[Snyk] Upgrade morgan from 1.6.1 to 1.10.0

[snyk-bot]

Snyk has created this PR to upgrade morgan from 1.6.1 to 1.10.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 7 versions ahead of your current version.
• The recommended version was released 10 days ago, on 2020-03-20.

The recommended version fixes:

Severity	Issue	Exploit Maturity
	Arbitrary Code Injection SNYK-JS-MORGAN-72579	Proof of Concept

Release notes

Package name: morgan

• 1.10.0 - 2020-03-20
  
  • Add :total-time token
  • Fix trailing space in colored status code for dev format
  • deps: basic-auth@~2.0.1
    • deps: safe-buffer@5.1.2
  • deps: depd@~2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: on-headers@~1.0.2
    • Fix res.writeHead patch missing return value
• 1.9.1 - 2018-09-11
  
  • Fix using special characters in format
  • deps: depd@~1.1.2
    • perf: remove argument reassignment
• 1.9.0 - 2017-09-27
  
  • Use res.headersSent when available
  • deps: basic-auth@~2.0.0
    • Use safe-buffer for improved Buffer API
  • deps: debug@2.6.9
  • deps: depd@~1.1.1
    • Remove unnecessary Buffer loading
• 1.8.2 - 2017-05-24
  
  • deps: debug@2.6.8
    • Fix DEBUG_MAX_ARRAY_LENGTH
    • deps: ms@2.0.0
• 1.8.1 - 2017-02-11
  
  • deps: debug@2.6.1
    • Fix deprecation messages in WebStorm and other editors
    • Undeprecate DEBUG_FD set to 1 or 2
• 1.8.0 - 2017-02-05
  
  • Fix sending unnecessary undefined argument to token functions
  • deps: basic-auth@~1.1.0
  • deps: debug@2.6.0
    • Allow colors in workers
    • Deprecated DEBUG_FD environment variable
    • Fix error when running under React Native
    • Use same color for same namespace
    • deps: ms@0.7.2
  • perf: enable strict mode in compiled functions
• 1.7.0 - 2016-02-19
  
  • Add digits argument to response-time token
  • deps: depd@~1.1.0
    • Enable strict mode in more places
    • Support web browser loading
  • deps: on-headers@~1.0.1
    • perf: enable strict mode
• 1.6.1 - 2015-07-04
  
  • deps: basic-auth@~1.0.3

from morgan GitHub release notes

Commit messages

Package name: morgan

• c68d2ea 1.10.0
• aa718d7 Add :total-time token
• ce15462 build: remove deprecated Travis CI directive
• e13e0d3 build: Node.js@13.11
• f023828 build: use nyc for test coverage
• 30c0871 build: mocha@7.1.1
• 8114639 docs: document success color in dev format
• 5d8176f docs: update rotating-file-stream usage for 2.x
• c54194c tests: ignore branch coverage that varies
• 5659d2f build: Node.js@12.16
• 43518b4 build: Node.js@13.10
• 7a42b31 build: Node.js@10.19
• 397208d build: Node.js@8.17
• 89dffcc build: mocha@7.1.0
• 9bf0e8c build: eslint-plugin-markdown@1.0.2
• 3ea521c build: mocha@7.0.1
• f72345d build: eslint@6.8.0
• 675be35 build: eslint-plugin-import@2.20.1
• 9ff523d build: Node.js@12.13
• 23f26c9 build: mocha@6.2.2
• f67208d build: eslint-plugin-import@2.19.1
• b7496d9 build: eslint@6.7.2
• 662aa28 build: eslint-plugin-markdown@1.0.1
• 20a26fe build: support Node.js 13.x

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[guardrails]

⚠️ We detected security issues in this pull request:

Vulnerable Libraries (7)

• lodash.merge@3.3.2 upgrade to >=4.6.2
• negotiator@0.5.3 upgrade to >= 0.6.1
• fresh@0.3.0 upgrade to >= 0.5.2
• lodash@3.10.1 upgrade to >=4.17.12
• growl@1.8.1 upgrade to >=1.10.2
• minimatch@0.2.14 upgrade to >=3.0.2
• qs@4.0.0 upgrade to >=6.0.4 <6.1.0 || >=6.1.2 <6.2.0 || >=6.2.3 <6.3.0 || >=6.3.2

More info on how to fix Vulnerable Libraries in Javascript.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.