[Snyk] Fix for 15 vulnerabilities #46

nekia · 2022-10-05T21:31:03Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	Yes	Proof of Concept
509/1000 Why? Has a fix available, CVSS 5.9	Cryptographic Weakness SNYK-JS-JSRSASIGN-1244072	No	No Known Exploit
706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Improper Verification of Cryptographic Signature SNYK-JS-JSRSASIGN-2869122	No	Proof of Concept
489/1000 Why? Has a fix available, CVSS 5.5	Information Exposure SNYK-JS-LOG4JS-2348757	No	No Known Exploit
454/1000 Why? Has a fix available, CVSS 4.8	Session Fixation SNYK-JS-PASSPORT-2840631	No	No Known Exploit
791/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.4	SQL Injection SNYK-JS-SEQUELIZE-2932027	No	Proof of Concept
564/1000 Why? Has a fix available, CVSS 7	SQL Injection SNYK-JS-SEQUELIZE-2959225	No	No Known Exploit
484/1000 Why? Has a fix available, CVSS 5.4	User Interface (UI) Misrepresentation of Critical Information SNYK-JS-SWAGGERUIDIST-2314884	No	No Known Exploit
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	No	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	No	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	No	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	No	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: ajv

The new version differs by 250 commits.

521c3a5 6.12.3
bd7107b Merge pull request #1229 from ajv-validator/dependabot/npm_and_yarn/mocha-8.0.1
9c26bb2 Merge pull request #1234 from ajv-validator/dependabot/npm_and_yarn/eslint-7.3.1
c6a6daa Merge branch 'master' into dependabot/npm_and_yarn/mocha-8.0.1
15eda23 Merge branch 'master' into dependabot/npm_and_yarn/eslint-7.3.1
d6aabb8 test: remove node 8 from travis test
c4801ca Merge pull request #1242 from ajv-validator/refactor
988982d ignore proto properties
f2b1e3d whitespace
65e3678 Merge pull request #1239 from GrahamLea/patch-1
68d72c4 update regex
9c009a9 validate numbers in multipleOf
332b30d Merge pull request #1241 from ajv-validator/refactor
1105fd5 ignore proto properties
65b2f7d validate numbers in schemas during schema compilation
24d4f8f remove code post-processing
fd64fb4 Add link to CSP section in Security section
0e2c346 Add Contents link to CSP section
c581ff3 Clarify limitations of ajv-pack in README
0006f34 Document pre-compiled schemas for CSP in README
140cfa6 Merge pull request #1238 from cvlab/patch-1
e7f0c81 Fix mistype in README.md
54c96b0 Bump eslint from 6.8.0 to 7.3.1
854dbef Bump mocha from 7.2.0 to 8.0.1

See the full diff

Package name: log4js

The new version differs by 126 commits.

9fdbed5 6.4.0
788c7a8 Merge pull request #1150 from log4js-node/update-changelog
7fdb141 chore: updated changelog for 6.4.0
e6bd888 Merge pull request #1151 from log4js-node/feat-zero-backup
ac599e4 allow for zero backup - in sync with https://github.com/fix: allow for zero backups and zero daysToKeep log4js-node/streamroller#74
53248cd Merge pull request #1149 from log4js-node/migrate-daysToKeep-to-numBackups
436d9b4 Merge pull request #1148 from log4js-node/update-docs
d6b017e chore(docs): updated fileSync.md and misc comments
d4617a7 chore(deps): migrated from daysToKeep to numBackups due to streamroller@^3.0.0
0ad0133 Merge pull request #1147 from log4js-node/update-deps
773962b Merge pull request #1146 from log4js-node/update-deps
823bb46 Merge pull request #1145 from log4js-node/update-deps
6cc0035 chore(deps): bump streamroller from 3.0.1 to 3.0.2
0f39859 chore(deps): bump date-format from 4.0.2 to 4.0.3
85ac31e chore(deps-dev): bump eslint from from 8.6.0 to 8.7.0
acd41ef Merge pull request #1144 from log4js-node/refactor
4c4bbe8 chore(refactor): using writer.writable instead of alive for checking
e86a809 Merge pull request #1097 from 4eb0da/datefile-error-handling
34ab3b2 Merge pull request #1143 from log4js-node/update-test
8cba85f chore(test): renamed tap.teardown() to tap.tearDown() for consistency (while both works, only tap.tearDown() is documented)
a0baec2 chore(test): fixed teardown() causing tests to fail due to fs errors on removal
51ac865 Merge pull request #1103 from polo-language/recording-typescript
653a20f Merge pull request #1028 from techmunk/master
43a2199 chore(test): Changed default TAP test suite timeout from 30s to 45s because Windows takes a long time

See the full diff

Package name: passport

The new version differs by 100 commits.

c33067b 0.6.0
3052bb4 Update changelog.
42630cb Merge pull request #900 from jaredhanson/fix-fixation
8dd79fe Use utils-merge rather than Object.assign for compatibility.
4f6bd5b Change keepSessionData to keepSessionData.
46756e5 Silence verbose logging.
987b191 Add tests.
f8a175f Add tests.
29a90d6 No need to guard callback existence.
bfba8a1 Add tests.
17111d7 Add option to keep session data on logout.
a349c2b Add option to keep session data.
e69834e Add optional options to login and logout.
8825a9a Add tests.
c1991cf Add tests.
294f22c Better session detection and exceptions.
80cc4e3 Add tests.
3001654 Add tests.
b395106 Clean up tests.
cfa8259 Add tests.
ee0bf81 Add tests.
cc7606c Add tests.
71c54f6 Add test.
88c1f1b Handle logout without session manager.

See the full diff

Package name: sequelize

The new version differs by 250 commits.

7bb60e3 fix: properly escaoe multiple `$` in `fn` args (#14678)
86d35b1 docs: added nest option inside findAll query (#14683)
2f3b924 fix(postgres): use schema set in sequelize config by default (#14665)
cbdf73e feat: exports types to support typescript >= 4.5 nodenext module (#14620)
a333862 docs(readme): update README to be more like main (#14626)
e1a9c28 fix: kill connection on commit/rollback error (#14535)
b37df96 feat: support cyclic foreign keys (#14499)
e37c572 fix: accept replacements in `ARRAY[]` & followed by `;` (#14518)
6c5f8ec test: disable mysql/mariadb deadlock test (#14514)
87655eb build: fix esdoc (#14513)
ccaa399 fix: do not replace `:replacements` inside of strings (#14472)
5954d2c feat(types): make `Model.init` aware of pre-configured foreign keys (#14370)
0d0aade fix(types): make `WhereOptions` more accurate (#14368)
7e8b707 docs: restore Model api reference & make fail on error (#14323)
ca0e017 test: disable deadlock test for mariadb 10.5.15 (#14314)
62564f7 docs: fix dead link in API reference (#14313)
cdc8881 build: remove v6 docs from repository (#14234)
730af27 docs: document scope whereMergeStrategy option (#14201)
8349c02 feat: add whereScopeStrategy to merge where scopes with Op.and (#14152)
e974e20 feat(types): make `Model.getAttributes` stricter (#14017)
2d339d0 fix: fix typo in query-generator.js error message (#14151)
b80aeed fix(types): update return type of `Model.update` (#14155)
f5c06bd feat(types): infer nullable creation attributes as optional (#14147)
af6cbe6 build(deps): move @ types/validator to prod deps (#14159)

See the full diff

Package name: stomp-broker-js

The new version differs by 81 commits.

317ca32 Update readme, revert mocha for backward nodejs compatibility
f25ce20 Update dependencies, clean
99bf5d2 Update dependencies
7f69a47 clean tests, update version and docs
d7ea044 clean tests, update version and docs
9dc0923 Merge pull request [Snyk] Fix for 3 vulnerabilities #20 from joedski/fix/case-typo-in-main-file
8ce1c94 npm hooks to lint and test preversion and prepublishOnly
2387de2 Removed unnecessary console log
88dc943 Added eslint and fixed linting errors
8d8de4b Merge pull request [Snyk] Security upgrade ws from 5.2.2 to 7.4.6 #16 from starstalk/middleware-hooks
3dc64bf Fix code
48a4570 Merge branch 'master' into middleware-hooks
72c5c66 Merge pull request [Snyk] Security upgrade pygments from 2.1.3 to 2.7.4 #13 from Borewit/fix/example
8d325c3 Merge pull request [Snyk] Security upgrade babel from 2.3.4 to 2.9.1 #15 from starstalk/fix-binary
dd45322 Merge pull request [Snyk] Upgrade fabric-ca-client from 2.2.4 to 2.2.5 #8 from ypetya/master
ed6077c Merge pull request [Snyk] Security upgrade pygments from 2.1.3 to 2.7.4 #14 from szarsti/fix-local-var
4291e82 Improve test expression to make sure that whole frame is tested
401f528 Add tests to make sure binary encoding works
4499875 Do not stringify frame body if it has json already encoded in a Buffer
68347b8 Fix serializing binary frames
a2fdd9d Add mechanism to add/remove middleware hooks
1ad0066 Fix local variable declaration
385c517 Fix server subscription example code
dce5b35 Extract config