[Snyk] Fix for 20 vulnerabilities #154

gregoryrabbit · 2023-12-19T15:03:11Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- goof/package.json
- goof/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-DICER-2311764	Yes	Mature
671/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7	Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767	Yes	Proof of Concept
601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-HANDLEBARS-1279029	Yes	Proof of Concept
579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-HANDLEBARS-173692	Yes	No Known Exploit
579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-HANDLEBARS-174183	Yes	No Known Exploit
579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-HANDLEBARS-469063	Yes	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-HANDLEBARS-480388	Yes	No Known Exploit
726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-HANDLEBARS-534478	Yes	Proof of Concept
704/1000 Why? Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-HANDLEBARS-534988	Yes	No Known Exploit
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-HANDLEBARS-567742	Yes	Proof of Concept
703/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.2	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-JSYAML-173999	Yes	No Known Exploit
619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-JSYAML-174129	Yes	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
524/1000 Why? Has a fix available, CVSS 6.2	Regular Expression Denial of Service (ReDoS) npm:brace-expansion:20170302	Yes	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: express-fileupload

The new version differs by 250 commits.

9f22db7 version bump
9fca550 Merge pull request [Snyk(Unlimited)] Upgrade from thebespokepixel/string to thebespokepixel/string snyk-fixtures/npm-lockfiles#240 from AmazingMech2418/patch-1
1530cf5 Make Travis happy
e43bfcf Fix typo
8bf7427 Update processNested.js
fd40389 version bump
94c9cf9 prototype pollution fix [Snyk] Fix for 1 vulnerabilities #2
829f395 version bump
db49535 Merge pull request [Snyk(Unlimited)] Upgrade adm-zip from 0.4.7 to 0.4.13 snyk-fixtures/npm-lockfiles#237 from richardgirges/fix-236-proto-pollution
d81bee9 Upgrade latest packages; run npm audit fix; add logic to prevent prototype pollution in parseNested
e9848fc Update package-lock.json
d536cfb Update package.json
c7a6b9c Merge pull request [Snyk(Unlimited)] Upgrade lodash from 4.17.10 to 4.17.11 snyk-fixtures/npm-lockfiles#233 from RomanBurunkov/master
a53b93f Update tests to support empty files
d8c00c5 Add empty files support for tempFileHandler
b24233d Comment extra condition in fileFactory(issue [Snyk] Fix for 42 vulnerabilities #1), add more logging
d57ee02 Formatting utilities
b6097df Merge pull request [Snyk(Unlimited)] Upgrade color-convert from 1.9.2 to 1.9.3 snyk-fixtures/npm-lockfiles#232 from RomanBurunkov/master
05004b7 Merge pull request [Snyk(Unlimited)] Upgrade verbosity from 0.9.2 to 0.10.1 snyk-fixtures/npm-lockfiles#230 from Code42Cate/readme-timeout
1afa527 Update dependencies
880c2b7 Improve timeout option documentation
3f130b0 Add timeout option to README.MD
d55fa83 Merge pull request [Snyk(Unlimited)] Upgrade adm-zip from 0.4.7 to 0.4.13 snyk-fixtures/npm-lockfiles#222 from wbt/patch-1
d61f02f Fix some small typos

See the full diff

Package name: tap

The new version differs by 25 commits.

3cdc354 v6.3.0
137a2bb changelog is on the website now
49354cd t.doesNotThrow can take a string as the first arg
f5b1b30 upgrade nyc to v7
f068025 s/supports-color/color-support/g
6eb21aa ignore tap lib folder in stack traces
8faa184 v6.2.0
f745959 Add --test-arg=<argument> option
3ace105 signal-exit@3
a976db2 v6.1.1
500f8ad remove unused codecov.io dep
191eeed v6.1.0
840fd12 adds 'diagnostic' flag to include diags always
a5d8cee v6.0.0
1f88f4a Child tests should inherit bail-on-fail from parent
ec90a96 hard-code TAP_TIMEOUT in rcfiles test
f085de5 Fix regression on coverage-check args passing to nyc
d87a857 Document rc files
4d3b0e8 shim home directory in rcfile test
ca5be4f document environs and --dump-config
b7e048f Add --dump-config, refactor rcfile handling slightly
b1c99b3 remove deep-extension for rc file handling
54e73f4 adds .taprc file support [Snyk(Unlimited)] Upgrade truwrap from 0.8.1 to 0.8.4 snyk-fixtures/npm-lockfiles#228
f8964a0 Remove built-in codecov.io support