[Snyk-dev] Fix for 42 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • test/fixtures/demo-os/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-AWSSDK-1059424	Yes	Proof of Concept
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Remote Memory Exposure SNYK-JS-BL-608877	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	Yes	Proof of Concept
	344/1000 Why? Has a fix available, CVSS 2.6	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2396346	Yes	No Known Exploit
	671/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7	Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-HANDLEBARS-1279029	Yes	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-HANDLEBARS-173692	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-HANDLEBARS-567742	Yes	Proof of Concept
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-JSBEAUTIFY-2311652	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Cross-site Scripting (XSS) npm:handlebars:20151207	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:hawk:20160119	No	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Timing Attack npm:http-signature:20150122	No	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: body-parser

The new version differs by 197 commits.

• b2659a7 1.18.2
• 6339bf7 perf: remove argument reassignment
• d5f9a4a deps: debug@2.6.9
• d041563 1.18.1
• 9efa9ab deps: content-type@~1.0.4
• f1ef6cc deps: qs@6.5.1
• e438db5 deps: raw-body@2.3.2
• 15c3585 deps: iconv-lite@0.4.19
• adfa01c 1.18.0
• 0632e2f Include the "type" property on all generated errors
• b8f97cd Include the "body" property on verify errors
• c659e8a tests: add test for err.body on json parse error
• 4e15325 tests: reorganize json error tests
• 5bd7ed5 tests: reorganize json strict option tests
• 3cb380b tests: store server on mocha context instead of variable shadowing
• 29c8cd0 docs: document too many parameters error
• 7b9cb14 Use http-errors to set status code on errors
• 29a27f1 docs: fix typo in jsdoc comment
• 448dc57 Fix JSON strict violation error to match native parse error
• 87df7e6 tests: add leading whitespace strict json test
• 1841248 deps: raw-body@2.3.1
• e666dbe deps: http-errors@~1.6.2
• c2a110a deps: bytes@3.0.0
• a1a2e31 build: Node.js@8.4

See the full diff

Package name: bookshelf

The new version differs by 250 commits.

• 3afecc4 Prepare for release
• a81945a Merge pull request feat: add new generic payload to process scan results from plugins #1305 from tgriesser/feature/gh-pages-script
• b497ce0 Remove test from `prepublish`.
• ea66c18 Try to fix tests
• 1822e74 Add postpublish script to tag and push
• 96b7668 gh-pages script
• ab426d9 Update changelog for next release
• 6a77562 Merge pull request chore(test): use shellspec for regression test #1287 from acburdine/lodash-4
• 4c7212f update changelog
• 12c9af8 cleanup extend function and super method calls
• 937eb59 deps: lodash@4.13.1
• 619414c Merge pull request chore: update run test exports to modules syntax #1294 from chamini2/registry
• bb8300f Changed registry plugin to re-implement only the _relation method
• 0124c0b Merge pull request feat: support pipfile on containerized cli #1288 from vellotis/fix-beolngs_to_many-jsdocs
• 4f48a7f Fix belongsToMany jsdocs
• 54c2237 Merge pull request fix: abridge call graph creation error messages in analytics #1279 from 1mike12/1mike12-patch-1
• e92f5f4 fix typo in docs
• adeccde Merge pull request chore: Update node version for Gradle with Java 11 standalone binary #1273 from vellotis/fix-linter-warnings
• 637ea90 Merge pull request feat: if matched display the project ID #1271 from vellotis/restore-postinstall-script
• a099e98 Remove two linter warnings
• 382f2c4 Fix Travis CI by restoring `postinstall` script in package.json
• 89b888c Merge pull request feat: add --json-file-output option for snyk test #1107 from gergelyke/master
• cbb8fef Merge pull request test: run yarn v2 tests for Node 10 #1268 from jadengore/fix/documentation-model-where
• 1182485 Add missing fetch() in Model#where

See the full diff

Package name: cheerio

The new version differs by 106 commits.

• c3ec1cd Release 0.20.0
• ef848ca Add coveralls badge, remove link to old report
• dbcbe90 Merge pull request feat: add pipfile support to docker image #808 from leifhanack/lodash4
• c04ead1 Merge pull request #668 from rwaldin/prop-method
• b5531bb Merge pull request fix: revert to nodejs8 on standalone binaries #671 from twolfson/dev/fallback.select.content.sqwished
• 9d98bd7 Merge pull request feat: Send ignorePolicyOption to the server #704 from Rycochet/master
• 1b9c5c9 Merge pull request test: skip test that uses previous bad version #797 from Delgan/641-appendTo_prependTo
• b12cbe8 Update lodash dependeny to 4.1.0
• 8c9b2e0 Merge pull request #796 from Delgan/fix_780
• b09db31 Fix PR feat: add legal instructions #726 adding 'appendTo()' and 'prependTo()'
• ce8829d Added appendTo and prependTo with tests docs: vulns badge in readme tests the repo #641
• 4779762 Fix feat: add CocoaPods support #780 by changing options context in '.find()'
• 8dc1cc9 Add an unit test checking the query of child
• b27bed6 fix #667: attr({foo: null}) removes attribute foo, like attr('foo', null)
• 70c5608 Include reference to dedicated "Loading" section
• fa70a84 Added load method to $
• 4e8483a update css-select to 1.2.0
• 5f2777a Merge pull request fix: reinstate --all-sub-project support for Gradle #732 from jugglinmike/reinstate-toarray
• 106e42a Merge pull request fix: Do not show duplicate license issues #776 from dYale/master
• 97149d3 Fixing Grammatical Error
• a1367ee Merge pull request fix: Ignore empty fixedIn arrays #739 from TrySound/npm-files
• 6c73b7a Merge pull request feat: convert nodejs plugin response to use multi format #773 from JaKXz/patch-1
• 48bb22d Test against node v0.12 --> v4.2
• ec2414d Correct output in example

See the full diff

Package name: compression

The new version differs by 117 commits.

• 93586e7 1.7.1
• bd3fa8a deps: bytes@3.0.0
• e1ce980 deps: vary@~1.1.2
• d0f7eab deps: debug@2.6.9
• 931c346 build: Node.js@8.4
• 8c8e36a deps: compressible@~2.0.11
• 8a5e773 deps: accepts@~1.3.4
• 7b4a7e2 build: eslint-plugin-node@5.1.1
• de30e3a build: mocha@2.5.3
• 8c3f7ea 1.7.0
• c27dc0f build: support Node.js 8.x
• d886306 build: eslint-config-standard@10.2.1
• 598d876 Use safe-buffer for improved Buffer API
• 47fca12 build: eslint-plugin-markdown@1.0.0-beta.6
• 3c78e39 build: Node.js@6.11
• 6c4c539 deps: debug@2.6.8
• 6d2de08 deps: compressible@~2.0.10
• ac13bc4 deps: bytes@2.5.0
• 527907c deps: debug@2.6.4
• 6488fc2 build: Node.js@7.10
• 55532e1 build: Node.js@6.10
• 0e4ad01 build: Node.js@4.8
• be58132 deps: compressible@~2.0.10
• 4d5238e deps: vary@~1.1.1

See the full diff

Package name: cookie-session

The new version differs by 43 commits.

• 9e9c681 1.3.2
• 62a6ec8 deps: debug@2.6.9
• 3d81629 1.3.1
• 269e5dd build: Node.js@8.4
• 84414e9 docs: fix date of 1.3.0 release
• 6d6c0b5 docs: add some comparison to express-session
• 0718b0b deps: cookies@0.7.1
• 096353e 1.3.0
• dfe1279 build: supertest@1.1.0
• ef47255 build: istanbul@0.4.5
• 3cf0b6c build: support Node.js 4.x - 8.x
• 0739b01 deps: cookies@0.7.0
• f8c02a3 build: support io.js 3.x
• a53eb76 deps: on-headers@~1.0.1
• 7eb6a41 build: reduce runtime versions to one per major
• 64de88f build: mocha@2.5.3
• f11ffdc deps: debug@2.6.8
• c8867bc build: remove unnecessary Travis CI command
• 92608fb build: io.js@2.5
• e7613aa build: fix running Node.js 0.8 tests on Travis CI
• 24334af 1.2.0
• caf462d Make req.sessionOptions a shallow clone to override per-request
• 5117478 docs: expand req.session documentation
• 5d3a73c perf: remove argument reassignments

See the full diff

Package name: glob

The new version differs by 76 commits.

• 3a7e71d v5.0.15
• 841fda0 use latest minimatch
• 4ba54a8 Skip some tests on Windows, make others pass
• 3936e1e Build: Add build for node v4
• c47d451 v5.0.14
• 821fac8 Handle ENOTSUP for sync glob as well as async
• 9625618 Test for when readdir raises ENOTSUP
• 0a2b519 Generate fixtures more effectively, with -O instead of eval
• f96190b Use js for benchmark cleanup
• 957fd93 Fix some 'use strict' errors
• bf3381e Treat ENOTSUP like ENOTDIR in readdir
• 507733d v5.0.13
• f5878af Do not emit 'match' events for ignored items
• 9439afd v5.0.12
• 6071f3a Revert "Use graceful-fs if available"
• 38ff16c v5.0.11
• f09292b Use graceful-fs if available
• 4f39b60 Remove duplicate option description
• e3cdccc v5.0.10
• 480da05 ignore .nyc_output, upgrade tap, use coverage, rm fixtures
• 155124b add more sync cb thrower tests
• f7302ca Test base-matching
• 7530e88 v5.0.9
• b185987 reduce cases where tests need to be regenerated

See the full diff

Package name: morgan

The new version differs by 122 commits.

• 4def0fa 1.9.0
• b29fc88 docs: update license
• ddf4f8c Use res.headersSent when available
• 7348b5c docs: add example of split / dual logging
• 98d62ee docs: fix block formatting
• 6fdf1a0 docs: fix typo
• a028ae7 deps: basic-auth@~2.0.0
• 4e4f07f deps: debug@2.6.9
• 67a1be6 build: Node.js@8.6
• 188826e build: Node.js@6.11
• a5acdee build: eslint-plugin-node@5.1.1
• 1ec7060 build: eslint-plugin-import@2.7.0
• b6c0d71 build: split@1.0.1
• bbcadcf deps: depd@~1.1.1
• bb8717a build: support Node.js 8.x
• c6dffd5 build: eslint-plugin-import@2.3.0
• 475ae38 1.8.2
• b33ed70 deps: debug@2.6.8
• 864a036 build: eslint-config-standard@10.2.1
• ab10b6c build: eslint-plugin-markdown@1.0.0-beta.6
• 714577d build: Node.js@7.10
• fb33e99 tests: add stream option tests
• d265d9f build: eslint@3.19.0
• e17e76f build: Node.js@7.9

See the full diff

Package name: request

The new version differs by 250 commits.

• 02fc5b1 Update changelog
• de1ed5a 2.87.0
• a6741d4 Replace hawk dependency with a local implemenation ([Snyk] Upgrade qs from 6.2.4 to 6.10.3 #2943)
• a7f0a36 2.86.1
• 8f2fd4d Update changelog
• 386c7d8 2.86.0
• 76a6e5b Merge pull request [Snyk] Upgrade qs from 0.0.6 to 0.6.6 #2885 from ChALkeR/patch-1
• db76838 Merge branch 'patch-1' of github.com:ChALkeR/request
• fb7aeb3 Merge pull request [Snyk] Upgrade string_decoder from 0.10.31 to 0.11.10 #2942 from simov/fix-tests
• e47ce95 Add Node v10 build target explicitly
• 0c5db42 Skip status code 105 on Node > v10
• d555bd7 Generate server certificates for Node > v10
• 81f8cb5 Remove redundant code
• db17497 Use Buffer.from and Buffer.alloc in tests
• 0d29635 Merge pull request [Snyk] Upgrade delayed-stream from 0.0.5 to 0.0.7 #2923 from gareth-robinson/cifixes
• 3745cec Correction for Windows OS identification
• 219a298 Alterations for failing CI tests
• bbb3a0b 2.85.1
• 21ef363 Update changelog
• 5dad86e 2.85.0
• 5ba8eb4 Revert "Update hawk to 7.0.7 ([Snyk] Upgrade express from 4.12.4 to 4.17.2 #2880)"
• b191514 2.84.1
• d77c839 Update changelog
• 4b46a13 2.84.0

See the full diff

Package name: sqlite3

The new version differs by 250 commits.

• 573784b v5.0.3
• e5a24fd Deleted `examples/` folder
• b05f459 Added note about GitHub Releases to CHANGELOG.md
• 33d0656 Modernised Usage example in README
• 9d05c55 Fixed up more README nits
• 08d6319 Fixed link to API docs
• 0e2235a Altered wording in README
• 76b6c56 Altered README header
• e3df365 Updated README
• 426930f Enabled CI to run when pushing tags
• a21d41f Fixed uploading binaries to commit artifacts
• bc978c7 Fixed CI step wording
• 7f744a1 Added prebuilt binaries via GitHub Releases
• b4b3c3a Deleted `scripts/` directory
• 71bbdea Pinned dev dependencies (feat: Add impact and resolve fields in sarif output. #1558)
• a597383 Updated badges in README
• 0eb4a0f Deleted Travis and Appveyor configs
• b58d341 Downgraded `mocha` and `eslint`
• f39b10d Added missing Node versions to CI
• 8db96d4 Replaced Python extraction script with JS (fix: update go plugin #1570)
• 11c988c Fixed Windows build architecture in CI
• 8e63848 Updated Windows CI runner to `windows-latest`
• d9e7d8b Fixed building on MacOS Monterey 12.3
• 859b95b Updated `node-gyp` to v8.x

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Remote Code Execution (RCE)
🦉 Prototype Pollution
🦉 Cross-site Scripting (XSS)
🦉 More lessons are available in Snyk Learn