[Snyk] Upgrade: dotenv, express, express-session, node-fetch, http-errors, jsonwebtoken, morgan, neo4j-driver, nodemailer, underscore #9
+313
−258
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Snyk has created this PR to upgrade:
- dotenv from 16.0.3 to 16.4.5.
See this package in npm: https://www.npmjs.com/package/dotenv
- express from 4.18.2 to 4.19.2.
See this package in npm: https://www.npmjs.com/package/express
- express-session from 1.17.3 to 1.18.0.
See this package in npm: https://www.npmjs.com/package/express-session
- node-fetch from 2.6.9 to 2.7.0.
See this package in npm: https://www.npmjs.com/package/node-fetch
- http-errors from 1.6.3 to 1.8.1.
See this package in npm: https://www.npmjs.com/package/http-errors
- jsonwebtoken from 9.0.0 to 9.0.2.
See this package in npm: https://www.npmjs.com/package/jsonwebtoken
- morgan from 1.9.1 to 1.10.0.
See this package in npm: https://www.npmjs.com/package/morgan
- neo4j-driver from 5.5.0 to 5.24.0.
See this package in npm: https://www.npmjs.com/package/neo4j-driver
- nodemailer from 6.9.1 to 6.9.14.
See this package in npm: https://www.npmjs.com/package/nodemailer
- underscore from 1.13.6 to 1.13.7.
See this package in npm: https://www.npmjs.com/package/underscore
See this project in Snyk:
https://app.snyk.io/org/jonkiky/project/316744b9-e65c-4e93-b0b5-625a7770b6dc?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade multiple dependencies.
👯 The following dependencies are linked and will therefore be updated together.ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
dotenv
from 16.0.3 to 16.4.5 | 17 versions ahead of your current version | 7 months ago
on 2024-02-20
express
from 4.18.2 to 4.19.2 | 4 versions ahead of your current version | 6 months ago
on 2024-03-25
express-session
from 1.17.3 to 1.18.0 | 1 version ahead of your current version | 8 months ago
on 2024-01-28
node-fetch
from 2.6.9 to 2.7.0 | 5 versions ahead of your current version | a year ago
on 2023-08-23
http-errors
from 1.6.3 to 1.8.1 | 6 versions ahead of your current version | 3 years ago
on 2021-11-14
jsonwebtoken
from 9.0.0 to 9.0.2 | 2 versions ahead of your current version | a year ago
on 2023-08-30
morgan
from 1.9.1 to 1.10.0 | 1 version ahead of your current version | 5 years ago
on 2020-03-20
neo4j-driver
from 5.5.0 to 5.24.0 | 25 versions ahead of your current version | 22 days ago
on 2024-08-29
nodemailer
from 6.9.1 to 6.9.14 | 13 versions ahead of your current version | 3 months ago
on 2024-06-19
underscore
from 1.13.6 to 1.13.7 | 1 version ahead of your current version | 2 months ago
on 2024-07-24
Issues fixed by the recommended upgrade:
SNYK-JS-EXPRESS-6474509
SNYK-JS-NODEMAILER-6219989
Release notes
Package name: dotenv
-
16.4.5 - 2024-02-20
-
16.4.4 - 2024-02-13
-
16.4.3 - 2024-02-12
-
16.4.2 - 2024-02-10
-
16.4.1 - 2024-01-24
-
16.4.0 - 2024-01-23
-
16.3.2 - 2024-01-19
-
16.3.1 - 2023-06-17
-
16.3.0 - 2023-06-16
-
16.2.0 - 2023-06-16
-
16.1.4 - 2023-06-04
-
16.1.3 - 2023-05-31
-
16.1.2 - 2023-05-31
-
16.1.1 - 2023-05-31
-
16.1.0 - 2023-05-30
-
16.1.0-rc2 - 2023-05-21
-
16.1.0-rc1 - 2023-04-07
-
16.0.3 - 2022-09-29
from dotenv GitHub release notes16.4.5
16.4.4
16.4.3
16.4.2
16.4.1
16.4.0
16.3.2
16.3.1
16.3.0
16.2.0
Package name: express
-
4.19.2 - 2024-03-25
-
4.19.1 - 2024-03-20
- Fix ci after location patch by @ wesleytodd in #5552
- fixed un-edited version in history.md for 4.19.0 by @ wesleytodd in #5556
-
4.19.0 - 2024-03-20
- fix typo in release date by @ UlisesGascon in #5527
- docs: nominating @ wesleytodd to be project captian by @ wesleytodd in #5511
- docs: loosen TC activity rules by @ wesleytodd in #5510
- Add note on how to update docs for new release by @ crandmck in #5541
- Prevent open redirect allow list bypass due to encodeurl
- Release 4.19.0 by @ wesleytodd in #5551
- @ crandmck made their first contribution in #5541
-
4.18.3 - 2024-02-29
- Fix routing requests without method
- deps: body-parser@1.20.2
- Fix strict json error message on Node.js 19+
- deps: content-type@~1.0.5
- deps: raw-body@2.5.2
- Use https: protocol instead of deprecated git: protocol by @ vcsjones in #5032
- build: Node.js@16.18 and Node.js@18.12 by @ abenhamdine in #5034
- ci: update actions/checkout to v3 by @ armujahid in #5027
- test: remove unused function arguments in params by @ raksbisht in #5124
- Remove unused originalIndex from acceptParams by @ raksbisht in #5119
- Fixed typos by @ raksbisht in #5117
- examples: remove unused params by @ raksbisht in #5113
- fix: parameter str is not described in JSDoc by @ raksbisht in #5130
- fix: typos in History.md by @ raksbisht in #5131
- build : add Node.js@19.7 by @ abenhamdine in #5028
- test: remove unused function arguments in params by @ raksbisht in #5137
- use random port in test so it won't fail on already listening by @ rluvaton in #5162
- tests: use cb() instead of done() by @ kristof-low in #5233
- examples: remove multipart example by @ riddlew in #5195
- Update support Node.js@18 in the CI by @ UlisesGascon in #5490
- Fix favicon-related bug in cookie-sessions example by @ DmytroKondrashov in #5414
- Release 4.18.3 by @ UlisesGascon in #5505
- @ vcsjones made their first contribution in #5032
- @ abenhamdine made their first contribution in #5034
- @ armujahid made their first contribution in #5027
- @ raksbisht made their first contribution in #5124
- @ rluvaton made their first contribution in #5162
- @ kristof-low made their first contribution in #5233
- @ riddlew made their first contribution in #5195
- @ DmytroKondrashov made their first contribution in #5414
-
4.18.2 - 2022-10-08
- Fix regression routing a large stack in a single route
- deps: body-parser@1.20.1
- deps: qs@6.11.0
- perf: remove unnecessary object clone
- deps: qs@6.11.0
from express GitHub release notesWhat's Changed
Full Changelog: 4.19.0...4.19.1
What's Changed
New Contributors
Full Changelog: 4.18.3...4.19.0
Main Changes
Other Changes
New Contributors
Full Changelog: 4.18.2...4.18.3
Package name: express-session
-
1.18.0 - 2024-01-28
- Add debug log for pathname mismatch
- Add
- Add
- Fix handling errors from setting cookie
- Support any type in
- deps: cookie@0.6.0
- Fix
- perf: improve default decode speed
- perf: remove slow string split in parse
- deps: cookie-signature@1.0.7
-
1.17.3 - 2022-05-11
- Fix resaving already-saved new session at end of request
- deps: cookie@0.4.2
from express-session GitHub release notespartitionedtocookieoptionsprioritytocookieoptionssecretthatcrypto.createHmacsupportsexpiresoption to reject invalid datesPackage name: node-fetch
-
2.7.0 - 2023-08-23
-
2.6.13 - 2023-08-18
- Remove the default connection close header (#1765) (65ae25a), closes #1735 #1473 #1736
-
2.6.12 - 2023-06-29
- socket variable testing for undefined (#1726) (8bc3a7c)
-
2.6.11 - 2023-05-09
- Revert "fix: handle bom in text and json (#1739)" (#1741) (afb36f6), closes #1739 #1741
-
2.6.10 - 2023-05-08
- handle bom in text and json (#1739) (29909d7)
-
2.6.9 - 2023-01-30
- "global is not defined" (#1704) (70f592d)
from node-fetch GitHub release notes2.7.0 (2023-08-23)
Features
AbortError(#1744) (9b9d458)2.6.13 (2023-08-18)
Bug Fixes
2.6.12 (2023-06-29)
Bug Fixes
2.6.11 (2023-05-09)
Reverts
2.6.10 (2023-05-08)
Bug Fixes
2.6.9 (2023-01-30)
Bug Fixes
Package name: http-errors
-
1.8.1 - 2021-11-14
-
1.8.0 - 2020-06-29
-
1.7.3 - 2019-06-24
-
1.7.2 - 2019-02-18
-
1.7.1 - 2018-09-08
-
1.7.0 - 2018-07-30
-
1.6.3 - 2018-03-29
from http-errors GitHub release notes1.8.1
1.8.0
1.7.3
1.7.2
1.7.1
1.7.0
1.6.3
Package name: jsonwebtoken
-
9.0.2 - 2023-08-30
-
9.0.1 - 2023-07-05
-
9.0.0 - 2022-12-21
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
from jsonwebtoken GitHub release notesRelease 9.0.2 (#935)
Updating package version to 9.0.1 (#920)
Check if node version supports asymmetricKeyDetails
Validate algorithms for ec key type
Rename variable
Rename function
Add early return for symmetric keys
Validate algorithm for RSA key type
Validate algorithm for RSA-PSS key type
Check key types for EdDSA algorithm
Rename function
Move validateKey function to module
Convert arrow to function notation
Validate key in verify function
Simplify if
Convert if to switch..case
Guard against empty key in validation
Remove empty line
Add lib to check modulus length
Add modulus length checks
Validate mgf1HashAlgorithm and saltLength
Check node version before using key details API
Use built-in modulus length getter
Fix Node version validations
Remove duplicate validateKey
Add periods to error messages
Fix validation in verify function
Make asymmetric key validation the latest validation step
Change key curve validation
Remove support for ES256K
Fix old test that was using wrong key types to sign tokens
Enable RSA-PSS for old Node versions
Add specific RSA-PSS validations on Node 16 LTS+
Improve error message
Simplify key validation code
Fix typo
Improve error message
Change var to const in test
Change const to let to avoid reassigning problem
Improve error message
Test incorrect private key type
Rename invalid to unsupported
Test verifying of jwt token with unsupported key
Test invalid private key type
Change order of object parameters
Move validation test to separate file
Move all validation tests to separate file
Add prime256v1 ec key
Remove modulus length check
WIP: Add EC key validation tests
Fix node version checks
Fix error message check on test
Add successful tests for EC curve check
Remove only from describe
Remove
onlyRemove duplicate block of code
Move variable to a different scope and make it const
Convert allowed curves to object for faster lookup
Rename variable
Change variable assignment order
Remove unused object properties
Test RSA-PSS happy path and wrong length
Add missing tests
Pass validation if no algorithm has been provided
Test validation of invalid salt length
Test error when signing token with invalid key
Change var to const/let in verify tests
Test verifying token with invalid key
Improve test error messages
Add parameter to skip private key validation
Replace DSA key with a 4096 bit long key
Test allowInvalidPrivateKeys in key signing
Improve test message
Rename variable
Add key validation flag tests
Fix variable name in Readme
Change private to public dsa key in verify
Rename flag
Run EC validation tests conditionally
Fix tests in old node versions
Ignore block of code from test coverage
Separate EC validations tests into two different ones
Add comment
Wrap switch in if instead of having an early return
Remove unsupported algorithms from asymmetric key validation
Rename option to allowInvalidAsymmetricKeyTypes and improve Readme
9.0.0
adding migration notes to readme
adding changelog for version 9.0.0
Co-authored-by: julienwoll julien.wollscheid@auth0.com
Package name: morgan
-
1.10.0 - 2020-03-20
- Add
- Fix trailing space in colored status code for
- deps: basic-auth@~2.0.1
- deps: safe-buffer@5.1.2
- deps: depd@~2.0.0
- Replace internal
- Use instance methods on
- deps: on-headers@~1.0.2
- Fix
-
1.9.1 - 2018-09-11
- Fix using special characters in format
- deps: depd@~1.1.2
- perf: remove argument reassignment
from morgan GitHub release notes:total-timetokendevformatevalusage withFunctionconstructorprocessto check for listenersres.writeHeadpatch missing return valuePackage name: neo4j-driver
-
5.24.0 - 2024-08-29
- Added Schema notification category #1211
- Move Pool module to core #1212
- Fix to npm test crashing at Deno tests when running test containers #1210
-
5.23.0 - 2024-07-25
- Fix
- Improve pipelines stability #1206
-
5.22.0 - 2024-06-27
- Introduce GqlStatusObject support as notifications to
- Introduce
- Introduce
- Introduce
- Introduce
- Don't prevent NodeJS from closing to run acquisition timeout error #1196. Thanks, CarsonF.
- Improvements on internal APIs #1195
-
5.21.0 - 2024-05-30
- Fix OOM crash, when closing a transaction while Queries are still ongoing #1193
-
5.20.0 - 2024-04-25
- benchkit: Fix Node installation in Dockerimage #1190
-
5.19.0 - 2024-04-02
- Introduce Client Certificate configuration (ℹ️ preview) #1183
- Updated manifest and Dockerfile for Testkit and Benchkit #1187
-
5.18.0 - 2024-02-29
- Introduces
- Testkit and other tests suite improvements #1181 #1179 #1180 #1175
-
5.17.0 - 2024-01-29
- Optimize usage of Intl API to speed up response parsing with many datetime objects #1174
- Fix duplicated
-
5.16.0 - 2024-01-02
-
5.15.0 - 2023-11-27
-
5.14.0 - 2023-10-26
-
5.13.0 - 2023-09-28
-
5.12.0 - 2023-08-31
-
5.11.0 - 2023-07-27
-
5.10.0 - 2023-06-29
-
5.9.2 - 2023-06-19
-
5.9.1 - 2023-06-09
-
5.9.0 - 2023-05-26
-
5.8.1 - 2023-05-22
-
5.8.0 - 2023-05-02
-
5.7.1 - 2023-05-22
-
5.7.0 - 2023-04-03
-
5.6.1 - 2023-05-22
-
5.6.0 - 2023-02-24
-
5.5.1 - 2023-05-22
-
5.5.0 - 2023-01-27
from neo4j-driver GitHub release notesAdded support for the new Schema notification category, and a minor fix to stop Deno tests from failing when run locally
⭐ New Features
🧹 Housekeeping
This fix a potential issue in the
Notificationapi.🔧 Fixes
Notification.descriptionpolyfill fromGqlStatusObject#1205🧹 Housekeeping
This release introduces preview support to the GQLStatusObject #1194 along with other ergonomic preview features. This also speeds up the driver shutdown when connections are waiting to be acquired #1196, thanks, CarsonF, for the contribution.
⭐⚠️ Preview Features
ResultSummary#1194AbortSignaltoDriver.executeQuery1199resultTransformer.first#1200resultTransformer.summary1201resultTransformers.eagerandresultTransformers.mapped1202🔧 Fixes
🧹 Housekeeping
Fixes crashes when closing transactions when Queries are still ongoing. Thanks for your contribution, @ reckter.
🔧 Fixes
Housekeeping only.
🧹 Housekeeping
Introduces
clientCertificateconfiguration as a mechanism to support mutual TLS as a second factor for authentication, currently a preview feature.⭐ New Features
🧹 Housekeeping
Introduces
authconfiguration toDriver.executeQuery⭐ New Features
authconfiguration toDriver.executeQuery#1177🧹 Housekeeping
Improves performance on deserialising
DateTime. Thanks for your contribution, @ vongruenigen.👏🏼 Improvements
🔧 Fixes
neo4j-javascriptstring onboltAgent.productobject 1173See release notes on the wiki
Package name: nodemailer
-
6.9.14 - 2024-06-19
- api: Added support for Ethereal authentication (56b2205)
- services.json: Add Email Services Provider Feishu Mail (CN) (#1648) (e9e9ecc)
- services.json: update Mailtrap host and port in well known (#1652) (fc2c9ea)
- well-known-services: Add Loopia in well known services (#1655) (21a28a1)
-
6.9.13 - 2024-03-20
- tls: Ensure servername for SMTP (d66fdd3)
-
6.9.12 - 2024-03-08
- message-generation: Escape single quote in address names (4ae5fad)
-
6.9.11 - 2024-02-29
- headers: Ensure that Content-type is the bottom header (c7cf97e)
-
6.9.10 - 2024-02-22
- data-uri: Do not use regular expressions for parsing data URI schemes (12e65e9)
- data-uri: Moved all data-uri regexes to use the non-regex parseDataUri method (edd5dfe)
-
6.9.9 - 2024-02-01
- security: Fix issues described in GHSA-9h6g-pr28-7cqp. Do not use eternal matching pattern if only a few occurences are expected (dd8f5e8)
- tests: Use native node test runner, added code coverage support, removed grunt (#1604) (be45c1b)
-
6.9.8 - 2023-12-30
- punycode: do not use native punycode module (b4d0e0c)
-
6.9.7 - 2023-10-22
- customAuth: Do not require user and pass to be set for custom authentication schemes (fixes #1584) (41d482c)
-
6.9.6 - 2023-10-09
- inline: Use 'inline' as the default Content Dispostion value for embedded images (db32c93)
- tests: Removed Node v12 from test matrix as it is not compatible with the test framework anymore (7fe0a60)
-
6.9.5 - 2023-09-06
- license: Updated license year (da4744e)
-
6.9.4 - 2023-07-19
-
6.9.3 - 2023-05-29
-
6.9.2 - 2023-05-11
-
6.9.1 - 2023-01-27
from nodemailer GitHub release notes6.9.14 (2024-06-19)
Bug Fixes
6.9.13 (2024-03-20)
Bug Fixes
6.9.12 (2024-03-08)
Bug Fixes
6.9.11 (2024-02-29)
Bug Fixes
6.9.10 (2024-02-22)
Bug Fixes
6.9.9 (2024-02-01)
Bug Fixes
6.9.8 (2023-12-30)
Bug Fixes
6.9.7 (2023-10-22)
Bug Fixes
6.9.6 (2023-10-09)
Bug Fixes
6.9.5 (2023-09-06)
Bug Fixes
Package name: underscore
-
1.13.7 - 2024-07-24
-
1.13.6 - 2022-09-23
from underscore GitHub release notesDataView bugfix, source links, dark mode and other improvements
Hotfix after 1.13.5 to remove postinstall script
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
[//]: # 'snyk:metadata:{"customTemplate":{"variablesUsed":[],"fieldsUsed":[]},"dependencies":[{"name":"dotenv","from":"16.0.3","to":"16.4.5"},{"name":"express","from":"4.18.2","to":"4.19.2"},{"name":"express-session","from":"1.17.3","to":"1.18.0"},{"name":"node-fetch","from":"2.6.9","to":"2.7.0"},{"name":"http-errors","from":"1.6.3","to":"1.8.1"},{"name":"jsonwebtoken","from":"9.0.0","to":"9.0.2"},{"name":"morgan","from":"1.9.1","to":"1.10.0"},{"name":"neo4j-driver","from":"5.5.0","to":"5.24.0"},{"name":"nodemailer","from":"6.9.1","to":"6.9.14"},{"name":"underscore","from":"1.13.6","to":"1.13.7"}],"env":"prod","hasFixes":true,"isBreakingChange":false,"isMajorUpgrade":false,"issuesToFix":[{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-EXPRESS-6474509","issue_id":"SNYK-JS-EXPRESS-6474509","priority_score":519,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"6.1","score":305},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Open Redirect"},{"exploit_maturity":"proof-of-concept","id":"SNYK-JS-NODEMAILER-6219989","issue_id":"SNYK-JS-NODEMAILER-6219989","priority_score":586,"priority_score_factors":[{"type":"exploit","label":"Proof of Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.3","score":265},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Regular Expression Denial of Service (ReDoS)"}],"prId":"35f0d72d-04fa-4c99-b245-8eb4318c3dbf","prPublicId":"35f0d72d-04fa-4c99-b245-8eb4318c3dbf","packageManager":"npm","priorityScoreList":[519,586],"projectPublicId":"316744b9-e65c-4e93-b0b5-625a7770b6dc","projectUrl":"https://app.snyk.io/org/jonkiky/project/316744b9-e65c-4e93-b0b5-625a7770b6dc?utm_source=github&utm_medium=referral&page=upgrade-pr","prType":"upgrade","templateFieldSources":{"branchName":"default","commitMessage":"default","description":"default","title":"...