[Snyk] Upgrade: node-fetch, bcrypt, envfile, express, express-session, jimp, mongoose, openai, qrcode, sanitize-html, socket.io, string-argv, web-push

[SimplyTiramisu]

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

node-fetch
from 2.6.9 to 2.7.0 | 5 versions ahead of your current version | a year ago
on 2023-08-23
bcrypt
from 5.1.0 to 5.1.1 | 1 version ahead of your current version | a year ago
on 2023-08-16
envfile
from 6.18.0 to 6.22.0 | 8 versions ahead of your current version | 10 months ago
on 2023-11-23
express
from 4.18.2 to 4.19.2 | 4 versions ahead of your current version | 6 months ago
on 2024-03-25
express-session
from 1.17.3 to 1.18.0 | 1 version ahead of your current version | 8 months ago
on 2024-01-28
jimp
from 0.13.0 to 0.22.12 | 119 versions ahead of your current version | 7 months ago
on 2024-02-23
mongoose
from 6.10.4 to 6.13.0 | 19 versions ahead of your current version | 3 months ago
on 2024-06-06
openai
from 3.2.1 to 3.3.0 | 1 version ahead of your current version | a year ago
on 2023-06-13
qrcode
from 1.5.1 to 1.5.4 | 3 versions ahead of your current version | a month ago
on 2024-08-05
sanitize-html
from 2.10.0 to 2.13.0 | 4 versions ahead of your current version | 6 months ago
on 2024-03-20
socket.io
from 4.6.1 to 4.7.5 | 7 versions ahead of your current version | 6 months ago
on 2024-03-14
string-argv
from 0.3.1 to 0.3.2 | 1 version ahead of your current version | a year ago
on 2023-05-01
web-push
from 3.5.0 to 3.6.7 | 7 versions ahead of your current version | 8 months ago
on 2024-01-16

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Uncaught Exception SNYK-JS-ENGINEIO-5496331	586	No Known Exploit
	Uncaught Exception SNYK-JS-SOCKETIO-7278048	586	No Known Exploit
	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-5596892	586	No Known Exploit
	Prototype Pollution SNYK-JS-MONGOOSE-5777721	586	Proof of Concept
	Improper Handling of Extra Parameters SNYK-JS-FOLLOWREDIRECTS-6141137	586	Proof of Concept
	Information Exposure SNYK-JS-SANITIZEHTML-6256334	586	Proof of Concept
	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-TAR-6476909	586	Proof of Concept
	Information Exposure SNYK-JS-MONGODB-5871303	586	No Known Exploit
	Open Redirect SNYK-JS-EXPRESS-6474509	586	No Known Exploit
	Prototype Pollution SNYK-JS-XML2JS-5414874	586	Proof of Concept
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	586	Proof of Concept
	Exposure of Sensitive Information to an Unauthorized Actor SNYK-JS-PHIN-6598077	586	No Known Exploit

Release notes

Package name: node-fetch

• 2.7.0 - 2023-08-23
  

  2.7.0 (2023-08-23)

  Features

  • AbortError (#1744) (9b9d458)
• 2.6.13 - 2023-08-18
  

  2.6.13 (2023-08-18)

  Bug Fixes

  • Remove the default connection close header (#1765) (65ae25a), closes #1735 #1473 #1736
• 2.6.12 - 2023-06-29
  

  2.6.12 (2023-06-29)

  Bug Fixes

  • socket variable testing for undefined (#1726) (8bc3a7c)
• 2.6.11 - 2023-05-09
  

  2.6.11 (2023-05-09)

  Reverts

  • Revert "fix: handle bom in text and json (#1739)" (#1741) (afb36f6), closes #1739 #1741
• 2.6.10 - 2023-05-08
  

  2.6.10 (2023-05-08)

  Bug Fixes

  • handle bom in text and json (#1739) (29909d7)
• 2.6.9 - 2023-01-30
  

  2.6.9 (2023-01-30)

  Bug Fixes

  • "global is not defined" (#1704) (70f592d)

from node-fetch GitHub release notes

Package name: bcrypt

• 5.1.1 - 2023-08-16
  

  What's Changed

  • Refactored example with async await by @ lpizzinidev in #894
  • Fixed z/OS build issue by @ laijonathan in #968
  • Update dependencies by @ recrsn in #993

  New Contributors

  • @ lpizzinidev made their first contribution in #894
  • @ laijonathan made their first contribution in #968

  Full Changelog: v5.1.0...v5.1.1

• 5.1.0 - 2022-10-06
  

  What's Changed

  • Update node-pre-gyp to 1.0.2 by @ feuxfollets1013 in #865
  • Update README for inclusion of musl by @ arbourd in #883
  • Version bump, security updates to sub dep npmlog by @ adaniels-parabol in #905
  • document ESM usage (#892) by @ mariusa in #899
  • fix: update travis CI Docker image repository by @ cokia in #930
  • Update node versions in appveyor test matrix by @ p-kuen in #936
  • chore(appveyor): not use latest npm by @ cokia in #932
  • chore: update Appveyor readme badge by @ cokia in #933
  • Use Github actions for CI by @ recrsn in #858
  • Update dependencies by @ recrsn in #953
  • Migrate tests to use Jest by @ recrsn in #958
  • Pin NAPI to v3 by @ recrsn in #959

  New Contributors

  • @ feuxfollets1013 made their first contribution in #865
  • @ arbourd made their first contribution in #883
  • @ adaniels-parabol made their first contribution in #905
  • @ mariusa made their first contribution in #899
  • @ cokia made their first contribution in #930
  • @ p-kuen made their first contribution in #936

  Full Changelog: v5.0.1...v5.1.0

from bcrypt GitHub release notes

Package name: envfile

• 6.22.0 - 2023-11-23
  
  • Updated dependencies, base files, and editions using boundation
• 6.22.0-next.1700712299.86e74f790c5a1e056ed480d9be6ebb04aac6b991 - 2023-11-23
• 6.21.0 - 2023-11-21
  
  • Updated dependencies, base files, and editions using boundation
• 6.21.0-next.1700554457.0412c0363e7505d1492017408ff83304328366a4 - 2023-11-21
• 6.20.0 - 2023-11-14
  
  • Updated dependencies, base files, and editions using boundation
• 6.20.0-next.1699989059.04c24086f5bc395dc49b37abcaf4fed427418000 - 2023-11-14
• 6.19.0 - 2023-11-13
  
  • Updated dependencies, base files, and editions using boundation
  • Updated license from MIT to Artistic-2.0
• 6.19.0-next.1699887700.07ffe496bd08fc295e13d46ebb0441aceb70f227 - 2023-11-13
• 6.18.0 - 2022-09-08
  
  • Normalize string values when parsing to JSON - Thanks to kcarra for pull request #194

from envfile GitHub release notes

Package name: express

• 4.19.2 - 2024-03-25
• 4.19.1 - 2024-03-20
  

  What's Changed

  • Fix ci after location patch by @ wesleytodd in #5552
  • fixed un-edited version in history.md for 4.19.0 by @ wesleytodd in #5556

  Full Changelog: 4.19.0...4.19.1

• 4.19.0 - 2024-03-20
  

  What's Changed

  • fix typo in release date by @ UlisesGascon in #5527
  • docs: nominating @ wesleytodd to be project captian by @ wesleytodd in #5511
  • docs: loosen TC activity rules by @ wesleytodd in #5510
  • Add note on how to update docs for new release by @ crandmck in #5541
  • Prevent open redirect allow list bypass due to encodeurl
  • Release 4.19.0 by @ wesleytodd in #5551

  New Contributors

  • @ crandmck made their first contribution in #5541

  Full Changelog: 4.18.3...4.19.0

• 4.18.3 - 2024-02-29
  

  Main Changes

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2

  Other Changes

  • Use https: protocol instead of deprecated git: protocol by @ vcsjones in #5032
  • build: Node.js@16.18 and Node.js@18.12 by @ abenhamdine in #5034
  • ci: update actions/checkout to v3 by @ armujahid in #5027
  • test: remove unused function arguments in params by @ raksbisht in #5124
  • Remove unused originalIndex from acceptParams by @ raksbisht in #5119
  • Fixed typos by @ raksbisht in #5117
  • examples: remove unused params by @ raksbisht in #5113
  • fix: parameter str is not described in JSDoc by @ raksbisht in #5130
  • fix: typos in History.md by @ raksbisht in #5131
  • build : add Node.js@19.7 by @ abenhamdine in #5028
  • test: remove unused function arguments in params by @ raksbisht in #5137
  • use random port in test so it won't fail on already listening by @ rluvaton in #5162
  • tests: use cb() instead of done() by @ kristof-low in #5233
  • examples: remove multipart example by @ riddlew in #5195
  • Update support Node.js@18 in the CI by @ UlisesGascon in #5490
  • Fix favicon-related bug in cookie-sessions example by @ DmytroKondrashov in #5414
  • Release 4.18.3 by @ UlisesGascon in #5505

  New Contributors

  • @ vcsjones made their first contribution in #5032
  • @ abenhamdine made their first contribution in #5034
  • @ armujahid made their first contribution in #5027
  • @ raksbisht made their first contribution in #5124
  • @ rluvaton made their first contribution in #5162
  • @ kristof-low made their first contribution in #5233
  • @ riddlew made their first contribution in #5195
  • @ DmytroKondrashov made their first contribution in #5414

  Full Changelog: 4.18.2...4.18.3

• 4.18.2 - 2022-10-08
  
  • Fix regression routing a large stack in a single route
  • deps: body-parser@1.20.1
    • deps: qs@6.11.0
    • perf: remove unnecessary object clone
  • deps: qs@6.11.0

from express GitHub release notes

Package name: express-session

• 1.18.0 - 2024-01-28
  
  • Add debug log for pathname mismatch
  • Add partitioned to cookie options
  • Add priority to cookie options
  • Fix handling errors from setting cookie
  • Support any type in secret that crypto.createHmac supports
  • deps: cookie@0.6.0
    • Fix expires option to reject invalid dates
    • perf: improve default decode speed
    • perf: remove slow string split in parse
  • deps: cookie-signature@1.0.7
• 1.17.3 - 2022-05-11
  
  • Fix resaving already-saved new session at end of request
  • deps: cookie@0.4.2

from express-session GitHub release notes

Package name: mongoose

• 6.13.0 - 2024-06-06
• 6.12.9 - 2024-05-24
• 6.12.8 - 2024-04-10
• 6.12.7 - 2024-03-01
• 6.12.6 - 2024-01-22
• 6.12.5 - 2024-01-03
• 6.12.4 - 2023-12-27
• 6.12.3 - 2023-11-07
• 6.12.2 - 2023-10-25
• 6.12.1 - 2023-10-12
• 6.12.0 - 2023-08-24
• 6.11.6 - 2023-08-21
• 6.11.5 - 2023-08-01
• 6.11.4 - 2023-07-17
• 6.11.3 - 2023-07-11
• 6.11.2 - 2023-06-08
• 6.11.1 - 2023-05-08
• 6.11.0 - 2023-05-01
• 6.10.5 - 2023-04-06
• 6.10.4 - 2023-03-21

from mongoose GitHub release notes

Package name: openai

• 3.3.0 - 2023-06-13
  

  Add support for function calling in the Chat Completions API

  Announcement: https://openai.com/blog/function-calling-and-other-api-updates
  Documentation: https://platform.openai.com/docs/guides/gpt/function-calling

• 3.2.1 - 2023-03-01
  

  3.2.1

from openai GitHub release notes

Package name: qrcode

• 1.5.4 - 2024-08-05
  

  1.5.4

• 1.5.3 - 2023-04-22
  

  1.5.3

• 1.5.2 - 2023-04-21
  

  1.5.2

• 1.5.1 - 2022-07-13
  

  1.5.1

from qrcode GitHub release notes

Package name: sanitize-html

• 2.13.0 - 2024-03-20
  

  release 2.13.0

• 2.12.1 - 2024-02-22
  

  release 2.12.1

• 2.12.0 - 2024-02-21
• 2.11.0 - 2023-06-21
  

  release 2.11.0

• 2.10.0 - 2023-02-17
  

  release 2.10.0

from sanitize-html GitHub release notes

Package name: socket.io

• 4.7.5 - 2024-03-14
  

  Bug Fixes

  • close the adapters when the server is closed (bf64870)
  • remove duplicate pipeline when serving bundle (e426f3e)

  Links

  • Diff: 4.7.4...4.7.5
  • Client release: 4.7.5
  • engine.io@~6.5.2 (no change)
  • ws@~8.11.0 (no change)
• 4.7.4 - 2024-01-12
• 4.7.3 - 2024-01-03
• 4.7.2 - 2023-08-02
• 4.7.1 - 2023-06-28
• 4.7.0 - 2023-06-22
• 4.6.2 - 2023-05-31
• 4.6.1 - 2023-02-20

from socket.io GitHub release notes

Package name: string-argv

• 0.3.2 - 2023-05-01
• 0.3.1 - 2019-08-29

from string-argv GitHub release notes

Package name: web-push

• 3.6.7 - 2024-01-16
  

  3.6.7

• 3.6.6 - 2023-09-14
  

  3.6.6

• 3.6.5 - 2023-08-29
  No content.
• 3.6.4 - 2023-07-29
  No content.
• 3.6.3 - 2023-06-21
  No content.
• 3.6.2 - 2023-06-13
  No content.
• 3.6.1 - 2023-04-28
  No content.
• 3.5.0 - 2022-05-03
  No content.

from web-push GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[//]: # 'snyk:metadata:{"customTemplate":{"variablesUsed":[],"fieldsUsed":[]},"dependencies":[{"name":"node-fetch","from":"2.6.9","to":"2.7.0"},{"name":"bcrypt","from":"5.1.0","to":"5.1.1"},{"name":"envfile","from":"6.18.0","to":"6.22.0"},{"name":"express","from":"4.18.2","to":"4.19.2"},{"name":"express-session","from":"1.17.3","to":"1.18.0"},{"name":"jimp","from":"0.13.0","to":"0.22.12"},{"name":"mongoose","from":"6.10.4","to":"6.13.0"},{"name":"openai","from":"3.2.1","to":"3.3.0"},{"name":"qrcode","from":"1.5.1","to":"1.5.4"},{"name":"sanitize-html","from":"2.10.0","to":"2.13.0"},{"name":"socket.io","from":"4.6.1","to":"4.7.5"},{"name":"string-argv","from":"0.3.1","to":"0.3.2"},{"name":"web-push","from":"3.5.0","to":"3.6.7"}],"env":"prod","hasFixes":true,"isBreakingChange":false,"isMajorUpgrade":false,"issuesToFix":[{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-ENGINEIO-5496331","issue_id":"SNYK-JS-ENGINEIO-5496331","priority_score":589,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.5","score":375},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Uncaught Exception"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-SOCKETIO-7278048","issue_id":"SNYK-JS-SOCKETIO-7278048","priority_score":649,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"8.7","score":435},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Uncaught Exception"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-SOCKETIOPARSER-5596892","issue_id":"SNYK-JS-SOCKETIOPARSER-5596892","priority_score":375,"priority_score_factors":[{"type":"cvssScore","label":"7.5","score":375},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Denial of Service (DoS)"},{"exploit_maturity":...