[Snyk] Fix for 31 vulnerabilities

[tejas002]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Arbitrary File Overwrite SNYK-JS-FSTREAM-174725	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	No	Proof of Concept
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
	703/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.2	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-INI-1048974	No	Proof of Concept
	644/1000 Why? Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	No	Proof of Concept
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	No	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	No	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	No	No Known Exploit
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary File Overwrite SNYK-JS-TAR-174125	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:bson:20180225	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution npm:deep-extend:20180409	No	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:sshpk:20180409	Yes	Proof of Concept
	646/1000 Why? Mature exploit, Has a fix available, CVSS 5.2	Uninitialized Memory Exposure npm:stringstream:20180511	Yes	Mature
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: connect-mongo

The new version differs by 90 commits.

• 63ca966 docs: update readme and bump version to 3.0.0
• aceb1ee chore: bump version to 3.0.0-rc.2
• 0e4a234 test: add test cases on event listener
• e77a7f1 test: replace mocha with jest (null isn't a valid json meanjs/mean#324)
• ad39e88 test: replace deprecated collection.insert to collection.insertOne
• 545c06e docs: update README on testing
• 2d5442e chore: upgrade depns mocha
• 5d3a321 chore: upgrade nyc depns
• 54cd91d chore: upgrade depns
• afb7a12 docs: remove some badges
• 6c2484b docs: update README for supporting version
• c925c92 test: fix test case
• 6827330 chore: bump version to 3.0.0-rc.1
• f62692b ci: update .npmignore
• aa2637d ci: remove node 6 support and add linting in travis
• 801291b fix linting error
• f928547 travis add test on Node 12
• 12275f0 better linting
• eb23b1e linting fix
• 66194c7 bump major version to 3.0.0-rc
• f29084f Wait for client open, before calling db. (Path to social meta brand image is wrong meanjs/mean#321)
• d252bfc Install Stale bot
• 15d91c1 Transparent crypto support (Fix typo meanjs/mean#314)
• 08ccada Update readme refer to latest release to avoid confusion

See the full diff

Package name: gulp

The new version differs by 134 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples ([Snyk] Fix for 1 vulnerable dependencies meanjs/mean#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (Update development.js meanjs/mean#1859)
• 723cbc4 Docs: Fix syntax in recipe example (Swig tempting language is not maintained meanjs/mean#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (Getting a blank page after starting the app for the first time on Windows meanjs/mean#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (Add comment to remind change for mongo replicaset connection (clean branch source) meanjs/mean#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (feat(articles): Simple test enhancement meanjs/mean#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API (How can I run my mean app so that another application can call the backend api (of mean) to perform CRUD operations (on mean app) ? meanjs/mean#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (how to temporally disable the cors ?  meanjs/mean#1609)

See the full diff

Package name: gulp-autoprefixer

The new version differs by 4 commits.

• d008588 4.1.0
• 27816c3 Meta tweaks
• 94f3447 Drop dependency on deprecated gulp-util (Enhancement: Verify user with email meanjs/mean#94)
• 60aead3 Test against Node.js v8 (Update header.client.view.html meanjs/mean#90)

See the full diff

Package name: gulp-csslint

The new version differs by 5 commits.

• c895cee 1.0.1
• 0a47d89 Only test against the latest note and lts
• c40191e Merge pull request [Snyk] Security upgrade gulp-load-plugins from 1.5.0 to 2.0.1 #62 from ladom/no-gulp-util
• 38488da gulp-util removed
• b74cfc3 gulp-util changed

See the full diff

Package name: gulp-csso

The new version differs by 4 commits.

• 9d07cc6 3.0.1
• 1d116fd Update changelog
• 1060fcd Drop dependency on deprecated `gulp-util` ([Snyk] Security upgrade socket.io from 2.0.3 to 3.0.0 #31)
• f488df3 Add links to CSSO release notes

See the full diff

Package name: gulp-eslint

The new version differs by 14 commits.

• 1d79ed0 4.0.1
• 8f7e966 replace all HTTP protocols with HTTPS
• b48a04a remove deprecated gulp-util dependency (disabling JSONP from controllers and from expressjs by default meanjs/mean#213)
• 35eae57 update devDependencies (Social logins do not work for me... what am I missing? meanjs/mean#207)
• 47bd269 use npx to simplify after_script
• 29dbab5 inherit autofix-related props even if `quiet` option is enabled
• a398838 4.0.0
• 18a4299 emit an error when it fails to load an ESLint plugin
• b8bf261 update ESLint from v3 to v4 ("Unexpected request: GET .../.html" on Karma tests meanjs/mean#198)
• c0e82ce use `Buffer.from` instead of `new Buffer`
• e6c67a2 drop support for linting `Stream` contents
• 132d5cc Fix formatting issues in README.md (IOS web app support meanjs/mean#194)
• 7f65378 remove link to config file `globals` doc
• 8ddfb84 correct the type of `globals` option in README

See the full diff

Package name: gulp-imagemin

The new version differs by 41 commits.

• 2f7ecc9 8.0.0
• 1b4baf6 Require Node.js 12.20 and move to ESM
• ed39463 Move to GitHub Actions (LoopBack meanjs/mean#351)
• 8b40da0 Update readme lossless note (added dependencies to package.json meanjs/mean#346)
• 1cbb7c5 7.1.0
• 67cceb3 Update `imagemin-gifsicle` optional dependency
• 97432ea 7.0.0
• aacca91 Require Node.js 10
• 279a91b Replace jpegtran with mozjpeg (2 different views with forms for creating and updating articles - bad practice meanjs/mean#336)
• f4a2255 6.2.0
• 0460c78 Add `silent` option (0.4.0 meanjs/mean#331)
• dfdba76 6.1.1
• 165bf8b Make Gulp an optional peer dependency
• 6c35e59 6.1.0
• 92e224a Update dependencies
• 97cd1c3 6.0.0
• 6e091ed Require Node.js 8
• c1c3346 Create funding.yml
• 8e731f0 5.0.3
• 3e68bd4 Fix another regression of b57f1d6 (Move static files middleware before sessions meanjs/mean#318)
• 3ad32ab 5.0.2
• c7170ba Fix another regression in b57f1d6
• 51bb2ad 5.0.1
• 821dc8a Fix regression in b57f1d6 (Qa quiz meanjs/mean#316)

See the full diff

Package name: gulp-less

The new version differs by 6 commits.

• 7d9df97 4.0.0
• cde149b Update accord to support less@3.0.0 - closes fix getToggleElement on dropdown by updating to angular-bootstrap 0.12.0 #250 meanjs/mean#269
• 453625a 3.5.0
• d706f87 fix(deps): update accord to version 0.28 (Correcting Outdated Docs for Menu Service meanjs/mean#281)
• 9f9e643 3.4.0
• f58e0f7 Remove gulp-util

See the full diff

Package name: gulp-ng-annotate

The new version differs by 6 commits.

• 18ba641 2.1.0
• 998fbc9 Disable package lock
• 002e043 Migrate away from deprecated gulp-util
• edeac0f Fix travis build
• 9ce0ed8 Merge pull request [Snyk] Fix for 1 vulnerabilities #43 from suvjunmd/options
• 5ded9c5 Fixed options link

See the full diff

Package name: gulp-nodemon

The new version differs by 36 commits.

• 7fcbc06 NPM audit. Closes Update signin.client.view.html meanjs/mean#176.
• 5100088 Merge pull request Not showing but return a download item in Tencent's QQ browser(Chrominum). meanjs/mean#174 from JacksonGariety/dependabot/npm_and_yarn/diff-3.5.0
• 7c0c02e Merge pull request Mean.js in a vagrant? meanjs/mean#173 from JacksonGariety/dependabot/npm_and_yarn/growl-1.10.5
• fe95e64 Merge pull request Suggestion: Edit account page profile pic meanjs/mean#172 from JacksonGariety/dependabot/npm_and_yarn/mixin-deep-1.3.2
• a8d4391 Merge pull request Developer Support - Warn when libs are not specified in config meanjs/mean#171 from JacksonGariety/dependabot/npm_and_yarn/lodash-4.17.15
• 3b01d33 Bump diff from 1.0.8 to 3.5.0
• 5bd5530 Bump growl from 1.8.1 to 1.10.5
• c5f4120 Bump mixin-deep from 1.3.1 to 1.3.2
• f634d93 Bump lodash from 2.4.2 to 4.17.15
• 028d498 Version bump
• 5254572 Merge pull request Contributing to modules meanjs/mean#166 from spencerbeggs/master
• ef52e08 Merge pull request Adding Service Layer Implementation meanjs/mean#164 from aal89/master
• 1916114 Removes event-stream module
• 0002c45 Remove yarn.lock
• 495afda Updates nodemon
• 8c46ee1 Added lock file and updated gitignore to include to lock file
• b7cd92d Updated nodemon dependency
• 54f8778 Removed event-stream
• 0e5bb86 Locked event-stream to v3.3.4
• 8ae135f Upgrade depends to avoid flatmap-stream
• b4234a3 Version bump
• 033c27b Merge pull request Sending error stack on 500 server error meanjs/mean#159 from bennyn/patch-1
• 7ce2da0 Support Ctrl + C on Windows
• 1a31fa2 Update nodemon. Remove (erroneously named) "test" folder.

See the full diff

Package name: gulp-rev

The new version differs by 8 commits.

• bb3a3fd 8.1.1
• e46406b Replace gulp-util with smaller modules (fig up - node container cannot connect to mongo container meanjs/mean#237)
• 6c9bcac Remove Code Sponsor
• fe0c551 8.1.0
• 47ffbe0 Bump `rev-path`
• fc74b5b Try out Code Sponsor
• cdf63fa Pass resolved, absolute paths to relPath() (Angular 1.3 meanjs/mean#220) (missing envs for docker / fig in development and test meanjs/mean#222)
• 567c340 Update readme.md (Error: Error setting TTL index on collection meanjs/mean#224)

See the full diff

Package name: gulp-sass

The new version differs by 38 commits.

• 5775044 Update CHANGELOG.md
• 978b8f6 Update to major version 5 (How to do that session expiring automatically? meanjs/mean#802)
• 10eae93 Update changelog for 4.1.1
• 947b26c Upgrade lodash to fix a security issue (fixing typos across documentation in gh-pages meanjs/mean#776)
• 8d6ac29 Update changelog
• 43c0547 4.1.0
• ebe3ec6 Set appropriate file stat times (Request for JSCS meanjs/mean#763)
• 7ab018e Migrate to the lodash package
• fa670c6 4.0.2
• fefa00e Revert package.json version bump
• 98254d2 Fix README typos
• 8a14419 Continue loading Node Sass by default
• 938afbe Add a note about synchronous versus asynchronous speed
• 7cc2db1 Make this package implementation-agnostic
• 643f73b Add documentation for synchronous code options
• 0b3c7e7 4.0.1
• daca90d Merge pull request Support Deploying MEANJS To Cloud Foundry meanjs/mean#681 from DKvistgaard/master
• 71471c2 Declaring logError as function instead of arrow function.
• 450a7b8 4.0.0
• e9b1fe8 Fix node versions in appveyor.yml
• 44be409 Merge pull request adding more client tests causes $location:nobase error meanjs/mean#667 from dlmanning/next
• 7656eff Adopt airbnb eslint preset
• 1293169 Bump autoprefixer@^8.1.0, gulp-postcss@^7.0.1
• 9fa817b Bump gulp-sourcemaps@^2.6.4

See the full diff

Package name: imagemin-pngquant

The new version differs by 7 commits.

• be923c2 6.0.0
• fcf28bb Update to pngquant 2.12.0
• ec458e9 Require Node.js 6
• 6b65fa9 Add `strip` option ([Snyk] Security upgrade ubuntu from latest to 22.10 #44)
• 5c3b75c 5.1.0
• bded797 Bump dependencies
• a89bebb Add support for streams

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• 76fae6d chore: release 5.3.9
• 40d4177 Merge pull request #7213 from NewEraCracker/master
• 751397c fix(document): run setter only once when doing `.set()` underneath a single nested subdoc
• 10837d4 test(document): repro #7196
• 10a63a9 Bump version of bson dependency to match mongodb-core
• d10274e docs(transactions): add example of aborting a transaction
• d245847 Merge branch 'master' of github.com:Automattic/mongoose
• 551a75b chore: add cpc to some pages that were missing it
• 1ca3514 Merge pull request #7210 from gfranco93/patch-1
• c1606b6 Merge pull request #7207 from lineus/fix-7098
• e9d538e Merge pull request #7203 from lineus/fix-7202
• 8f16b67 fix(document): surface errors in subdoc pre validate
• 87005a1 test(document): repro #7187
• 5b1d81c Documentation fix: fixed anchor link
• eebfb36 docs(query): add note re: cursor()
• c1e2617 docs(query): improve find() docs re: #7188
• 526f82d fix(query): run default functions after hydrating the loaded document
• 320d5f8 test(query): repro #7182
• 64c6d15 if our update schema path is a nested array do not skip query casting.
• 5d122e8 test for #7098
• 5ba13a7 refactor(test): move strictQuery tests to query.test.js since they do not use findOneAndUpdate()
• 4121629 chore: refer to correct issue #7178
• 22ed5d2 fix(query): handle strictQuery: 'throw' with nested path correctly
• 8c16354 test(query): repro #7152

See the full diff

Package name: run-sequence

The new version differs by 5 commits.

• 31103da 2.2.1
• 209e46c Drop dependency on deprecated `gulp-util` (Remove space which messes up the url local variable meanjs/mean#100)
• 37e17be 2.2.0
• c450122 Changelog, cleanup for orchestration events change
• 2155560 handle orchestration aborted events (Minor language fixes for front page. meanjs/mean#97)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn