[Snyk-local] Fix for 43 vulnerabilities

[cfereday]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Directory Traversal SNYK-JS-ADMZIP-1065796	No	No Known Exploit
	Internal Property Tampering SNYK-JS-BSON-561052	Yes	No Known Exploit
	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	Denial of Service (DoS) SNYK-JS-EXPRESSFILEUPLOAD-473997	Yes	No Known Exploit
	Prototype Pollution SNYK-JS-EXPRESSFILEUPLOAD-595969	Yes	Proof of Concept
	Prototype Pollution SNYK-JS-INI-1048974	Yes	Proof of Concept
	Prototype Pollution SNYK-JS-JQUERY-174006	Yes	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-JQUERY-565129	Yes	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-JQUERY-567880	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-174116	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451540	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS ) SNYK-JS-MARKED-584281	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	No	No Known Exploit
	Denial of Service (DoS) SNYK-JS-MONGODB-473855	Yes	No Known Exploit
	Prototype Pollution SNYK-JS-MQUERY-1050858	Yes	No Known Exploit
	Improper Access Control SNYK-JS-NEXTAUTH-1072465	No	No Known Exploit
	Prototype Pollution SNYK-JS-NODEFORGE-598677	No	Proof of Concept
	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept
	Insecure use of /tmp folder npm:cli:20160615	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	No Known Exploit
	Arbitrary Code Execution npm:ejs:20161128	Yes	No Known Exploit
	Cross-site Scripting (XSS) npm:ejs:20161130	Yes	No Known Exploit
	Denial of Service (DoS) npm:ejs:20161130-1	Yes	No Known Exploit
	Cross-site Scripting (XSS) npm:jquery:20150627	Yes	No Known Exploit
	Cross-site Scripting (XSS) npm:marked:20150520	No	No Known Exploit
	Cross-site Scripting (XSS) npm:marked:20170112	No	No Known Exploit
	Cross-site Scripting (XSS) npm:marked:20170815	No	No Known Exploit
	Cross-site Scripting (XSS) npm:marked:20170815-1	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:marked:20170907	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:marked:20180225	No	Proof of Concept
	Denial of Service (DoS) npm:mem:20180117	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	Yes	No Known Exploit
	Uninitialized Memory Exposure npm:npmconf:20180512	Yes	Mature
	Regular Expression Denial of Service (ReDoS) npm:semver:20150403	Yes	No Known Exploit
	Directory Traversal npm:st:20140206	No	Proof of Concept
	Open Redirect npm:st:20171013	Yes	Mature

Commit messages

Package name: adm-zip

The new version differs by 84 commits.

• c5aeed4 Incremented version number
• 119dcad Fixed path traversal issue GHSL-2020-198
• 1d22ff6 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#341 from 5saviahv/history
• 492d148 added changelog
• dd415ae Incremented version
• 0f011a3 Fixed outFileName
• bc19fee Added extra parameter to extractEntryTo so target filename can be renamed
• 92e9836 Updated dev dependency
• 2b8d9ab Merge pull request [Snyk-dev Update] New fixes for 54 vulnerable dependency paths snyk-labs/nodejs-goof#315 from enecciari/work_in_browser
• 4fe58d1 Merge pull request [Snyk-dev Update] New fixes for 14 vulnerable dependency paths snyk-labs/nodejs-goof#322 from cthackers/dependabot/npm_and_yarn/lodash-4.17.19
• 49218a4 Merge pull request [Snyk-dev Update] New fixes for 15 vulnerable dependency paths snyk-labs/nodejs-goof#327 from kosuke-suzuki/multibyte-comment
• a7e8932 Merge pull request [Snyk-dev] Fix for 65 vulnerable dependency paths snyk-labs/nodejs-goof#331 from 5saviahv/master
• 7db0eda modified addLocalFolder method
• e114929 typo
• dc81063 modified addLocalFile method
• bc0f594 Deflate needs min V2.0
• dde4f51 Node v6
• 003d4cf Added ZipCrypto decrypting ability
• 63ed6e2 Detect and throw error with encrypted files
• c64ac14 LICENSE filename in package.json
• 1a334b2 add multibyte-encoded comment with byte length instead of character length
• 96d492a Bump lodash from 4.17.15 to 4.17.19
• b77f380 now it works in browser
• 218feee Merge remote-tracking branch 'upstream/master'

See the full diff

Package name: body-parser

The new version differs by 53 commits.

• b2659a7 1.18.2
• 6339bf7 perf: remove argument reassignment
• d5f9a4a deps: debug@2.6.9
• d041563 1.18.1
• 9efa9ab deps: content-type@~1.0.4
• f1ef6cc deps: qs@6.5.1
• e438db5 deps: raw-body@2.3.2
• 15c3585 deps: iconv-lite@0.4.19
• adfa01c 1.18.0
• 0632e2f Include the "type" property on all generated errors
• b8f97cd Include the "body" property on verify errors
• c659e8a tests: add test for err.body on json parse error
• 4e15325 tests: reorganize json error tests
• 5bd7ed5 tests: reorganize json strict option tests
• 3cb380b tests: store server on mocha context instead of variable shadowing
• 29c8cd0 docs: document too many parameters error
• 7b9cb14 Use http-errors to set status code on errors
• 29a27f1 docs: fix typo in jsdoc comment
• 448dc57 Fix JSON strict violation error to match native parse error
• 87df7e6 tests: add leading whitespace strict json test
• 1841248 deps: raw-body@2.3.1
• e666dbe deps: http-errors@~1.6.2
• c2a110a deps: bytes@3.0.0
• a1a2e31 build: Node.js@8.4

See the full diff

Package name: express-fileupload

The new version differs by 250 commits.

• 9f22db7 version bump
• 9fca550 Merge pull request [Snyk Update] New fixes for 2 vulnerable dependency paths snyk-labs/nodejs-goof#240 from AmazingMech2418/patch-1
• 1530cf5 Make Travis happy
• e43bfcf Fix typo
• 8bf7427 Update processNested.js
• fd40389 version bump
• 94c9cf9 prototype pollution fix [Snyk-dev] Upgrade marked from 0.3.5 to 0.8.2 #2
• 829f395 version bump
• db49535 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#237 from richardgirges/fix-236-proto-pollution
• d81bee9 Upgrade latest packages; run npm audit fix; add logic to prevent prototype pollution in parseNested
• e9848fc Update package-lock.json
• d536cfb Update package.json
• c7a6b9c Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#233 from RomanBurunkov/master
• a53b93f Update tests to support empty files
• d8c00c5 Add empty files support for tempFileHandler
• b24233d Comment extra condition in fileFactory(issue [Snyk] Fix for 6 vulnerabilities #1), add more logging
• d57ee02 Formatting utilities
• b6097df Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#232 from RomanBurunkov/master
• 05004b7 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#230 from Code42Cate/readme-timeout
• 1afa527 Update dependencies
• 880c2b7 Improve timeout option documentation
• 3f130b0 Add timeout option to README.MD
• d55fa83 Merge pull request [Snyk Update] New fixes for 2 vulnerable dependency paths snyk-labs/nodejs-goof#222 from wbt/patch-1
• d61f02f Fix some small typos

See the full diff

Package name: lodash

The new version differs by 1 commits.

• c6e281b Bump to v4.17.21

See the full diff

Package name: marked

The new version differs by 250 commits.

• 1ad8e69 Merge pull request #1731 from UziTech/release-1.1.1
• 7e17526 1.1.1
• 7fbee6e Merge pull request #1730 from UziTech/update-deps
• 6f7522f Merge pull request #1729 from UziTech/quick-ref
• f8024eb remove ending slash
• 524ae66 remove ending slash
• 0d6e056 build
• 04ac593 update dev deps
• f36f676 🗜️ build [skip ci]
• dddf9ae Merge pull request #1686 from calculuschild/EmphasisFixes
• 6b729ed Merge branch 'EmphasisFixes' of https://github.com/calculuschild/marked into EmphasisFixes
• e27e6f9 Sorted strong and em into sub-objects
• a761316 Merge pull request #1726 from UziTech/show-rules
• f8193ed add npm run rules
• ad720c1 Make emEnd const
• 1fb141d Make strEnd const
• 226bbe7 Lint
• cc778ad Removed redundancy in "startEM" check
• 211b9f9 Removed Lookbehinds
• 982b57e Merge pull request #1720 from vassudanagunta/docs-patch-1
• 2a847e6 clarify level of support for Markdown flavors
• bd4f8c4 Fix unrestricted "any character" for REDOS
• 4e7902e Gaaaah lint
• 4db32dc Links are masked only once per inline string

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• d7fc59c chore: release 5.11.7
• d318339 fix(index.d.ts): make `Document#id` optional so types that use `id` can use `Model<IMyType & Document>`
• a9b317a chore: upgrade mquery -> 3.2.3
• 43f88db fix(document): ensure calling `get()` with empty string returns undefined for mongoose-plugin-autoinc
• 369efe1 Merge pull request #9692 from sahasayan/patch-4
• f879c4d chore: update opencollective sponsors
• 1be4d87 fix(model): set `isNew` to false for documents that were successfully inserted by `insertMany` with `ordered = false` when an error occurred
• b2da840 test(model): repro #9677
• 15d6660 fix(index.d.ts): add missing Aggregate#skip() & Aggregate#limit()
• dd348b1 chore: release 5.11.6
• 3ec01fa fix(index.d.ts): allow calling `mongoose.model()` and `Connection#model()` with model as generic param
• ccfa041 Merge pull request #9686 from cjroebuck/patch-1
• 7a52e45 Merge pull request #9685 from sahasayan/patch-3
• a5c98c2 Allow array of validators in SchemaTypeOptions
• 48907ea fix(index.d.ts): allow 2 generic types in mongoose.model function
• a17a2c3 Merge pull request #9683 from isengartz/master
• 61595f0 fix(index.d.ts): allow passing ObjectId properties as strings to `create()` and `findOneAndReplace()`
• 8e20ee6 optional next() parameter for post middleware
• 8a52485 Merge pull request #9680 from orgads/aggregate
• 1ef8274 fix(middleware): ensure sync errors in pre hooks always bubble up to the calling code
• 067e3a2 fix(index.d.ts): Fix return type of Model#aggregate()
• 0e2058d chore: release 5.11.5
• 6d9fb4d fix(index.d.ts): add missing `SchemaTypeOpts` and `ConnectionOptions` aliases for backwards compat
• a85adb9 test: fix tests re: #9669

See the full diff

Package name: ms

The new version differs by 19 commits.

• 9b88d15 2.0.0
• 94b995c Invalidated cache for slack badge
• bcf5715 Bumped dependencies to the latest version
• b1eaab7 Ignored logs coming from npm
• caae298 Limit str to 100 to avoid ReDoS of 0.3s ([Snyk-local] Fix for 1 vulnerabilities #89)
• b83b36d chore(package): update eslint to version 3.19.0 ([Snyk-dev] Fix for 1 vulnerabilities #88)
• 3f2a4d7 chore(package): update husky to version 0.13.3 ([Snyk] Security upgrade rrule from 2.5.5 to 2.6.0 #86)
• 7daf984 1.0.0
• ee91f30 More suitable name for file containing tests
• e818c35 Removed browser testing
• c9b1fd3 Test on LTS version of Node
• 389840b Badge for XO removed
• 1fbbe97 Removed component specification
• 57b3ef8 Use `prettier` and `eslint`
• 94068ea Removed XO
• 4b7f48f chore(package): update serve to version 5.0.4 (chore: add vuln #85)
• bd49cec chore(package): update xo to version 0.18.0 ([Snyk] Security upgrade dustjs-linkedin from 2.6.0 to 2.6.3 #84)
• d4a94b1 chore(package): update serve to version 5.0.3 ([Snyk-dev] Fix for 70 vulnerabilities #83)
• 923eee1 chore(package): update serve to version 5.0.2 ([Snyk-dev] Fix for 70 vulnerabilities #82)

See the full diff

Package name: next-auth

The new version differs by 250 commits.

