[Snyk] Fix for 10 vulnerabilities

[hopetambala]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	624/1000 Why? Has a fix available, CVSS 8.2	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	Yes	No Known Exploit
	601/1000 Why? Recently disclosed, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	Yes	No Known Exploit
	519/1000 Why? Has a fix available, CVSS 6.1	Open Redirect SNYK-JS-EXPRESS-6474509	Yes	No Known Exploit
	469/1000 Why? Has a fix available, CVSS 5.1	Cross-site Scripting SNYK-JS-EXPRESS-7926867	Yes	No Known Exploit
	631/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.2	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
	716/1000 Why? Recently disclosed, Has a fix available, CVSS 8.6	Improper Authorization SNYK-JS-PARSESERVER-8163062	Yes	No Known Exploit
	666/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	319/1000 Why? Has a fix available, CVSS 2.1	Cross-site Scripting SNYK-JS-SEND-7926862	Yes	No Known Exploit
	319/1000 Why? Has a fix available, CVSS 2.1	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: express

The new version differs by 250 commits.

• 8e229f9 4.21.1
• a024c8a fix(deps): cookie@0.7.1
• 7e562c6 4.21.0
• 1bcde96 fix(deps): qs@6.13.0 (#5946)
• 7d36477 fix(deps): serve-static@1.16.2 (#5951)
• 40d2d8f fix(deps): finalhandler@1.3.1
• 77ada90 Deprecate `"back"` magic string in redirects (#5935)
• 21df421 4.20.0
• 4c9ddc1 feat: upgrade to serve-static@0.16.0
• 9ebe5d5 feat: upgrade to send@0.19.0 (#5928)
• ec4a01b feat: upgrade to body-parser@1.20.3 (#5926)
• 54271f6 fix: don't render redirect values in anchor href
• 125bb74 path-to-regexp@0.1.10 (#5902)
• 2a980ad merge-descriptors@1.0.3 (#5781)
• a3e7e05 docs: specify new instructions for `question` and `discuss`
• c5addb9 deps: path-to-regexp@0.1.8 (#5603)
• e35380a docs: add @ IamLizu to the triage team (#5836)
• f5b6e67 docs: update scorecard link (#5814)
• 2177f67 docs: add OSSF Scorecard badge (#5436)
• f4bd86e Replace Appveyor windows testing with GHA (#5599)
• 2ec589c Fix Contributor Covenant link definition reference in attribution section (#5762)
• 4cf7eed remove minor version pinning from ci (#5722)
• 6d08471 📝 update people, add ctcpip to TC (#5683)
• 61421a8 skip QUERY tests for Node 21 only, still not supported (#5695)

See the full diff

Package name: parse-dashboard

The new version differs by 250 commits.

• 408154b chore(release): 6.0.0 [skip ci]
• eabe5a2 build: Release (#2605)
• 32a79e5 empty
• 4c6896b chore(release): 6.0.0-beta.2 [skip ci]
• 374b1a9 build: Release (#2602)
• cd44ff3 empty
• a1e53ab chore(release): 6.0.0-alpha.16 [skip ci]
• 8c4a862 fix: Dashboard not building for Docker platform arm64/v8 (#2534)
• 2242218 refactor: Security upgrade node from 20.14.0-alpine3.20 to 20.17.0-alpine3.20 (#2593)
• 000588b chore(release): 6.0.0-alpha.15 [skip ci]
• 3689106 feat: Add support for Node 22 (#2603)
• 3beef24 docs: Add info panel docs to README (#2601)
• cf6ec88 chore(release): 6.0.0-alpha.14 [skip ci]
• 914cc71 feat: Add data panel to display object related data fetched via Cloud Function (#2584)
• fcfc757 chore(release): 6.0.0-alpha.13 [skip ci]
• 8239cc8 fix: Internal classes `_User`, `_Role`, `_Installation` referenced with pointer don't appear in data browser filter dialog (#2599)
• b7565c2 refactor: Bump qs from 6.5.2 to 6.13.0 (#2595)
• 7c64e3c refactor: Fix for 4 vulnerabilities (#2594)
• cf8b77f refactor: Bump webpack from 5.75.0 to 5.94.0 (#2588)
• 28aeacf chore(release): 6.0.0-alpha.12 [skip ci]
• 6fa2c8c fix: Filter string is erased when changing filter condition (#2586)
• 9f1afda refactor: Bump requirejs from 2.3.6 to 2.3.7 (#2582)
• 843584c chore(release): 6.0.0-alpha.11 [skip ci]
• e146b6f fix: Descriptive statistics for number cells in data browser not showing (#2581)

See the full diff

Package name: parse-server

The new version differs by 250 commits.

• 144781a chore(release): 6.5.9 [skip ci]
• 1bfbccf fix: Custom object ID allows to acquire role privileges ([GHSA-8xq9-g7ch-35hg](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg)) (#9318)
• 12ce46d chore(release): 6.5.8 [skip ci]
• d5290d4 fix: Various vulnerabilities related to cross-site scripting (#9310)
• 52729fd chore(release): 6.5.7 [skip ci]
• f332d54 fix: SQL injection when using Parse Server with PostgreSQL; fixes security vulnerability [GHSA-c2hr-cqg6-8j6r](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r) (#9168)
• 3012ff7 refactor: Security upgrade ws from 8.16.0 to 8.17.1 (#9157)
• 0d5e01c test: Disable OAuth 1 tests with Twitter API (#9162)
• 09ead54 chore(release): 6.5.6 [skip ci]
• 0e92f76 fix: Facebook Limited Login not workind due to incorrect domain in JWT validation (#9120)
• acea93c refactor: Upgrade graphql-relay from 0.10.0 to 0.10.1 (#9096)
• 490898e refactor: Upgrade @ babel/eslint-parser from 7.23.3 to 7.24.1 (#9091)
• 63db281 refactor: Upgrade winston from 3.11.0 to 3.12.0 (#9054)
• 72ba762 refactor: Upgrade express from 4.18.2 to 4.18.3 (#9042)
• eba0da4 refactor: Upgrade @ babel/eslint-parser from 7.21.8 to 7.23.3 (#8868)
• dc53521 ci: Fix auto-release (#9035)
• 9dc0235 chore(release): 6.5.5 [skip ci]
• 5ae6d6a fix: Server crashes on invalid Cloud Function or Cloud Job name; fixes security vulnerability [GHSA-6hh7-46r2-vf29](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29) (#9023)
• 3773203 chore(release): 6.5.4 [skip ci]
• 8ff444d fix: Server crashes when receiving an array of `Parse.Pointer` in the request body (#9012)
• 9cb44c0 chore(release): 6.5.3 [skip ci]
• 09b6a95 ci: Fix auto-release (#9021)
• 422958e fix: Security upgrade follow-redirects from 1.15.5 to 1.15.6 (#9019)
• b8535b3 ci: Fix LTS releases are published as pre-releases (#8989)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)
🦉 Open Redirect
🦉 Regular Expression Denial of Service (ReDoS)