[Snyk] Upgrade: async, debug, morgan, serve-favicon, web3

[snyk-io]

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Name	Versions	Released on

async
from 2.6.4 to 3.2.6 | 12 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | a month ago
on 2024-08-19
debug
from 2.6.9 to 4.3.6 | 23 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 2 months ago
on 2024-07-27
morgan
from 1.7.0 to 1.10.0 | 6 versions ahead of your current version | 5 years ago
on 2020-03-20
serve-favicon
from 2.3.2 to 2.5.0 | 7 versions ahead of your current version | 6 years ago
on 2018-03-29
web3
from 0.19.1 to 4.12.1 | 451 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | a month ago
on 2024-08-23

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Use of Weak Hash SNYK-JS-CRYPTOJS-6028119	574	No Known Exploit
	Arbitrary Code Injection SNYK-JS-MORGAN-72579	574	Proof of Concept

Release notes

Package name: async

• 3.2.6 - 2024-08-19
  

  Version 3.2.6

• 3.2.5 - 2023-11-03
  

  Version 3.2.5

• 3.2.4 - 2022-06-07
  

  Version 3.2.4

• 3.2.3 - 2022-01-10
  

  Version 3.2.3

• 3.2.2 - 2021-10-28
  

  Version 3.2.2

• 3.2.1 - 2021-08-05
  

  Version 3.2.1

• 3.2.0 - 2020-02-24
  

  Version 3.2.0

• 3.1.1 - 2020-01-24
  

  Version 3.1.1

• 3.1.0 - 2019-06-23
• 3.0.1 - 2019-05-26
• 3.0.1-0 - 2018-10-01
• 3.0.0 - 2019-05-20
• 2.6.4 - 2022-04-13
  

  Version 2.6.4

from async GitHub release notes

Package name: debug

• 4.3.6 - 2024-07-27
  

  What's Changed

  • Avoid using deprecated RegExp.$1 by @ bluwy in #969

  New Contributors

  • @ bluwy made their first contribution in #969

  Full Changelog: 4.3.5...4.3.6

• 4.3.5 - 2024-05-31
  

  Patch

  • cac39b1 Fix/debug depth (#926)

  Thank you @ calvintwr for the fix.

• 4.3.4 - 2022-03-17
  

  What's Changed

  • Add section about configuring JS console to show debug messages by @ gitname in #866
  • Replace deprecated String.prototype.substr() by @ CommanderRoot in #876

  New Contributors

  • @ gitname made their first contribution in #866
  • @ CommanderRoot made their first contribution in #876

  Full Changelog: 4.3.3...4.3.4

• 4.3.3 - 2021-11-27
  

  Patch Release 4.3.3

  This is a documentation-only release. Further, the repository was transferred. Please see notes below.

  • Migrates repository from https://github.com/visionmedia/debug to https://github.com/debug-js/debug. Please see notes below as to why this change was made.
  • Updates repository maintainership information
  • Updates the copyright (no license terms change has been made)
  • Removes accidental epizeuxis (#828)
  • Adds README section regarding usage in child procs (#850)

  Thank you to @ taylor1791 and @ kristofkalocsai for their contributions.

  ---

  Repository Migration Information

  I've formatted this as a FAQ, please feel free to open an issue for any additional question and I'll add the response here.

  Q: What impact will this have on me?

  In most cases, you shouldn't notice any change.

  The only exception I can think of is if you pull code directly from https://github.com/visionmedia/debug, e.g. via a "debug": "visionmedia/debug"-type version entry in your package.json - in which case, you should still be fine due to the automatic redirection Github sets up, but you should also update any references as soon as possible.

  Q: What are the security implications of this change?

  If you pull code directly from the old URL, you should update the URL to https://github.com/debug-js/debug as soon as possible. The old organization has many approved owners and thus a new repository could (in theory) be created at the old URL, circumventing Github's automatic redirect that is in place now and serving malicious code. I (@ Qix-) also wouldn't have access to that repository, so while I don't think it would happen, it's still something to consider.

  Even in such a case, however, the officially released package on npm (debug) would not be affected. That package is still very much under control (even more than it used to be).

  Q: What should I do if I encounter an issue related to the migration?

  Search the issues first to see if someone has already reported it, and then open a new issue if someone has not.

  Q: Why was this done as a 'patch' release? Isn't this breaking?

  No, it shouldn't be breaking. The package on npm shouldn't be affected (aside from this patch release) and any references to the old repository should automatically redirect.

  Thus, according to all of the "APIs" (loosely put) involved, nothing should have broken.

  I understand there are a lot of edge cases so please open issues as needed so I can assist in any way necessary.

  Q: Why was the repository transferred?

  I'll just list them off in no particular order.

  • The old organization was defunct and abandoned.
  • I was not an owner of the old organization and thus could not ban the non-trivial amount of spam users or the few truly abusive users from the org. This hindered my ability to properly maintain this package.
  • The debug ecosystem intends to grow beyond a single package, and since new packages could not be created in the old org (nor did it make sense for them to live there), a new org made the most sense - especially from a security point of view.
  • The old org has way, way too many approved members with push access, for which there was nothing I could do. This presented a pretty sizable security risk given that many packages in recent years have fallen victim to backdoors and the like due to lax security access.

  Q: Was this approved?

  Yes.^[archive]

  Q: Do I need to worry about another migration sometime in the future?

  No.

• 4.3.2 - 2020-12-09
  

  Patch release 4.3.2

  • Caches enabled statuses on a per-logger basis to speed up .enabled checks (#799)

  Thank you @ omg!

• 4.3.1 - 2020-11-19
  

  Patch release 4.3.1

  • Fixes a ReDOS regression (#458) - see #797 for details.
• 4.3.0 - 2020-09-19
  

  Minor release

  • Deprecated debugInstance.destroy(). Future major versions will not have this method; please remove it from your codebases as it currently does nothing.
  • Fixed quoted percent sign
  • Fixed memory leak within debug instances that are created dynamically
• 4.2.0 - 2020-05-19
  

  Minor Release

  • Replaced phantomJS with chrome backend for browser tests
  • Deprecated and later removed Changelog.md in lieu of releases page
  • Removed bower.json (#602)
  • Removed .eslintrc (since we've switched to XO)
  • Removed .coveralls.yml
  • Removed the build system that was in place for various alternate package managers
  • Removed the examples folder (#650)
  • Switched to console.debug in the browser only when it is available (#600)
  • Copied custom logger to namespace extension (#646)
  • Added issue and pull request templates
  • Added "engines" key to package.json
  • Added ability to control selectColor (#747)
  • Updated dependencies
  • Marked supports-color as an optional peer dependency
• 4.1.1 - 2018-12-22
• 4.1.0 - 2018-10-08
• 4.0.1 - 2018-09-11
• 4.0.0 - 2018-09-11
• 3.2.7 - 2020-11-19
  

  3.2.7

• 3.2.6 - 2018-10-10
• 3.2.5 - 2018-09-11
• 3.2.4 - 2018-09-11
• 3.2.3 - 2018-09-11
• 3.2.2 - 2018-09-11
• 3.2.1 - 2018-09-11
• 3.2.0 - 2018-09-11
• 3.1.0 - 2017-09-26
• 3.0.1 - 2017-08-24
• 3.0.0 - 2017-08-08
• 2.6.9 - 2017-09-22

from debug GitHub release notes

Package name: morgan

• 1.10.0 - 2020-03-20
  
  • Add :total-time token
  • Fix trailing space in colored status code for dev format
  • deps: basic-auth@~2.0.1
    • deps: safe-buffer@5.1.2
  • deps: depd@~2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: on-headers@~1.0.2
    • Fix res.writeHead patch missing return value
• 1.9.1 - 2018-09-11
  
  • Fix using special characters in format
  • deps: depd@~1.1.2
    • perf: remove argument reassignment
• 1.9.0 - 2017-09-27
  
  • Use res.headersSent when available
  • deps: basic-auth@~2.0.0
    • Use safe-buffer for improved Buffer API
  • deps: debug@2.6.9
  • deps: depd@~1.1.1
    • Remove unnecessary Buffer loading
• 1.8.2 - 2017-05-24
  
  • deps: debug@2.6.8
    • Fix DEBUG_MAX_ARRAY_LENGTH
    • deps: ms@2.0.0
• 1.8.1 - 2017-02-11
  
  • deps: debug@2.6.1
    • Fix deprecation messages in WebStorm and other editors
    • Undeprecate DEBUG_FD set to 1 or 2
• 1.8.0 - 2017-02-05
  
  • Fix sending unnecessary undefined argument to token functions
  • deps: basic-auth@~1.1.0
  • deps: debug@2.6.0
    • Allow colors in workers
    • Deprecated DEBUG_FD environment variable
    • Fix error when running under React Native
    • Use same color for same namespace
    • deps: ms@0.7.2
  • perf: enable strict mode in compiled functions
• 1.7.0 - 2016-02-19
  
  • Add digits argument to response-time token
  • deps: depd@~1.1.0
    • Enable strict mode in more places
    • Support web browser loading
  • deps: on-headers@~1.0.1
    • perf: enable strict mode

from morgan GitHub release notes

Package name: serve-favicon

• 2.5.0 - 2018-03-29
  
  • Ignore requests without url property
  • deps: ms@2.1.1
    • Add week
    • Add w
• 2.4.5 - 2017-09-26
  
  • deps: etag@~1.8.1
    • perf: replace regular expression with substring
  • deps: fresh@0.5.2
    • Fix regression matching multiple ETags in If-None-Match
    • perf: improve If-None-Match token parsing
• 2.4.4 - 2017-09-12
  
  • deps: fresh@0.5.1
    • Fix handling of modified headers with invalid dates
    • perf: improve ETag match loop
  • deps: parseurl@~1.3.2
    • perf: reduce overhead for full URLs
    • perf: unroll the "fast-path" RegExp
  • deps: safe-buffer@5.1.1
• 2.4.3 - 2017-05-16
  
  • Use safe-buffer for improved Buffer API
  • deps: ms@2.0.0
• 2.4.2 - 2017-03-25
  
  • deps: ms@1.0.0
• 2.4.1 - 2017-02-28
  
  • Remove usage of res._headers private field
  • deps: fresh@0.5.0
    • Fix incorrect result when If-None-Match has both * and ETags
    • Fix weak ETag matching to match spec
    • perf: skip checking modified time if ETag check failed
    • perf: skip parsing If-None-Match when no ETag header
    • perf: use Date.parse instead of new Date
• 2.4.0 - 2017-02-20
  
  • deps: etag@~1.8.0
    • Use SHA1 instead of MD5 for ETag hashing
    • Works with FIPS 140-2 OpenSSL configuration
  • deps: fresh@0.4.0
    • Fix false detection of no-cache request directive
    • perf: enable strict mode
    • perf: hoist regular expressions
    • perf: remove duplicate conditional
    • perf: remove unnecessary boolean coercions
  • perf: simplify initial argument checking
• 2.3.2 - 2016-11-17
  
  • deps: ms@0.7.2

from serve-favicon GitHub release notes

Package name: web3

• 4.12.1 - 2024-08-23
  

  Hot fix

  [4.12.1]

  Fixed

  web3-eth-accounts

  • Revert TransactionFactory.registerTransactionType if there is a version mistatch between web3-eth and web3-eth-accounts and fix nextjs problem. (#7216)

  What's Changed

  • fix yml by @ avkos in #6803
• 4.12.1-dev.e746566.0 - 2024-08-22
• 4.12.1-dev.0b75589.0 - 2024-08-23
• 4.12.0 - 2024-08-22
  

  [4.12.0]

  Fixed

  web3-core

  • setConfig() fix for setMaxListenerWarningThreshold fix (#5079)

  web3-eth-accounts

  • Fix TransactionFactory.registerTransactionType not working, if there is a version mistatch between web3-eth and web3-eth-accounts by saving extraTxTypes at globals. (#7197)

  Added

  web3-eth-accounts

  • Added public function signMessageWithPrivateKey (#7174)

  web3-eth-contract

  • Added populateTransaction to the contract.deploy(...) properties. (#7197)

  web3-providers-http

  • Added statusCode of response in ResponseError, statusCode is optional property in ResponseError.

  web3-rpc-providers

  • Updated rate limit error of QuickNode provider for HTTP transport
  • Added optional HttpProviderOptions | SocketOptions in Web3ExternalProvider and QuickNodeProvider for provider configs

  web3-errors

  • Added optional statusCode property of response in ResponseError.

  Changed

  web3-eth-contract

  • The returnred properties of contract.deploy(...) are structured with a newly created class named DeployerMethodClass. (#7197)
  • Add a missed accepted type for the abi parameter, at dataInputEncodeMethodHelper and getSendTxParams. (#7197)

  What's Changed

  • Cookbook integration branch by @ SantiagoDevRel in #7178
  • feat(glossary): updated glossary by @ EmmanuelOluwafemi in #7168
  • fix infura tests and secrets by @ luu-alex in #7163
  • Zk sync plugin related changes by @ avkos in #7174
  • 4x tests updates by @ jdevcs in #7162
  • feat(docs): Expand web3 config guide by @ mmyyrroonn in #7131
  • Fix 7055 one of with scalar value and string by @ mmyyrroonn in #7173
  • Quicknode provider update by @ jdevcs in #7195
  • Web3 RPC Providers support of configuration of selected transport by @ jdevcs in #7205
  • Refactor some parts of contract and accounts packages by @ Muhammad-Altabba in #7197

  New Contributors

  • @ EmmanuelOluwafemi made their first contribution in #7168
  • @ mmyyrroonn made their first contribution in #7131
• 4.11.2-dev.f87ffbe.0 - 2024-08-01
• 4.11.2-dev.dee14ec.0 - 2024-07-30
• 4.11.2-dev.d9d0391.0 - 2024-08-20
• 4.11.2-dev.cbbbd84.0 - 2024-07-24
• 4.11.2-dev.8b435c1.0 - 2024-08-06
• 4.11.2-dev.61e9e06.0 - 2024-08-02
• 4.11.2-dev.60fc197.0 - 2024-08-21
• 4.11.2-dev.5080e80.0 - 2024-08-02
• 4.11.2-dev.4f8e8cc.0 - 2024-08-21
• 4.11.2-dev.2ef694c.0 - 2024-08-21
• 4.11.2-dev.0db2b18.0 - 2024-08-08
• 4.11.2-dev.2706805.0 - 2024-08-02
• 4.11.1 - 2024-07-24
  

  [4.11.1]

  Fixed

  web3-errors

  • Fixed the undefined data in Eip838ExecutionError constructor (#6905)

  web3-eth

  • Adds transaction property to be an empty list rather than undefined when no transactions are included in the block (#7151)
  • Change method getTransactionReceipt to not be casted as TransactionReceipt to give proper return type (#7159)

  web3

  • Remove redundant constructor of contractBuilder (#7150)

  What's Changed

  • fix(web3-errors): the undefined data in Eip838ExecutionError (#6905) by @ jdevcs in #7147
  • Fix getblock.transactions by @ luu-alex in #7151
  • Tx Types and ERC20 token transaction by @ SantiagoDevRel in #7156
  • remove redundant constructor of ContractBuilder by @ agj017 in #7150
  • Fix transaction receipt return type by @ luu-alex in #7159
  • feat/docs/plugin-middleware by @ danforbes in #7158

  New Contributors

  • @ agj017 made their first contribution in #7150

  Full Changelog: v4.11.0...v4.11.1

• 4.11.1-dev.e5efe49.0 - 2024-07-22
• 4.11.1-dev.cbcfc18.0 - 2024-07-22
• 4.11.1-dev.9afaa61.0 - 2024-07-16
• 4.11.1-dev.6b80cf0.0 - 2024-07-12
• 4.11.1-dev.5f6deeb.0 - 2024-07-22
• 4.11.1-dev.5ad7e5b.0 - 2024-07-17
• 4.11.1-dev.463d070.0 - 2024-07-11
• 4.11.0 - 2024-07-11
  

  [4.11.0]

  Fixed

  web3-eth-abi

  • fix encodedata in EIP-712 (#7095)

  web3-utils

  • _sendPendingRequests will catch unhandled errors from _sendToSocket (#6968)

  web3-eth

  • Fixed geth issue when running a new instance, transactions will index when there are no blocks created (#7098)

  Changed

  web3-eth-accounts

  • baseTransaction method updated (#7095)

  web3-providers-ws

  • Update dependancies (#7109)

  web3-rpc-providers

  • Change request return type Promise<ResultType> to Promise<JsonRpcResponseWithResult<ResultType>> (#7102)

  Added

  web3-eth-contract

  • populateTransaction was added to contract methods (#7124)
  • Contract has setTransactionMiddleware and getTransactionMiddleware for automatically passing to sentTransaction for deploy and send functions (#7138)

  web3-rpc-providers

  • When error is returned with code 429, throw rate limit error (#7102)

  web3

  • web3.eth.Contract will get transaction middleware and use it, if web3.eth has transaction middleware. (#7138)
• 4.10.1-dev.89711ab.0 - 2024-07-10
• 4.10.1-dev.1436228.0 - 2024-07-09
• 4.10.0 - 2024-06-17
  

  [4.10.0]

  Added

  web3

  • Now when existing packages are added in web3, will be avalible for plugins via context. (#7088)

  web3-core

  • Now when existing packages are added in web3, will be avalible for plugins via context. (#7088)

  web3-eth

  • sendTransaction in rpc_method_wrappers accepts optional param of TransactionMiddleware (#7088)
  • WebEth has setTransactionMiddleware and getTransactionMiddleware for automatically passing to sentTransaction (#7088)

  web3-eth-ens

  • getText now supports first param Address
  • getName has optional second param checkInterfaceSupport

  web3-types

  • Added result as optional never and error as optional never in type JsonRpcNotification` (#7091)
  • Added JsonRpcNotfication as a union type in JsonRpcResponse (#7091)

  web3-rpc-providers

  • Alpha release

  Fixed

  web3-eth-ens

  • getName reverse resolution

  What's Changed

  • release/v4.9.0 by @ luu-alex in #7057
  • fix(docs): intro by @ danforbes in #7056
  • coverage increase by @ jdevcs in #7051
  • 6992 getText update and getName fix by @ jdevcs in #7047
  • web3 external provider - Quicknode by @ jdevcs in #7019
  • fix(docs): quickstart by @ danforbes in #7062
  • Fix SNYK for 4.x by @ avkos in #7064
  • Use .snyk file for all projects by @ avkos in #7071
  • fix(docs): sidebar by @ danforbes in #7063
  • fix(docs): mastering providers by @ danforbes in #7070
  • Remove .snyk files by @ avkos in #7073
  • 100% Coverage web3-utills by @ Muhammad-Altabba in #7042
  • chore(docs): formatting by @ danforbes in