[Snyk] Upgrade: apollo-server-express, graphql, express, bcrypt, module-alias, mongodb, nodemon, swagger-ui-express, validator

[danilocatapan]

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

apollo-server-express
from 2.19.1 to 2.26.2 | 40 versions ahead of your current version | a year ago
on 2023-08-30
graphql
from 15.5.1 to 15.9.0 | 9 versions ahead of your current version | 3 months ago
on 2024-06-21
express
from 4.17.1 to 4.19.2 | 9 versions ahead of your current version | 6 months ago
on 2024-03-25
bcrypt
from 5.0.1 to 5.1.1 | 2 versions ahead of your current version | a year ago
on 2023-08-16
module-alias
from 2.2.2 to 2.2.3 | 1 version ahead of your current version | a year ago
on 2023-06-03
mongodb
from 3.6.6 to 3.7.4 | 11 versions ahead of your current version | a year ago
on 2023-06-21
nodemon
from 2.0.7 to 2.0.22 | 25 versions ahead of your current version | a year ago
on 2023-03-22
swagger-ui-express
from 4.1.6 to 4.6.3 | 8 versions ahead of your current version | a year ago
on 2023-05-05
validator
from 13.6.0 to 13.12.0 | 4 versions ahead of your current version | 4 months ago
on 2024-05-09

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	482	Proof of Concept
	Denial of Service (DoS) SNYK-JS-WS-7266574	482	Proof of Concept
	Denial of Service (DoS) SNYK-JS-WS-7266574	482	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	482	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	482	Proof of Concept
	Prototype Poisoning SNYK-JS-QS-3153490	482	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	482	No Known Exploit
	Open Redirect SNYK-JS-EXPRESS-6474509	482	No Known Exploit
	Open Redirect SNYK-JS-GOT-2932019	482	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTTPCACHESEMANTICS-3248783	482	Proof of Concept
	Information Exposure SNYK-JS-MONGODB-5871303	482	No Known Exploit
	Information Exposure SNYK-JS-NODEFETCH-2342118	482	No Known Exploit
	Information Exposure SNYK-JS-NODEFETCH-2342118	482	No Known Exploit
	Server-side Request Forgery (SSRF) SNYK-JS-SWAGGERUIDIST-2314884	482	Mature
	Server-side Request Forgery (SSRF) SNYK-JS-SWAGGERUIDIST-6056393	482	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-SWAGGERUIEXPRESS-6815423	482	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-SWAGGERUIEXPRESS-6815424	482	Mature
	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-TAR-6476909	482	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	482	Proof of Concept
	Information Exposure SNYK-JS-APOLLOSERVERCORE-5876618	482	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	482	Proof of Concept
	Prototype Pollution SNYK-JS-MINIMIST-2429795	482	Proof of Concept

Release notes

Package name: apollo-server-express

• 2.26.2 - 2023-08-30
• 2.26.1 - 2022-10-20
• 2.26.0 - 2022-08-18
• 2.25.4 - 2022-05-25
• 2.25.3 - 2021-11-04
• 2.25.2 - 2021-06-22
• 2.25.1 - 2021-06-08
• 2.25.0 - 2021-05-27
• 2.25.0-alpha.1 - 2021-05-27
• 2.25.0-alpha.0 - 2021-05-26
• 2.24.1 - 2021-05-18
• 2.24.0 - 2021-04-30
• 2.24.0-alpha.2 - 2021-04-30
• 2.24.0-alpha.1 - 2021-04-29
• 2.24.0-alpha.0 - 2021-04-28
• 2.23.1-unified2.3 - 2021-04-27
• 2.23.1-unified2.2 - 2021-04-27
• 2.23.1-unified2.1 - 2021-04-23
• 2.23.1-unified2.0 - 2021-04-22
• 2.23.1-unified.2 - 2021-04-22
• 2.23.1-unified.0 - 2021-04-22
• 2.23.0 - 2021-04-14
• 2.23.0-alpha.1 - 2021-04-09
• 2.23.0-alpha.0 - 2021-04-09
• 2.22.2 - 2021-03-29
• 2.22.2-alpha.0 - 2021-03-29
• 2.22.1 - 2021-03-26
• 2.22.0 - 2021-03-26
• 2.22.0-alpha.0 - 2021-03-22
• 2.21.2 - 2021-03-18
• 2.21.2-alpha.0 - 2021-03-16
• 2.21.1 - 2021-03-08
• 2.21.1-alpha.0 - 2021-03-06
• 2.21.0 - 2021-02-12
• 2.21.0-alpha.2 - 2021-02-11
• 2.21.0-alpha.1 - 2021-02-11
• 2.21.0-alpha.0 - 2021-02-11
• 2.20.0 - 2021-02-09
• 2.20.0-alpha.0 - 2021-02-09
• 2.19.2 - 2021-01-14
• 2.19.1 - 2020-12-22

from apollo-server-express GitHub release notes

Package name: graphql

• 15.9.0 - 2024-06-21
  

  v15.9.0 (2024-06-21)

  New Feature 🚀

  • #4120 backport[v15]: Introduce "recommended" validation rules (@ benjie)

  Bug Fix 🐞

  • #3708 Fix crash in node when mixing sync/async resolvers (backport of #3706) (@ chrskrchr)
  • #4000 Backport "Prevent Infinite Loop in OverlappingFieldsCanBeMergedRule" to v15 (@ benjie)

  Internal 🏠

  • #4126 backport(v15): fix publish scripts (@ benjie)

  Committers: 2

  • Benjie(@ benjie)
  • Chris Karcher(@ chrskrchr)
• 15.8.0 - 2021-12-07
• 15.7.2 - 2021-10-28
• 15.7.1 - 2021-10-27
• 15.7.0 - 2021-10-26
• 15.6.1 - 2021-10-05
• 15.6.0 - 2021-09-20
• 15.5.3 - 2021-09-06
• 15.5.2 - 2021-08-30
• 15.5.1 - 2021-06-20

from graphql GitHub release notes

Package name: express

• 4.19.2 - 2024-03-25
• 4.19.1 - 2024-03-20
  

  What's Changed

  • Fix ci after location patch by @ wesleytodd in #5552
  • fixed un-edited version in history.md for 4.19.0 by @ wesleytodd in #5556

  Full Changelog: 4.19.0...4.19.1

• 4.19.0 - 2024-03-20
  

  What's Changed

  • fix typo in release date by @ UlisesGascon in #5527
  • docs: nominating @ wesleytodd to be project captian by @ wesleytodd in #5511
  • docs: loosen TC activity rules by @ wesleytodd in #5510
  • Add note on how to update docs for new release by @ crandmck in #5541
  • Prevent open redirect allow list bypass due to encodeurl
  • Release 4.19.0 by @ wesleytodd in #5551

  New Contributors

  • @ crandmck made their first contribution in #5541

  Full Changelog: 4.18.3...4.19.0

• 4.18.3 - 2024-02-29
  

  Main Changes

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2

  Other Changes

  • Use https: protocol instead of deprecated git: protocol by @ vcsjones in #5032
  • build: Node.js@16.18 and Node.js@18.12 by @ abenhamdine in #5034
  • ci: update actions/checkout to v3 by @ armujahid in #5027
  • test: remove unused function arguments in params by @ raksbisht in #5124
  • Remove unused originalIndex from acceptParams by @ raksbisht in #5119
  • Fixed typos by @ raksbisht in #5117
  • examples: remove unused params by @ raksbisht in #5113
  • fix: parameter str is not described in JSDoc by @ raksbisht in #5130
  • fix: typos in History.md by @ raksbisht in #5131
  • build : add Node.js@19.7 by @ abenhamdine in #5028
  • test: remove unused function arguments in params by @ raksbisht in #5137
  • use random port in test so it won't fail on already listening by @ rluvaton in #5162
  • tests: use cb() instead of done() by @ kristof-low in #5233
  • examples: remove multipart example by @ riddlew in #5195
  • Update support Node.js@18 in the CI by @ UlisesGascon in #5490
  • Fix favicon-related bug in cookie-sessions example by @ DmytroKondrashov in #5414
  • Release 4.18.3 by @ UlisesGascon in #5505

  New Contributors

  • @ vcsjones made their first contribution in #5032
  • @ abenhamdine made their first contribution in #5034
  • @ armujahid made their first contribution in #5027
  • @ raksbisht made their first contribution in #5124
  • @ rluvaton made their first contribution in #5162
  • @ kristof-low made their first contribution in #5233
  • @ riddlew made their first contribution in #5195
  • @ DmytroKondrashov made their first contribution in #5414

  Full Changelog: 4.18.2...4.18.3

• 4.18.2 - 2022-10-08
  
  • Fix regression routing a large stack in a single route
  • deps: body-parser@1.20.1
    • deps: qs@6.11.0
    • perf: remove unnecessary object clone
  • deps: qs@6.11.0
• 4.18.1 - 2022-04-29
  
  • Fix hanging on large stack of sync routes
• 4.18.0 - 2022-04-25
  
  • Add "root" option to res.download
  • Allow options without filename in res.download
  • Deprecate string and non-integer arguments to res.status
  • Fix behavior of null/undefined as maxAge in res.cookie
  • Fix handling very large stacks of sync middleware
  • Ignore Object.prototype values in settings through app.set/app.get
  • Invoke default with same arguments as types in res.format
  • Support proper 205 responses using res.send
  • Use http-errors for res.format error
  • deps: body-parser@1.20.0
    • Fix error message for json parse whitespace in strict
    • Fix internal error when inflated body exceeds limit
    • Prevent loss of async hooks context
    • Prevent hanging when request already read
    • deps: depd@2.0.0
    • deps: http-errors@2.0.0
    • deps: on-finished@2.4.1
    • deps: qs@6.10.3
    • deps: raw-body@2.5.1
  • deps: cookie@0.5.0
    • Add priority option
    • Fix expires option to reject invalid dates
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: finalhandler@1.2.0
    • Remove set content headers that break response
    • deps: on-finished@2.4.1
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
    • Prevent loss of async hooks context
  • deps: qs@6.10.3
  • deps: send@0.18.0
    • Fix emitted 416 error missing headers property
    • Limit the headers removed for 304 response
    • deps: depd@2.0.0
    • deps: destroy@1.2.0
    • deps: http-errors@2.0.0
    • deps: on-finished@2.4.1
    • deps: statuses@2.0.1
  • deps: serve-static@1.15.0
    • deps: send@0.18.0
  • deps: statuses@2.0.1
    • Remove code 306
    • Rename 425 Unordered Collection to standard 425 Too Early
• 4.17.3 - 2022-02-17
  
  • deps: accepts@~1.3.8
    • deps: mime-types@~2.1.34
    • deps: negotiator@0.6.3
  • deps: body-parser@1.19.2
    • deps: bytes@3.1.2
    • deps: qs@6.9.7
    • deps: raw-body@2.4.3
  • deps: cookie@0.4.2
  • deps: qs@6.9.7
    • Fix handling of __proto__ keys
  • pref: remove unnecessary regexp for trust proxy
• 4.17.2 - 2021-12-17
  
  • Fix handling of undefined in res.jsonp
  • Fix handling of undefined when "json escape" is enabled
  • Fix incorrect middleware execution with unanchored RegExps
  • Fix res.jsonp(obj, status) deprecation message
  • Fix typo in res.is JSDoc
  • deps: body-parser@1.19.1
    • deps: bytes@3.1.1
    • deps: http-errors@1.8.1
    • deps: qs@6.9.6
    • deps: raw-body@2.4.2
    • deps: safe-buffer@5.2.1
    • deps: type-is@~1.6.18
  • deps: content-disposition@0.5.4
    • deps: safe-buffer@5.2.1
  • deps: cookie@0.4.1
    • Fix maxAge option to reject invalid values
  • deps: proxy-addr@~2.0.7
    • Use req.socket over deprecated req.connection
    • deps: forwarded@0.2.0
    • deps: ipaddr.js@1.9.1
  • deps: qs@6.9.6
  • deps: safe-buffer@5.2.1
  • deps: send@0.17.2
    • deps: http-errors@1.8.1
    • deps: ms@2.1.3
    • pref: ignore empty http tokens
  • deps: serve-static@1.14.2
    • deps: send@0.17.2
  • deps: setprototypeof@1.2.0
• 4.17.1 - 2019-05-26

from express GitHub release notes

Package name: bcrypt

• 5.1.1 - 2023-08-16
  

  What's Changed

  • Refactored example with async await by @ lpizzinidev in #894
  • Fixed z/OS build issue by @ laijonathan in #968
  • Update dependencies by @ recrsn in #993

  New Contributors

  • @ lpizzinidev made their first contribution in #894
  • @ laijonathan made their first contribution in #968

  Full Changelog: v5.1.0...v5.1.1

• 5.1.0 - 2022-10-06
  

  What's Changed

  • Update node-pre-gyp to 1.0.2 by @ feuxfollets1013 in #865
  • Update README for inclusion of musl by @ arbourd in #883
  • Version bump, security updates to sub dep npmlog by @ adaniels-parabol in #905
  • document ESM usage (#892) by @ mariusa in #899
  • fix: update travis CI Docker image repository by @ cokia in #930
  • Update node versions in appveyor test matrix by @ p-kuen in #936
  • chore(appveyor): not use latest npm by @ cokia in #932
  • chore: update Appveyor readme badge by @ cokia in #933
  • Use Github actions for CI by @ recrsn in #858
  • Update dependencies by @ recrsn in #953
  • Migrate tests to use Jest by @ recrsn in #958
  • Pin NAPI to v3 by @ recrsn in #959

  New Contributors

  • @ feuxfollets1013 made their first contribution in #865
  • @ arbourd made their first contribution in #883
  • @ adaniels-parabol made their first contribution in #905
  • @ mariusa made their first contribution in #899
  • @ cokia made their first contribution in #930
  • @ p-kuen made their first contribution in #936

  Full Changelog: v5.0.1...v5.1.0

• 5.0.1 - 2021-02-26
  

  Update node-pre-gyp to 1.0.0

from bcrypt GitHub release notes

Package name: module-alias

• 2.2.3 - 2023-06-03
• 2.2.2 - 2019-10-01
  

  Make module-alias work in cli mode #76

from module-alias GitHub release notes

Package name: mongodb

• 3.7.4 - 2023-06-21
  

  The MongoDB Node.js team is pleased to announce version 3.7.4 of the mongodb package!

  Release Highlights

  This release fixes a bug that throws a type error when SCRAM-SHA-256 is used with saslprep in a webpacked environment.

  3.7.4 (2023-06-21)

  Bug Fixes

  • NODE-3711: retry txn end on retryable write (#3047) (1595140)
  • NODE-5355: prevent error when saslprep is not a function (#3733) (152425a)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 3.7.3 - 2021-10-20
• 3.7.2 - 2021-10-05
• 3.7.1 - 2021-09-14
• 3.7.0 - 2021-08-31
• 3.6.12 - 2021-08-30
• 3.6.11 - 2021-08-05
• 3.6.10 - 2021-07-06
• 3.6.9 - 2021-05-26
• 3.6.8 - 2021-05-21
• 3.6.7 - 2021-05-18
• 3.6.6 - 2021-04-06

from mongodb GitHub release notes

Package name: nodemon

• 2.0.22 - 2023-03-22
  

  2.0.22 (2023-03-22)

  Bug Fixes

  • remove ts mapping if loader present (f7816e4), closes #2083
• 2.0.21 - 2023-03-02
  

  2.0.21 (2023-03-02)

  Bug Fixes

  • remove ts mapping if loader present (1468397), closes #2083
• 2.0.20 - 2022-09-16
  

  2.0.20 (2022-09-16)

  Bug Fixes

  • remove postinstall script (e099e91)
• 2.0.19 - 2022-07-05
  

  2.0.19 (2022-07-05)

  Bug Fixes

  • Replace update notifier with simplified deps (#2033) (176c4a6), closes #1961 #2028
• 2.0.18 - 2022-06-23
  

  2.0.18 (2022-06-23)

  Bug Fixes

  • revert update-notifier forcing esm (1b3bc8c)
• 2.0.17 - 2022-06-23
  

  2.0.17 (2022-06-23)

  Bug Fixes

  • bump update-notifier to v6.0.0 (#2029) (0144e4f)
  • update packge-lock (27e91c3)
• 2.0.16 - 2022-04-29
  

  2.0.16 (2022-04-29)

  Bug Fixes

  • support windows by using path.delimiter (