[Snyk] Fix for 5 vulnerabilities

[Woodpile37]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-2863123	No	No Known Exploit
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Improper Privilege Management SNYK-JS-SHELLJS-2332187	No	Proof of Concept
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: solidity-coverage

The new version differs by 75 commits.

• 784216d 0.6.0
• 9732b55 Merge pull request Bump mixin-deep from 1.3.1 to 1.3.2 ensdomains/ens#341 from sc-forks/maint/misc-pre-6
• f3462cf Readme edits, file & deps cleanup
• a3a4a97 Merge pull request Bump js-yaml from 3.12.0 to 3.13.1 ensdomains/ens#340 from sc-forks/ci/add-nightly-cron
• 319ada0 Add nightly e2e cron
• a6e6461 Merge pull request reverse resolver info on website is wrong ensdomains/ens#339 from sc-forks/test/assembly-if
• 547d690 Add assembly if regression test
• de73865 Add assembly if regression test source
• 3086047 Merge pull request Register Domains ensdomains/ens#337 from sc-forks/upgrade/testrpc-sc
• 58ffad8 Unpin truffle, add Metacoin e2e
• d05e5a2 Get zeppelin passing...
• e4d39a7 Use testrpc-sc in e2e (Zeppelin)
• 8709436 Upgrade testrpc-sc to 6.4.5, pin truffle
• b54b8ed Merge pull request Adding interface to reverse registrar ensdomains/ens#336 from sc-forks/misc/prerelease
• c0086dc Fix circle
• 31a8822 Use shelljs fork (to hide from insane sec bots)
• e914453 Remove eslint (unused / triggers gh sec warning)
• 83da3a2 Remove zeppelin unit tests (superceded by full e2e in CI)
• 6bd12e3 Let truffle pick compiler in default config
• 2bd5212 README updates for 0.6.0
• f671b72 Merge pull request ens X ethpm = <3 ensdomains/ens#335 from sc-forks/test/else-if
• aa77b3d Add angus-hamill to contributors list
• 2f6a73d Add multi else-if instrumentation test
• 8ccdd64 Add multi else-if source

See the full diff

Package name: truffle

The new version differs by 250 commits.

• 94dda0c Publish
• 2c68fb1 Merge pull request #5730 from trufflesuite/subCMDHelp
• 28f3d26 fix TypeError: Cannot read properties of undefined (reading 'subCommand')
• ee9165c Merge pull request #5727 from trufflesuite/thanksify
• 281c938 Update Sourcify networks
• 3950dca Merge pull request #5717 from trufflesuite/revert-5359-db-jest-resolver
• f17aa05 Revert "Internal improvements: Custom jest resolver for db"
• b9087b5 Merge pull request #5713 from trufflesuite/dependabot/npm_and_yarn/loader-utils-1.4.2
• 4095a68 Bump loader-utils from 1.4.1 to 1.4.2
• 31cc6eb dashboard: Decode requests (#5621)
• eb8a3a6 Merge pull request #5709 from trufflesuite/bump-mocha
• 6af18fa Merge pull request #5707 from trufflesuite/dependabot/npm_and_yarn/loader-utils-1.4.2
• cee41e5 Merge pull request #5710 from trufflesuite/sweep-up
• 8db49f7 Publish
• 76acaa0 Merge pull request #5708 from trufflesuite/picky-dash-event-handlers
• 9ab12a8 get rid of unnecessary gitHead property from package.jsons
• b186513 bump mocha to 10.1.0
• 58f42bd events: Early return dashboard event handlers if network isn't dashboard
• 81dd430 Bump loader-utils from 1.4.1 to 1.4.2
• f3d1c7a Merge pull request #5700 from trufflesuite/trim-it
• 4e8df7b Merge pull request #5646 from trufflesuite/add-compilations-simple
• 360fc65 Add test that overlapping id array has correct length
• d7715e8 Return all overlapping IDs in error
• b756ba2 Factor out repeat compilation check and put it in encoder

See the full diff

Package name: web3-utils

The new version differs by 62 commits.

• 8bfba23 v1.3.6
• 4fee853 Update geth-dev-assistant
• 69155de 1.3.6-rc.2 Fixes (#4065)
• 444bce7 Remove dtslint from ci scripts (#4064)
• 360b96a Fixing 1.3.6-rc.2 related issues (#4063)
• 7584ed7 Add web3-core-helpers as dev dependency
• 2823033 Add web3-core-helpers as dev dependency
• bd4509f 1.3.6-rc.2 fixes (#4062)
• 2d3c54a 1.3.6-rc.2 (#4059)
• b0822cd v1.3.6-rc.1
• 0b243e4 Built lib for 1.3.6-rc.1
• 5894e9e npm i
• 131fb16 Merge conflicts
• 73ef7e2 v1.3.6-rc.0
• e758f4b Built lib for 1.3.6-rc.0
• cddf991 Update CHANGELOG and ran npm i
• fdbda49 Bump underscore (#4051)
• 5d02719 Release/1.3.5 (#3974)
• 888d107 Feature/web3 eth iban es6 (#3964) (#3965)
• dc148e7 Clarify commitment to semantic versioning (#3961) (#3962)
• 88f59fe Debugging failing tests (#3959) (#3960)
• 8b2291b Rename tsc to compile (#3957) (#3958)
• bb259d9 add nvmrc file (#3817)
• 20bf22d Bump elliptic from 6.5.3 to 6.5.4 in /packages/web3-core-requestmanager (#3945)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Improper Privilege Management
🦉 More lessons are available in Snyk Learn

[changeset-bot]

⚠️ No Changeset found

Latest commit: d39a077

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR