[Snyk] Upgrade: , ws, , , axios, express, fastify, geolib, jsonwebtoken, prisma, socket.io, tsx, zod

[gjovs]

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

@fastify/cors
from 8.2.1 to 8.5.0 | 5 versions ahead of your current version | 9 months ago
on 2023-12-18
ws
from 8.13.0 to 8.18.0 | 9 versions ahead of your current version | 3 months ago
on 2024-07-03
@googlemaps/google-maps-services-js
from 3.3.28 to 3.4.0 | 15 versions ahead of your current version | 5 months ago
on 2024-04-09
@prisma/client
from 4.12.0 to 4.16.2 | 651 versions ahead of your current version | a year ago
on 2023-06-30
axios
from 1.3.4 to 1.7.6 | 24 versions ahead of your current version | 22 days ago
on 2024-08-30
express
from 4.18.2 to 4.19.2 | 4 versions ahead of your current version | 6 months ago
on 2024-03-25
fastify
from 4.15.0 to 4.28.1 | 30 versions ahead of your current version | 3 months ago
on 2024-06-29
geolib
from 3.3.3 to 3.3.4 | 1 version ahead of your current version | a year ago
on 2023-06-01
jsonwebtoken
from 9.0.0 to 9.0.2 | 2 versions ahead of your current version | a year ago
on 2023-08-30
prisma
from 4.12.0 to 4.16.2 | 651 versions ahead of your current version | a year ago
on 2023-06-30
socket.io
from 4.6.1 to 4.7.5 | 7 versions ahead of your current version | 6 months ago
on 2024-03-14
tsx
from 3.12.6 to 3.14.0 | 6 versions ahead of your current version | a year ago
on 2023-10-17
zod
from 3.21.4 to 3.23.8 | 93 versions ahead of your current version | 4 months ago
on 2024-05-08

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Server-side Request Forgery (SSRF) SNYK-JS-AXIOS-7361793	761	Proof of Concept
	Uncaught Exception SNYK-JS-ENGINEIO-5496331	761	No Known Exploit
	Cross-site Request Forgery (CSRF) SNYK-JS-AXIOS-6032459	761	Proof of Concept
	Cross-site Request Forgery (CSRF) SNYK-JS-AXIOS-6032459	761	Proof of Concept
	Prototype Pollution SNYK-JS-AXIOS-6144788	761	No Known Exploit
	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-5596892	761	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ZOD-5925617	761	Proof of Concept
	Improper Handling of Extra Parameters SNYK-JS-FOLLOWREDIRECTS-6141137	761	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	761	Proof of Concept
	Uncaught Exception SNYK-JS-SOCKETIO-7278048	761	No Known Exploit
	Open Redirect SNYK-JS-EXPRESS-6474509	761	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-6124857	761	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-6124857	761	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-FINDMYWAY-8055229	761	No Known Exploit
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	761	Proof of Concept

Release notes

Package name: @fastify/cors

• 8.5.0 - 2023-12-18
  

  What's Changed

  • chore(deps): bump mnemonist from 0.39.5 to 0.39.6 by @ dependabot in #283
  • Revert "fix: support for embedded cors for route params (#278)" by @ climba03003 in #285

  Full Changelog: v8.4.2...v8.5.0

• 8.4.2 - 2023-12-04
  

  What's Changed

  • build(dependabot): ignore tap major updates by @ Fdawgs in #276
  • fix: support for embedded cors for route params by @ mohammedSlimani in #278

  New Contributors

  • @ mohammedSlimani made their first contribution in #278

  Full Changelog: v8.4.1...v8.4.2

• 8.4.1 - 2023-10-29
  

  What's Changed

  • Fix type of OriginCallback by @ ken-browning in #272
  • test: add u unicode flag to regex by @ Fdawgs in #273
  • chore(package): explicitly declare js module type by @ Fdawgs in #274
  • test(index): replace typeof undefined check by @ Fdawgs in #275

  New Contributors

  • @ ken-browning made their first contribution in #272

  Full Changelog: v8.4.0...v8.4.1

• 8.4.0 - 2023-09-19
  

  What's Changed

  • fix documentation, onRequest is default lifecycle stage by @ Uzlopak in #254
  • perf(index): use spread over Object.assign() by @ Fdawgs in #257
  • docs(readme): add plugin compatibility table by @ Fdawgs in #258
  • test: cors headers sent when payload is stream by @ Uzlopak in #260
  • Reduce bundle size by @ timedtext in #266
  • chore(deps-dev): bump @ typescript-eslint/eslint-plugin from 5.62.0 to 6.4.1 by @ dependabot in #267
  • chore(deps-dev): bump tsd from 0.28.1 to 0.29.0 by @ dependabot in #268
  • test: use node: prefix to bypass require.cache call for builtins by @ Fdawgs in #269
  • refactor(vary): use word character inside regex character class by @ Fdawgs in #270

  New Contributors

  • @ timedtext made their first contribution in #266

  Full Changelog: v8.3.0...v8.4.0

• 8.3.0 - 2023-05-25
  

  What's Changed

  • chore(deps-dev): bump typescript from 4.9.5 to 5.0.2 by @ dependabot in #247
  • chore(deps-dev): bump tsd from 0.27.0 to 0.28.0 by @ dependabot in #248
  • ci: only trigger on pushes to main branches by @ Fdawgs in #249
  • chore(deps-dev): bump @ types/node from 18.16.5 to 20.1.0 by @ dependabot in #250
  • Add cacheControl to control caching in CDN by @ brettwillis in #252

  New Contributors

  • @ brettwillis made their first contribution in #252

  Full Changelog: v8.2.1...v8.3.0

• 8.2.1 - 2023-03-14
  

  What's Changed

  • chore(deps-dev): bump tsd from 0.24.1 to 0.25.0 by @ dependabot in #235
  • fix(types): Origin within OriginFunction can be undefined by @ joshmeads in #237
  • chore(.gitignore): add clinic by @ Fdawgs in #239
  • chore(.gitignore): add bun lockfile by @ Fdawgs in #241
  • chore(deps-dev): bump tsd from 0.25.0 to 0.26.0 by @ dependabot in #242
  • chore(deps-dev): bump tsd from 0.26.1 to 0.27.0 by @ dependabot in #245
  • add normalizeCorsOptions and handle wildcards in origin parameter by @ Uzlopak in #244

  New Contributors

  • @ joshmeads made their first contribution in #237

  Full Changelog: v8.2.0...v8.2.1

from @fastify/cors GitHub release notes

Package name: ws

• 8.18.0 - 2024-07-03
  

  Features

  • Added support for Blob (#2229).
• 8.17.1 - 2024-06-16
  

  Bug fixes

  • Fixed a DoS vulnerability (#2231).

  A request with a number of headers exceeding theserver.maxHeadersCount
  threshold could be used to crash a ws server.

  const http = require('http');
  const WebSocket = require('ws');

  const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
  if (count === 2000) break;

  <span class="pl-k">for</span> <span class="pl-kos">(</span><span class="pl-k">let</span> <span class="pl-s1">j</span> <span class="pl-c1">=</span> <span class="pl-c1">0</span><span class="pl-kos">;</span> <span class="pl-s1">j</span> <span class="pl-c1">&lt;</span> <span class="pl-s1">chars</span><span class="pl-kos">.</span><span class="pl-c1">length</span><span class="pl-kos">;</span> <span class="pl-s1">j</span><span class="pl-c1">++</span><span class="pl-kos">)</span> <span class="pl-kos">{</span>
    <span class="pl-k">const</span> <span class="pl-s1">key</span> <span class="pl-c1">=</span> <span class="pl-s1">chars</span><span class="pl-kos">[</span><span class="pl-s1">i</span><span class="pl-kos">]</span> <span class="pl-c1">+</span> <span class="pl-s1">chars</span><span class="pl-kos">[</span><span class="pl-s1">j</span><span class="pl-kos">]</span><span class="pl-kos">;</span>
    <span class="pl-s1">headers</span><span class="pl-kos">[</span><span class="pl-s1">key</span><span class="pl-kos">]</span> <span class="pl-c1">=</span> <span class="pl-s">'x'</span><span class="pl-kos">;</span>
  
