[Snyk] Upgrade: body-parser, express, passport, passport-jwt, validator

[Marsko94]

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

body-parser
from 1.19.0 to 1.20.2 | 5 versions ahead of your current version | 2 years ago
on 2023-02-22
express
from 4.17.1 to 4.19.2 | 9 versions ahead of your current version | 5 months ago
on 2024-03-25
passport
from 0.4.1 to 0.7.0 | 6 versions ahead of your current version | 9 months ago
on 2023-11-27
passport-jwt
from 4.0.0 to 4.0.1 | 1 version ahead of your current version | 2 years ago
on 2022-12-24
validator
from 13.0.0 to 13.12.0 | 11 versions ahead of your current version | 4 months ago
on 2024-05-09

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Prototype Poisoning SNYK-JS-QS-3153490	519	Proof of Concept
	Open Redirect SNYK-JS-EXPRESS-6474509	519	No Known Exploit
	Session Fixation SNYK-JS-PASSPORT-2840631	519	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	519	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	519	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	519	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	519	Proof of Concept

Release notes

Package name: body-parser

• 1.20.2 - 2023-02-22
  
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
    • perf: skip value escaping when unnecessary
  • deps: [email protected]
• 1.20.1 - 2022-10-06
  
  • deps: [email protected]
  • perf: remove unnecessary object clone
• 1.20.0 - 2022-04-03
  
  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: [email protected]
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
    • deps: [email protected]
• 1.19.2 - 2022-02-16
  
  • deps: [email protected]
  • deps: [email protected]
    • Fix handling of __proto__ keys
  • deps: [email protected]
    • deps: [email protected]
• 1.19.1 - 2021-12-10
  
  • deps: [email protected]
  • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
  • deps: [email protected]
  • deps: type-is@~1.6.18
• 1.19.0 - 2019-04-26
  
  • deps: [email protected]
    • Add petabyte (pb) support
  • deps: [email protected]
    • Set constructor name when possible
    • deps: [email protected]
    • deps: statuses@'>= 1.5.0 < 2'
  • deps: [email protected]
    • Added encoding MIK
  • deps: [email protected]
    • Fix parsing array brackets after index
  • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
  • deps: type-is@~1.6.17
    • deps: mime-types@~2.1.24
    • perf: prevent internal throw on invalid type

from body-parser GitHub release notes

Package name: express

• 4.19.2 - 2024-03-25
• 4.19.1 - 2024-03-20
  

  What's Changed

  • Fix ci after location patch by @ wesleytodd in #5552
  • fixed un-edited version in history.md for 4.19.0 by @ wesleytodd in #5556

  Full Changelog: 4.19.0...4.19.1

• 4.19.0 - 2024-03-20
  

  What's Changed

  • fix typo in release date by @ UlisesGascon in #5527
  • docs: nominating @ wesleytodd to be project captian by @ wesleytodd in #5511
  • docs: loosen TC activity rules by @ wesleytodd in #5510
  • Add note on how to update docs for new release by @ crandmck in #5541
  • Prevent open redirect allow list bypass due to encodeurl
  • Release 4.19.0 by @ wesleytodd in #5551

  New Contributors

  • @ crandmck made their first contribution in #5541

  Full Changelog: 4.18.3...4.19.0

• 4.18.3 - 2024-02-29
  

  Main Changes

  • Fix routing requests without method
  • deps: [email protected]
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: [email protected]

  Other Changes

  • Use https: protocol instead of deprecated git: protocol by @ vcsjones in #5032
  • build: [email protected] and [email protected] by @ abenhamdine in #5034
  • ci: update actions/checkout to v3 by @ armujahid in #5027
  • test: remove unused function arguments in params by @ raksbisht in #5124
  • Remove unused originalIndex from acceptParams by @ raksbisht in #5119
  • Fixed typos by @ raksbisht in #5117
  • examples: remove unused params by @ raksbisht in #5113
  • fix: parameter str is not described in JSDoc by @ raksbisht in #5130
  • fix: typos in History.md by @ raksbisht in #5131
  • build : add [email protected] by @ abenhamdine in #5028
  • test: remove unused function arguments in params by @ raksbisht in #5137
  • use random port in test so it won't fail on already listening by @ rluvaton in #5162
  • tests: use cb() instead of done() by @ kristof-low in #5233
  • examples: remove multipart example by @ riddlew in #5195
  • Update support Node.js@18 in the CI by @ UlisesGascon in #5490
  • Fix favicon-related bug in cookie-sessions example by @ DmytroKondrashov in #5414
  • Release 4.18.3 by @ UlisesGascon in #5505

  New Contributors

  • @ vcsjones made their first contribution in #5032
  • @ abenhamdine made their first contribution in #5034
  • @ armujahid made their first contribution in #5027
  • @ raksbisht made their first contribution in #5124
  • @ rluvaton made their first contribution in #5162
  • @ kristof-low made their first contribution in #5233
  • @ riddlew made their first contribution in #5195
  • @ DmytroKondrashov made their first contribution in #5414

  Full Changelog: 4.18.2...4.18.3

• 4.18.2 - 2022-10-08
  
  • Fix regression routing a large stack in a single route
  • deps: [email protected]
    • deps: [email protected]
    • perf: remove unnecessary object clone
  • deps: [email protected]
• 4.18.1 - 2022-04-29
  
  • Fix hanging on large stack of sync routes
• 4.18.0 - 2022-04-25
  
  • Add "root" option to res.download
  • Allow options without filename in res.download
  • Deprecate string and non-integer arguments to res.status
  • Fix behavior of null/undefined as maxAge in res.cookie
  • Fix handling very large stacks of sync middleware
  • Ignore Object.prototype values in settings through app.set/app.get
  • Invoke default with same arguments as types in res.format
  • Support proper 205 responses using res.send
  • Use http-errors for res.format error
  • deps: [email protected]
    • Fix error message for json parse whitespace in strict
    • Fix internal error when inflated body exceeds limit
    • Prevent loss of async hooks context
    • Prevent hanging when request already read
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
  • deps: [email protected]
    • Add priority option
    • Fix expires option to reject invalid dates
  • deps: [email protected]
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: [email protected]
    • Remove set content headers that break response
    • deps: [email protected]
    • deps: [email protected]
  • deps: [email protected]
    • Prevent loss of async hooks context
  • deps: [email protected]
  • deps: [email protected]
    • Fix emitted 416 error missing headers property
    • Limit the headers removed for 304 response
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
  • deps: [email protected]
    • deps: [email protected]
  • deps: [email protected]
    • Remove code 306
    • Rename 425 Unordered Collection to standard 425 Too Early
• 4.17.3 - 2022-02-17
  
  • deps: accepts@~1.3.8
    • deps: mime-types@~2.1.34
    • deps: [email protected]
  • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
    • Fix handling of __proto__ keys
  • pref: remove unnecessary regexp for trust proxy
• 4.17.2 - 2021-12-17
  
  • Fix handling of undefined in res.jsonp
  • Fix handling of undefined when "json escape" is enabled
  • Fix incorrect middleware execution with unanchored RegExps
  • Fix res.jsonp(obj, status) deprecation message
  • Fix typo in res.is JSDoc
  • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • deps: type-is@~1.6.18
  • deps: [email protected]
    • deps: [email protected]
  • deps: [email protected]
    • Fix maxAge option to reject invalid values
  • deps: proxy-addr@~2.0.7
    • Use req.socket over deprecated req.connection
    • deps: [email protected]
    • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • pref: ignore empty http tokens
  • deps: [email protected]
    • deps: [email protected]
  • deps: [email protected]
• 4.17.1 - 2019-05-26

from express GitHub release notes

Package name: passport

• 0.7.0 - 2023-11-27
  

  0.7.0

• 0.6.0 - 2022-05-20
  

  0.6.0

• 0.5.3 - 2022-05-16
  

  0.5.3

• 0.5.2 - 2021-12-16
  

  0.5.2

• 0.5.1 - 2021-12-15
  

  0.5.1

• 0.5.0 - 2021-09-23
  

  0.5.0

• 0.4.1 - 2019-12-09
  

  0.4.1

from passport GitHub release notes

Package name: passport-jwt

• 4.0.1 - 2022-12-24
  
  • Updates jsonwebtoken dependency to ^9.0.0 to address high severity
    vulnerability CVE-2022-3517
  • Updates a number of other dependencies
  • Fixes a number of typos

  [Developer facing]

  • Updates CI to use github actions
• 4.0.0 - 2018-03-13
  

  Fixes #147 - Vulnerability due to dependency on jsonwebtoken 7.x.x

from passport-jwt GitHub release notes

Package name: validator

• 13.12.0 - 2024-05-09
  

  What's Changed

  New Features / Validators

  • #2143 isAbaRouting @ songyuew

  Fixes, New Locales and Enhancements

  • #2207 isLicensePlate add Pakistani en-PK locale @ anasshakil
  • #2208 isPort fix invalid leading zeros @ anasshakil
  • #2224 isTaxID added Argentina es-AR locale @ estefrare
  • #2257 isDate timezone offset fix @ tomaspanek
  • #2265 isPassportNumber added ZA locale @ GMorris-professional
  • isMobilePhone:
    • #2267 added en-MW locale @ SimranSiddiqui
    • #2140 fix am-AM locale @ AlexKrupko
  • #2271 isPostalAddress fix NL locale @ RobinvanderVliet
  • #2273 isISO4217 add SLE currency @ urg
  • #2278 isStrongPassword fix symbolRegex to include \ @ nandavikas
  • #2279 isVAT fixed KZ locale @ MatthieuLemoine
  • #2285 isAlpha, isAlphanumeric added eo locale @ RobinvanderVliet
  • #2320 isIBAN add Algeria DZ locale @ thibault-lr
  • #2343 isVATimprove AU locale @ matthewberryman
  • #2345 isUUID add support for v7 @ ruscon
  • #2358 isTaxID add Ukraine uk-UA locale @ arttiger
  • #2381 isDate disallow hiphen before year @ Sumit-tech-joshi
  • Doc fixes and others:
    • #2276 @ meyfa
    • #2341 @ WikiRik
    • #2364 @ rubiin
    • #2368 @ ZhulinskiiDanil
    • #2371 @ devmanbud
    • #2386 @ alinaghale88

  New Contributors

  • @ tomaspanek made their first contribution in #2257
  • @ estefrare made their first contribution in #2224
  • @ GMorris-professional made their first contribution in #2265
  • @ SimranSiddiqui made their first contribution in #2267
  • @ ZhulinskiiDanil made their first contribution in #2368
  • @ devmanbud made their first contribution in #2371
  • @ ruscon made their first contribution in #2345
  • @ amaliacatalina made their first contribution in #2284
  • @ RobinvanderVliet made their first contribution in #2285
  • @ anasshakil made their first contribution in #2211
  • @ AlexKrupko made their first contribution in #2140
  • @ urg made their first contribution in #2273
  • @ meyfa made their first contribution in #2276
  • @ nandavikas made their first contribution in #2278
  • @ MatthieuLemoine made their first contribution in #2279
  • @ thibault-lr made their first contribution in #2320
  • @ alinaghale88 made their first contribution in #2386
  • @ Sumit-tech-joshi made their first contribution in #2381
  • @ arttiger made their first contribution in #2358
  • @ matthewberryman made their first contribution in #2343

  Full Changelog: 13.11.0...13.12.0

• 13.11.0 - 2023-08-04
  

  New Features / Validators

  • #2144 isFreightContainerID: for shipping containers IDs @ songyuew
  • #2188 isMailtoURI @ uksarkar

  Fixes, New Locales and Enhancements

  • #2025 isIBAN add MA locale @ lroudge
  • #2117 isCreditCard refactor @ pano9000
  • #2189 isLocale add support for more language tags @ kwahome
  • #2203 isVAT for CU