[Snyk-dev] Fix for 24 vulnerabilities

[orsagie]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	No	Proof of Concept
	786/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.3	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	Yes	Proof of Concept
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Remote Memory Exposure SNYK-JS-BL-608877	No	Proof of Concept
	696/1000 Why? Recently disclosed, Has a fix available, CVSS 8.2	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Uncontrolled resource consumption SNYK-JS-BRACES-6838727	Yes	Proof of Concept
	541/1000 Why? Recently disclosed, Has a fix available, CVSS 5.1	Cross-site Scripting SNYK-JS-EXPRESS-7926867	No	No Known Exploit
	504/1000 Why? Has a fix available, CVSS 5.8	Prototype Pollution SNYK-JS-HIGHLIGHTJS-1045326	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HIGHLIGHTJS-1048676	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HOSTEDGITINFO-1088355	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Code Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-LODASH-6139239	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	391/1000 Why? Recently disclosed, Has a fix available, CVSS 2.1	Cross-site Scripting SNYK-JS-SEND-7926862	No	No Known Exploit
	391/1000 Why? Recently disclosed, Has a fix available, CVSS 2.1	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	No	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-Y18N-1021887	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: body-parser

The new version differs by 250 commits.

• 1752951 1.20.3
• 39744cf chore: linter ([Snyk] Fix for 36 vulnerable dependencies snyk-labs/nodejs-goof#534)
• b2695c4 Merge commit from fork
• ade0f3f add scorecard to readme ([Snyk] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#531)
• 99a1bd6 deps: [email protected] ([Snyk] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#521)
• 9478591 fix: pin to [email protected]
• 83db46a ci: fix errors in ci github action for node 8 and 9 ([Snyk] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#523)
• 9d4e212 chore: add support for OSSF scorecard reporting ([Snyk] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#522)
• ee91374 1.20.2
• 368a93a Fix strict json error message on Node.js 19+
• 0385872 deps: [email protected]
• 2c35b41 build: [email protected]
• f0646c2 build: [email protected]
• f345fb1 build: [email protected]
• 6842efc deps: content-type@~1.0.5
• 5af7315 build: [email protected]
• 8e605b3 build: [email protected]
• cba6e77 build: [email protected]
• 6a464ab build: [email protected]
• 7ebf276 build: [email protected]
• 69bb649 build: [email protected]
• 8ff995f docs: switch badges to badgen
• 850832f build: [email protected]
• dad8f34 build: actions/download-artifact@v3

See the full diff

Package name: express

The new version differs by 250 commits.

• 7e562c6 4.21.0
• 1bcde96 fix(deps): [email protected] (#5946)
• 7d36477 fix(deps): [email protected] (#5951)
• 40d2d8f fix(deps): [email protected]
• 77ada90 Deprecate `"back"` magic string in redirects (#5935)
• 21df421 4.20.0
• 4c9ddc1 feat: upgrade to [email protected]
• 9ebe5d5 feat: upgrade to [email protected] (#5928)
• ec4a01b feat: upgrade to [email protected] (#5926)
• 54271f6 fix: don't render redirect values in anchor href
• 125bb74 [email protected] (#5902)
• 2a980ad [email protected] (#5781)
• a3e7e05 docs: specify new instructions for `question` and `discuss`
• c5addb9 deps: [email protected] (#5603)
• e35380a docs: add @ IamLizu to the triage team (#5836)
• f5b6e67 docs: update scorecard link (#5814)
• 2177f67 docs: add OSSF Scorecard badge (#5436)
• f4bd86e Replace Appveyor windows testing with GHA (#5599)
• 2ec589c Fix Contributor Covenant link definition reference in attribution section (#5762)
• 4cf7eed remove minor version pinning from ci (#5722)
• 6d08471 📝 update people, add ctcpip to TC (#5683)
• 61421a8 skip QUERY tests for Node 21 only, still not supported (#5695)
• f42b160 [v4] Deprecate `res.clearCookie` accepting `options.maxAge` and `options.expires` (#5672)
• 689073d ✨ bring back query tests for node 21 (#5690)

See the full diff

Package name: hbs

The new version differs by 34 commits.

• a992f58 v4.0.5
• aed9d51 deps: [email protected]
• 2f12c5e tests: add tests for handling helper errors
• c3826ee tests: run express 4.x tests on Node.js 0.10
• 19b90c4 Fix handling of exceptions from layout
• 39434ad Fix handling of exceptions when cache enabled
• e00c762 build: [email protected]
• 891014a Fix async helpers not working when cache enabled
• 80fe665 build: [email protected]
• c933e32 build: [email protected]
• 9e75303 lint: remove multiple empty lines
• 9d7ebbd lint: add basic eslint configuration
• 512d1e2 tests: express@~4.17.1
• 617aa06 tests: run express tests on appropriate Node.js versions
• 7980b82 tests: fix mocha suite marker locations
• dc367f3 build: support Node.js 12.x
• c3f140f build: use nyc for test coverage
• 4197b80 tests: use spec reporter
• badaf7b tests: ensure mocha suite separation
• 1fe9061 build: skip shrinkwrap generation
• a18e55c build: [email protected]
• 6e4ddf2 tests: clean up installed express libraries
• 3009206 deps: [email protected]
• d5e01bc build: increase test timeout for npm install

See the full diff

Package name: mongodb

The new version differs by 236 commits.

• dfb03ad chore(release): 3.6.6
• 5a0d706 chore: reintroduce nodejs fermium testing (#2775)
• af49ba3 test(NODE-3070): Ensure that SDAM should ignore the writeErrors field (#2769)
• 312ffef fix(NODE-3109): prevent servername from being IP (#2763)
• 9256242 fix(NODE-2995): Add shared metadata MongoClient (#2760)
• 91ba19e fix: ensure cursor readPreference is applied to find operations (#2751)
• f2a4ff8 fix: no infinite loop on windows requiring optional deps
• 86bddf1 fix(csfle): ensure that monitoring connections are not encrypted (#2749)
• b94519b fix: ensure monitor has rtt pinger in when calculating rtt (#2757)
• c976a01 fix: always close gridfs upload stream on finish (#2758)
• 6887e8d chore(release): 3.6.5
• 8b370a7 fix: move session support check to operation layer (#2739)
• 2d76492 chore: boron node version test failures (#2747)
• 8bd9777 fix: use emitWarning API for internal messages (#2743)
• d67ffa7 fix: MongoError circular dependency warning (#2734)
• 9baec71 fix: session support detection spec compliance (#2732)
• e8ac558 test: restrict destroy test to versions of node that support it (#2728)
• db1ab0b chore: format readme and add note about 4.0 beta (#2729)
• a485346 chore(release): 3.6.4
• 2fffb52 test: Adding test for cursor cloning removing session (#2723)
• 6314f5a chore(ci): fix aws auth tests (#2720)
• 617d9de fix: restore auto direct connection behavior (#2719)
• 8082c89 fix(cursor): don't use other operation's session for cloned cursor operation (#2705)
• f89e4c1 fix: dont parse tls/ssl file paths in uri (#2718)

See the full diff

Package name: tap

The new version differs by 250 commits.

• 793c1c0 update versions
• 47a2289 add missing @ tapjs/mock service key polyfill
• 6622dca snapshot: update snapshot
• 556e520 mock: actually be resilient against multiple instances
• 2c135b0 Add `t.mockAll` method
• d7e7e4f clean process.cwd() out of snapshots by default
• 4c0dc72 use the released version of tshy
• c858f37 need to check in .tshy configs for typedoc to work
• 82f48cd update versions
• 0f27f73 TypeScript 5.2, use tshy for hybrid builds
• de09096 remove my home directory from parser snapshots
• 46e2bbb repl: mkdirp the .tap dir if missing
• acfae01 link typedocs to main website
• 2ece1da core spawn test even less flaky
• a7a12d2 update typedoc to latest, ts-node to temporary fork
• a5c0e0c some changelog updates
• caf8d81 document repl
• a5dc854 Store t.testdir() fixtures in .tap/fixtures
• 6914d23 remove docs from source control
• 1dcc6a7 exclude test files themselves from coverage
• aff25fc update versions
• c5972e7 core: make spawn timeout test less flaky
• 1c11b37 stack: properly parse ErrnoException errors
• 1280a55 parser: remove node v12 skip check

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Cross-site Scripting
🦉 More lessons are available in Snyk Learn