    <span class="pl-k">if</span> <span class="pl-kos">(</span><span class="pl-c1">++</span><span class="pl-s1">count</span> <span class="pl-c1">===</span> <span class="pl-c1">2000</span><span class="pl-kos">)</span> <span class="pl-k">break</span><span class="pl-kos">;</span>
  <span class="pl-kos">}</span>
  

  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
  headers: headers,
  host: '127.0.0.1',
  port: wss.address().port
  });

  request.end();
  });

  The vulnerability was reported by Ryan LaPointe in #2230.

  In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the
     --max-http-header-size=size and/or the maxHeaderSize options so
     that no more headers than the server.maxHeadersCount limit can be sent.
  2. Set server.maxHeadersCount to 0 so that no limit is applied.
• 8.17.0 - 2024-04-28
  

  Features

  • The WebSocket constructor now accepts the createConnection option (#2219).

  Other notable changes

  • The default value of the allowSynchronousEvents option has been changed to
    true (#2221).

  This is a breaking change in a patch release. The assumption is that the option
  is not widely used.

• 8.16.0 - 2023-12-26
  

  Features

  • Added the autoPong option (01ba54e).
• 8.15.1 - 2023-12-12
  

  Notable changes

  • The allowMultipleEventsPerMicrotask option has been renamed to
    allowSynchronousEvents (4ed7fe5).

  This is a breaking change in a patch release that could have been avoided with
  an alias, but the renamed option was added only 3 days ago, so hopefully it
  hasn't already been widely used.

• 8.15.0 - 2023-12-09
  

  Features

  • Added the allowMultipleEventsPerMicrotask option (93e3552).
• 8.14.2 - 2023-09-19
  

  Bug fixes

  • Fixed an issue that allowed errors thrown by failed assertions to be
    swallowed when running tests (7f4e1a7).
• 8.14.1 - 2023-09-08
• 8.14.0 - 2023-09-06
• 8.13.0 - 2023-03-10

from ws GitHub release notes

Package name: @googlemaps/google-maps-services-js

• 3.4.0 - 2024-04-09
  

  3.4.0 (2024-04-09)

  Features

  • Added Address Descriptors to Geocoding response. (#1187) (47db368)
• 3.3.42 - 2023-12-12
  

  3.3.42 (2023-12-12)

  Build System

  • deps-dev: bump @ babel/traverse from 7.23.0 to 7.23.2 (#1058) (820544c)
  • deps-dev: bump @ types/jest from 29.5.5 to 29.5.7 (#1070) (8a4ec75)
  • deps-dev: bump @ types/jest from 29.5.7 to 29.5.10 (#1092) (d2b74f1)
  • deps-dev: bump @ types/node from 20.10.0 to 20.10.3 (#1102) (e6cd0e7)
  • deps-dev: bump @ types/node from 20.10.3 to 20.10.4 (#1111) (374b7b6)
  • deps-dev: bump @ types/node from 20.8.4 to 20.8.6 (#1056) (917c616)
  • deps-dev: bump @ types/node from 20.8.6 to 20.8.7 (#1059) (d2ed837)
  • deps-dev: bump @ types/node from 20.8.7 to 20.9.0 (#1080) (3c7cfda)
  • deps-dev: bump @ types/node from 20.9.0 to 20.9.2 (#1087) (d5d5521)
  • deps-dev: bump @ types/node from 20.9.2 to 20.10.0 (#1096) (40030b0)
  • deps-dev: bump @ typescript-eslint/eslint-plugin (#1055) (f1674df)
  • deps-dev: bump @ typescript-eslint/eslint-plugin (#1062) (dbf243b)
  • deps-dev: bump @ typescript-eslint/eslint-plugin (#1071) (b36384e)
  • deps-dev: bump @ typescript-eslint/eslint-plugin (#1073) (4e7ac73)
  • deps-dev: bump @ typescript-eslint/eslint-plugin (#1085) (80697e6)
  • deps-dev: bump @ typescript-eslint/eslint-plugin (#1088) (de1a052)
  • deps-dev: bump @ typescript-eslint/eslint-plugin (#1108) (3701d7e)
  • deps-dev: bump @ typescript-eslint/parser from 6.10.0 to 6.11.0 (#1084) (3e8bcdd)
  • deps-dev: bump @ typescript-eslint/parser from 6.11.0 to 6.12.0 (#1089) (895dbd3)
  • deps-dev: bump @ typescript-eslint/parser from 6.12.0 to 6.13.0 (#1095) (1c42682)
  • deps-dev: bump @ typescript-eslint/parser from 6.13.0 to 6.13.2 (#1103) (b8f1741)
  • deps-dev: bump @ typescript-eslint/parser from 6.7.5 to 6.8.0 (#1057) (1aa5649)
  • deps-dev: bump @ typescript-eslint/parser from 6.8.0 to 6.9.0 (#1063) (4dee296)
  • deps-dev: bump @ typescript-eslint/parser from 6.9.0 to 6.9.1 (#1069) (bd98de5)
  • deps-dev: bump @ typescript-eslint/parser from 6.9.1 to 6.10.0 (#1075) (781ce3e)
  • deps-dev: bump eslint from 8.51.0 to 8.52.0 (#1060) (8f7eb83)
  • deps-dev: bump eslint from 8.52.0 to 8.53.0 (#1077) (36e67f0)
  • deps-dev: bump eslint from 8.53.0 to 8.54.0 (#1090) (67c0e48)
  • deps-dev: bump eslint from 8.54.0 to 8.55.0 (#1101) (56f5d88)
  • deps-dev: bump eslint-config-prettier from 9.0.0 to 9.1.0 (#1099) (4b6f1ae)
  • deps-dev: bump eslint-plugin-jest from 27.4.2 to 27.4.3 (#1061) (e5c37be)
  • deps-dev: bump eslint-plugin-jest from 27.4.3 to 27.6.0 (#1076) (28624ad)
  • deps-dev: bump nock from 13.3.4 to 13.3.7 (#1068) (1a780bc)
  • deps-dev: bump nock from 13.3.7 to 13.3.8 (#1074) (f1bee09)
  • deps-dev: bump nock from 13.3.8 to 13.4.0 (#1094) (04ce099)
  • deps-dev: bump prettier from 3.0.3 to 3.1.0 (#1082) (3c472fd)
  • deps-dev: bump prettier from 3.1.0 to 3.1.1 (#1109) (785ff4a)
  • deps-dev: bump typedoc from 0.25.2 to 0.25.3 (#1067) (eecbe98)
  • deps-dev: bump typedoc from 0.25.3 to 0.25.4 (#1093) (cf24d22)
  • deps-dev: bump typescript from 5.2.2 to 5.3.2 (#1097) (9212502)
  • deps-dev: bump typescript from 5.3.2 to 5.3.3 (#1112) (eedf7b0)
  • deps: bump @ googlemaps/url-signature from 1.0.29 to 1.0.30 (#1110) (4400a37)
  • deps: bump axios from 1.5.1 to 1.6.0 (#1079) (c5e3c9a)
  • deps: bump axios from 1.6.0 to 1.6.1 (#1081) (392a38b)
  • deps: bump axios from 1.6.1 to 1.6.2 (#1091) (031213f)
  • deps: bump crypto-js from 4.1.1 to 4.2.0 (#1066) (51383bf)

  Miscellaneous Chores

  • add eslint and fix problems (#1045) (67e5de8)
  • update workflows to use newer versions (#1046) (52b256f)

  Tests

  • fix places/photo test (#1113) (1be71ac)
• 3.3.41 -