	Access Restriction Bypass SNYK-JS-URLPARSE-2401205	****
	Authorization Bypass SNYK-JS-URLPARSE-2407759	****
	Improper Input Validation SNYK-JS-URLPARSE-2407770	****
	Authorization Bypass Through User-Controlled Key SNYK-JS-URLPARSE-2412697	****
	Improper Input Validation SNYK-JS-URLPARSE-543307	****
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WEBSOCKETEXTENSIONS-570623	****
	Prototype Pollution SNYK-JS-Y18N-1021887	****
	Prototype Pollution SNYK-JS-YARGSPARSER-560381	****
	Code Injection SNYK-JS-LODASH-1040724	239
	Code Injection SNYK-JS-LODASHES-2434284	239
	Arbitrary File Overwrite SNYK-JS-TAR-174125	238
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577916	224
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577917	224
	Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-7577918	224
	Cryptographic Issues SNYK-JS-ELLIPTIC-571484	221
	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	221
	Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767	219
	Open Redirect npm:url-parse:20180731	219
	Arbitrary Code Execution SNYK-JS-HANDLEBARS-534478	214
	Prototype Pollution SNYK-JS-LODASH-567746	189
	Prototype Pollution SNYK-JS-LODASHES-2434283	189
	Prototype Pollution SNYK-JS-HANDLEBARS-534988	188
	Arbitrary Command Injection npm:macaddress:20180511	186
	Prototype Pollution SNYK-JS-JSON5-3182856	179
	Prototype Pollution SNYK-JS-LODASH-6139239	170
	Uncontrolled resource consumption SNYK-JS-BRACES-6838727	169
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ES5EXT-6095076	169
	Arbitrary Code Execution SNYK-JS-JSYAML-174129	166
	Prototype Pollution SNYK-JS-AJV-584908	165
	Prototype Poisoning SNYK-JS-QS-3153490	162
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	159
	Prototype Pollution SNYK-JS-ASYNC-2441827	159
	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	159
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	159
	Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-1023599	159
	Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-610226	159
	Prototype Pollution SNYK-JS-SETVALUE-1540541	158
	Prototype Pollution SNYK-JS-LODASH-450202	152
	Prototype Pollution SNYK-JS-LODASHES-2434290	152
	Prototype Pollution SNYK-JS-INI-1048974	151
	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	150
	Prototype Pollution SNYK-JS-LODASH-608086	150
	Prototype Pollution SNYK-JS-LODASHES-2434285	150
	Prototype Pollution SNYK-JS-MIXINDEEP-450212	150
	Prototype Pollution SNYK-JS-SETVALUE-450213	150
	Prototype Pollution SNYK-JS-LODASH-73638	149
	Prototype Pollution SNYK-JS-LODASHES-2434287	149
	Prototype Pollution SNYK-JS-NODEFORGE-598677	149
	Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-1072471	146
	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-TAR-6476909	142
	Prototype Pollution SNYK-JS-HANDLEBARS-1279029	141
	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	141
	Prototype Pollution SNYK-JS-DOTPROP-543489	140
	Prototype Pollution SNYK-JS-MINIMIST-559764	137
	Prototype Pollution SNYK-JS-HANDLEBARS-567742	134
	Denial of Service (DoS) SNYK-JS-HTTPPROXY-569139	134
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	133
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASHES-2434286	133
	Improper Verification of Cryptographic Signature SNYK-JS-BROWSERIFYSIGN-6037026	124
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	124
	Arbitrary Code Execution SNYK-JS-REACTDEVUTILS-72875	121
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ACORN-559469	115
	Prototype Pollution SNYK-JS-LOADERUTILS-3043105	115
	Denial of Service (DoS) SNYK-JS-HANDLEBARS-480388	114
	Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	112
	Prototype Pollution SNYK-JS-HANDLEBARS-173692	108
	Prototype Pollution SNYK-JS-HANDLEBARS-174183	108
	Prototype Pollution SNYK-JS-HANDLEBARS-469063	108
	Information Exposure SNYK-JS-NODEFETCH-2342118	104
	Denial of Service (DoS) SNYK-JS-JSYAML-173999	102
	Denial of Service SNYK-JS-NODEFETCH-674311	101
	Arbitrary File Write SNYK-JS-TAR-1579147	97
	Arbitrary File Write SNYK-JS-TAR-1579152	97
	Arbitrary File Write SNYK-JS-TAR-1579155	97
	Command Injection SNYK-JS-NODENOTIFIER-1035794	95
	Arbitrary File Overwrite SNYK-JS-TAR-1536528	95
	Arbitrary File Overwrite SNYK-JS-TAR-1536531	95
	Timing Attack SNYK-JS-ELLIPTIC-511941	75
	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	63
	Regular Expression Denial of Service (ReDoS) SNYK-JS-HOSTEDGITINFO-1088355	63
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	63
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASHES-2434289	63
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	63
	Prototype Pollution SNYK-JS-MINIMIST-2429795	59
	Validation Bypass SNYK-JS-KINDOF-537849	57
	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	46
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	45
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	45
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	45
	Time of Check Time of Use (TOCTOU) npm:chownr:20180731	41
	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	40
	Arbitrary File Read SNYK-JS-MACADDRESS-567156	34

Release notes

Package name: react

• 16.5.0 - 2018-09-06
  

  16.5.0 (September 5, 2018)

  React

  • Add a warning if React.forwardRef render function doesn't take exactly two arguments (@ bvaughn in #13168)
  • Improve the error message when passing an element to createElement by mistake (@ DCtheTall in #13131)
  • Don't call profiler onRender until after mutations (@ bvaughn in #13572)

  React DOM

  • Add support for React DevTools Profiler (@ bvaughn in #13058)
  • Add react-dom/profiling entry point alias for profiling in production (@ bvaughn in #13570)
  • Add onAuxClick event for browsers that support it (@ jquense in #11571)
  • Add movementX and movementY fields to mouse events (@ jasonwilliams in #9018)
  • Add tangentialPressure and twist fields to pointer events (@ motiz88 in #13374)
  • Minimally support iframes (nested browsing contexts) in selection event handling (@ acusti in #12037)
  • Support passing booleans to the focusable SVG attribute (@ gaearon in #13339)
  • Ignore <noscript> on the client when when hydrating (@ Ephem in #13537)
  • Fix gridArea to be treated as a unitless CSS property (@ mgol in #13550)
  • Fix incorrect data in compositionend event when typing Korean on IE11 (@ crux153 in #12563)
  • Fix a crash when using dynamic children in the <option> tag (@ Slowyn in #13261, @ gaearon in #13465)
  • Fix the checked attribute not getting initially set on the input (@ dilidili in #13114)
  • Fix hydration of dangerouslySetInnerHTML when __html is not a string (@ gaearon in #13353)
  • Fix a warning about missing controlled onChange to fire on falsy values too (@ nicolevy in #12628)
  • Fix submit and reset buttons getting an empty label (@ ellsclytn in #12780)
  • Fix the onSelect event not being triggered after drag and drop (@ gaearon in #13422)
  • Fix the onClick event not working inside a portal on iOS (@ aweary in #11927)
  • Fix a performance issue when thousands of roots are re-rendered (@ gaearon in #13335)
  • Fix a performance regression that also caused onChange to not fire in some cases (@ gaearon in #13423)
  • Handle errors in more edge cases gracefully (@ gaearon in #13237 and @ acdlite in #13269)
  • Don't use proxies for synthetic events in development (@ gaearon in #12171)
  • Warn when "false" or "true" is the value of a boolean DOM prop (@ motiz88 in #13372)
  • Warn when this.state is initialized to props (@ veekas in #11658)
  • Don't compare style on hydration in IE due to noisy false positives (@ mgol in #13534)
  • Include StrictMode in the component stack (@ gaearon in #13240)
  • Don't overwrite window.event in IE (@ ConradIrwin in #11696)
  • Improve component stack for the folder/index.js naming convention (@ gaearon in #12059)
  • Improve a warning when using getDerivedStateFromProps without initialized state (@ flxwu in #13317)
  • Improve a warning about invalid textarea usage (@ raunofreiberg in #13361)
  • Treat invalid Symbol and function values more consistently (@ raunofreiberg in #13362 and #13389)
  • Allow Electron <webview> tag without warnings (@ philipp-spiess in #13301)
  • Don't show the uncaught error addendum if e.preventDefault() was called (@ gaearon in #13384)
  • Warn about rendering Generators (@ gaearon in #13312)
  • Remove irrelevant suggestion of a legacy method from a warning (@ zx6658 in #13169)
  • Remove unstable_deferredUpdates in favor of unstable_scheduleWork from schedule (@ gaearon in #13488)
  • Fix unstable asynchronous mode from doing unnecessary work when an update takes too long (@ acdlite in #13503)

  React DOM Server

  • Fix crash with nullish children when using dangerouslySetInnerHtml in a selected <option> (@ mridgway in #13078)
  • Fix crash when setTimeout is missing (@ dustinsoftware in #13088)

  React Test Renderer and Test Utils

  • Fix this in a functional component for shallow renderer to be undefined (@ koba04 in #13144)
  • Deprecate a Jest-specific ReactTestUtils.mockComponent() helper (@ bvaughn in #13193)
  • Warn about ReactDOM.createPortal usage within the test renderer (@ bvaughn in #12895)
  • Improve a confusing error message (@ gaearon in #13351)

  React ART

  • Add support for DevTools (@ yunchancho in #13173)

  Schedule (Experimental)

  • New package for cooperatively scheduling work in a browser environment. It's used by React internally, but its public API is not finalized yet. (@ flarnie in #12624)
• 16.4.2 - 2018-08-01
  

  16.4.2 (August 1, 2018)

  React DOM Server

  • Fix a potential XSS vulnerability when the attacker controls an attribute name (CVE-2018-6341). This fix is available in the latest [email protected], as well as in previous affected minor versions: [email protected], [email protected], [email protected], and [email protected]. (@ gaearon in #13302)

  • Fix a crash in the server renderer when an attribute is called hasOwnProperty. This fix is only available in [email protected]. (@ gaearon in #13303)

• 16.4.1 - 2018-06-13
  

  16.4.1 (June 13, 2018)

  React

  • You can now assign propTypes to components returned by React.ForwardRef. (@ bvaughn in #12911)

  React DOM

  • Fix a crash when the input type changes from some other types to text. (@ spirosikmd in #12135)
  • Fix a crash in IE11 when restoring focus to an SVG element. (@ ThaddeusJiang in #12996)
  • Fix a range input not updating in some cases. (@ Illu in #12939)
  • Fix input validation triggering unnecessarily in Firefox. (@ nhunzaker in #12925)
  • Fix an incorrect event.target value for the onChange event in IE9. (@ nhunzaker in #12976)
  • Fix a false positive error when returning an empty <React.Fragment /> from a component. (@ philipp-spiess in #12966)

  React DOM Server

  • Fix an incorrect value being provided by new context API. (@ ericsoderberghp in #12985, @ gaearon in #13019)

  React Test Renderer

  • Allow multiple root children in test renderer traversal API. (@ gaearon in #13017)
  • Fix getDerivedStateFromProps() in the shallow renderer to not discard the pending state. (@ fatfisz in #13030)
• 16.4.0 - 2018-05-24
  

  React

  • Add a new experimental React.unstable_Profiler component for measuring performance. (@ bvaughn in #12745)

  React DOM

  • Add support for the Pointer Events specification. (@ philipp-spiess in #12507)
  • Properly call getDerivedStateFromProps() regardless of the reason for re-rendering. (@ acdlite in #12600 and #12802)
  • Fix a bug that prevented context propagation in some cases. (@ gaearon in #12708)
  • Fix re-rendering of components using forwardRef() on a deeper setState(). (@ gaearon in #12690)
  • Fix some attributes incorrectly getting removed from custom element nodes. (@ airamrguez in #12702)
  • Fix context providers to not bail out on children if there's a legacy context provider above. (@ gaearon in #12586)
  • Add the ability to specify propTypes on a context provider component. (@ nicolevy in #12658)
  • Fix a false positive warning when using react-lifecycles-compat in <StrictMode>. (@ bvaughn in #12644)
  • Warn when the forwardRef() render function has propTypes or defaultProps. (@ bvaughn in #12644)
  • Improve how forwardRef() and context consumers are displayed in the component stack. (@ sophiebits in #12777)
  • Change internal event names. This can break third-party packages that rely on React internals in unsupported ways. (@ philipp-spiess in #12629)

  React Test Renderer

  • Fix the getDerivedStateFromProps() support to match the new React DOM behavior. (@ koba04 in #12676)
  • Fix a testInstance.parent crash when the parent is a fragment or another special node. (@ gaearon in #12813)
  • forwardRef() components are now discoverable by the test renderer traversal methods. (@ gaearon in #12725)
  • Shallow renderer now ignores setState() updaters that return null or undefined. (@ koba04 in #12756)

  React ART

  • Fix reading context provided from the tree managed by React DOM. (@ acdlite in #12779)

  React Call Return (Experimental)

  • This experiment was deleted because it was affecting the bundle size and the API wasn't good enough. It's likely to come back in the future in some other form. (@ gaearon in #12820)

  React Reconciler (Experimental)

  • The new host config shape is flat and doesn't use nested objects. (@ gaearon in #12792)
• 16.4.0-alpha.0911da3 - 2018-02-27
• 16.4.0-alpha.7926752 - 2018-02-13
• 16.4.0-alpha.3174632 - 2018-02-24
• 16.3.2 - 2018-04-16
  

  16.3.2 (April 16, 2018)

  React

  • Improve the error message when passing null or undefined to React.cloneElement. (@ nicolevy in #12534)

  React DOM

  • Fix an IE crash in development when using <StrictMode>. (@ bvaughn in #12546)
  • Fix labels in User Timing measurements for new component types. (@ bvaughn in #12609)
  • Improve the warning about wrong component type casing. (@ nicolevy in #12533)
  • Improve general performance in development mode. (@ gaearon in #12537)
  • Improve performance of the experimental unstable_observedBits API with nesting. (@ gaearon in #12543)

  React Test Renderer

  • Add a UMD build. (@ bvaughn in #12594)

from react GitHub release notes

Package name: react-redux

• 6.0.0 - 2018-12-05
  

  🎉 This is our first big release supporting the new Context API added in React 16.4!

  As such, we now require React 16.4 or higher. Make sure to update your version when updating to this release.

  This work has been mostly lead by @ cellog and @ markerikson, with special guest appearances by yours truly and a whole cast of helpful reviewers.

  Note: If you'd like to know more about the changes in v6, and how the implementation has changed over time, see Mark's post Idiomatic Redux: The History and Implementation of React-Redux.

  Breaking Changes

  • The withRef option to connect has been replaced with forwardRef. If {forwardRef : true} has been passed to connect, adding a ref to the connected wrapper component will actually return the instance of the wrapped component.

  • Passing store as a prop to a connected component is no longer supported. Instead, you may pass a custom context={MyContext} prop to both <Provider> and <ConnectedComponent>. You may also pass {context : MyContext} as an option to connect.

  Behavior Changes

  Any library that attempts to access the store instance out of legacy context will break, because we now put the store state into a <Context.Provider> instead. Examples of this include connected-react-router and react-redux-subspace. (The current implementation does also put the store itself into that same context. While accessing the store in context is not part of our public API, we will still try to make it possible for other libraries to access it, with the understanding that this could break at any time.)

  Also, there is a behavior change around dispatching actions in constructors / componentWillMount. Previously, dispatching in a parent component's constructor would cause its children to immediately use the updated state as they mounted, because each component read from the store individually. In version 6, all components read the same current store state value from context, which means the tree will be consistent and not have "tearing". This is an improvement overall, but there may be applications that relied on the existing behavior.

  Changes

  • Use React.createContext() (#1000 by @ cellog)
  • Use Prettier (#1071 by @ NMinhNguyen)
  • Only run isValidElementType in development builds (#1069 by @ alexreardon)
  • Treat null as a valid plain object prototype in isPlainObject() (#1075 by @ rgrove)
  • Ensure connectAdvanced only re-renders if derived props change (#1079 by @ epeli and @ markerikson)
• 6.0.0-beta.3 - 2018-11-23
  

  Changes

  • Treat null as a valid plain object prototype in isPlainObject() (#1075 by @ rgrove)
  • Ensure connectAdvanced only re-renders if derived props change (#1079 by @ epeli and @ markerikson)

[Omrisnyk]

🎉 Snyk hasn't found any issues so far.

✅ code/snyk check is completed. No issues were found. (View Details)