[Snyk] Fix for 24 vulnerabilities

[bparrish206]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	584/1000 Why? Has a fix available, CVSS 7.4	Directory Traversal SNYK-JS-ADMZIP-1065796	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	Yes	Proof of Concept
	671/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7	Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-HANDLEBARS-1279029	No	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-HANDLEBARS-469063	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-HANDLEBARS-480388	No	No Known Exploit
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-HANDLEBARS-534478	No	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-HANDLEBARS-534988	No	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-HANDLEBARS-567742	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-INI-1048974	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution npm:ejs:20161128	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Cross-site Scripting (XSS) npm:ejs:20161130	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) npm:ejs:20161130-1	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: adm-zip

The new version differs by 134 commits.

• c5aeed4 Incremented version number
• 119dcad Fixed path traversal issue GHSL-2020-198
• 1d22ff6 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#341 from 5saviahv/history
• 492d148 added changelog
• dd415ae Incremented version
• 0f011a3 Fixed outFileName
• bc19fee Added extra parameter to extractEntryTo so target filename can be renamed
• 92e9836 Updated dev dependency
• 2b8d9ab Merge pull request [Snyk-dev Update] New fixes for 54 vulnerable dependency paths snyk-labs/nodejs-goof#315 from enecciari/work_in_browser
• 4fe58d1 Merge pull request [Snyk-dev Update] New fixes for 14 vulnerable dependency paths snyk-labs/nodejs-goof#322 from cthackers/dependabot/npm_and_yarn/lodash-4.17.19
• 49218a4 Merge pull request [Snyk-dev Update] New fixes for 15 vulnerable dependency paths snyk-labs/nodejs-goof#327 from kosuke-suzuki/multibyte-comment
• a7e8932 Merge pull request [Snyk-dev] Fix for 65 vulnerable dependency paths snyk-labs/nodejs-goof#331 from 5saviahv/master
• 7db0eda modified addLocalFolder method
• e114929 typo
• dc81063 modified addLocalFile method
• bc0f594 Deflate needs min V2.0
• dde4f51 Node v6
• 003d4cf Added ZipCrypto decrypting ability
• 63ed6e2 Detect and throw error with encrypted files
• c64ac14 LICENSE filename in package.json
• 1a334b2 add multibyte-encoded comment with byte length instead of character length
• 96d492a Bump lodash from 4.17.15 to 4.17.19
• b77f380 now it works in browser
• 218feee Merge remote-tracking branch 'upstream/master'

See the full diff

Package name: body-parser

The new version differs by 250 commits.

• 424dadd 1.19.2
• 11248a2 deps: raw-body@2.4.3
• 7a088eb build: Node.js@14.19
• ecedf31 build: Node.js@16.14
• b6bfabd build: Node.js@17.5
• badd6b2 build: fix code coverage aggregate upload
• 96b448a build: Node.js@17.4
• 70560b1 build: mocha@9.2.0
• 548a06f build: supertest@6.2.2
• 3b00678 deps: bytes@3.1.2
• d5acb61 build: mocha@9.1.4
• 82c8a7c tests: add limit + inflate tests
• b356758 deps: qs@6.9.7
• c631b58 build: supertest@6.2.1
• c81a8e2 build: eslint-plugin-import@2.25.4
• 3c4dcb8 build: Node.js@17.3
• d0a214b 1.19.1
• fb172d4 build: eslint-plugin-promise@5.2.0
• c5e63cb build: Node.js@17.2
• c6d43bd build: eslint-plugin-import@2.25.3
• 313ed6d build: eslint-plugin-promise@5.1.1
• 8389b51 deps: bytes@3.1.1
• aae94b2 deps: http-errors@1.8.1
• 7f84d4f deps: raw-body@2.4.2

See the full diff

Package name: express

The new version differs by 250 commits.

• 3d7fce5 4.17.3
• f906371 build: update example dependencies
• 6381bc6 deps: qs@6.9.7
• a007863 deps: body-parser@1.19.2
• e98f584 Revert "build: use minimatch@3.0.4 for Node.js < 4"
• a659137 tests: use strict mode
• a39e409 tests: prevent leaking changes to NODE_ENV
• 82de4de examples: fix path traversal in downloads example
• 12310c5 build: use nyc for test coverage
• 884657d examples: remove bitwise syntax for includes check
• 7511d08 build: use minimatch@3.0.4 for Node.js < 4
• 2585f20 tests: fix test missing assertion
• 9d09762 build: supertest@6.2.2
• 43cc56e build: clean up gitignore
• 1c7bbcc build: Node.js@14.19
• 9cbbc8a deps: cookie@0.4.2
• 6fbc269 pref: remove unnecessary regexp for trust proxy
• 2bc734a deps: accepts@~1.3.8
• 89bb531 docs: fix typo in res.download jsdoc
• 744564f tests: add test for multiple ips in "trust proxy"
• da6cb0e tests: add range tests to res.download
• 00ad5be tests: add more tests for app.request & app.response
• 141914e tests: fix tests that did not bubble errors
• bd4fdfe tests: remove global dependency on should

See the full diff

Package name: hbs

The new version differs by 107 commits.

• 00764e0 v4.1.2
• 8dcac86 tests: add test for layout that does not exist
• 1046191 test: add test for layout using async helper
• 9c6ee6f test: add test for async helper with layout
• b109867 lint: fix redeclared variable
• 7920ac6 build: Node.js@12.22
• 5623682 deps: handlebars@4.7.7
• 81ee48a build: supertest@6.1.3
• c90ac58 build: eslint-plugin-markdown@2.0.1
• 5179777 build: eslint@7.24.0
• 4c73a69 build: mocha@8.3.2
• 0826373 build: Node.js@14.16
• 711c4fa build: Node.js@12.21
• a48b2bf build: Node.js@10.24
• c9ba0a3 build: eslint@7.21.0
• dfc44e3 build: eslint-plugin-markdown@2.0.0
• f3f5697 build: Node.js@12.20
• b2a461b build: eslint@7.18.0
• 3852e7c build: supertest@6.1.1
• 67c942d build: eslint@7.16.0
• 14c84ff build: Node.js@14.15
• 1fcbd8b build: mocha@8.2.1
• 20afe45 build: eslint@7.13.0
• bd96ad1 build: Node.js@12.19

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• 23efdcf chore: release 4.10.2
• f627ba5 fix: bump ms -> 2.0.0
• b8263d6 fix: bump mquery for regexp vulnerability
• 84b3e28 docs: improve projection descriptions re: #1534
• ca5e53c chore: now working on 4.10.2
• 3474d8d chore: release 4.10.1
• dc6f887 fix(populate): handle doc.populate() with virtuals
• a6dd311 test(populate): repro #5240
• 6a2d405 fix(aggregate): handle sorting by text score correctly
• b386516 test(aggregate): repro #5258
• 54f624e Merge branch 'master' of github.com:Automattic/mongoose
• 5038635 fix(schema): enforce that _id is never null
• f7cbbdc docs: list a couple intermediate changes in changelog
• d951bed chore: now working on 4.10.1
• 274ed0f docs: add missing ignore
• 43752e8 chore: release 4.10.0
• 142fbba Merge pull request #5270 from Automattic/4.10
• 4bc7b3e docs: add missing ignores to sharding plugin
• e8c8789 Merge branch '4.10' of github.com:Automattic/mongoose into 4.10
• 9d4c9d4 Merge branch 'master' into 4.10
• b8f0dd8 Merge pull request #5253 from Automattic/5145
• f3805fa Merge pull request #5252 from Automattic/4569
• 8ba7869 Merge pull request #5268 from clozanosanchez/patch-2
• 373bb6f Update clone method to include indexes

See the full diff

Package name: ms

The new version differs by 19 commits.

• 9b88d15 2.0.0
• 94b995c Invalidated cache for slack badge
• bcf5715 Bumped dependencies to the latest version
• b1eaab7 Ignored logs coming from npm
• caae298 Limit str to 100 to avoid ReDoS of 0.3s ([Snyk] Fix for 33 vulnerable dependency paths snyk-labs/nodejs-goof#89)
• b83b36d chore(package): update eslint to version 3.19.0 ([Snyk] Fix for 33 vulnerable dependency paths snyk-labs/nodejs-goof#88)
• 3f2a4d7 chore(package): update husky to version 0.13.3 ([Snyk] Fix for 33 vulnerable dependency paths snyk-labs/nodejs-goof#86)
• 7daf984 1.0.0
• ee91f30 More suitable name for file containing tests
• e818c35 Removed browser testing
• c9b1fd3 Test on LTS version of Node
• 389840b Badge for XO removed
• 1fbbe97 Removed component specification
• 57b3ef8 Use `prettier` and `eslint`
• 94068ea Removed XO
• 4b7f48f chore(package): update serve to version 5.0.4 ([Snyk] Fix for 33 vulnerable dependency paths snyk-labs/nodejs-goof#85)
• bd49cec chore(package): update xo to version 0.18.0 ([Snyk] Fix for 33 vulnerable dependency paths snyk-labs/nodejs-goof#84)
• d4a94b1 chore(package): update serve to version 5.0.3 (feat: added support for CloudFoundry snyk-labs/nodejs-goof#83)
• 923eee1 chore(package): update serve to version 5.0.2 ([Snyk Update] New fixes for 2 vulnerable dependency paths snyk-labs/nodejs-goof#82)

See the full diff

Package name: snyk

The new version differs by 250 commits.

• 3f52bdc Merge pull request #1669 from snyk/fix/dont-fail-on-request-big-payload
• 47e106e fix: don't fail on request's big payload
• 1228b55 Merge pull request #1624 from snyk/chore/cli-alert-improvement
• fccd907 Merge pull request #1666 from snyk/chore/bump-cpp-test-timeout
• 6772a3e Merge pull request #1649 from snyk/chore/deps-update
• 89a7767 chore: update dependencies
• eaf4915 test: wrap pagerduty await in try-catch, remove condition
• 0576431 test: add pagerduty, check if test is running before attemmpting rerun
• a08a938 chore: bump flaky cpp test timeout
• ebb8dd7 Merge pull request #1656 from snyk/feat/protect-prime-time
• 69cd590 test: fix flakey json output test
• 3021bb2 Merge pull request #1663 from snyk/fix/upgrade-snyk-gradle-plugin
• a988600 Merge pull request #1654 from snyk/feat/iac-experimental-terraform-support
• b455497 feat: iac experimental tf support
• 4848b7e chore: run tests in packages in CI
• 3e7e99e feat: implement snyk protect
• bb233f1 chore: enable prettier formatting in packages
• fe0183d test: enable jest testing in snyk-protect workspace
• 40ec817 test: test fixture for snyk protect
• 7dfd3ea Merge pull request #1661 from snyk/test/fix-flake-with-dev-count-analysis
• 02c99b8 test: remove tests previously migrated to jest
• e203fd1 test: set timeout in beforeAll
• d42f6d9 fix: update snyk-gradle-plugin to 3.13.2
• 8cd9fbf Merge pull request #1662 from snyk/test/add-longer-timeouts

See the full diff

Package name: tap

The new version differs by 250 commits.

• eaa0084 14.6.8
• e7cff4d update deps to node >=8 requirements
• b9e53c2 update cli doc
• 9917a7a 14.6.7
• 125aae3 async-hook-domain@1.1.1
• ce0c629 update cli doc
• eb2bded 14.6.6
• 7f453f5 Set nyc color watermarks based on check-coverage levels
• 28e7db5 update cli doc
• fb852ee 14.6.5
• eeb423a minipass@2.8.3
• 5b83028 watch: add --no-clean to nyc args on change tests
• 6a4d64b track thrown error when timeout/throws happen during promise waiting
• 5b977e1 update cli doc
• 49e9df0 14.6.4
• 6d37040 update deps, remove npm-shrinkwrap.json
• d19ab3d update cli doc
• 1436f4f 14.6.3
• a266e30 Fail if error is thrown while awaiting a Promise
• 73e7496 update cli doc
• 443786c 14.6.2
• 36d6dc5 Properly handle test aborts when awaiting promises
• 28cd2ff update cli doc
• 8d280c3 14.6.1

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Arbitrary Code Injection
🦉 More lessons are available in Snyk Learn