[Snyk] Fix for 42 vulnerabilities #1

snyk-bot · 2020-01-13T12:27:59Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- goof/package.json
- goof/package-lock.json
- goof/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change
	Denial of Service (DoS) SNYK-JS-EXPRESSFILEUPLOAD-473997	Yes
	Prototype Pollution SNYK-JS-JQUERY-174006	Yes
	Denial of Service (DoS) SNYK-JS-JSYAML-173999	Yes
	Arbitrary Code Execution SNYK-JS-JSYAML-174129	Yes
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-174116	No
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451540	No
	Denial of Service (DoS) SNYK-JS-MONGODB-473855	Yes
	Information Exposure SNYK-JS-MONGOOSE-472486	Yes
	Arbitrary Code Injection SNYK-JS-MORGAN-72579	No
	Arbitrary File Write via Archive Extraction (Zip Slip) npm:adm-zip:20180415	No
	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No
	Code Injection npm:dustjs-linkedin:20160819	No
	Arbitrary Code Execution npm:ejs:20161128	Yes
	Cross-site Scripting (XSS) npm:ejs:20161130	Yes
	Denial of Service (DoS) npm:ejs:20161130-1	Yes
	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No
	Prototype Pollution npm:hoek:20180212	Yes
	Cross-site Scripting (XSS) npm:jquery:20150627	Yes
	Content & Code Injection (XSS) npm:marked:20150520	No
	Cross-site Scripting (XSS) via Data URIs npm:marked:20170112	No
	Cross-site Scripting (XSS) npm:marked:20170815	No
	Cross-site Scripting (XSS) npm:marked:20170815-1	No
	Regular Expression Denial of Service (ReDoS) npm:marked:20170907	No
	Regular Expression Denial of Service (ReDoS) npm:marked:20180225	No
	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes
	Regular Expression Denial of Service (ReDoS) npm:moment:20161019	No
	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	No
	Remote Memory Exposure npm:mongoose:20160116	No
	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	No
	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes
	Regular Expression Denial of Service (DoS) npm:negotiator:20160616	Yes
	Uninitialized Memory Exposure npm:npmconf:20180512	Yes
	Prototype Override Protection Bypass npm:qs:20170213	No
	Regular Expression Denial of Service (ReDoS) npm:semver:20150403	Yes
	Directory Traversal npm:st:20140206	No
	Open Redirect npm:st:20171013	Yes
	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Yes

Commit messages

Package name: adm-zip

The new version differs by 50 commits.

80d259f Version bump
3f00a03 Fixed [Snyk] Security upgrade tap from 5.8.0 to 11.1.3 #176
650e752 Fixed wrong date on files (issue [Snyk(Unlimited)] Upgrade debug from 2.0.0 to 2.6.9 snyk-fixtures/npm-lockfiles#203)
d01fa8c Fixed bugs introduced with 0.4.9
c0cc85d Merge pull request [Snyk(Unlimited)] Upgrade debug from 2.0.0 to 2.6.9 snyk-fixtures/npm-lockfiles#219 from jontore/master
39c83a2 Merge pull request [Snyk(Unlimited)] Upgrade node-uuid from 1.4.0 to 1.4.8 snyk-fixtures/npm-lockfiles#209 from poshta1900/fix
b94c5dd Merge pull request [Snyk(Unlimited)] Upgrade sgr-composer from 0.5.0 to 0.5.3 snyk-fixtures/npm-lockfiles#227 from hhaidar/master
c95c553 Merge pull request [Snyk(Unlimited)] Upgrade truwrap from 0.8.1 to 0.8.4 snyk-fixtures/npm-lockfiles#228 from jmcollin78/patch-1
cda668c Fix issue [Snyk(Unlimited)] Upgrade lodash from 4.17.10 to 4.17.11 snyk-fixtures/npm-lockfiles#218
0f2cb41 Fix octal literals so they work in strict mode
888931d To support strict mode use 0o prefix to octal numbers
89b6f67 Update package.json
9592298 Update README.md
ce59e5a Merge pull request [Snyk(Unlimited)] Upgrade verbosity from 0.9.2 to 0.10.1 snyk-fixtures/npm-lockfiles#215 from grnd/master
38cb4a4 fix: resolve both target and entry path
18c3d31 Update package.json
666adec Update package.json
499d59b Update package.json
62f6400 Merge pull request [Snyk(Unlimited)] Upgrade sgr-composer from 0.5.0 to 0.5.3 snyk-fixtures/npm-lockfiles#212 from aviadatsnyk/master
6f4dfeb fix: prevent extracting archived files outside of target path
ef0abe6 add try-catch around fs.writeSync
e116bc1 Merge pull request [Snyk(Unlimited)] Upgrade qs from 0.0.6 to 0.6.6 snyk-fixtures/npm-lockfiles#208 from pmuens/patch-1
12d2099 Fix data accessing example in README
032566b Merge pull request [Snyk(Unlimited)] Upgrade qs from 0.0.6 to 0.6.6 snyk-fixtures/npm-lockfiles#204 from BridgeAR/master

See the full diff

Package name: body-parser

The new version differs by 221 commits.

0f1bed0 1.17.1
0532096 lint: remove unreachable code branches
b34aab5 build: eslint-config-standard@7.0.0
77b1ca1 build: eslint-plugin-markdown@1.0.0-beta.4
e51dbc5 deps: qs@6.4.0
79bc939 1.17.0
e6140e1 build: Node.js@7.7
42f467d deps: qs@6.3.1
4954aec build: test against Node.js 8.x nightly
e2050df build: Node.js@7.6
2f941c4 build: Node.js@6.10
6549617 build: Node.js@4.8
d1c2c7f deps: http-errors@~1.6.1
e7b86ba build: eslint@3.16.1
7b630f7 1.16.1
de574bf build: eslint@3.15.0
889bcc9 build: Node.js@7.5
dba8ac4 deps: debug@2.6.1
95a3ebb docs: fix history file with incorrect qs version
c5a73d5 1.16.0
9744dda deps: qs@6.3.0
7807757 deps: debug@2.6.0
0e44768 lint: use standard style in the README
14952be build: eslint-config-standard@6.2.1

See the full diff

Package name: cfenv

The new version differs by 7 commits.

6927628 version 1.2.1
3f19f12 Upgrade js-yaml to avoid Denial of Service
a5dbceb version 1.2.0
1a730e3 Stop using outdated manifest stanza; use random-route instead
f8b0392 Upgrade underscore version 1.9.x
b60ef7c add test for local vcapFile port usage
c6262a6 Locally use the options to read the port

See the full diff

Package name: errorhandler

The new version differs by 85 commits.

c41e9aa 1.4.3
ffce329 build: istanbul@0.4.2
90a8777 build: Node.js@4.2
38b745b deps: accepts@~1.3.0
80aea51 deps: escape-html@~1.0.3
b0be93a docs: fix typo in readme
2f688d0 build: support Node.js 5.x
1238ed4 build: istanbul@0.4.1
fdeb13c build: mocha@2.3.4
cc6fd1f build: support Node.js 4.x
3a2117a build: support io.js 3.x
75b9ee1 build: reduce runtime versions to one per major
6797752 tests: add test for util.inspect in HTML response
b6e53d7 docs: add more documentation regarding util.inspect
88b9a58 deps: accepts@~1.2.13
ac75d3f build: istanbul@0.3.19
5ee62b7 deps: escape-html@1.0.3
1e89ae7 build: istanbul@0.3.18
ef1e8f1 build: supertest@1.1.0
a7a6dce 1.4.2
692e2e7 deps: accepts@~1.2.12
6f2e8d2 build: io.js@2.5
564c117 build: fix running Node.js 0.8 tests on Travis CI
2dfd872 1.4.1

See the full diff

Package name: express

The new version differs by 250 commits.

f974d22 4.16.0
8d4ceb6 docs: add more information to installation
c0136d8 Add express.json and express.urlencoded to parse bodies
86f5df0 deps: serve-static@1.13.0
4196458 deps: send@0.16.0
ddeb713 tests: add maxAge option tests for res.sendFile
7154014 Add "escape json" setting for res.json and res.jsonp
628438d deps: update example dependencies
a24fd0c Add options to res.download
95fb5cc perf: remove dead .charset set in res.jsonp
44591fe deps: vary@~1.1.2
2df1ad2 Improve error messages when non-function provided as middleware
12c3712 Use safe-buffer for improved Buffer API
fa272ed docs: fix typo in jsdoc comment
d9d09b8 perf: re-use options object when generating ETags
02a9d5f deps: proxy-addr@~2.0.2
c2f4fb5 deps: finalhandler@1.1.0
673d51f deps: utils-merge@1.0.1
5cc761c deps: parseurl@~1.3.2
ad7d96d deps: qs@6.5.1
e62bb8b deps: etag@~1.8.1
70589c3 deps: content-type@~1.0.4
9a99c15 deps: accepts@~1.3.4
550043c deps: setprototypeof@1.1.0

See the full diff

Package name: humanize-ms

The new version differs by 3 commits.

e8bc10a Release 1.1.0
e584c58 add benchmark
4cf945f deps: upgrade ms to 0.7.0

See the full diff

Package name: marked

The new version differs by 250 commits.

529a8d4 Merge pull request [Snyk(Unlimited)] Upgrade @thebespokepixel/string from 0.5.2 to 0.5.10 snyk-fixtures/npm-lockfiles#1441 from styfle/release-0.6.2
fc5dbf1 🗜️ minify [skip ci]
b1ddd3c Merge pull request [Snyk(Unlimited)] Upgrade truwrap from 0.8.1 to 0.8.4 snyk-fixtures/npm-lockfiles#1460 from andersk/inline-text-quadratic
be27472 Improve worst-case performance of inline.text regex
6b88601 0.6.2
ba1de1e 🗜️ minify [skip ci]
d94253c Merge pull request [Snyk(Unlimited)] Upgrade adm-zip from 0.4.7 to 0.4.13 snyk-fixtures/npm-lockfiles#1438 from UziTech/html-new-line-fix
6eec528 Merge pull request [Snyk(Unlimited)] Upgrade color-convert from 1.9.2 to 1.9.3 snyk-fixtures/npm-lockfiles#1449 from UziTech/use-htmldiffer
0cd0333 remove redundant comments
ff127c5 use template literals
a16251d fix test spacing
da57301 use htmldiffer in file tests & update to node 4
621f649 abstract htmldiffer
42e816c fix again
246dd3d fix whitespace after tag
f1089fe add test
0f0b763 allow html without \n after
d069d0d Merge pull request [Snyk(Unlimited)] Upgrade @thebespokepixel/es-tinycolor from 0.3.1 to 0.3.2 snyk-fixtures/npm-lockfiles#1448 from UziTech/version
5d6bde0 Merge pull request [Snyk(Unlimited)] Upgrade sgr-composer from 0.5.0 to 0.5.3 snyk-fixtures/npm-lockfiles#1444 from UziTech/normalize-tests
4760772 fix tests
df310a8 remove header ids from original tests
775d08d move redos tests to /redos folder
b169e7b add excerpt length constant
fd9dc21 update deps

See the full diff

Package name: mongoose

The new version differs by 250 commits.

40a879b chore: release 5.7.5
159457d chore: add vpn black friday as sponsor
e6285ea Merge pull request #8244 from AbdelrahmanHafez/master
d9163f5 fix: correct order for declaration
cec9dda Minor refactor to ValidationError
13ae085 docs(index): add favicon to home page
96ce0eb style: fix lint
973b1e0 docs: add schema options to API docs
cdfb507 chore: add useUnifiedTopology for tests re: #8212
936ddfb fix(update): handle subdocument pre('validate') errors in update validation
98b3b09 test(update): repro #7187
b9c1012 docs(middleware): add note about accessing the document being updated in pre('findOneAndUpdate')
327b47a fix(subdocument): make subdocument#isModified use parent document's isModified
54db026 test(subdocument): repro #8223
89eb449 chore: now working on 5.7.5
ffbff22 chore: change version for recompiling website
0562ca7 chore: add opencollective sponsors: top web design companies, casino top
ee22c09 chore: now working on 5.7.5
f3eca5b fix(query): delete top-level `_bsontype` property in queries to prevent silent empty queries
cc10e0d test(query): repro #8222
ede5aef chore: release 5.7.4
402db1a fix(model): support passing `options` to `Model.remove()`
7a20276 fix(schema): handle `required: null` and `required: undefined` as `required: false`
9b4a323 test(schema): repro #8219

See the full diff

Package name: morgan

The new version differs by 27 commits.

572dd93 1.9.1
e02de38 lint: apply standard 12 style
e329663 Fix using special characters in format
eb1968a tests: use strict equality checks
310b206 build: use yaml eslint configuration
5810937 build: Node.js@9.11
f60afd5 build: Node.js@8.11
5295b0c build: eslint-plugin-standard@3.1.0
178daaf build: eslint-plugin-promise@3.8.0
7b08641 build: eslint-plugin-import@2.12.0
73cb666 build: eslint@4.19.1
edc95aa build: Node.js@6.14
ace86c3 build: Node.js@4.9
4dd1180 lint: apply standard 11 style
60c31e8 build: Node.js@9.8
05e382f build: Node.js@8.10
1a5be20 build: Node.js@6.13
cf9565f docs: remove gratipay badge
b66251d build: eslint-plugin-node@5.2.0
0113732 build: eslint-plugin-import@2.8.0
47659a9 deps: depd@~1.1.2
695f659 build: support Node.js 9.x
f4c51e9 build: Node.js@8.9
4f15f36 build: Node.js@6.12

See the full diff

Package name: ms

The new version differs by 19 commits.

9b88d15 2.0.0
94b995c Invalidated cache for slack badge
bcf5715 Bumped dependencies to the latest version
b1eaab7 Ignored logs coming from npm
caae298 Limit str to 100 to avoid ReDoS of 0.3s ([Snyk] Security upgrade moment from 2.15.1 to 2.29.2 #89)
b83b36d chore(package): update eslint to version 3.19.0 ([Snyk] Security upgrade moment from 2.15.1 to 2.29.2 #88)
3f2a4d7 chore(package): update husky to version 0.13.3 ([Snyk] Security upgrade tap from 5.8.0 to 11.1.3 #86)
7daf984 1.0.0
ee91f30 More suitable name for file containing tests
e818c35 Removed browser testing
c9b1fd3 Test on LTS version of Node
389840b Badge for XO removed
1fbbe97 Removed component specification
57b3ef8 Use `prettier` and `eslint`
94068ea Removed XO
4b7f48f chore(package): update serve to version 5.0.4 ([Snyk] Security upgrade tap from 5.8.0 to 11.1.3 #85)
bd49cec chore(package): update xo to version 0.18.0 ([Snyk] Security upgrade tap from 5.8.0 to 11.1.3 #84)
d4a94b1 chore(package): update serve to version 5.0.3 ([Snyk] Fix for 4 vulnerabilities #83)
923eee1 chore(package): update serve to version 5.0.2 ([Snyk] Security upgrade marked from 0.3.5 to 4.0.10 #82)

See the full diff

Package name: tap

The new version differs by 250 commits.

fe8158e 11.1.3
b17542d Upgrade deps (changing semver requirements)
bc3ba17 update deps
bd4de92 Clean up nyc output so Travis passes on node 6
2292432 Add hexagonal-lambda to the tap 100 list
fed62c9 Merge remote-tracking branch 'origin/master'
3cdf1c7 11.1.2
ddf938b Only ship files we want to ship
5b5e2ee docs: add unique page titles
2323c3b Merge tag 'v11.1.1'
95faf6c 11.1.1
283c8e6 Handle EPIPE better in exceptional edge cases
b727234 Fix obscure edge case when this.results is not set
1699eb9 process: update docs on the master branch
ac366a0 docs: fix typo ('heirarchical' -> 'hierarchical')
13073a7 docs: correct 100 PR link
b95ee22 v11.1.0
fcf70aa Add support for disabling autoend
94be0a7 v11.0.1
6c3f019 remove badges that are no longer accurate or in use
ae562a7 don't ignore coverage doc
9fcfd52 Migrate docs into main repository
f189c50 v11.0.0
5cde128 Merge branch 'v11'

See the full diff

With a Snyk patch:

Severity	Issue
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905
	Regular Expression Denial of Service (DoS) npm:hawk:20160119
	Timing Attack npm:http-signature:20150122
	Regular Expression Denial of Service (ReDoS) npm:mime:20170907
	Regular Expression Denial of Service (DoS) npm:minimatch:20160620
	Regular Expression Denial of Service (ReDoS) npm:ms:20170412
	Remote Memory Exposure npm:request:20160119
	Uninitialized Memory Exposure npm:tunnel-agent:20170305

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

snyk-bot mentioned this pull request Jul 30, 2020

[Snyk] Security upgrade express-fileupload from 0.0.5 to 1.1.8 #31

Open

snyk-bot mentioned this pull request Mar 24, 2021

[Snyk] Security upgrade mongoose from 4.2.4 to 5.12.2 #53

Open

This was referenced Dec 19, 2023

[Snyk] Fix for 20 vulnerabilities #154

Open

[Snyk] Fix for 27 vulnerabilities #155

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Fix for 42 vulnerabilities #1

[Snyk] Fix for 42 vulnerabilities #1

snyk-bot commented Jan 13, 2020

[Snyk] Fix for 42 vulnerabilities #1

Are you sure you want to change the base?

[Snyk] Fix for 42 vulnerabilities #1

Conversation

snyk-bot commented Jan 13, 2020

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

With a Snyk patch: