[Snyk] Fix for 38 vulnerabilities #1

DaniellaNiceSnyk · 2020-03-17T15:25:22Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

As this is a private repository, Snyk-bot does not have access. Therefore, this PR has been created automatically, but appears to have been created by a real user.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json
Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Issue	Breaking Change	Exploit Maturity
Denial of Service (DoS) SNYK-JS-EXPRESSFILEUPLOAD-473997	Yes	No Known Exploit
Prototype Pollution SNYK-JS-JQUERY-174006	Yes	No Known Exploit
Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
Prototype Pollution SNYK-JS-LODASH-73638	No	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-174116	No	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451540	No	No Known Exploit
Denial of Service (DoS) SNYK-JS-MONGODB-473855	Yes	No Known Exploit
Information Exposure SNYK-JS-MONGOOSE-472486	Yes	No Known Exploit
Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept
Arbitrary File Write via Archive Extraction (Zip Slip) npm:adm-zip:20180415	No	Mature
Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	No Known Exploit
Code Injection npm:dustjs-linkedin:20160819	No	No Known Exploit
Arbitrary Code Execution npm:ejs:20161128	Yes	No Known Exploit
Cross-site Scripting (XSS) npm:ejs:20161130	Yes	No Known Exploit
Denial of Service (DoS) npm:ejs:20161130-1	Yes	No Known Exploit
Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No	No Known Exploit
Cross-site Scripting (XSS) npm:jquery:20150627	Yes	No Known Exploit
Prototype Pollution npm:lodash:20180130	No	No Known Exploit
Cross-site Scripting (XSS) npm:marked:20150520	No	No Known Exploit
Cross-site Scripting (XSS) npm:marked:20170112	No	No Known Exploit
Cross-site Scripting (XSS) npm:marked:20170815	No	No Known Exploit
Cross-site Scripting (XSS) npm:marked:20170815-1	No	No Known Exploit
Regular Expression Denial of Service (ReDoS) npm:marked:20170907	No	No Known Exploit
Regular Expression Denial of Service (ReDoS) npm:marked:20180225	No	Proof of Concept
Denial of Service (DoS) npm:mem:20180117	Yes	No Known Exploit
Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes	No Known Exploit
Regular Expression Denial of Service (ReDoS) npm:moment:20161019	No	No Known Exploit
Regular Expression Denial of Service (ReDoS) npm:moment:20170905	No	No Known Exploit
Remote Memory Exposure npm:mongoose:20160116	No	Mature
Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	Yes	No Known Exploit
Uninitialized Memory Exposure npm:npmconf:20180512	Yes	Mature
Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit
Regular Expression Denial of Service (ReDoS) npm:semver:20150403	Yes	No Known Exploit
Directory Traversal npm:st:20140206	No	No Known Exploit
Open Redirect npm:st:20171013	Yes	Mature

Commit messages

Package name: adm-zip

The new version differs by 50 commits.

80d259f Version bump
3f00a03 Fixed #176
650e752 Fixed wrong date on files (issue #203)
d01fa8c Fixed bugs introduced with 0.4.9
c0cc85d Merge pull request #219 from jontore/master
39c83a2 Merge pull request #209 from poshta1900/fix
b94c5dd Merge pull request #227 from hhaidar/master
c95c553 Merge pull request #228 from jmcollin78/patch-1
cda668c Fix issue #218
0f2cb41 Fix octal literals so they work in strict mode
888931d To support strict mode use 0o prefix to octal numbers
89b6f67 Update package.json
9592298 Update README.md
ce59e5a Merge pull request #215 from grnd/master
38cb4a4 fix: resolve both target and entry path
18c3d31 Update package.json
666adec Update package.json
499d59b Update package.json
62f6400 Merge pull request #212 from aviadatsnyk/master
6f4dfeb fix: prevent extracting archived files outside of target path
ef0abe6 add try-catch around fs.writeSync
e116bc1 Merge pull request #208 from pmuens/patch-1
12d2099 Fix data accessing example in README
032566b Merge pull request #204 from BridgeAR/master

See the full diff

Package name: body-parser

The new version differs by 221 commits.

0f1bed0 1.17.1
0532096 lint: remove unreachable code branches
b34aab5 build: [email protected]
77b1ca1 build: [email protected]
e51dbc5 deps: [email protected]
79bc939 1.17.0
e6140e1 build: [email protected]
42f467d deps: [email protected]
4954aec build: test against Node.js 8.x nightly
e2050df build: [email protected]
2f941c4 build: [email protected]
6549617 build: [email protected]
d1c2c7f deps: http-errors@~1.6.1
e7b86ba build: [email protected]
7b630f7 1.16.1
de574bf build: [email protected]
889bcc9 build: [email protected]
dba8ac4 deps: [email protected]
95a3ebb docs: fix history file with incorrect qs version
c5a73d5 1.16.0
9744dda deps: [email protected]
7807757 deps: [email protected]
0e44768 lint: use standard style in the README
14952be build: [email protected]

See the full diff

Package name: errorhandler

The new version differs by 85 commits.

c41e9aa 1.4.3
ffce329 build: [email protected]
90a8777 build: [email protected]
38b745b deps: accepts@~1.3.0
80aea51 deps: escape-html@~1.0.3
b0be93a docs: fix typo in readme
2f688d0 build: support Node.js 5.x
1238ed4 build: [email protected]
fdeb13c build: [email protected]
cc6fd1f build: support Node.js 4.x
3a2117a build: support io.js 3.x
75b9ee1 build: reduce runtime versions to one per major
6797752 tests: add test for util.inspect in HTML response
b6e53d7 docs: add more documentation regarding util.inspect
88b9a58 deps: accepts@~1.2.13
ac75d3f build: [email protected]
5ee62b7 deps: [email protected]
1e89ae7 build: [email protected]
ef1e8f1 build: [email protected]
a7a6dce 1.4.2
692e2e7 deps: accepts@~1.2.12
6f2e8d2 build: [email protected]
564c117 build: fix running Node.js 0.8 tests on Travis CI
2dfd872 1.4.1

See the full diff

Package name: express

The new version differs by 250 commits.

f974d22 4.16.0
8d4ceb6 docs: add more information to installation
c0136d8 Add express.json and express.urlencoded to parse bodies
86f5df0 deps: [email protected]
4196458 deps: [email protected]
ddeb713 tests: add maxAge option tests for res.sendFile
7154014 Add "escape json" setting for res.json and res.jsonp
628438d deps: update example dependencies
a24fd0c Add options to res.download
95fb5cc perf: remove dead .charset set in res.jsonp
44591fe deps: vary@~1.1.2
2df1ad2 Improve error messages when non-function provided as middleware
12c3712 Use safe-buffer for improved Buffer API
fa272ed docs: fix typo in jsdoc comment
d9d09b8 perf: re-use options object when generating ETags
02a9d5f deps: proxy-addr@~2.0.2
c2f4fb5 deps: [email protected]
673d51f deps: [email protected]
5cc761c deps: parseurl@~1.3.2
ad7d96d deps: [email protected]
e62bb8b deps: etag@~1.8.1
70589c3 deps: content-type@~1.0.4
9a99c15 deps: accepts@~1.3.4
550043c deps: [email protected]

See the full diff

Package name: marked

The new version differs by 250 commits.

529a8d4 Merge pull request #1441 from styfle/release-0.6.2
fc5dbf1 🗜️ minify [skip ci]
b1ddd3c Merge pull request #1460 from andersk/inline-text-quadratic
be27472 Improve worst-case performance of inline.text regex
6b88601 0.6.2
ba1de1e 🗜️ minify [skip ci]
d94253c Merge pull request #1438 from UziTech/html-new-line-fix
6eec528 Merge pull request #1449 from UziTech/use-htmldiffer
0cd0333 remove redundant comments
ff127c5 use template literals
a16251d fix test spacing
da57301 use htmldiffer in file tests & update to node 4
621f649 abstract htmldiffer
42e816c fix again
246dd3d fix whitespace after tag
f1089fe add test
0f0b763 allow html without \n after
d069d0d Merge pull request #1448 from UziTech/version
5d6bde0 Merge pull request #1444 from UziTech/normalize-tests
4760772 fix tests
df310a8 remove header ids from original tests
775d08d move redos tests to /redos folder
b169e7b add excerpt length constant
fd9dc21 update deps

See the full diff

Package name: mongoose

The new version differs by 250 commits.

40a879b chore: release 5.7.5
159457d chore: add vpn black friday as sponsor
e6285ea Merge pull request #8244 from AbdelrahmanHafez/master
d9163f5 fix: correct order for declaration
cec9dda Minor refactor to ValidationError
13ae085 docs(index): add favicon to home page
96ce0eb style: fix lint
973b1e0 docs: add schema options to API docs
cdfb507 chore: add useUnifiedTopology for tests re: #8212
936ddfb fix(update): handle subdocument pre('validate') errors in update validation
98b3b09 test(update): repro #7187
b9c1012 docs(middleware): add note about accessing the document being updated in pre('findOneAndUpdate')
327b47a fix(subdocument): make subdocument#isModified use parent document's isModified
54db026 test(subdocument): repro #8223
89eb449 chore: now working on 5.7.5
ffbff22 chore: change version for recompiling website
0562ca7 chore: add opencollective sponsors: top web design companies, casino top
ee22c09 chore: now working on 5.7.5
f3eca5b fix(query): delete top-level `_bsontype` property in queries to prevent silent empty queries
cc10e0d test(query): repro #8222
ede5aef chore: release 5.7.4
402db1a fix(model): support passing `options` to `Model.remove()`
7a20276 fix(schema): handle `required: null` and `required: undefined` as `required: false`
9b4a323 test(schema): repro #8219