[Snyk] Fix for 8 vulnerabilities

[H4NG-MAN]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/@uppy/companion/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-AWSSDK-1059424	No	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Configuration Override SNYK-JS-HELMETCSP-469436	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-REDIS-1255645	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: aws-sdk

The new version differs by 250 commits.

• 8875a35 Updates SDK to v2.814.0
• dd83d67 throw at invalid profile name in shared ini file (bug upload larg file transloadit/uppy#3585)
• ee0c5a3 Updates SDK to v2.813.0
• 468d15b Updates SDK to v2.812.0
• c50132f Update README.md with references to JS SDK V3 (Robodog is undefined after 2.2.0 when using CDN script tag  transloadit/uppy#3582)
• 3e19b08 Updates SDK to v2.811.0
• f26c00d Updates SDK to v2.810.0
• b393a6e Adds automatic PreSignedUrl generation to RDS.StartDBInstanceAutomatedBackupsReplication (AWS Multipart Upload "excluding disallowed header Authorization" transloadit/uppy#3566)
• fa57967 Updates SDK to v2.809.0
• 9a52018 Updates SDK to v2.808.0
• 1958076 Updates SDK to v2.807.0
• ffcad20 Updates SDK to v2.806.0
• 2f37893 chore: remove cognitoidentity customizations to disable auth (meta: fix CJS interop in Vite config transloadit/uppy#3543)
• c6fe3c0 Updates SDK to v2.805.0
• 71d6fa9 Fix dual-callback case (nanoid is not a function transloadit/uppy#3537)
• b981971 Updates SDK to v2.804.0
• 332573f Updates SDK to v2.803.0
• deb7bc7 Updates SDK to v2.802.0
• b6401d0 Remove incorrectly named service named 'Profile' (meta: fix e2e transloadit/uppy#3562)
• 3364d4b Updates SDK to v2.801.0
• d400577 Updates SDK to v2.800.0
• 21c7dc0 Updates SDK to v2.799.0
• d2b8964 Updates SDK to v2.798.0
• 44ded82 fix: test IAM.getUser instead of listUsers (Companion refactor transloadit/uppy#3542)

See the full diff

Package name: connect-redis

The new version differs by 13 commits.

• c951850 v4.0.0
• 2df1368 Version 4
• 1d36eec Format code base and cleanup tests.
• a50fbcc Enabling Redis client error logging by default
• 5469fcb v3.4.2
• 3609797 Fix compatibility issues with ioredis + Cluster
• a2babda Bump devDependencies
• e8744e4 Session check verbiage reduction
• 2f4b9d2 v3.4.1
• b60d6ed Bump debug dependency
• 8b8c951 Require node-redis conditionally
• 98752e1 Mention redis-mock in readme
• 41ad8ca Add length method (core: Only catch errors from onBeforeUpload transloadit/uppy#246)

See the full diff

Package name: helmet

The new version differs by 96 commits.

• 5d964d4 3.21.1
• 1e9b8ea Update changelog for 3.21.1 release
• 86f1f59 Update helmet-csp to 2.9.2
• 76ca5bd Update Standard devDependency to latest version
• 0dad3c2 3.21.0
• 33cfd10 Update changelog for 3.21.0 release
• 349117f Update helmet-csp to 2.9.1
• 03d4fa6 Update x-xss-protection from 1.2.0 to 1.3.0
• 3b9d0e8 Update devDependencies to latest versions
• 80fe85f Remove old HISTORY.md
• e3ea074 Use sinon's default sandbox feature
• 968fabd 3.20.1
• d588453 Update changelog for 3.20.1 release
• a5a9679 Update Sinon and Standard to latest versions
• 844739c Update helmet-csp to v2.9.0
• b2a3700 3.20.0
• 87d7323 Update changelog for 3.20.0 release
• a711731 Update Mocha and Standard to latest versions
• 6aab72d Update helmet-csp to 2.8.0
• ac46aaf Minor: in changelog, change "updated" header in under 3.19.0
• 17707ae 3.19.0
• ca34982 Update changelog for 3.19.0 release
• 06d5bde Update all remaining outdated dependencies
• 91e071c Update helmet-crossdomain from 0.3.0 to 0.4.0

See the full diff

Package name: node-redis-pubsub

The new version differs by 14 commits.

• 5f07f0b 5.0.0
• 9b53782 Merge pull request [Snyk] Security upgrade socket.io-client from 2.2.0 to 3.0.0 #60 from gdelory/master
• b0d44e3 Update to redis 3
• 643e10a Version 4.0.0
• a4cd4c8 Merge pull request [Snyk] Upgrade marked from 0.7.0 to 0.8.2 #53 from assadvirgo/master
• e46d2c5 test for non json message data
• dc7d34f Allow non-json messages to be returned in handler
• b3203dc Merge pull request [Snyk] Fix for 1 vulnerabilities #51 from seiyria/patch-1
• ce76a11 Update README.md
• ee41740 Version 3.0.0
• 717a89b Merge pull request [Snyk] Fix for 1 vulnerabilities #48 from Zaikaai/master
• 4e30bad reflecting to comment
• 24fc454 reflecting to comments.
• b16e826 Fixed Uncaught error in handler causes incorrect "invalid JSON received"

See the full diff

Package name: redis

The new version differs by 142 commits.

• fc28860 Bump version to 3.1.1 (Fix/on before file added not called transloadit/uppy#1597)
• 2d11b6d fix Do not extract keys from empty fields. transloadit/uppy#1569 - improve monitor_regex (Docs > Custom Stores > Fix store source link transloadit/uppy#1595)
• 7e77de8 Add Chat (core: Pass newFile with all the info to onBeforeFileAdded transloadit/uppy#1594)
• 5d3e995 Merge branch 'master' of https://github.com/NodeRedis/node-redis
• b797cf2 add user to README.md
• 79f34c2 Bump version to 3.1.0 (Companion failed to fetch this URL HTTP/HTTPS error? transloadit/uppy#1590)
• 7fdc54e fix for 428e1c8a7b2322c2650294638cb1663ac5692728 - fix auth retry when redis is in loading state
• 09f0fe8 "fix" tests
• 428e1c8 Add support for Redis 6 `auth pass [user]` (CONTRIBUTING.MD - added info on how to require() files transloadit/uppy#1508)
• bb208d0 Add codeclimate badge (Uncaught TypeError: morphdom is not a function transloadit/uppy#1572)
• 47e2e38 Exclude examples from deepsource (Fix tags for docker build transloadit/uppy#1579)
• fbca5cd Upgrade node and dependencies (Is there a way to detect when the Dashboard close? transloadit/uppy#1578)
• 2188744 Create codeql-analysis.yml (Paste works with certain quirks in Chrome transloadit/uppy#1577)
• 32861b5 Create .deepsource.toml (More design improvements transloadit/uppy#1574)
• 2a34d41 Add LGTM badge (Uppy DashboardModal white foreground. transloadit/uppy#1571)
• 69b7094 Workflows fixes (Issue with icon when using custom provider transloadit/uppy#1570)
• 49c4131 Merge pull request Add 1.0 block near the logo 🎉 transloadit/uppy#1531 from marnikvde/improve-docs
• 3c8ff5c Merge branch 'master' into improve-docs
• 685a72d Merge pull request File Auto Removed transloadit/uppy#1277 from dcharbonnier/patch-1
• 055f5c5 Merge branch 'master' into patch-1
• c78b6d5 Merge pull request lerna bootstrap doesn't install npm modules transloadit/uppy#1527 from heynikhil/patch-1
• 53f1468 Merge branch 'master' into patch-1
• 232f191 Merge pull request Companion: 'Dropbox Integration logout' does not sign out (Security concern) transloadit/uppy#1563 from lebseu/patch-1
• e4cb073 Update README.md

See the full diff

Package name: validator

The new version differs by 250 commits.

• 47ee5ad 13.7.0
• 496fc8b fix(rtrim): remove regex to prevent ReDOS attack (Upload only a specified file transloadit/uppy#1738)
• 45901ec Merge pull request Is it possible to add reactive parameter in endpoint when uploading file on vue.js transloadit/uppy#1851 from validatorjs/chore/fix-merge-conflicts
• 83cb7f8 chore: merge conflict clean-up
• f17e220 feat(isMobilePhone): add El Salvador es-SV locale
• 5b06703 feat(isMobilePhone): add Palestine ar-PS locale
• a3faa83 feat(isMobilePhone): add Botswana en-BW locale
• 26605f9 feat(isMobilePhone): add Turkmenistan tk-TM
• 0e5d5d4 feat(isMobilePhone): add Guyana en-GY locale
• f7ff349 feat(isMobilePhone): add Frech Polynesia fr-PF locale
• 8627e48 feat(isMobilePhone): add Kiribati en-KI locale
• ed60123 feat(isMobilePhone): add Tajikistan tg-TJ locale (companion,google-drive: drop deprecated usage for Google Drive's "shared drive" transloadit/uppy#1846)
• c96d805 feat(isMobilePhone): add Maldives dv-MV locale
• 5c2d69e feat(isMobilePhone): regex for Burkina Faso fr-BF and Namibia en-NA locales
• fc0fefc feat(isMobilePhone): add Bhutan dz-BT locale (React native: could not create Assembly io().connect transloadit/uppy#1770)
• 01d3da3 feat(isMobilePhone): add Tajikistan tg-TJ locale (companion,google-drive: drop deprecated usage for Google Drive's "shared drive" transloadit/uppy#1846)
• af2b43c feat(isUUID): add support for validation of version v1 and v2 (File-specific medatada with XHRUpload bundle: true transloadit/uppy#1848)
• 769f6d5 feat(contains): add possibility to check that string contains seed multiple times (remaining time fluctuations transloadit/uppy#1836)
• f2381e0 feat: (isMobilePhone): add Cameroon fr-CM locale (no possibility to delete file after failed upload transloadit/uppy#1772)
• 5773869 feat(isVAT): add dutch NL locale (List required permissions to upload S3 files using companion transloadit/uppy#1825)
• de1cb29 fix: Russian passport number regex (Link to Transloadit plugin from Robodog Form page transloadit/uppy#1810)
• 7bee611 add CDN use option with unpkg (App failed transloadit/uppy#1844)
• 57cc14e feat(isIdentityCard): add finnish locale (How Remove files from cache when their upload finished using TUS and Dashboard React transloadit/uppy#1838)
• 2201869 feat: added finnish locale to isAlpha and isAlphanumeric (Added Danish locale transloadit/uppy#1837)

See the full diff

Package name: ws

The new version differs by 120 commits.

• 6dd88e7 [dist] 5.2.3
• 76d47c1 [security] Fix ReDoS vulnerability
• 5d55e52 [dist] 5.2.2
• 8aba871 [fix] Fix use after invalidation bug
• 175ce46 [dist] 5.2.1
• 307be7a [fix] Remove the `'data'` listener when the receiver emits an error
• 6046a28 [fix] Do not prematurely remove the listener of the `'data'` event
• bf9b2ec chore(package): update nyc to version 12.0.2 (Uppy has no exported member 'default'. transloadit/uppy#1395)
• bcab531 chore(package): update eslint-plugin-promise to version 3.8.0 (Examples update transloadit/uppy#1389)
• e4d032c [dist] 5.2.0
• e7bfe5f chore(package): update mocha to version 5.2.0 (update day 2 transloadit/uppy#1385)
• 6dae94b chore(package): update eslint-plugin-import to version 2.12.0 (customize dashboard styles transloadit/uppy#1384)
• aebda2b chore(package): update nyc to version 11.8.0 (Informer Plugin: made the tooltip not overflow the uppy container transloadit/uppy#1382)
• d871bdf [feature] Add `headers` argument to `verifyClient()` callback (Website: add markdown snippets example transloadit/uppy#1379)
• bb9c21c [test] Fix failing test on node 10
• 6d8f1f4 [ci] Test on node 10
• 4385c78 [doc] Add `request` to emit arguments in shared server example (Hard to read allowed file type error message transloadit/uppy#1372)
• 690b3f2 [minor] Replace bound function with arrow function
• 9dc25a3 chore(package): update nyc to version 11.7.1 (Dashboard add files class name is misspelled transloadit/uppy#1364)
• a81e580 chore(package): update mocha to version 5.1.0 (Protect some more styles from bleeding transloadit/uppy#1362)
• 3215cf3 chore(package): update eslint-plugin-import to version 2.11.0 (iCloud photos swipe select transloadit/uppy#1361)
• 0100d82 [doc] Improve FAQ example for X-Forwarded-For header (allow customized option to set upload status transloadit/uppy#1360)
• c801e99 [doc] Improve docs and examples (Remove locales for now transloadit/uppy#1355)
• 10c92ff [dist] 5.1.1

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn