[Snyk] Fix for 29 vulnerabilities

[rima-snyk]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	574/1000 Why? Has a fix available, CVSS 7.2	Use of Weak Hash SNYK-JS-CRYPTOJS-6028119	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ENGINEIO-3136336	No	No Known Exploit
	584/1000 Why? Has a fix available, CVSS 7.4	Authorization Bypass SNYK-JS-EXPRESSJWT-575022	Yes	No Known Exploit
	534/1000 Why? Has a fix available, CVSS 6.4	Improper Authentication SNYK-JS-JSONWEBTOKEN-3180022	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Improper Restriction of Security Token Assignment SNYK-JS-JSONWEBTOKEN-3180024	Yes	No Known Exploit
	554/1000 Why? Has a fix available, CVSS 6.8	Use of a Broken or Risky Cryptographic Algorithm SNYK-JS-JSONWEBTOKEN-3180026	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Access Restriction Bypass SNYK-JS-SANITIZEHTML-1070786	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SANITIZEHTML-2957526	Yes	No Known Exploit
	684/1000 Why? Has a fix available, CVSS 9.4	Arbitrary Code Execution SNYK-JS-SANITIZEHTML-585892	Yes	No Known Exploit
	564/1000 Why? Has a fix available, CVSS 7	SQL Injection SNYK-JS-SEQUELIZE-2959225	Yes	No Known Exploit
	629/1000 Why? Has a fix available, CVSS 8.3	Improper Filtering of Special Elements SNYK-JS-SEQUELIZE-3324088	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Information Exposure SNYK-JS-SEQUELIZE-3324089	Yes	No Known Exploit
	529/1000 Why? Has a fix available, CVSS 6.3	Access of Resource Using Incompatible Type ('Type Confusion') SNYK-JS-SEQUELIZE-3324090	Yes	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-SQLITE3-3358947	No	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	No	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	No	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	649/1000 Why? Has a fix available, CVSS 8.7	Forgeable Public/Private Tokens npm:jws:20160726	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:moment:20160126	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:moment:20161019	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	Yes	No Known Exploit
	429/1000 Why? Has a fix available, CVSS 4.3	Cross-site Scripting (XSS) npm:sanitize-html:20141024	No	No Known Exploit
	449/1000 Why? Has a fix available, CVSS 4.7	Cross-site Scripting (XSS) npm:sanitize-html:20160801	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: check-dependencies

The new version differs by 61 commits.

• 03c8847 Tag 2.0.0
• 65d9ef5 Set Node.js requirement in package.json engines to >=18.3
• 4917ab0 Simplify the spawn logic
• fc04cc8 Drop support for the callback interface
• 28257dd Tweak ESLint settings
• dc16e8a Drop the bluebird devDependency
• 412337a Drop fs-extra & graceful-fs devDependencies
• 091279a Drop the findup-sync dependency
• 10ac9c5 Drop lodash.camelcase & minimist dependencies
• 35dce52 Update dependencies
• 2929ba7 Update tested Node.js versions
• 1f514eb Don't invoke `npm prune`, `npm install` is already enough
• 65107d2 Drop support for Bower & the `checkCustomPackageNames` option
• f28ba1b Avoid `git://` URLs, they're no longer supported
• 8fdc6ad Limit allowed `packageManager` values
• 9809f13 Bump word-wrap from 1.2.3 to 1.2.4 ([Snyk] Security upgrade sqlite3 from 5.0.2 to 5.0.3 #58)
• e522471 Bump semver from 7.3.8 to 7.5.2 (Bump jszip from 3.7.1 to 3.10.1 #57)
• 031416d Bump yaml from 2.2.1 to 2.2.2 ([Snyk] Security upgrade @angular/cli from 10.2.4 to 11.1.0 #56)
• dff3ab9 Build: Fix running tests on Windows
• 062005f Build: Update the GitHub Actions config
• ecf138f Build: Update dependencies
• 15c13b3 Build: Remove AppVeyor
• 89b9df0 Build: Update .gitattributes to files always use LF line endings
• db8c172 Build: Tweak GitHub Actions workflow code style

See the full diff

Package name: sequelize

The new version differs by 250 commits.

• d3f5b5a feat: throw an error if attribute includes parentheses (fixes CVE-2023-22578) (#15710)
• 53bd9b7 meta: fix null test getWhereConditions (#15705)
• 13f2e89 fix: accept undefined in where (#15703)
• d9e0728 fix: throw if where receives an invalid value (#15699)
• 48d6193 fix: update moment-timezone version (#15685)
• fd4afa6 feat(types): use retry-as-promised types for retry options to match documentation (#15484)
• 1247c01 feat: add support for bigints (backport of #14485) (#15413)
• 94beace feat(postgres): add support for lock_timeout [#15345] (#15355)
• 7885000 fix(oracle): remove hardcoded maxRows value (#15323)
• bc39fd6 fix: fix parameters not being replaced when after $$ strings (#15307)
• a205765 fix(postgres): invalidate connection after client-side timeout (#15283)
• 67e69cd fix: remove options.model overwrite on bulkUpdate (#15252)
• 00c6da3 fix(types): add instance.dataValues property to model.d.ts (#15240)
• bf98d7c meta: swap Slack links (#15159)
• 7990095 fix: don't treat \ as escape in standard strings, support E-strings, support vars after ->> operator, treat lowercase e as valid e-string prefix (#15139)
• 851daaf fix(types): fix TS 4.9 excessive depth error on `InferAttributes` (v6) (#15135)
• 9dd93b8 fix(types): expose legacy "types" folder in export alias ( #15123)
• 06ad05d feat(oracle): add support for `dialectOptions.connectString` (#15042)
• a44772e feat(snowflake): Add support for `QueryGenerator#tableExistsQuery` (#15087)
• 55051d0 docs: add missing ssl options for sequelize instance (v6) (#15049)
• 5c88734 docs(model): Added paranoid option for Model.BelongsToMany.through (#15065)
• 7203b66 fix(postgres): add custom order direction to subQuery ordering with minified alias (#15056)
• 5f621d7 fix(oracle): add support for Oracle DB 18c CI (#15016)
• 3468378 feat(types): add typescript 4.8 compatibility (#14990)

See the full diff

Package name: socket.io

The new version differs by 6 commits.

• baa6804 chore(release): 2.5.0
• f223178 fix: prevent the socket from joining a room after disconnection
• 226cc16 fix: only set 'connected' to true after middleware execution
• 05e1278 fix: fix race condition in dynamic namespaces
• 22d4bdf fix: ignore packet received after disconnection
• dfded53 chore: update engine.io version to 3.6.0

See the full diff

Package name: sqlite3

The new version differs by 129 commits.

• 6a806f8 v5.1.5
• edb1934 Fixed code execution vulnerability due to Object coercion
• 3a48888 Updated bundled SQLite to v3.41.1
• c1440bd Fixed rpath linker option when using a custom sqlite ([🚀] Fixes for the coding challenges juice-shop/juice-shop#1654)
• 93affa4 Update microsoft/setup-msbuild action to v1.3
• 6f6318e v5.1.4
• aeafe25 Revert "Renamed `master` references to `main`"
• 57ce2d4 Fixed glib compatibility by downgrading to Ubuntu 20
• af8e567 Renamed `master` references to `main`
• 8fd18a3 Extracted function checking code into macro
• 5c94f75 v5.1.3
• aec0d31 Updated bundled SQLite to v3.40.0
• 1980f10 v5.1.2
• 7aa29fe Updated bundled SQLite to v3.39.4
• c4fca9f v5.1.1
• ea71343 Added Darwin ARM64 to prebuilt binaries list in README
• ec154ab Added Darwin ARM64 prebuilt binaries
• 9290d8c v5.1.0
• 9e9079d Updated types file
• 946a3f6 Added ability to receive updates from `sqlite3_update_hook`
• 97cc584 Added yarn.lock to gitignore
• 572f05e Fixed importing `sqlite3#verbose` using destructuring syntax ([🐛] Basket Access challenge solved by switching between two users juice-shop/juice-shop#1632)
• c366ef9 Fixed remaining method declarations (Ugh juice-shop/juice-shop#1633)
• f0090b8 Added `.configure('limit', ...` to library type file

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Use of Weak Hash
🦉 Denial of Service (DoS)
🦉 Improper Authentication
🦉 More lessons are available in Snyk Learn