[Snyk] Fix for 15 vulnerabilities

[lewk-snyk]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	169/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00045, Social Trends: No, Days since published: 156, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.81, Score Version: V5	Uncontrolled resource consumption SNYK-JS-BRACES-6838727	Yes	Proof of Concept
	219/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Functional, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00305, Social Trends: No, Days since published: 881, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 3.65, Score Version: V5	Denial of Service (DoS) SNYK-JS-DICER-2311764	No	Mature
	141/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Local, EPSS: 0.01055, Social Trends: No, Days since published: 321, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.35, Score Version: V5	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
	124/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00045, Social Trends: No, Days since published: 156, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.06, Score Version: V5	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	No	No Known Exploit
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-PRINTF-1072096	Yes	No Known Exploit
	115/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 976, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.92, Score Version: V5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	No	No Known Exploit
	/1000 Why?	XML External Entity (XXE) Injection SNYK-JS-XMLDOM-1084960	Yes	No Known Exploit
	/1000 Why?	Improper Input Validation SNYK-JS-XMLDOM-1534562	Yes	No Known Exploit
	/1000 Why?	Prototype Pollution SNYK-JS-XMLDOM-3042242	Yes	No Known Exploit
	/1000 Why?	Improper Input Validation SNYK-JS-XMLDOM-3092935	Yes	Proof of Concept
	/1000 Why?	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	No	Proof of Concept
	58/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00296, Social Trends: No, Days since published: 2577, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Low, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.43, Score Version: V5	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: dustjs-linkedin

The new version differs by 7 commits.

• 5cd5529 Release v3.0.1
• 0d72e0b Merge pull request Circleci project setup snyk-labs/nodejs-goof#808 from sumeetkakkar/topic/update-deps
• b2aaa47 Merge branch 'master' into topic/update-deps
• bd397ea Update tests.yaml: add --legacy-peer-deps to support npm 8 restrictions
• 115f78c dependency update: chokidar
• d951a90 Update tests.yml
• ea9ae70 Create tests.yml

See the full diff

Package name: express-fileupload

The new version differs by 67 commits.

• 4f81fc8 1.4.0
• 78a66c1 Merge pull request [Snyk-dev Update] New fixes for 54 vulnerable dependency paths snyk-labs/nodejs-goof#315 from duterte/master
• 310a382 Merge branch 'richardgirges:master' into master
• f57198b fix linting error
• ce713c2 add workflow job filters
• e47cc7d trigger ci
• 74a0830 Refactor: upgrade to busboy 1.6.0
• d1d6c66 Refactor busboy is no longer a constructor, its a function
• 30d8535 Merge pull request [Snyk-dev] Fix for 5 vulnerable dependencies snyk-labs/nodejs-goof#310 from richardgirges/dependabot/npm_and_yarn/minimist-1.2.6
• e6948f9 Bump minimist from 1.2.5 to 1.2.6
• c9c7d83 Create SECURITY.md
• f9237aa help wanted readme update
• 651421b help wanted readme update
• 290f3cc 1.3.1
• ab3d252 node 12+ support
• 4afa5a1 1.3.0
• fe0ce3f circleci status badge
• 26f4a92 comment out console logs
• edd91ce Merge pull request [Snyk Update] New fixes for 5 vulnerable dependency paths snyk-labs/nodejs-goof#301 from zwade/master
• 47bc50c Merge remote-tracking branch 'origin/master'
• 3ba7d94 Merge pull request [Snyk Update] New fixes for 5 vulnerable dependency paths snyk-labs/nodejs-goof#302 from zwade/zw-fix-tests
• ddf5530 support node 12+. fix security vulnerabilities re: npm audit
• 3cfbc7f Have promiseCallback make callbacks and promises behave the same
• 5e83249 Refactor prototype pollution check to be more comprehensive

See the full diff

Package name: tap

The new version differs by 250 commits.

• 793c1c0 update versions
• 47a2289 add missing @ tapjs/mock service key polyfill
• 6622dca snapshot: update snapshot
• 556e520 mock: actually be resilient against multiple instances
• 2c135b0 Add `t.mockAll` method
• d7e7e4f clean process.cwd() out of snapshots by default
• 4c0dc72 use the released version of tshy
• c858f37 need to check in .tshy configs for typedoc to work
• 82f48cd update versions
• 0f27f73 TypeScript 5.2, use tshy for hybrid builds
• de09096 remove my home directory from parser snapshots
• 46e2bbb repl: mkdirp the .tap dir if missing
• acfae01 link typedocs to main website
• 2ece1da core spawn test even less flaky
• a7a12d2 update typedoc to latest, ts-node to temporary fork
• a5c0e0c some changelog updates
• caf8d81 document repl
• a5dc854 Store t.testdir() fixtures in .tap/fixtures
• 6914d23 remove docs from source control
• 1dcc6a7 exclude test files themselves from coverage
• aff25fc update versions
• c5972e7 core: make spawn timeout test less flaky
• 1c11b37 stack: properly parse ErrnoException errors
• 1280a55 parser: remove node v12 skip check

See the full diff

Package name: testem

The new version differs by 136 commits.

• 6387915 3.4.3
• 2d9f931 Merge pull request #1469 from testem/dependabot/github_actions/actions/setup-node-2.4.0
• a172f62 Merge pull request #1470 from testem/dependabot/npm_and_yarn/path-parse-1.0.7
• ec0a8b0 Merge pull request #1473 from mrloop/xmldom-xmldom
• 2898201 Update xmldom to maintained package release
• 1c4bf1d Bump path-parse from 1.0.6 to 1.0.7
• e01ac22 Bump actions/setup-node from 2.1.5 to 2.4.0
• 152b25f 3.4.2
• 2f9d1df Merge pull request Magnologan patch 11 snyk-labs/nodejs-goof#1459 from testem/socket-4
• 3d74078 feat: socket.io v4.1.2
• ff71d5d Merge pull request npx inline comment test - add token snyk-labs/nodejs-goof#1458 from testem/dependabot/npm_and_yarn/ws-7.4.6
• 3584157 Bump ws from 7.4.4 to 7.4.6
• b3f7865 Merge pull request new vuln snyk-labs/nodejs-goof#1453 from testem/dependabot/npm_and_yarn/underscore-1.13.1
• 18e4f9a Bump underscore from 1.8.3 to 1.13.1
• 6d2b9aa 3.4.1
• 38fb6fb Merge pull request made few changes to package.json snyk-labs/nodejs-goof#1421 from artemgurzhii/fix/CVE-2021-21366
• ad93bb3 fix: CVE-2021-21366
• 8528142 Merge pull request [Snyk] Security upgrade tap from 11.1.5 to 18.0.0 snyk-labs/nodejs-goof#1451 from testem/dependabot/github_actions/GabrielBB/xvfb-action-v1.5
• db71529 Bump GabrielBB/xvfb-action from v1.4 to v1.5
• 50ca9c2 Merge pull request Test branch snyk-labs/nodejs-goof#1448 from testem/dependabot/npm_and_yarn/sinon-10.0.0
• 0e3eb15 Bump sinon from 7.3.2 to 10.0.0
• ad7d326 3.4.0
• 3361ce5 Merge pull request Update package.json snyk-labs/nodejs-goof#1446 from testem/dependabot/npm_and_yarn/sinon-chai-3.6.0
• a8a3d9a Bump sinon-chai from 3.5.0 to 3.6.0

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	58/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00296, Social Trends: No, Days since published: 2577, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Low, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.43, Score Version: V5	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Proof of Concept
	40/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00129, Social Trends: No, Days since published: 2576, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Low, Package Popularity Score: 99, Impact: 2.35, Likelihood: 1.67, Score Version: V5	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No Known Exploit
	53/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00171, Social Trends: No, Days since published: 2711, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Low, Package Popularity Score: 100, Impact: 2.35, Likelihood: 2.23, Score Version: V5	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit
	114/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00112, Social Trends: No, Days since published: 3043, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.89, Score Version: V5	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Uncontrolled resource consumption
🦉 Prototype Pollution
🦉 XML External Entity (XXE) Injection
🦉 More lessons are available in Snyk Learn