[Snyk] Fix for 28 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	630/1000 Why? Has a fix available, CVSS 8.1	Internal Property Tampering SNYK-JS-BSON-561052	Yes	No Known Exploit
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-I-1726768	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-LODASH-590103	No	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451341	No	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-584281	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-MONGODB-473855	Yes	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MONGOOSE-1086688	Yes	Proof of Concept
	509/1000 Why? Has a fix available, CVSS 5.9	Information Exposure SNYK-JS-MONGOOSE-472486	No	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MPATH-1577289	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MQUERY-1050858	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MQUERY-1089718	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	Yes	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Validation Bypass SNYK-JS-SANITIZEHTML-1070780	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Access Restriction Bypass SNYK-JS-SANITIZEHTML-1070786	Yes	No Known Exploit
	519/1000 Why? Has a fix available, CVSS 6.1	Cross-site Scripting (XSS) SNYK-JS-TINYMCE-1910225	Yes	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Cross-site Scripting (XSS) SNYK-JS-TINYMCE-543825	No	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-TINYMCE-568922	No	Proof of Concept
	694/1000 Why? Has a fix available, CVSS 9.6	Cross-site Scripting (XSS) SNYK-JS-TINYMCE-598223	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: i

The new version differs by 13 commits.

• 71961bd Version bump v0.3.7
• a9a0a8e Fix CVE-2021-3820
• c025e15 Fix formatting
• dace42b Move away from travis
• 22fa473 Merge pull request [Snyk] Security upgrade gatsby from 1.9.279 to 2.0.0 #30 from pksunkara/dependabot/add-v2-config-file
• e84c23a Upgrade to GitHub-native Dependabot
• b267d23 Merge pull request [Snyk] Fix for 1 vulnerabilities #28 from brimworks/patch-1
• 2f47b1c Please add copyright information to the license
• da50027 Fixed "Custom human" example in README ([Snyk] Security upgrade gatsby from 1.9.279 to 2.0.84 #27)
• 4d62cfe Fixed "Custom human" example in README
• 816ecae Upgrade deps
• aee47db Update .travis.yml
• 65926f0 Update .travis.yml

See the full diff

Package name: marked

The new version differs by 250 commits.

• ae01170 chore(release): 4.0.10 [skip ci]
• fceda57 🗜️ build [skip ci]
• 8f80657 fix(security): fix redos vulnerabilities
• c4a3ccd Merge pull request from GHSA-rrrm-qjm4-v8hf
• d7212a6 chore(deps-dev): Bump jasmine from 4.0.0 to 4.0.1 (Update babel-plugin-transform-object-rest-spread to version 6.6.4 🚀 keystonejs/keystone-classic#2352)
• 5a84db5 chore(deps-dev): Bump rollup from 2.62.0 to 2.63.0 ([0.x] Current user not available in when removing item keystonejs/keystone-classic#2350)
• 2bc67a5 chore(deps-dev): Bump markdown-it from 12.3.0 to 12.3.2 (yo keystone Error keystone keystonejs/keystone-classic#2351)
• 98996b8 chore(deps-dev): Bump @ babel/preset-env from 7.16.5 to 7.16.7 (Update babel-core to version 6.6.4 🚀 keystonejs/keystone-classic#2353)
• ebc2c95 chore(deps-dev): Bump highlight.js from 11.3.1 to 11.4.0 (Update react-day-picker to version 1.3.1 🚀 keystonejs/keystone-classic#2354)
• e5171a9 chore(release): 4.0.9 [skip ci]
• 41990a5 🗜️ build [skip ci]
• a9696e2 fix: retain line breaks in tokens properly (Update react-color to version 1.3.8 🚀 keystonejs/keystone-classic#2341)
• 6aacd13 chore(deps-dev): Bump jasmine from 3.10.0 to 4.0.0 (Update express-request-language to version 1.1.4 🚀 keystonejs/keystone-classic#2343)
• 55e5df9 chore(deps-dev): Bump @ babel/core from 7.16.5 to 7.16.7 (static files not correctly handled in node@5.7 keystonejs/keystone-classic#2344)
• 4f4cab4 chore(deps-dev): Bump eslint-plugin-import from 2.25.3 to 2.25.4 (Update babel-core to version 6.6.0 🚀 keystonejs/keystone-classic#2345)
• 97ea9f2 chore(deps-dev): Bump eslint from 8.5.0 to 8.6.0 (Update babel-preset-es2015 to version 6.6.0 🚀 keystonejs/keystone-classic#2346)
• 4c3b853 chore(deps-dev): Bump rollup-plugin-license from 2.6.0 to 2.6.1 (Allow for deletion of LocalFiles keystonejs/keystone-classic#2347)
• 9396896 chore(deps-dev): Bump rollup from 2.61.1 to 2.62.0 (Change e-mail service to Mailgun keystonejs/keystone-classic#2338)
• 103a56c chore(deps-dev): Bump @ babel/preset-env from 7.16.4 to 7.16.5 (Mongoose update is breaking keystonejs/keystone-classic#2333)
• be771c9 chore(deps-dev): Bump eslint from 8.4.1 to 8.5.0 (adding 'mongo options' option and deprecating 'mongo replica set' option keystonejs/keystone-classic#2334)
• 67d5a65 chore(deps-dev): Bump @ babel/core from 7.16.0 to 7.16.5 (external user auth keystonejs/keystone-classic#2335)
• 991493a chore(deps-dev): Bump eslint-plugin-promise from 5.2.0 to 6.0.0 (De-register lists keystonejs/keystone-classic#2336)
• 59375fb chore(release): 4.0.8 [skip ci]
• 4734c82 🗜️ build [skip ci]

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• 07946be chore: release v5.13.9
• 264554f fix: upgrade to mpath v0.8.4 re: security issue
• fc5fc7e fix: peg @ types/bson version to 1.x || 4.0.x to avoid stubbed 4.2.x release
• 1f28237 fix(populate): avoid setting empty array on lean document when populate result is undefined
• 1dc9b45 style: fix lint
• 3f7dfc5 fix(document): make `depopulate()` handle populated paths underneath document arrays
• b34d1d5 fix(index.d.ts): simplify UpdateQuery to avoid "excessively deep and possibly infinite" errors with `extends Document` and `any`
• 2a3399e docs: another layout fix for 5.x docs
• 5bf3c29 chore: update makefile again
• 191678c chore: update makefile re: #10607
• 776fae9 docs: fix up 5.x docs navbar
• a803885 test(typescript): add coverage for #10590
• bf43078 fix(index.d.ts): allow specifying `weights` as an IndexOption
• cb1e787 chore: release 5.13.8
• 5c0140c fix(index.d.ts): add `match` to `VirtualTypeOptions.options`
• 6122f4b docs(api): add `Document#$where` to API docs
• 2871c1b style: fix lint
• 8d00f62 Merge pull request #10587 from osmanakol/master
• 57e729b allow QueryOptions populate parameter use PopulateOptions
• 6c36263 fix(index.d.ts): allow strings for ObjectIds in nested properties
• e90aab1 docs(History): make a note about #10555
• fca0627 style: fix lint
• 6b92599 fix(populate): handle populating subdoc array virtual with sort
• 283d43f test(populate): repro #10552

See the full diff

Package name: sanitize-html

The new version differs by 205 commits.

• fd3cb54 changelog credit
• 6012524 Merge pull request Improving Admin UI performance keystonejs/keystone-classic#460 from apostrophecms/iframe-validation-redux
• 5395e36 markdown
• bff6d9f Merge pull request adding cloudinary image replace on upload option keystonejs/keystone-classic#459 from Aspedm/main
• 1ecf30f pass eslint
• 54851d0 new and interesting iframe validation exploits
• dafee4f Update README.md
• b77e1d9 2.3.1
• bdf7836 Merge pull request Access logged in User object in model? keystonejs/keystone-classic#458 from apostrophecms/stop-idna-iframe-attacks
• 477b032 Updates README to specify node version (Trying to access keystone redirects to my main page keystonejs/keystone-classic#457)
• 5804fa9 changelog
• ca4b62a stop IDNA iframe attacks
• 7229906 Fleshes out changelog message
• 5d6c6e6 Updates the version number
• af6e348 Fixes a typo in the changelog
• 251e14a Merge pull request FieldType: Relationship - {required: true} does not effect keystonejs/keystone-classic#429 from TrySound/upgrade-htmlparser2
• 102c623 Upgrade to v6
• f07bf65 Upgrade htmlparser2
• 6a7b0ca bumps the version number (Matrix/Repeater/Mixed/[Mixed] Field Type keystonejs/keystone-classic#446)
• 4be8a61 Adds acknowledgement to changelog. (Installation fails: Error: No compatible version found: yo@'>=1.2.0-0 <1.3.0-0' keystonejs/keystone-classic#445)
• d59fdac Merge pull request Item filtering in Types.Relationship keystonejs/keystone-classic#444 from aHerbots/patch-1
• 34f00be Update CHANGELOG.md
• 5ae731e Update README.md
• 07d1523 Allow 'tel' links by default

See the full diff

Package name: watchify

The new version differs by 9 commits.

• 7b27a3c 4.0.0
• 5d4842a bump deps (Adds .env to .gitignore keystonejs/keystone-classic#380)
• b840f29 disable package-lock.json
• bae5e02 update chokidar and anymatch (Issue with field.watch keystonejs/keystone-classic#378)
• 3445775 ci: use github actions (Default values are not working on initial fields keystonejs/keystone-classic#379)
• f79e59f Change URLs from "Substack" (someones personal site & acc) to "browserify" (Hogan Templating keystonejs/keystone-classic#369)
• bd2f677 ci: run on more node versions
• 563a90d Merge pull request Add imgur support keystonejs/keystone-classic#367 from Trott/update-readme-badge
• bb2b429 chore: Fix Travis-CI badge in readme.markdown

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

[qasneha4]

go for it.

[qasneha4]

Done