Bump lodash, browser-sync and gulp-watch

[dependabot]

Bumps lodash to 4.17.21 and updates ancestor dependencies lodash, browser-sync and gulp-watch. These dependencies need to be updated together.

Updates lodash from 4.17.5 to 4.17.21

Commits

• f299b52 Bump to v4.17.21
• c4847eb Improve performance of toNumber, trim and trimEnd on large input strings
• 3469357 Prevent command injection through _.template's variable option
• ded9bc6 Bump to v4.17.20.
• 63150ef Documentation fixes.
• 00f0f62 test.js: Remove trailing comma.
• 846e434 Temporarily use a custom fork of lodash-cli.
• 5d046f3 Re-enable Travis tests on 4.17 branch.
• aa816b3 Remove /npm-package.
• d7fbc52 Bump to v4.17.19
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by bnjmnt4n, a new releaser for lodash since your current version.

Updates browser-sync from 1.9.2 to 2.27.10

Release notes

Sourced from browser-sync's releases.

2.27.9

What's Changed

• fix(cli): Where's the command help? fixes #1929 by @​shakyShane in BrowserSync/browser-sync#1945

A bug prevented the help output from displaying - it was introduced when the CLI parser yargs was updated, and is now fixed :)

Full Changelog: BrowserSync/browser-sync@v2.27.8...v2.27.9

2.27.8

This release upgrades Socket.io (client+server) to the latest versions - solving the following issues, and silencing security warning :)

PR:

• BrowserSync/browser-sync@58ab4ab

Resolved Issues:

• BrowserSync/browser-sync#1850
• BrowserSync/browser-sync#1892
• BrowserSync/browser-sync#1925
• BrowserSync/browser-sync#1926
• BrowserSync/browser-sync#1933

Thanks to @​lachieh for the original PR, which helped me land this fix

added snippet: boolean option

This release adds a feature to address BrowserSync/browser-sync#1882

Sometimes you don't want Browsersync to auto-inject it's connection snippet into your HTML - now you can disable it globally via either a CLI param or the new snippet option :)

browser-sync . --no-snippet

or in any Browsersync configuration

const config = {
  snippet: false,
};

the original request was related to Eleventy usage, so here's how that would look

eleventyConfig.setBrowserSyncConfig({
  snippet: false,
});

... (truncated)

Changelog

Sourced from browser-sync's changelog.

2.23.1 (2018-01-01)

2.8.2 (2015-07-31)

Bug Fixes

• https: add newly generated ssl self-signed certs that will expire for 10 years - fixes (45104a7), closes #750

2.8.1 (2015-07-28)

Bug Fixes

• web-sockets: Use separate server for web sockets in proxy mode - fixes #625 (40017b4), closes #625

Features

• serve-static: Added option serveStatic to allow proxy/snippet mode to easily serve local fil (384ef67)

2.7.13 (2015-06-28)

Bug Fixes

• snippet: Allow async attribute to be removed from snippet with snippetOptions.async = fal (c32bec6), closes #670
• socket-options: allow socket.domain string|fn for setting domain only on socket path - fixes #69 (5157432), closes #690

Features

• api: expose sockets to public api (985682c)

2.7.12 (2015-06-17)

Bug Fixes

• client-script: allow proxy to also use client script middleware (c5fdbbf)
• client-script: serve cached/gzipped client JS file - fixes #657 (dbe9ffe), closes #657

... (truncated)

Commits

• See full diff in compare view

Updates gulp-watch from 0.7.1 to 5.0.1

Release notes

Sourced from gulp-watch's releases.

v5.0.0

Major:

Dependency updates:

• vinyl was updated to ^2.1.0 (02bd06da07b9e341c96d6007c15d33c398b813ff)
• chokidar was updated to v2.0.0 (9208d48f9fcfc968c5d7aca08f9606b735bb9b16)

v4.3.11

Added support for Node v7.

v4.1.1

Base property of files, that matched non-glob patterns is now set to path.dirname(glob). More info in #135.

v4.1.0

Initial adds is now disabled by default. You can enable them with ignoreInitial: true option.

v4.0.0

In short:

• Migration from gaze to chokidar - this will improve stability and responsiveness of gulp-watch
• Events on directory creation is now filtered out
• By default all files (that matched globs) will be emitted on first run with add event
• close() is now not necessary (if you don't use persistent option)
• Event names changed (added -> add, modified -> change and deleted -> unlink)
• All logging now hidden in verbose option
• Lots of issues should be fixed

v3.0.0

gulp-batch was removed, so callback is changed. Now it passes just vinyl object to you. Also callback now not catching errors inside and reemits them to stream.

v2.0.0

Before 2.0.0 version there was a bug in gulp-batch - it does not prevent tasks to execute in same time. In 2.0.0 version of gulp-batch was bumped.

This can cause your watch tasks to hang, if you do not calling done in callback or returning Stream/Promise from it.

v1.0.0

• watch is not emmiting files at start - read «Starting tasks on events» and «Incremental build» for workarounds.
• watch is now pass through stream - which means that streaming files into watch will not add them to gaze. It is very hard to maintain, because watch is not aware about glob, from which this files come from and can not re-create vinyl object properly without maintaining cache of the base properties of incoming files (yuck).
• array of tasks is not accepted as callback - this was not working anyway, but rationale behind it - requiring gulp and calling internal method start is bad. This feature will become more clear, when gulp 4.0.0 will be released with new task system. Read «Starting tasks on events» for right way to do it.

Commits

• 80cd83e 5.0.1
• 6fe8912 Replace deprecated gulp-util (#303)
• 959128a 5.0.0
• 9208d48 Bump chokidar to ^2.0.0
• 02bd06d Update to newest vinyl for gulp 4 support (#296)
• 4ced696 Add Node.js 9 and increase timeout to 5 secs
• aa8146f Remove unsupported versions of Node.js
• 608c7aa 4.3.11
• 410dbab Bump dem deps 🐎
• bd4d31e Fix Windows Node v7 support
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.