[Snyk-dev] Fix for 31 vulnerabilities

[ShiriV]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Remote Memory Exposure SNYK-JS-BL-608877	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	No	No Known Exploit
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HOSTEDGITINFO-1088355	No	Proof of Concept
	631/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.2	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-INI-1048974	Yes	Proof of Concept
	823/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.6	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	No	Proof of Concept
	644/1000 Why? Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	Yes	No Known Exploit
	529/1000 Why? Has a fix available, CVSS 6.3	Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JS-JSZIP-3188562	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-MONGOOSE-5777721	Yes	Proof of Concept
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Server-side Request Forgery (SSRF) SNYK-JS-NETMASK-6056519	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-WORDWRAP-3149973	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Prototype Pollution SNYK-JS-XML2JS-5414874	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-Y18N-1021887	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @snyk/nodejs-runtime-agent

The new version differs by 38 commits.

• 224571c Merge pull request [Snyk] Security upgrade express from 4.12.4 to 4.19.2 snyk/snyk-goof#122 from snyk/snyk-upgrade-b499e5dec6c8943e8e5be3b991567d16
• e03426f fix: upgrade needle from 2.5.2 to 2.6.0
• a51b60b Merge pull request [Snyk] Security upgrade express from 4.12.4 to 4.19.2 snyk/snyk-goof#121 from snyk/snyk-upgrade-1b807b9de1acd5e1c9e71d472d42b551
• dbf7424 fix: upgrade debug from 4.1.1 to 4.3.2
• 93bbf24 Merge pull request [Snyk] Security upgrade snyk from 1.290.2 to 1.996.0 snyk/snyk-goof#119 from antonsamper/master
• 41798c3 chore(package): update engine
• efc27b5 Merge pull request [Snyk-dev] Fix for 110 vulnerabilities snyk/snyk-goof#116 from snyk/snyk-upgrade-d663568433e6c3f41671947a0885bd4b
• 0c70f97 fix: upgrade needle from 2.5.0 to 2.5.2
• 8946c95 Merge pull request [Snyk-dev] Fix for 110 vulnerabilities snyk/snyk-goof#114 from snyk/feat/needle
• ac9aabf feat: upgrade needle (redirect bug)
• ade9436 Merge pull request [Snyk-dev] Fix for 111 vulnerabilities snyk/snyk-goof#111 from snyk/snyk-fix-93368b07b9de27f1dbf0560f8ba14c21
• 4b5269a test: update test fixture to match acorn@5.7.2
• 919477e fix: package.json & package-lock.json to reduce vulnerabilities
• a502cbb Merge pull request [Snyk] Fix for 49 vulnerabilities snyk/snyk-goof#107 from snyk/docs/readme
• dde1526 docs: describe supported Node versions on our README.md
• 83fe936 Merge pull request [Snyk-dev] Fix for 98 vulnerabilities snyk/snyk-goof#103 from snyk/chore/codeowners
• 4b0109f chore: codeowners
• 435f878 Merge pull request [Snyk] Fix for 16 vulnerabilities snyk/snyk-goof#99 from snyk/chore/bumps
• 8ef98c8 test: limit concurrency to 1
• c53384a chore: upgrade tap; js-yaml is no longer
• 50a0844 chore: bump semver
• 391a2c5 chore: low-risk bumps
• 800766c chore: run tests on random port
• 3d90fb9 test: try and close the demo server cleanly

See the full diff

Package name: express-fileupload

The new version differs by 250 commits.

• 9f22db7 version bump
• 9fca550 Merge pull request #240 from AmazingMech2418/patch-1
• 1530cf5 Make Travis happy
• e43bfcf Fix typo
• 8bf7427 Update processNested.js
• fd40389 version bump
• 94c9cf9 prototype pollution fix [Snyk-dev] Upgrade snyk from 1.290.2 to 1.1079.0 #2
• 829f395 version bump
• db49535 Merge pull request #237 from richardgirges/fix-236-proto-pollution
• d81bee9 Upgrade latest packages; run npm audit fix; add logic to prevent prototype pollution in parseNested
• e9848fc Update package-lock.json
• d536cfb Update package.json
• c7a6b9c Merge pull request #233 from RomanBurunkov/master
• a53b93f Update tests to support empty files
• d8c00c5 Add empty files support for tempFileHandler
• b24233d Comment extra condition in fileFactory(issue [Snyk-dev] Upgrade snyk from 1.290.2 to 1.1077.0 #1), add more logging
• d57ee02 Formatting utilities
• b6097df Merge pull request #232 from RomanBurunkov/master
• 05004b7 Merge pull request #230 from Code42Cate/readme-timeout
• 1afa527 Update dependencies
• 880c2b7 Improve timeout option documentation
• 3f130b0 Add timeout option to README.MD
• d55fa83 Merge pull request #222 from wbt/patch-1
• d61f02f Fix some small typos

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• 0f3997a chore: release 5.13.20
• f1efabf fix: avoid prototype pollution on init
• 98e0762 chore: release 5.13.19
• 7e36d21 chore: release 5.13.18
• 6759c60 undo accidental changes and actually pin @ types/json-schema
• 4ed4a89 chore: pin version of @ types/json-schema because of install issues on node v4 and v6
• 9a9536d Merge pull request #13535 from lorand-horvath/patch-12
• 26424d5 5.x - bump mongodb driver to 3.7.4
• 4b8b0a9 add versionNumber to 5.x
• 1bc07ec chore: release 5.13.17
• 3f827b3 Merge branch '5.x' of github.com:Automattic/mongoose into 5.x
• eeabe5f chore: run CI tests on ubuntu 20.04 because 18.04 no longer supported
• 14464d1 Merge pull request #13195 from raj-goguardian/gh-13192
• 7e888e4 fix(update): handle $and & $or in array filters.
• 5dd0a4e Merge pull request #13138 from rdeavila94/gh-13136
• c8191da Update model.indexes.test.js
• 7364264 Update model.indexes.test.js
• 77b9d99 Updated the isIndexEqual function to take into account non-text indexes when checking compound indexes that include both text and non-text indexes
• 9dd82be Merge pull request #13132 from rdeavila94/gh-12654
• d0e149b Merge pull request #12737 from Automattic/vkarpov15/gh-12654
• e76c41c chore: release 5.13.16
• cdab11e chore: remove Node 5 and 7 from CI because GitHub actions is bugging out with them
• e33a8be fix(types): add missing typedefs for bulkSave() to 5.x
• 896cd76 Merge pull request #12692 from hasezoey/backportLinkUpdate

See the full diff

Package name: tap

The new version differs by 250 commits.

• 793c1c0 update versions
• 47a2289 add missing @ tapjs/mock service key polyfill
• 6622dca snapshot: update snapshot
• 556e520 mock: actually be resilient against multiple instances
• 2c135b0 Add `t.mockAll` method
• d7e7e4f clean process.cwd() out of snapshots by default
• 4c0dc72 use the released version of tshy
• c858f37 need to check in .tshy configs for typedoc to work
• 82f48cd update versions
• 0f27f73 TypeScript 5.2, use tshy for hybrid builds
• de09096 remove my home directory from parser snapshots
• 46e2bbb repl: mkdirp the .tap dir if missing
• acfae01 link typedocs to main website
• 2ece1da core spawn test even less flaky
• a7a12d2 update typedoc to latest, ts-node to temporary fork
• a5c0e0c some changelog updates
• caf8d81 document repl
• a5dc854 Store t.testdir() fixtures in .tap/fixtures
• 6914d23 remove docs from source control
• 1dcc6a7 exclude test files themselves from coverage
• aff25fc update versions
• c5972e7 core: make spawn timeout test less flaky
• 1c11b37 stack: properly parse ErrnoException errors
• 1280a55 parser: remove node v12 skip check

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Open Redirect
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn