[Snyk] Fix for 27 vulnerabilities

[snyk-io]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	138/1000 Why? Confidentiality impact: None, Integrity impact: High, Availability impact: None, Scope: Changed, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00091, Social Trends: No, Days since published: 29, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 6.65, Likelihood: 2.06, Score Version: V5	Use of Weak Hash SNYK-JS-CRYPTOJS-6028119	No	No Known Exploit
	124/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00066, Social Trends: No, Days since published: 366, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.06, Score Version: V5	Denial of Service (DoS) SNYK-JS-ENGINEIO-3136336	Yes	No Known Exploit
	193/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00197, Social Trends: No, Days since published: 1239, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 98, Impact: 8.63, Likelihood: 2.23, Score Version: V5	Authorization Bypass SNYK-JS-EXPRESSJWT-575022	Yes	No Known Exploit
	175/1000 Why? Confidentiality impact: Low, Integrity impact: High, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00046, Social Trends: No, Days since published: 336, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 7.84, Likelihood: 2.23, Score Version: V5	Improper Authentication SNYK-JS-JSONWEBTOKEN-3180022	Yes	No Known Exploit
	193/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: High, Attack Vector: Network, EPSS: 0.0005, Social Trends: No, Days since published: 335, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 8.63, Likelihood: 2.23, Score Version: V5	Use of a Broken or Risky Cryptographic Algorithm SNYK-JS-JSONWEBTOKEN-3180026	Yes	No Known Exploit
	63/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00231, Social Trends: No, Days since published: 1010, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.65, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	239/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): High, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00606, Social Trends: No, Days since published: 1010, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 9.79, Likelihood: 2.43, Score Version: V5	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	151/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01362, Social Trends: No, Days since published: 1604, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.67, Score Version: V5	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	150/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1188, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.67, Score Version: V5	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	149/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00117, Social Trends: No, Days since published: 1755, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.64, Score Version: V5	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	133/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): High, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00317, Social Trends: No, Days since published: 1693, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.2, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	114/1000 Why? Confidentiality impact: None, Integrity impact: High, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.0033, Social Trends: No, Days since published: 596, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.9, Score Version: V5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
	148/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00137, Social Trends: No, Days since published: 1016, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 3.52, Score Version: V5	Validation Bypass SNYK-JS-SANITIZEHTML-1070780	Yes	Proof of Concept
	106/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00137, Social Trends: No, Days since published: 1016, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 2.52, Score Version: V5	Access Restriction Bypass SNYK-JS-SANITIZEHTML-1070786	Yes	No Known Exploit
	60/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00112, Social Trends: No, Days since published: 450, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.52, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SANITIZEHTML-2957526	Yes	No Known Exploit
	233/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1172, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Critical, Package Popularity Score: 99, Impact: 9.08, Likelihood: 2.56, Score Version: V5	Arbitrary Code Execution SNYK-JS-SANITIZEHTML-585892	Yes	No Known Exploit
	124/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.0011, Social Trends: No, Days since published: 183, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.06, Score Version: V5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-5596892	Yes	No Known Exploit
	246/1000 Why? Confidentiality impact: Low, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Functional, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 2019, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 7.03, Likelihood: 3.5, Score Version: V5	Uninitialized Memory Exposure npm:base64url:20180511	Yes	Mature
	213/1000 Why? Confidentiality impact: High, Integrity impact: None, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00659, Social Trends: No, Days since published: 3158, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 3.54, Score Version: V5	Authentication Bypass npm:jsonwebtoken:20150331	Yes	Proof of Concept
	163/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: None, Scope: Changed, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 2675, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 9.6, Likelihood: 1.69, Score Version: V5	Forgeable Public/Private Tokens npm:jws:20160726	Yes	No Known Exploit
	140/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00121, Social Trends: No, Days since published: 2107, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.48, Score Version: V5	Prototype Pollution npm:lodash:20180130	No	Proof of Concept
	45/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00581, Social Trends: No, Days since published: 2851, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 1.9, Score Version: V5	Regular Expression Denial of Service (ReDoS) npm:moment:20160126	No	No Known Exploit
	102/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 2586, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.69, Score Version: V5	Regular Expression Denial of Service (ReDoS) npm:moment:20161019	No	No Known Exploit
	40/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00238, Social Trends: No, Days since published: 2185, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Low, Package Popularity Score: 99, Impact: 2.35, Likelihood: 1.67, Score Version: V5	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	No	No Known Exploit
	46/1000 Why? Confidentiality impact: Low, Integrity impact: None, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00132, Social Trends: No, Days since published: 2939, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 1.93, Score Version: V5	Cross-site Scripting (XSS) npm:sanitize-html:20141024	No	No Known Exploit
	48/1000 Why? Confidentiality impact: None, Integrity impact: Low, Availability impact: None, Scope: Changed, Exploit Maturity: No data, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 2669, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.39, Likelihood: 1.96, Score Version: V5	Cross-site Scripting (XSS) npm:sanitize-html:20160801	No	No Known Exploit
	179/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: Functional, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00117, Social Trends: No, Days since published: 2415, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 4.27, Score Version: V5	Cross-site Scripting (XSS) npm:sanitize-html:20161026	No	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: socket.io

The new version differs by 99 commits.

• 8be95b3 chore(release): 4.5.2
• ba497ee fix(uws): prevent the server from crashing after upgrade
• 2803871 ci: add explicit permissions to workflow (#4466)
• 134226e refactor: add missing constraints (#4431)
• 9890b03 chore: bump dependencies
• 713a6b4 chore: bump mocha to version 10.0.0
• 18f3fda fix: prevent the socket from joining a room after disconnection
• 5ab8289 chore(release): 4.5.1
• 30430f0 fix: forward the local flag to the adapter when using fetchSockets()
• 9b43c91 fix(typings): add HTTPS server to accepted types (#4351)
• 8ecfcba chore(release): 4.5.0
• 572133a docs(examples): update example with webpack
• 6e1bb62 chore: bump engine.io to version 6.2.0
• 06e6838 docs(examples): add server bundling example with rollup
• 1f03a44 docs(examples): update create-react-app example (#4347)
• be3d7f0 docs(examples): add TODO example with Postgres and Node.js cluster
• d12aab2 docs(examples): add example with express-session
• 9f75868 docs(examples): pin the version of karma-jasmine-html-reporter
• 0b35dc7 refactor: make the protocol implementation stricter
• 531104d feat: add support for catch-all listeners for outgoing packets
• 8b20457 feat: broadcast and expect multiple acks
• 0b7d70c chore: bump lockfile to v2
• 2f96438 chore: bump engine.io version to fix CVE-2022-21676 (#4262)
• 02c87a8 fix(typings): ensure compatibility with TypeScript 3.x (#4259)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Use of Weak Hash
🦉 Denial of Service (DoS)
🦉 Improper Authentication
🦉 More lessons are available in Snyk Learn