[Snyk] Fix for 18 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-AWSSDK-1059424	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-CONVICT-1062508	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-DATEANDTIME-1054430	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-JSONBIGINT-608659	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MERGE-1040469	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MERGE-1042987	Yes	Proof of Concept
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	No	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	HTTP Header Injection SNYK-JS-NODEMAILER-1296415	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-REDIS-1255645	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-1023599	No	Proof of Concept
	520/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-1072471	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-610226	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	Yes	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: aws-sdk

The new version differs by 10 commits.

• 8875a35 Updates SDK to v2.814.0
• dd83d67 throw at invalid profile name in shared ini file (#3585)
• ee0c5a3 Updates SDK to v2.813.0
• 468d15b Updates SDK to v2.812.0
• c50132f Update README.md with references to JS SDK V3 (#3582)
• 3e19b08 Updates SDK to v2.811.0
• f26c00d Updates SDK to v2.810.0
• b393a6e Adds automatic PreSignedUrl generation to RDS.StartDBInstanceAutomatedBackupsReplication (#3566)
• fa57967 Updates SDK to v2.809.0
• 9a52018 Updates SDK to v2.808.0

See the full diff

Package name: convict

The new version differs by 57 commits.

• 7e068d8 v6.0.1
• 81771b3 ran npm audit fix
• dc17a2e Merge pull request Password option to allow sharing link over unencrypted networks mozilla/send#384 from 418sec/1-npm-convict
• 180d692 Merge pull request Store the URL that the user has come from in the redirect_uri query param #1 from arjunshibu/master
• 688c46a Security fix for prototype pollution
• 95f4ab3 Fix lodash vuln by regenerating package-lock.json
• 9d90709 Use consistent code style
• 76f0f98 Fix typo (No error is shown for missing or wrong fragment mozilla/send#375)
• a3eee35 Remove david-dm.org badges because not fitted
• fe80cf8 Add more keywords for convict package
• eb2db0c Easier text layout for copy-pasting
• e86b84a Simplify setup with postinstall script (Switch from jQuery to React? mozilla/send#374)
• 289ff74 Update devDependencies (Add noscript tag? mozilla/send#373)
• fdf3e69 Feat add migrating doc (Investigate test timeouts on Circle-CI mozilla/send#372)
• 0f18464 Remove warning convict@6.0.0 soon to be published
• e3770a6 Advertise that convict@6 is in the process of
• edff2dd More details on the release process
• d2f40e2 More details on the release process
• 7f974da v6.0.0
• 203657b Setup Lerna strategy (WIP: Add babel+webpack scaffolding mozilla/send#368)
• 9f2aec3 Revert "v6.0.0"
• 6162366 v6.0.0
• 8ef51ae More details about Lerna management
• 9bb5bb2 Better do requires at the root of modules

See the full diff

Package name: mozlog

The new version differs by 16 commits.

• 1b9cf8d updated "merge" and bump patch version
• 119afb7 3.0.1
• 27cf232 Merge pull request Email on download #30 from julienw/patch-1
• f9bc9ff Change license string to SPDX compliant version
• 1e0a72b Create CONTRIBUTING.md
• 2e33824 3.0.0
• eb23207 Merge pull request Email on download #29 from mozilla/deps
• af967c0 Update Travis for latest versions of node
• 576f26c Update deps
• 2d51e33 Merge pull request fix: change ci to target correct env #28 from julienw/slightly-change-formatter-output
• be6066c Change how the pretty formatter output its arguments
• cdd572b Add a test for the pretty formatter
• 04c6486 Merge pull request chore: change console log to avoid displaying cookie #23 from Mozilla-GitHub-Standards/master
• a1e5496 Add Mozilla Code of Conduct file
• 78be2bd Merge pull request feat: update header and footer #21 from devinreams/patch-1
• e280910 bump merge due to prototype pollution advisory

See the full diff

Package name: node-fetch

The new version differs by 12 commits.

• b5e2e41 update version number
• 2358a6c Honor the `size` option after following a redirect and revert data uri support
• 8c197f8 docs: Fix typos and grammatical errors in README.md (Hide password while Typing and after Entering: Fixes #670  mozilla/send#686)
• 1e99050 fix: Change error message thrown with redirect mode set to error (Fix 'exit' event reporting mozilla/send#653)
• 244e6f6 docs: Show backers in README
• 6a5d192 fix: Properly parse meta tag when parameters are reversed ([Docs] - README.md - minor spelling fixes mozilla/send#682)
• 47a24a0 chore: Add opencollective badge
• 7b13662 chore: Add funding link
• 5535c2e fix: Check for global.fetch before binding it (Download not working on Safari for iOS mozilla/send#674)
• 1d5778a docs: Add Discord badge
• eb3a572 feat: Data URI support (The share link field is wrongly active when the "Require a password" checkbox is selected mozilla/send#659)
• 086be6f Remove --save option as it isn't required anymore (introducing ToC to README.md mozilla/send#581)

See the full diff

Package name: nodemailer

The new version differs by 16 commits.

• 7e02648 v6.6.1
• 1750c0f v6.6.0
• 0636d58 Merge branch 'master' of github.com:nodemailer/nodemailer
• 058d414 v6.6.0
• fcb0d1f test: 💍 aws ses SDK v3 support
• 2ef39e3 test: 💍 aws ses connection verification
• 6107585 fix: 🐛 ses verify, add support for v3 API
• bf57cf5 Fixes resolveContent with streams overriding data
• 91108d7 v6.5.0
• 87d9b25 Pass through textEncoding to subnodes.
• 271f91b Update index.js
• 9b5fb94 v6.4.18
• 625a9ed Update README.md
• 1d24d8b docs: added rudimentary sponsor quote block
• a455716 Added OhMySMTP to services
• 6e045d1 v6.4.17

See the full diff

Package name: redis

The new version differs by 142 commits.

• fc28860 Bump version to 3.1.1 (#1597)
• 2d11b6d fix #1569 - improve monitor_regex (#1595)
• 7e77de8 Add Chat (#1594)
• 5d3e995 Merge branch 'master' of https://github.com/NodeRedis/node-redis
• b797cf2 add user to README.md
• 79f34c2 Bump version to 3.1.0 (#1590)
• 7fdc54e fix for 428e1c8a7b2322c2650294638cb1663ac5692728 - fix auth retry when redis is in loading state
• 09f0fe8 "fix" tests
• 428e1c8 Add support for Redis 6 `auth pass [user]` (The Privacy Notice is not displayed after clicking the Privacy footer link if you are not logged in mozilla/send#1508)
• bb208d0 Add codeclimate badge (#1572)
• 47e2e38 Exclude examples from deepsource (#1579)
• fbca5cd Upgrade node and dependencies (#1578)
• 2188744 Create codeql-analysis.yml (#1577)
• 32861b5 Create .deepsource.toml (#1574)
• 2a34d41 Add LGTM badge (#1571)
• 69b7094 Workflows fixes (#1570)
• 49c4131 Merge pull request #1531 from marnikvde/improve-docs
• 3c8ff5c Merge branch 'master' into improve-docs
• 685a72d Merge pull request Add to F Droid mozilla/send#1277 from dcharbonnier/patch-1
• 055f5c5 Merge branch 'master' into patch-1
• c78b6d5 Merge pull request #1527 from heynikhil/patch-1
• 53f1468 Merge branch 'master' into patch-1
• 232f191 Merge pull request #1563 from lebseu/patch-1
• e4cb073 Update README.md

See the full diff

Package name: ua-parser-js

The new version differs by 88 commits.

• 9999815 Update version number to 0.7.24
• 809439e Fix potential ReDoS vulnerability as reported by Doyensec
• 5b83893 Merge pull request Add progress (%) to the title of upload page mozilla/send#479 from joeyparrish/develop
• 9d154cc chore: Update build
• 7679003 fix: Xbox OS detection
• 45bf76a Merge pull request Fixing bug #438 by adding role attribute to anchor tags and alt attribute images mozilla/send#474 from dust-off/master
• f543c5a facebook movile app with no browser info
• 89a72c2 Merge pull request Remove aad from tests mozilla/send#471 from jishidaaaaa/fix-firetv-detection
• 314131d Merge pull request removed references to checksums in frontend tests mozilla/send#472 from GeraldHost/master
• 386ebc2 feat: update readme playstation
• b0f14de Fix Detection Rule For Amazon Fire TV
• fd8a583 Merge pull request Increase mimimum node version to 8.2.0 mozilla/send#469 from bynice/patch-1
• cc2da93 Merge pull request WIP: Add babel+webpack scaffolding mozilla/send#368 from Deliaz/master
• 34e2e80 Update ua-parser.js
• 26c74ef Merge branch 'develop' into master
• e4b3029 Merge pull request added webpack mozilla/send#466 from yoyo837/patch-1
• b7d4865 Update homepage
• d5ab75a Merge branch 'master' of github.com:faisalman/ua-parser-js
• c7475db 0.7.23
• 83d37b4 Merge pull request Add rel noopener noreferrer to target='_blank' anchor elements (Fixes #439) mozilla/send#451 from dineshks1/master
• 2d53ceb Merge branch 'develop' of github.com:faisalman/ua-parser-js into develop
• d107155 Merge pull request Upload button doesn't look that great in Japanese locale mozilla/send#463 from vinyldarkscratch/bump-deps
• 43fb4d1 Merge pull request Continue to serve download page until after 24 hour expiry  mozilla/send#459 from WizKid/master
• 6d1f26d Fix ReDoS vulnerabilities reported by Snyk

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

[danielkhoo]

Problem

Send has a bunch of Snyk vulnerabilities. This PR is focused on mitigating the critical and high ones.

Solution

• I used Snyk to open PR fixing the vulnerabilities with newer version. It also created a patch for the latest version of Lodash which has a vulnerability. Full details in the PR description above ☝️ .
  

• Next I bumped all the npm audit fix and Snyk bot version updates (consolidated from
  [Snyk] Security upgrade nodemailer from 6.4.16 to 6.6.1 #32, [Snyk] Upgrade aws-sdk from 2.807.0 to 2.933.0 #33, [Snyk] Upgrade @sentry/node from 5.8.0 to 5.30.0 #34, [Snyk] Upgrade selenium-standalone from 6.17.0 to 6.24.0 #35, [Snyk] Upgrade @google-cloud/storage from 4.1.1 to 4.7.0 #36).

That addressed most of the outstanding "high" vuln. There were few remaining highs which are 3x-4x nested dependencies with no upgrade path. I've set Snyk to temporarily ignore them until an update is available.

How to test

All the changes are live on https://send-staging.vault.gov.sg/

Deploy Notes

Will manually deploy to prod once tested and approved.