[Snyk] Upgrade: axios, dotenv, jsonwebtoken, moment, mongoose, nodemailer, react-router-dom, socket.io, uuid #3
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade multiple dependencies.
👯♂ The following dependencies are linked and will therefore be updated together.ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
axios
from 1.4.0 to 1.7.4 | 19 versions ahead of your current version | a month ago
on 2024-08-13
dotenv
from 16.0.3 to 16.4.5 | 17 versions ahead of your current version | 7 months ago
on 2024-02-20
jsonwebtoken
from 9.0.0 to 9.0.2 | 2 versions ahead of your current version | a year ago
on 2023-08-30
moment
from 2.29.4 to 2.30.1 | 2 versions ahead of your current version | 9 months ago
on 2023-12-27
mongoose
from 7.1.0 to 7.8.1 | 40 versions ahead of your current version | 25 days ago
on 2024-08-19
nodemailer
from 6.9.1 to 6.9.14 | 13 versions ahead of your current version | 3 months ago
on 2024-06-19
react-router-dom
from 6.11.1 to 6.26.1 | 76 versions ahead of your current version | a month ago
on 2024-08-15
socket.io
from 4.6.1 to 4.7.5 | 7 versions ahead of your current version | 6 months ago
on 2024-03-14
uuid
from 9.0.0 to 9.0.1 | 1 version ahead of your current version | a year ago
on 2023-09-12
Issues fixed by the recommended upgrade:
SNYK-JS-AXIOS-6032459
SNYK-JS-AXIOS-6144788
SNYK-JS-AXIOS-7361793
SNYK-JS-SOCKETIOPARSER-5596892
SNYK-JS-IP-6240864
SNYK-JS-MONGOOSE-5777721
SNYK-JS-SEMVER-3247795
SNYK-JS-FOLLOWREDIRECTS-6141137
SNYK-JS-SOCKETIO-7278048
SNYK-JS-AXIOS-6124857
SNYK-JS-IP-7148531
SNYK-JS-MONGODB-5871303
SNYK-JS-NODEMAILER-6219989
SNYK-JS-FOLLOWREDIRECTS-6444610
Release notes
Package name: axios
Release notes:
Bug Fixes
Contributors to this release
Release notes:
Bug Fixes
Contributors to this release
Release notes:
Bug Fixes
Contributors to this release
Release notes:
Bug Fixes
Contributors to this release
Release notes:
Features
Bug Fixes
Contributors to this release
Release notes:
Bug Fixes
Contributors to this release
Release notes:
Bug Fixes
Contributors to this release
Install
Release notes:
Features
Contributors to this release
Install
Release notes:
Bug Fixes
Contributors to this release
Package name: dotenv
16.4.5
16.4.4
16.4.3
16.4.2
16.4.1
16.4.0
16.3.2
16.3.1
16.3.0
16.2.0
Package name: jsonwebtoken
Release 9.0.2 (#935)
Updating package version to 9.0.1 (#920)
Check if node version supports asymmetricKeyDetails
Validate algorithms for ec key type
Rename variable
Rename function
Add early return for symmetric keys
Validate algorithm for RSA key type
Validate algorithm for RSA-PSS key type
Check key types for EdDSA algorithm
Rename function
Move validateKey function to module
Convert arrow to function notation
Validate key in verify function
Simplify if
Convert if to switch..case
Guard against empty key in validation
Remove empty line
Add lib to check modulus length
Add modulus length checks
Validate mgf1HashAlgorithm and saltLength
Check node version before using key details API
Use built-in modulus length getter
Fix Node version validations
Remove duplicate validateKey
Add periods to error messages
Fix validation in verify function
Make asymmetric key validation the latest validation step
Change key curve validation
Remove support for ES256K
Fix old test that was using wrong key types to sign tokens
Enable RSA-PSS for old Node versions
Add specific RSA-PSS validations on Node 16 LTS+
Improve error message
Simplify key validation code
Fix typo
Improve error message
Change var to const in test
Change const to let to avoid reassigning problem
Improve error message
Test incorrect private key type
Rename invalid to unsupported
Test verifying of jwt token with unsupported key
Test invalid private key type
Change order of object parameters
Move validation test to separate file
Move all validation tests to separate file
Add prime256v1 ec key
Remove modulus length check
WIP: Add EC key validation tests
Fix node version checks
Fix error message check on test
Add successful tests for EC curve check
Remove only from describe
Remove
only
Remove duplicate block of code
Move variable to a different scope and make it const
Convert allowed curves to object for faster lookup
Rename variable
Change variable assignment order
Remove unused object properties
Test RSA-PSS happy path and wrong length
Add missing tests
Pass validation if no algorithm has been provided
Test validation of invalid salt length
Test error when signing token with invalid key
Change var to const/let in verify tests
Test verifying token with invalid key
Improve test error messages
Add parameter to skip private key validation
Replace DSA key with a 4096 bit long key
Test allowInvalidPrivateKeys in key signing
Improve test message
Rename variable
Add key validation flag tests
Fix variable name in Readme
Change private to public dsa key in verify
Rename flag
Run EC validation tests conditionally
Fix tests in old node versions
Ignore block of code from test coverage
Separate EC validations tests into two different ones
Add comment
Wrap switch in if instead of having an early return
Remove unsupported algorithms from asymmetric key validation
Rename option to allowInvalidAsymmetricKeyTypes and improve Readme
9.0.0
adding migration notes to readme
adding changelog for version 9.0.0
Co-authored-by: julienwoll julien.wollscheid@auth0.com
Package name: moment
2.30.1
2.30.0
2.29.4
Package name: mongoose
chore: release 7.8.1
Package name: nodemailer
6.9.14 (2024-06-19)
Bug Fixes
6.9.13 (2024-03-20)
Bug Fixes
6.9.12 (2024-03-08)
Bug Fixes
6.9.11 (2024-02-29)
Bug Fixes
6.9.10 (2024-02-22)
Bug Fixes
6.9.9 (2024-02-01)
Bug Fixes
6.9.8 (2023-12-30)
Bug Fixes
6.9.7 (2023-10-22)
Bug Fixes
6.9.6 (2023-10-09)
Bug Fixes
6.9.5 (2023-09-06)
Bug Fixes
Package name: react-router-dom
react-router-native@6.26.1
react-router-native@6.26.1-pre.0
Package name: socket.io
Bug Fixes
Links
engine.io@~6.5.2
(no change)ws@~8.11.0
(no change)Bug Fixes
Links
engine.io@~6.5.2
(no change)ws@~8.11.0
(no change)Bug Fixes
Links
engine.io@~6.5.2
(no change)ws@~8.11.0
(no change)Bug Fixes
Links
engine.io@~6.5.2
(diff)ws@~8.11.0
(no change)The client bundle contains a few fixes regarding the WebTransport support.
Links
engine.io@~6.5.0
(no change)ws@~8.11.0
(no change)Bug Fixes
Features
Support for WebTransport
The Socket.IO server can now use WebTransport as the underlying transport.
WebTransport is a web API that uses the HTTP/3 protocol as a bidirectional transport. It's intended for two-way communications between a web client and an HTTP/3 server.
References:
Until WebTransport support lands in Node.js, you can use the
@ fails-components/webtransport
package:const cert = readFileSync("/path/to/my/cert.pem");
const key = readFileSync("/path/to/my/key.pem");
const httpsServer = createServer({
key,
cert
});
httpsServer.listen(3000);
const io = new Server(httpsServer, {
transports: ["polling", "websocket", "webtransport"] // WebTransport is not enabled by default
});
const h3Server = new Http3Server({
port: 3000,
host: "0.0.0.0",
secret: "changeit",
cert,
privKey: key,
});
(async () => {
const stream = await h3Server.sessionStream("/socket.io/");
const sessionReader = stream.getReader();
while (true) {
const { done, value } = await sessionReader.read();
if (done) {
break;
}
io.engine.onWebTransportSession(value);
}
})();
h3Server.startServer();">
Added in 123b68c.
Client bundles with CORS headers
The bundles will now have the right
Access-Control-Allow-xxx
headers.Added in 63f181c.
Links
engine.io@~6.5.0
(diff)ws@~8.11.0
(no change)Bug Fixes
types
condition to the top (#4698) (3d44aae)Links
engine.io@~6.4.2
(diff)ws@~8.11.0
(no change)Package name: uuid
chore(release): 9.0.1
chore(release): 9.0.0
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information: