[Snyk] Fix for 41 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Denial of Service (DoS) SNYK-JS-EXPRESSFILEUPLOAD-473997	Yes	No Known Exploit
	Prototype Pollution SNYK-JS-JQUERY-174006	Yes	No Known Exploit
	Cross-site Scripting (XSS) SNYK-JS-JQUERY-565129	Yes	No Known Exploit
	Cross-site Scripting (XSS) SNYK-JS-JQUERY-567880	Yes	No Known Exploit
	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-73638	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-174116	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451540	No	No Known Exploit
	Denial of Service (DoS) SNYK-JS-MONGODB-473855	Yes	No Known Exploit
	Information Exposure SNYK-JS-MONGOOSE-472486	Yes	No Known Exploit
	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept
	Arbitrary File Write via Archive Extraction (Zip Slip) npm:adm-zip:20180415	No	Mature
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	No Known Exploit
	Code Injection npm:dustjs-linkedin:20160819	No	No Known Exploit
	Arbitrary Code Execution npm:ejs:20161128	Yes	No Known Exploit
	Cross-site Scripting (XSS) npm:ejs:20161130	Yes	No Known Exploit
	Denial of Service (DoS) npm:ejs:20161130-1	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No	No Known Exploit
	Cross-site Scripting (XSS) npm:jquery:20150627	Yes	No Known Exploit
	Prototype Pollution npm:lodash:20180130	No	No Known Exploit
	Cross-site Scripting (XSS) npm:marked:20150520	No	No Known Exploit
	Cross-site Scripting (XSS) npm:marked:20170112	No	No Known Exploit
	Cross-site Scripting (XSS) npm:marked:20170815	No	No Known Exploit
	Cross-site Scripting (XSS) npm:marked:20170815-1	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:marked:20170907	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:marked:20180225	No	Proof of Concept
	Denial of Service (DoS) npm:mem:20180117	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:moment:20161019	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	No	No Known Exploit
	Remote Memory Exposure npm:mongoose:20160116	No	Mature
	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	Yes	No Known Exploit
	Uninitialized Memory Exposure npm:npmconf:20180512	Yes	Mature
	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:semver:20150403	Yes	No Known Exploit
	Directory Traversal npm:st:20140206	No	Proof of Concept
	Open Redirect npm:st:20171013	Yes	Mature

Commit messages

Package name: adm-zip

The new version differs by 50 commits.

• 80d259f Version bump
• 3f00a03 Fixed [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#176
• 650e752 Fixed wrong date on files (issue [Snyk-dev Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#203)
• d01fa8c Fixed bugs introduced with 0.4.9
• c0cc85d Merge pull request [Snyk Update] New fixes for 2 vulnerable dependency paths snyk-labs/nodejs-goof#219 from jontore/master
• 39c83a2 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#209 from poshta1900/fix
• b94c5dd Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#227 from hhaidar/master
• c95c553 Merge pull request [Snyk Update] New fixes for 16 vulnerable dependency paths snyk-labs/nodejs-goof#228 from jmcollin78/patch-1
• cda668c Fix issue [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#218
• 0f2cb41 Fix octal literals so they work in strict mode
• 888931d To support strict mode use 0o prefix to octal numbers
• 89b6f67 Update package.json
• 9592298 Update README.md
• ce59e5a Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#215 from grnd/master
• 38cb4a4 fix: resolve both target and entry path
• 18c3d31 Update package.json
• 666adec Update package.json
• 499d59b Update package.json
• 62f6400 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#212 from aviadatsnyk/master
• 6f4dfeb fix: prevent extracting archived files outside of target path
• ef0abe6 add try-catch around fs.writeSync
• e116bc1 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#208 from pmuens/patch-1
• 12d2099 Fix data accessing example in README
• 032566b Merge pull request [Snyk-dev Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#204 from BridgeAR/master

See the full diff

Package name: body-parser

The new version differs by 221 commits.

• 0f1bed0 1.17.1
• 0532096 lint: remove unreachable code branches
• b34aab5 build: eslint-config-standard@7.0.0
• 77b1ca1 build: eslint-plugin-markdown@1.0.0-beta.4
• e51dbc5 deps: qs@6.4.0
• 79bc939 1.17.0
• e6140e1 build: Node.js@7.7
• 42f467d deps: qs@6.3.1
• 4954aec build: test against Node.js 8.x nightly
• e2050df build: Node.js@7.6
• 2f941c4 build: Node.js@6.10
• 6549617 build: Node.js@4.8
• d1c2c7f deps: http-errors@~1.6.1
• e7b86ba build: eslint@3.16.1
• 7b630f7 1.16.1
• de574bf build: eslint@3.15.0
• 889bcc9 build: Node.js@7.5
• dba8ac4 deps: debug@2.6.1
• 95a3ebb docs: fix history file with incorrect qs version
• c5a73d5 1.16.0
• 9744dda deps: qs@6.3.0
• 7807757 deps: debug@2.6.0
• 0e44768 lint: use standard style in the README
• 14952be build: eslint-config-standard@6.2.1

See the full diff

Package name: errorhandler

The new version differs by 85 commits.

• c41e9aa 1.4.3
• ffce329 build: istanbul@0.4.2
• 90a8777 build: Node.js@4.2
• 38b745b deps: accepts@~1.3.0
• 80aea51 deps: escape-html@~1.0.3
• b0be93a docs: fix typo in readme
• 2f688d0 build: support Node.js 5.x
• 1238ed4 build: istanbul@0.4.1
• fdeb13c build: mocha@2.3.4
• cc6fd1f build: support Node.js 4.x
• 3a2117a build: support io.js 3.x
• 75b9ee1 build: reduce runtime versions to one per major
• 6797752 tests: add test for util.inspect in HTML response
• b6e53d7 docs: add more documentation regarding util.inspect
• 88b9a58 deps: accepts@~1.2.13
• ac75d3f build: istanbul@0.3.19
• 5ee62b7 deps: escape-html@1.0.3
• 1e89ae7 build: istanbul@0.3.18
• ef1e8f1 build: supertest@1.1.0
• a7a6dce 1.4.2
• 692e2e7 deps: accepts@~1.2.12
• 6f2e8d2 build: io.js@2.5
• 564c117 build: fix running Node.js 0.8 tests on Travis CI
• 2dfd872 1.4.1

See the full diff

Package name: express

The new version differs by 250 commits.

• f974d22 4.16.0
• 8d4ceb6 docs: add more information to installation
• c0136d8 Add express.json and express.urlencoded to parse bodies
• 86f5df0 deps: serve-static@1.13.0
• 4196458 deps: send@0.16.0
• ddeb713 tests: add maxAge option tests for res.sendFile
• 7154014 Add "escape json" setting for res.json and res.jsonp
• 628438d deps: update example dependencies
• a24fd0c Add options to res.download
• 95fb5cc perf: remove dead .charset set in res.jsonp
• 44591fe deps: vary@~1.1.2
• 2df1ad2 Improve error messages when non-function provided as middleware
• 12c3712 Use safe-buffer for improved Buffer API
• fa272ed docs: fix typo in jsdoc comment
• d9d09b8 perf: re-use options object when generating ETags
• 02a9d5f deps: proxy-addr@~2.0.2
• c2f4fb5 deps: finalhandler@1.1.0
• 673d51f deps: utils-merge@1.0.1
• 5cc761c deps: parseurl@~1.3.2
• ad7d96d deps: qs@6.5.1
• e62bb8b deps: etag@~1.8.1
• 70589c3 deps: content-type@~1.0.4
• 9a99c15 deps: accepts@~1.3.4
• 550043c deps: setprototypeof@1.1.0

See the full diff

Package name: marked

The new version differs by 250 commits.

• 529a8d4 Merge pull request Test snyk-labs/nodejs-goof#1441 from styfle/release-0.6.2
• fc5dbf1 🗜️ minify [skip ci]
• b1ddd3c Merge pull request Cgibbs demo 1 snyk-labs/nodejs-goof#1460 from andersk/inline-text-quadratic
• be27472 Improve worst-case performance of inline.text regex
• 6b88601 0.6.2
• ba1de1e 🗜️ minify [skip ci]
• d94253c Merge pull request Pr demo branch snyk-labs/nodejs-goof#1438 from UziTech/html-new-line-fix
• 6eec528 Merge pull request [Snyk] Security upgrade tap from 11.1.5 to 18.0.0 snyk-labs/nodejs-goof#1449 from UziTech/use-htmldiffer
• 0cd0333 remove redundant comments
• ff127c5 use template literals
• a16251d fix test spacing
• da57301 use htmldiffer in file tests & update to node 4
• 621f649 abstract htmldiffer
• 42e816c fix again
• 246dd3d fix whitespace after tag
• f1089fe add test
• 0f0b763 allow html without \n after
• d069d0d Merge pull request Test branch snyk-labs/nodejs-goof#1448 from UziTech/version
• 5d6bde0 Merge pull request [Snyk] Fix for 1 vulnerabilities snyk-labs/nodejs-goof#1444 from UziTech/normalize-tests
• 4760772 fix tests
• df310a8 remove header ids from original tests
• 775d08d move redos tests to /redos folder
• b169e7b add excerpt length constant
• fd9dc21 update deps

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• 40a879b chore: release 5.7.5
• 159457d chore: add vpn black friday as sponsor
• e6285ea Merge pull request #8244 from AbdelrahmanHafez/master
• d9163f5 fix: correct order for declaration
• cec9dda Minor refactor to ValidationError
• 13ae085 docs(index): add favicon to home page
• 96ce0eb style: fix lint
• 973b1e0 docs: add schema options to API docs
• cdfb507 chore: add useUnifiedTopology for tests re: #8212
• 936ddfb fix(update): handle subdocument pre('validate') errors in update validation
• 98b3b09 test(update): repro #7187
• b9c1012 docs(middleware): add note about accessing the document being updated in pre('findOneAndUpdate')
• 327b47a fix(subdocument): make subdocument#isModified use parent document's isModified
• 54db026 test(subdocument): repro #8223
• 89eb449 chore: now working on 5.7.5
• ffbff22 chore: change version for recompiling website
• 0562ca7 chore: add opencollective sponsors: top web design companies, casino top
• ee22c09 chore: now working on 5.7.5
• f3eca5b fix(query): delete top-level `_bsontype` property in queries to prevent silent empty queries
• cc10e0d test(query): repro #8222
• ede5aef chore: release 5.7.4
• 402db1a fix(model): support passing `options` to `Model.remove()`
• 7a20276 fix(schema): handle `required: null` and `required: undefined` as `required: false`
• 9b4a323 test(schema): repro #8219

See the full diff

Package name: ms

The new version differs by 19 commits.

• 9b88d15 2.0.0
• 94b995c Invalidated cache for slack badge
• bcf5715 Bumped dependencies to the latest version
• b1eaab7 Ignored logs coming from npm
• caae298 Limit str to 100 to avoid ReDoS of 0.3s ([Snyk] Fix for 33 vulnerable dependency paths snyk-labs/nodejs-goof#89)
• b83b36d chore(package): update eslint to version 3.19.0 ([Snyk] Fix for 33 vulnerable dependency paths snyk-labs/nodejs-goof#88)
• 3f2a4d7 chore(package): update husky to version 0.13.3 ([Snyk] Fix for 33 vulnerable dependency paths snyk-labs/nodejs-goof#86)
• 7daf984 1.0.0
• ee91f30 More suitable name for file containing tests
• e818c35 Removed browser testing
• c9b1fd3 Test on LTS version of Node
• 389840b Badge for XO removed
• 1fbbe97 Removed component specification
• 57b3ef8 Use `prettier` and `eslint`
• 94068ea Removed XO
• 4b7f48f chore(package): update serve to version 5.0.4 ([Snyk] Fix for 33 vulnerable dependency paths snyk-labs/nodejs-goof#85)
• bd49cec chore(package): update xo to version 0.18.0 ([Snyk] Fix for 33 vulnerable dependency paths snyk-labs/nodejs-goof#84)
• d4a94b1 chore(package): update serve to version 5.0.3 (feat: added support for CloudFoundry snyk-labs/nodejs-goof#83)
• 923eee1 chore(package): update serve to version 5.0.2 ([Snyk Update] New fixes for 2 vulnerable dependency paths snyk-labs/nodejs-goof#82)

See the full diff

Package name: tap

The new version differs by 110 commits.

• fa3f6e2 12.6.2
• b8be134 new computer, phantom png changes
• 3833522 update js-yaml and nyc for vuln advisories
• 1871736 12.6.1
• 066f159 updates for npm audit --fix
• ad3bed4 Passes `-r ts-node/register` argument to node
• 4645ecf Fix font-family typo
• 63ff608 12.6.0
• 040f61f Add --no-esm flag to disable '-r esm' behavior
• e2c0c1d update tap-mocha-reporter
• a73e95b update esm, and audit fix
• 2233376 12.5.3
• b45105f nyc@13.3.0
• 611ced8 12.5.2
• 99a989c update write-file-atomic
• e255dd9 update ts-node and typescript
• b674382 esm@3.2.3
• 555ecd4 including esm.js in stack traces is almost never helpful
• ccf2b44 Don't emit end while waiting for pipes to clear
• d3bf1f7 less impact
• 7fbf13f try something else
• b97f460 fix: allow for pipes to drain
• 740e695 nyc@13.2
• d03f383 12.5.1

See the full diff

With a Snyk patch:

Severity	Issue	Exploit Maturity
	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	No Known Exploit

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic