[Snyk] Upgrade: argon2, async, bluebird, body-parser, bunyan, cookie-parser, docdash, ejs, express, express-rate-limit, express-session, external-ip, formidable, geoip-lite, jimp, jsdoc, json2csv, mcc-mnc-list, moment, moment-timezone, mongodb, nginx-conf, nodemailer, properties-parser, puppeteer, request, underscore

[srom23]

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

argon2
from 0.24.0 to 0.40.3 | 30 versions ahead of your current version | 4 months ago
on 2024-05-25
async
from 2.6.3 to 2.6.4 | 1 version ahead of your current version | 2 years ago
on 2022-04-13
bluebird
from 3.5.5 to 3.7.2 | 4 versions ahead of your current version | 5 years ago
on 2019-11-28
body-parser
from 1.19.0 to 1.20.2 | 5 versions ahead of your current version | 2 years ago
on 2023-02-22
bunyan
from 1.8.12 to 1.8.15 | 3 versions ahead of your current version | 4 years ago
on 2021-01-08
cookie-parser
from 1.4.4 to 1.4.6 | 2 versions ahead of your current version | 3 years ago
on 2021-11-16
docdash
from 1.1.1 to 1.2.0 | 1 version ahead of your current version | 5 years ago
on 2020-01-26
ejs
from 2.6.2 to 2.7.4 | 4 versions ahead of your current version | 5 years ago
on 2019-11-19
express
from 4.16.4 to 4.19.2 | 11 versions ahead of your current version | 6 months ago
on 2024-03-25
express-rate-limit
from 5.0.0 to 5.5.1 | 12 versions ahead of your current version | 3 years ago
on 2021-11-06
express-session
from 1.16.2 to 1.18.0 | 5 versions ahead of your current version | 7 months ago
on 2024-01-28
external-ip
from 2.1.1 to 2.3.1 | 1 version ahead of your current version | 4 years ago
on 2020-04-26
formidable
from 1.2.1 to 1.2.6 | 5 versions ahead of your current version | 3 years ago
on 2021-10-30
geoip-lite
from 1.3.7 to 1.4.10 | 12 versions ahead of your current version | 7 months ago
on 2024-02-15
jimp
from 0.6.4 to 0.22.12 | 203 versions ahead of your current version | 7 months ago
on 2024-02-23
jsdoc
from 3.6.3 to 3.6.11 | 8 versions ahead of your current version | 2 years ago
on 2022-07-20
json2csv
from 4.5.2 to 4.5.4 | 2 versions ahead of your current version | 5 years ago
on 2019-10-09
mcc-mnc-list
from 1.0.82 to 1.1.11 | 11 versions ahead of your current version | a year ago
on 2023-04-04
moment
from 2.24.0 to 2.30.1 | 14 versions ahead of your current version | 8 months ago
on 2023-12-27
moment-timezone
from 0.5.26 to 0.5.45 | 19 versions ahead of your current version | 7 months ago
on 2024-02-04
mongodb
from 3.2.7 to 3.7.4 | 42 versions ahead of your current version | a year ago
on 2023-06-21
nginx-conf
from 1.5.0 to 1.7.0 | 2 versions ahead of your current version | 4 years ago
on 2020-12-27
nodemailer
from 6.3.0 to 6.9.14 | 51 versions ahead of your current version | 3 months ago
on 2024-06-19
properties-parser
from 0.3.1 to 0.6.0 | 4 versions ahead of your current version | a year ago
on 2023-05-26
puppeteer
from 1.19.0 to 1.20.0 | 1 version ahead of your current version | 5 years ago
on 2019-09-13
request
from 2.88.0 to 2.88.2 | 1 version ahead of your current version | 5 years ago
on 2020-02-11
underscore
from 1.9.1 to 1.13.7 | 19 versions ahead of your current version | 2 months ago
on 2024-07-24

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	696	Proof of Concept
	Command Injection SNYK-JS-NODEMAILER-1038834	696	Proof of Concept
	Prototype Pollution SNYK-JS-ASYNC-2441827	696	Proof of Concept
	Denial of Service (DoS) SNYK-JS-JPEGJS-2859218	696	Proof of Concept
	Prototype Poisoning SNYK-JS-QS-3153490	696	Proof of Concept
	Prototype Poisoning SNYK-JS-QS-3153490	696	Proof of Concept
	Directory Traversal SNYK-JS-MOMENT-2440688	696	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKDOWNIT-2331914	696	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKDOWNIT-459438	696	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073	696	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082	696	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-584281	696	No Known Exploit
	Prototype Pollution SNYK-JS-MINIMIST-559764	696	Proof of Concept
	Remote Code Execution (RCE) SNYK-JS-BUNYAN-573166	696	No Known Exploit
	Open Redirect SNYK-JS-EXPRESS-6474509	696	No Known Exploit
	Denial of Service (DoS) SNYK-JS-JPEGJS-570039	696	No Known Exploit
	HTTP Header Injection SNYK-JS-NODEMAILER-1296415	696	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-NODEMAILER-6219989	696	Proof of Concept
	Exposure of Sensitive Information to an Unauthorized Actor SNYK-JS-PHIN-6598077	696	No Known Exploit
	Prototype Pollution SNYK-JS-MINIMIST-2429795	696	Proof of Concept

Release notes

Package name: argon2

• 0.40.3 - 2024-05-25
• 0.40.2 - 2024-05-25
  

  Fix issue with publishing tags starting with v

• 0.40.1 - 2024-02-22
• 0.40.0-alpha.3 - 2024-01-10
• 0.40.0-alpha.2 - 2023-12-30
• 0.40.0-alpha.1 - 2023-12-20
• 0.31.2 - 2023-11-04
  

  Note: this is the last version that will support Node 16 since it's support has ended on 2023-09-11. Please upgrade to 18 or preferably 20 as soon as possible.

  What's Changed

  • Fix macos m1 build/release by @ CarsonF in #387
  • Change workflow bridge routes by @ RavelloH in #388

  New Contributors

  • @ CarsonF made their first contribution in #387
  • @ RavelloH made their first contribution in #388

  Full Changelog: v0.31.1...v0.31.2

• 0.31.1 - 2023-09-01
  

  Maintenance release intended to fix missing prebuilts due to failure when building v0.31.0

  Note: v0.31.x will be the last version supporting Node v16. Please update to Node v18 or newer.

  Full Changelog: v0.31.0...v0.31.1

• 0.31.0 - 2023-08-02
  

  What's Changed

  • Security update: bump @ mapbox/node-pre-gyp by @ jdforsythe in #383

  Please update to v0.31.0 as soon as possible.

  New Contributors

  • @ abcfy2 made their first contribution in #371
  • @ jdforsythe made their first contribution in #383

  Full Changelog: v0.30.3...v0.31.0

• 0.30.3 - 2023-01-05
  

  What's Changed

  • Change binding resolution to mitigate "Module parse failed" errors by @ Voltra in #366

  New Contributors

  • @ Voltra made their first contribution in #366

  Full Changelog: v0.30.2...v0.30.3

• 0.30.2 - 2022-11-08
  

  Fixes #362

• 0.30.1 - 2022-10-13
  

  Defaults have been updated to use RFC recommended values, see #360

• 0.29.1 - 2022-08-23
  

  Added builds for FreeBSD, closes #320 and hopefully fixes coder/code-server#4669 coder/code-server#4670

• 0.29.0 - 2022-08-22
  

  MacOS M1 builds are here! We are finally closing #305

  New Contributors

  • @ EmmanouilSpitaliorakis made their first contribution in #346
  • @ gunwd made their first contribution in #348

  Full Changelog: v0.28.7...v0.29.0

• 0.28.7 - 2022-07-03
• 0.28.5 - 2022-03-01
• 0.28.4 - 2022-02-02
• 0.28.3 - 2021-11-25
• 0.28.2 - 2021-06-08
• 0.28.1 - 2021-06-02
• 0.28.0 - 2021-06-02
• 0.27.2 - 2021-03-31
• 0.27.1 - 2020-12-11
• 0.27.0 - 2020-08-13
• 0.26.2 - 2020-04-08
• 0.26.1 - 2020-02-28
• 0.26.0 - 2020-02-11
• 0.25.1 - 2019-11-04
• 0.25.0 - 2019-10-01
• 0.24.1 - 2019-08-27
• 0.24.0 - 2019-06-18

from argon2 GitHub release notes

Package name: async

• 2.6.4 - 2022-04-13
  

  Version 2.6.4

• 2.6.3 - 2019-07-14
  

  Version 2.6.3

from async GitHub release notes

Package name: bluebird

• 3.7.2 - 2019-11-28
  

  Bugfixes:

  • Fixes firefox settimeout not initialized error (#1623)
• 3.7.1 - 2019-10-15
  

  Features:

  • feature

  Bugfixes:

  • Fix (#1614)
  • Fix (#1613)
  • Fix (#1616)
• 3.7.0 - 2019-10-01
  

  Features:

  • Add Promise.allSettled` method (#1606)
• 3.6.0 - 2019-10-01
  

  Features:

  • Add support for AsyncResource (#1403)

  Bugfixes:

  • Fix .reduce generating unhandled rejection events (#1501)
  • Fix Promise.reduce` generating unhandled rejction events (#1502)
  • Fix .map and .filter generating unhandled rejection events (#1487)
  • Fix Promise.map` unhandled rejection events (#1489)
  • Fix cancel skipping upward propagation (#1459)
  • Fix loadTimes deprecation (#1505)
  • Fix Promise.each` maximum stack exceeded error (#1326)
  • Make PromiseRejectionEvent confrom to spec (#1509)
  • Fix false unhandled rejection events (#1468)
• 3.5.5 - 2019-05-24
  

  Features:

  • Added Symbol.toStringTag support to Promise (#1421)

  Bugfixes:

  • Fix error in IE9 (#1591, #1592)
  • Fix error with undefined stack trace (#1537)
  • Fix #catch throwing an error later rather than immediately when passed non-function handler (#1517)

from bluebird GitHub release notes

Package name: body-parser

• 1.20.2 - 2023-02-22
  
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
    • perf: skip value escaping when unnecessary
  • deps: raw-body@2.5.2
• 1.20.1 - 2022-10-06
  
  • deps: qs@6.11.0
  • perf: remove unnecessary object clone
• 1.20.0 - 2022-04-03
  
  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: http-errors@2.0.0
    • deps: depd@2.0.0
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
  • deps: qs@6.10.3
  • deps: raw-body@2.5.1
    • deps: http-errors@2.0.0
• 1.19.2 - 2022-02-16
  
  • deps: bytes@3.1.2
  • deps: qs@6.9.7
    • Fix handling of __proto__ keys
  • deps: raw-body@2.4.3
    • deps: bytes@3.1.2
• 1.19.1 - 2021-12-10
  
  • deps: bytes@3.1.1
  • deps: http-errors@1.8.1
    • deps: inherits@2.0.4
    • deps: toidentifier@1.0.1
    • deps: setprototypeof@1.2.0
  • deps: qs@6.9.6
  • deps: raw-body@2.4.2
    • deps: bytes@3.1.1
    • deps: http-errors@1.8.1
  • deps: safe-buffer@5.2.1
  • deps: type-is@~1.6.18
• 1.19.0 - 2019-04-26
  
  • deps: bytes@3.1.0
    • Add petabyte (pb) support
  • deps: http-errors@1.7.2
    • Set constructor name when possible
    • deps: setprototypeof@1.1.1
    • deps: statuses@'>= 1.5.0 < 2'
  • deps: iconv-lite@0.4.24
    • Added encoding MIK
  • deps: qs@6.7.0
    • Fix parsing array brackets after index
  • deps: raw-body@2.4.0
    • deps: bytes@3.1.0
    • deps: http-errors@1.7.2
    • deps: iconv-lite@0.4.24
  • deps: type-is@~1.6.17
    • deps: mime-types@~2.1.24
    • perf: prevent internal throw on invalid type

from body-parser GitHub release notes

Package name: bunyan

• 1.8.15 - 2021-01-08
  

  version 1.8.15 (2021-01-08)

• 1.8.14 - 2020-06-29
  

  version 1.8.14 (2020-06-29)

• 1.8.13 - 2020-06-24
  

  version 1.8.13 (2020-06-24)

• 1.8.12 - 2017-08-02
  

  version 1.8.12 (2017-08-02)

from bunyan GitHub release notes

Package name: cookie-parser

• 1.4.6 - 2021-11-16
  
  • deps: cookie@0.4.1
• 1.4.5 - 2020-03-15
  
  • deps: cookie@0.4.0
• 1.4.4 - 2019-02-13
  
  • perf: normalize secret argument only once

from cookie-parser GitHub release notes

Package name: docdash

• 1.2.0 - 2020-01-26
  
  • [feature] host fonts locally
  • [feature] separate styles for headers inside user markdown
  • [feature] hide static/private method depending of the config
  • [fix] fix empty source code lines in some browsers
  • [fix] improved viewing theme on smaller screens
• 1.1.1 - 2019-05-21
  
  • [feature] scroll to currently opened method on page load
  • [fix] fixed searching in IE11
  • [fix] hiding/showing find exact match to open only single relevant section

from docdash GitHub release notes

Package name: ejs

• 2.7.4 - 2019-11-19
  

  Bug fixes

  • Fixed Node 4 support, which broke in v2.7.3 (5e42d6c, @ mde)
• 2.7.3 - 2019-11-19
  

  Bug fixes

  • Made the post-install message more discreet by following the example of opencollective-postinstall (228d8e4, @ mde)
• 2.7.2 - 2019-11-13
  

  Features

  • Added support for destructuring locals (#452, @ ExE-Boss)
  • Added support for disabling legacy include directives (#458, #459, @ ExE-Boss)
  • Compiled functions are now shown in the debugger (#456, @ S2-)
  • function.name is now set to the file base name in environments that support this (#466, @ ExE-Boss)

  Bug Fixes

  • The error message when async != true now correctly mention the existence of the async option (#460, @ ExE-Boss)
  • Improved performance of HTML output generation (#470, @ nwoltman)
• 2.7.1 - 2019-09-02
  

  Deprecated:

  • Added deprecation notice for use of require.extensions (@ mde)
• 2.6.2 - 2019-06-15
  
  • Correctly pass custom escape function to includes (@ alecgibson)
  • Fixes for rmWhitespace (@ nwoltman)
  • Examples for client-side EJS compiled with Express middleware (@ mjgs)
  • Make Template constructor public (@ ThisNameWasTaken)
  • Added remove function to cache (@ S2-)
  • Recognize both 'Nix and Windows absolute paths (@ mde)

from ejs GitHub release notes

Package name: express

• 4.19.2 - 2024-03-25
• 4.19.1 - 2024-03-20
  

  What's Changed

  • Fix ci after location patch by @ wesleytodd in #5552
  • fixed un-edited version in history.md for 4.19.0 by @ wesleytodd in #5556

  Full Changelog: 4.19.0...4.19.1

• 4.19.0 - 2024-03-20
  

  What's Changed

  • fix typo in release date by @ UlisesGascon in #5527
  • docs: nominating @ wesleytodd to be project captian by @ wesleytodd in #5511
  • docs: loosen TC activity rules by @ wesleytodd in #5510
  • Add note on how to update docs for new release by @ crandmck in #5541
  • Prevent open redirect allow list bypass due to encodeurl
  • Release 4.19.0 by @ wesleytodd in #5551

  New Contributors

  • @ crandmck made their first contribution in #5541

  Full Changelog: 4.18.3...4.19.0

• 4.18.3 - 2024-02-29
  

  Main Changes

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2

  Other Changes

  • Use https: protocol instead of deprecated git: protocol by @ vcsjones in #5032
  • build: Node.js@16.18 and Node.js@18.12 by @ abenhamdine in #5034
  • ci: update actions/checkout to v3 by @ armujahid in #5027
  • test: remove unused function arguments in params by @ raksbisht in #5124
  • Remove unused originalIndex from acceptParams by @ raksbisht in #5119
  • Fixed typos by @ raksbisht in #5117
  • examples: remove unused params by @ raksbisht in #5113
  • fix: parameter str is not described in JSDoc by @ raksbisht in #5130
  • fix: typos in History.md by @ raksbisht in #5131
  • build : add Node.js@19.7 by @ abenhamdine in #5028
  • test: remove unused function arguments in params by @ raksbisht in #5137
  • use random port in test so it won't fail on already listening by @ rluvaton in #5162
  • tests: use cb() instead of done() by @ kristof-low in #5233
  • examples: remove multipart example by @ riddlew in #5195
  • Update support Node.js@18 in the CI by @ UlisesGascon in #5490
  • Fix favicon-related bug in cookie-sessions example by @ DmytroKondrashov in #5414
  • Release 4.18.3 by @ UlisesGascon in #5505

  New Contributors

  • @ vcsjones made their first contribution in #5032
  • @ abenhamdine made their first contribution in #5034
  • @ armujahid made their first contribution in #5027
  • @ raksbisht made their first contribution in #5124
  • @ rluvaton made their first contribution in #5162
  • @ kristof-low made their first contribution in #5233
  • @ riddlew made their first contribution in