• 553036d Merge branch 'main' into canary
• ce073f4 docs: trigger release
• c5bb0ac fix(provider): Fixes for email sign in (Intel based MAC OS 12.2.1 and Node v19.1 - docker build fails snyk-labs/nodejs-goof#1285)
• 69cc6bf docs: Change "docs" to "documentation"
• cfc6648 docs(provider): Update azure-ad-b2c.md [skip release] (Test snyk-labs/nodejs-goof#1280)
• 8121f72 docs(adapter): Update Prisma docs [skip release] ([Snyk] Security upgrade node from 14.1.0 to 14.20.0 snyk-labs/nodejs-goof#1279) (Vuln 1 snyk-labs/nodejs-goof#1283)
• 6af40e3 docs(adapter): Update Prisma docs ([Snyk] Security upgrade node from 14.1.0 to 14.20.0 snyk-labs/nodejs-goof#1279)
• e5410c8 Merge pull request from GHSA-pg53-56cg-4m8q
• 748e7b4 fix(page): fix typo in error page
• f4269f7 feat(provider): update session when signIn/signOut successful ([Snyk] Security upgrade tap from 11.1.5 to 14.6.8 snyk-labs/nodejs-goof#1267)
• 15e9d9e docs: Minor text error fixed [skip release] (Kennedyc alves patch 2 snyk-labs/nodejs-goof#1263)
• 487906e fix(ui): use color text var for input color (Refactor CSS with Flexbox snyk-labs/nodejs-goof#1260)
• 5ee84c5 fix(provider): add verificationRequest flag to email signIn callback (Feat/testsnowflakeaction snyk-labs/nodejs-goof#1258)
• 2c81011 chore: don't sync labels with labeler [skip release]
• cb6f787 fix(provider): okta client authentication (adding vulns snyk-labs/nodejs-goof#1257)
• c7f1923 docs(provider): Update Atlassian docs (Docker deployment doesn't work snyk-labs/nodejs-goof#1255)
• afb5082 docs: clarify custom pages usage [skip release] (Testing DevSecOps Checks snyk-labs/nodejs-goof#1239)
• c387f32 feat(provider): add EVE Online provider (chore: test commit snyk-labs/nodejs-goof#1227)
• 562bcf2 feat(ts): preliminary TypeScript support (Circleci project setup snyk-labs/nodejs-goof#1223)
• 690f81e feat(provider): option to disable client-side redirects (credentials) ([Snyk] Upgrade mongoose from 4.2.4 to 6.2.5 snyk-labs/nodejs-goof#1219)
• 909acab Merge branch 'main' into canary [skip release]
• cdc1ac5 docs: Update Providers.Credential Example Block [skip release] (My Test PR snyk-labs/nodejs-goof#1225)
• f2a7ee0 fix: make OAuth 1 work after refactoring (updated packages snyk-labs/nodejs-goof#1218)
• d67f1b7 docs: remove announcement bar [skip release]

See the full diff

Package name: tap

The new version differs by 110 commits.

• fa3f6e2 12.6.2
• b8be134 new computer, phantom png changes
• 3833522 update js-yaml and nyc for vuln advisories
• 1871736 12.6.1
• 066f159 updates for npm audit --fix
• ad3bed4 Passes `-r ts-node/register` argument to node
• 4645ecf Fix font-family typo
• 63ff608 12.6.0
• 040f61f Add --no-esm flag to disable '-r esm' behavior
• e2c0c1d update tap-mocha-reporter
• a73e95b update esm, and audit fix
• 2233376 12.5.3
• b45105f nyc@13.3.0
• 611ced8 12.5.2
• 99a989c update write-file-atomic
• e255dd9 update ts-node and typescript
• b674382 esm@3.2.3
• 555ecd4 including esm.js in stack traces is almost never helpful
• ccf2b44 Don't emit end while waiting for pipes to clear
• d3bf1f7 less impact
• 7fbf13f try something else
• b97f460 fix: allow for pipes to drain
• 740e695 nyc@13.2
• d03f383 12.5.1

See the full diff

With a Snyk patch:

Severity	Issue	Exploit Maturity
	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	No Known Exploit

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic