[Snyk] Fix for 47 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	584/1000 Why? Has a fix available, CVSS 7.4	Directory Traversal SNYK-JS-ADMZIP-1065796	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Remote Memory Exposure SNYK-JS-BL-608877	No	Proof of Concept
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-EXPRESSFILEUPLOAD-473997	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-EXPRESSFILEUPLOAD-595969	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-FILETYPE-2958042	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	No	Proof of Concept
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-JQUERY-174006	No	Proof of Concept
	701/1000 Why? Mature exploit, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-JQUERY-565129	No	Mature
	711/1000 Why? Mature exploit, Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-JQUERY-567880	No	Mature
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-JSYAML-173999	Yes	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-JSYAML-174129	Yes	No Known Exploit
	741/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.4	DLL Injection SNYK-JS-KERBEROS-568900	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-MONGODB-473855	Yes	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MONGOOSE-1086688	Yes	Proof of Concept
	671/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7	Prototype Pollution SNYK-JS-MONGOOSE-2961688	Yes	Proof of Concept
	509/1000 Why? Has a fix available, CVSS 5.9	Information Exposure SNYK-JS-MONGOOSE-472486	No	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MPATH-1577289	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MQUERY-1050858	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MQUERY-1089718	Yes	Proof of Concept
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution npm:ejs:20161128	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Cross-site Scripting (XSS) npm:ejs:20161130	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) npm:ejs:20161130-1	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No	No Known Exploit
	641/1000 Why? Mature exploit, Has a fix available, CVSS 5.1	Remote Memory Exposure npm:mongoose:20160116	No	Mature
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit
	644/1000 Why? Mature exploit, Has a fix available, CVSS 4.3	Open Redirect npm:st:20171013	No	Mature
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: adm-zip

The new version differs by 84 commits.

• c5aeed4 Incremented version number
• 119dcad Fixed path traversal issue GHSL-2020-198
• 1d22ff6 Merge pull request No CVE - medium detected in uglify-js['2.6.2'] #341 from 5saviahv/history
• 492d148 added changelog
• dd415ae Incremented version
• 0f011a3 Fixed outFileName
• bc19fee Added extra parameter to extractEntryTo so target filename can be renamed
• 92e9836 Updated dev dependency
• 2b8d9ab Merge pull request No CVE - high detected in is-my-json-valid['2.19.0'] #315 from enecciari/work_in_browser
• 4fe58d1 Merge pull request CVE-2022-27261 - medium detected in express-fileupload['0.0.5'] #322 from cthackers/dependabot/npm_and_yarn/lodash-4.17.19
• 49218a4 Merge pull request No CVE - low detected in ms['0.7.1', '0.7.2', '0.7.3', '0.6.2'] #327 from kosuke-suzuki/multibyte-comment
• a7e8932 Merge pull request CVE-2021-23807 - medium detected in jsonpointer['4.0.1'] #331 from 5saviahv/master
• 7db0eda modified addLocalFolder method
• e114929 typo
• dc81063 modified addLocalFile method
• bc0f594 Deflate needs min V2.0
• dde4f51 Node v6
• 003d4cf Added ZipCrypto decrypting ability
• 63ed6e2 Detect and throw error with encrypted files
• c64ac14 LICENSE filename in package.json
• 1a334b2 add multibyte-encoded comment with byte length instead of character length
• 96d492a Bump lodash from 4.17.15 to 4.17.19
• b77f380 now it works in browser
• 218feee Merge remote-tracking branch 'upstream/master'

See the full diff

Package name: body-parser

The new version differs by 221 commits.

• 0f1bed0 1.17.1
• 0532096 lint: remove unreachable code branches
• b34aab5 build: eslint-config-standard@7.0.0
• 77b1ca1 build: eslint-plugin-markdown@1.0.0-beta.4
• e51dbc5 deps: qs@6.4.0
• 79bc939 1.17.0
• e6140e1 build: Node.js@7.7
• 42f467d deps: qs@6.3.1
• 4954aec build: test against Node.js 8.x nightly
• e2050df build: Node.js@7.6
• 2f941c4 build: Node.js@6.10
• 6549617 build: Node.js@4.8
• d1c2c7f deps: http-errors@~1.6.1
• e7b86ba build: eslint@3.16.1
• 7b630f7 1.16.1
• de574bf build: eslint@3.15.0
• 889bcc9 build: Node.js@7.5
• dba8ac4 deps: debug@2.6.1
• 95a3ebb docs: fix history file with incorrect qs version
• c5a73d5 1.16.0
• 9744dda deps: qs@6.3.0
• 7807757 deps: debug@2.6.0
• 0e44768 lint: use standard style in the README
• 14952be build: eslint-config-standard@6.2.1

See the full diff

Package name: cfenv

The new version differs by 3 commits.

• fb0a2aa update dependencies, now at version 1.2.4
• 63e072a version 1.2.3
• 02bb92d Issue 45 Remove '.cfignore'

See the full diff

Package name: dustjs-linkedin

The new version differs by 7 commits.

• 5cd5529 Release v3.0.1
• 0d72e0b Merge pull request Circleci project setup snyk-labs/nodejs-goof#808 from sumeetkakkar/topic/update-deps
• b2aaa47 Merge branch 'master' into topic/update-deps
• bd397ea Update tests.yaml: add --legacy-peer-deps to support npm 8 restrictions
• 115f78c dependency update: chokidar
• d951a90 Update tests.yml
• ea9ae70 Create tests.yml

See the full diff

Package name: express

The new version differs by 175 commits.

• f974d22 4.16.0
• 8d4ceb6 docs: add more information to installation
• c0136d8 Add express.json and express.urlencoded to parse bodies
• 86f5df0 deps: serve-static@1.13.0
• 4196458 deps: send@0.16.0
• ddeb713 tests: add maxAge option tests for res.sendFile
• 7154014 Add "escape json" setting for res.json and res.jsonp
• 628438d deps: update example dependencies
• a24fd0c Add options to res.download
• 95fb5cc perf: remove dead .charset set in res.jsonp
• 44591fe deps: vary@~1.1.2
• 2df1ad2 Improve error messages when non-function provided as middleware
• 12c3712 Use safe-buffer for improved Buffer API
• fa272ed docs: fix typo in jsdoc comment
• d9d09b8 perf: re-use options object when generating ETags
• 02a9d5f deps: proxy-addr@~2.0.2
• c2f4fb5 deps: finalhandler@1.1.0
• 673d51f deps: utils-merge@1.0.1
• 5cc761c deps: parseurl@~1.3.2
• ad7d96d deps: qs@6.5.1
• e62bb8b deps: etag@~1.8.1
• 70589c3 deps: content-type@~1.0.4
• 9a99c15 deps: accepts@~1.3.4
• 550043c deps: setprototypeof@1.1.0

See the full diff

Package name: express-fileupload

The new version differs by 250 commits.

• 9f22db7 version bump
• 9fca550 Merge pull request CVE-2019-20920 - high detected in handlebars #240 from AmazingMech2418/patch-1
• 1530cf5 Make Travis happy
• e43bfcf Fix typo
• 8bf7427 Update processNested.js
• fd40389 version bump
• 94c9cf9 prototype pollution fix [Snyk] Fix for 1 vulnerabilities #2
• 829f395 version bump
• db49535 Merge pull request CVE-2022-29167 - high detected in hawk #237 from richardgirges/fix-236-proto-pollution
• d81bee9 Upgrade latest packages; run npm audit fix; add logic to prevent prototype pollution in parseNested
• e9848fc Update package-lock.json
• d536cfb Update package.json
• c7a6b9c Merge pull request CVE-2020-7774 - high detected in y18n #233 from RomanBurunkov/master
• a53b93f Update tests to support empty files
• d8c00c5 Add empty files support for tempFileHandler
• b24233d Comment extra condition in fileFactory(issue [Snyk] Fix for 4 vulnerabilities #1), add more logging
• d57ee02 Formatting utilities
• b6097df Merge pull request CVE-2015-8315 - medium detected in ms #232 from RomanBurunkov/master
• 05004b7 Merge pull request No CVE - critical detected in handlebars #230 from Code42Cate/readme-timeout
• 1afa527 Update dependencies
• 880c2b7 Improve timeout option documentation
• 3f130b0 Add timeout option to README.MD
• d55fa83 Merge pull request No CVE - medium detected in tunnel-agent #222 from wbt/patch-1
• d61f02f Fix some small typos

See the full diff

Package name: file-type

The new version differs by 218 commits.

• b5fe3b9 16.5.4
• d868356 Fix: Malformed MKV could cause an infinite loop
• 3b08ab1 Upgrade and unlock dependencies
• c011315 Lock strtok3 dependency
• 9102f1c Update dependency to token-types v3, supporting BigInt ([Snyk] Fix for 3 vulnerable dependencies snyk-labs/nodejs-goof#465)
• ac866f9 16.5.1
• 0012c56 Fix `mimeTypes` TypeScript type (Feat/runtime agent snyk-labs/nodejs-goof#464)
• 92f3f50 Meta tweaks
• 4ea7bff 16.5.0
• 57ecf2d Add support for JPEG XL image format ([Snyk] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#455)
• 07101ac Remove ASAR 240 bytes of JSON payload length limitation ([Snyk-dev] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#453)
• 3df0ed1 Remove an unnecessary dependency ([Snyk-test] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#458)
• 1e4e8df 16.4.0
• 29618c8 Add support for VCF (and fix ICS detection) ([Snyk] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#451)
• 6ab25f3 Add support for XCF ([Snyk] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#450)
• 7021d9a Remove moot check for sync word at odd offsets for MPEG detection ([Snyk] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#448)
• fd1e72c 16.3.0
• 9319167 Add support for Zstandard compressed file ([Snyk] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#439)
• 2cc0869 Add file type descriptions ([Snyk] Fix for 2 vulnerable dependencies snyk-labs/nodejs-goof#433)
• 98e6886 16.2.0
• 9736aa3 Improve PDF / AI (Adobe Illustrator) recognition ([Snyk-dev] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#396)
• 7f95cd2 Add support for 3mf ([Snyk-local] Fix for 34 vulnerable dependencies snyk-labs/nodejs-goof#415)
• 579f8cb 16.1.0
• e43cdc9 Add support for CHM ([Snyk-dev] Fix for 2 vulnerable dependencies snyk-labs/nodejs-goof#424)

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• ca7996b chore: release 5.13.15
• e75732a Merge pull request #12307 from Automattic/vkarpov15/fix-5x-build
• a1144dc test: run node 7 tests with upgraded npm re: #12297
• dfc4ad7 test: try upgrading npm for node v4 tests re: #12297
• b9e985c test: more strict @ types/node version
• 4d813fa test: fix @ types/node version in tests re: #12297
• 99b4189 Merge pull request #12297 from shubanker/issue/prototype-pollution-5.x-patch
• 5eb11dd made function non async
• 6a19731 fix(schema): disallow setting __proto__ when creating schema with dotted properties
• a2ec28d Merge pull request #11366 from laissonsilveira/5.x
• 05ce577 Fix broken link from findandmodify method deprecation
• d2b846f chore: release 5.13.14
• 69c1f6c docs(models): fix up nModified example for 5.x
• 4cfc4d6 fix(timestamps): avoid setting `createdAt` on documents that already exist but dont have createdAt
• a738440 chore: release 5.13.13
• 4d12a62 Merge pull request #10942 from jneal-afs/fix-query-set-ts-type
• c3463c4 Merge pull request #10916 from iovanom/gh-10902-v5
• ff5ddb5 fix: hardcode base 10 for nodeMajorVersion parseInt() call
• d205c4d make value optional
• c6fd7f7 Fix ts types for query set
• 22e9b3b [gh-10902 v5] Add node major version to utils
• 5468642 [gh-10902 v5] Emit end event in before close
• 271bc60 Merge pull request #10910 from lorand-horvath/patch-2
• b7ebeec Update mongodb driver to 3.7.3

See the full diff

Package name: ms

The new version differs by 19 commits.

• 9b88d15 2.0.0
• 94b995c Invalidated cache for slack badge
• bcf5715 Bumped dependencies to the latest version
• b1eaab7 Ignored logs coming from npm
• caae298 Limit str to 100 to avoid ReDoS of 0.3s (Regular Expression Denial of Service (ReDoS)(package.json) #89)
• b83b36d chore(package): update eslint to version 3.19.0 (Denial of Service (DoS)(package.json) #88)
• 3f2a4d7 chore(package): update husky to version 0.13.3 (Denial of Service (DoS)(package.json) #86)
• 7daf984 1.0.0
• ee91f30 More suitable name for file containing tests
• e818c35 Removed browser testing
• c9b1fd3 Test on LTS version of Node
• 389840b Badge for XO removed
• 1fbbe97 Removed component specification
• 57b3ef8 Use `prettier` and `eslint`
• 94068ea Removed XO
• 4b7f48f chore(package): update serve to version 5.0.4 (Arbitrary Code Injection(package.json) #85)
• bd49cec chore(package): update xo to version 0.18.0 (Prototype Pollution(package.json) #84)
• d4a94b1 chore(package): update serve to version 5.0.3 (Prototype Pollution(package.json) #83)
• 923eee1 chore(package): update serve to version 5.0.2 (Prototype Pollution(package.json) #82)

See the full diff

Package name: st

The new version differs by 12 commits.

• 0e87caf 1.2.2
• 579960c improved traversal detection & location redirect
• ae7b676 1.2.1
• 5744d49 update deps
• 473a344 update mime dependency to avoid ReDoS vulnerability
• 2a5f970 1.2.0
• fad0367 update deps
• 67a521e Test command-line switches, --host in particular
• 128c6fd Introduce -localhost resp. -l abbreviation
• cc20690 Make the host configurable
• 9cc1709 Report actual address we're listening on
• 70b0a48 Configure Travis CI

See the full diff

Package name: tap

The new version differs by 250 commits.

• eaa0084 14.6.8
• e7cff4d update deps to node >=8 requirements
• b9e53c2 update cli doc
• 9917a7a 14.6.7
• 125aae3 async-hook-domain@1.1.1
• ce0c629 update cli doc
• eb2bded 14.6.6
• 7f453f5 Set nyc color watermarks based on check-coverage levels
• 28e7db5 update cli doc
• fb852ee 14.6.5
• eeb423a minipass@2.8.3
• 5b83028 watch: add --no-clean to nyc args on change tests
• 6a4d64b track thrown error when timeout/throws happen during promise waiting
• 5b977e1 update cli doc
• 49e9df0 14.6.4
• 6d37040 update deps, remove npm-shrinkwrap.json
• d19ab3d update cli doc
• 1436f4f 14.6.3
• a266e30 Fail if error is thrown while awaiting a Promise
• 73e7496 update cli doc
• 443786c 14.6.2
• 36d6dc5 Properly handle test aborts when awaiting promises
• 28cd2ff update cli doc
• 8d280c3 14.6.1

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:hawk:20160119	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Timing Attack npm:http-signature:20150122	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	No Known Exploit
	469/1000 Why? Has a fix available, CVSS 5.1	Remote Memory Exposure npm:request:20160119	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Open Redirect
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn