[Snyk] Fix for 24 vulnerabilities

[bentbot]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-MONGODB-473855	Yes	No Known Exploit
	454/1000 Why? Has a fix available, CVSS 4.8	Session Fixation SNYK-JS-PASSPORT-2840631	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-REDIS-1255645	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Insecure Defaults SNYK-JS-SOCKETIO-1024859	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Cross-site Scripting (XSS) SNYK-JS-STRIPTAGS-1312310	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept
	816/1000 Why? Mature exploit, Has a fix available, CVSS 8.6	Uninitialized Memory Exposure npm:base64-url:20180512	No	Mature
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Insecure Defaults npm:engine.io-client:20160426	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Remote Memory Exposure npm:ws:20160104	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20160624	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Insecure Randomness npm:ws:20160920	No	No Known Exploit
	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20171108	No	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: body-parser

The new version differs by 205 commits.

• b2659a7 1.18.2
• 6339bf7 perf: remove argument reassignment
• d5f9a4a deps: [email protected]
• d041563 1.18.1
• 9efa9ab deps: content-type@~1.0.4
• f1ef6cc deps: [email protected]
• e438db5 deps: [email protected]
• 15c3585 deps: [email protected]
• adfa01c 1.18.0
• 0632e2f Include the "type" property on all generated errors
• b8f97cd Include the "body" property on verify errors
• c659e8a tests: add test for err.body on json parse error
• 4e15325 tests: reorganize json error tests
• 5bd7ed5 tests: reorganize json strict option tests
• 3cb380b tests: store server on mocha context instead of variable shadowing
• 29c8cd0 docs: document too many parameters error
• 7b9cb14 Use http-errors to set status code on errors
• 29a27f1 docs: fix typo in jsdoc comment
• 448dc57 Fix JSON strict violation error to match native parse error
• 87df7e6 tests: add leading whitespace strict json test
• 1841248 deps: [email protected]
• e666dbe deps: http-errors@~1.6.2
• c2a110a deps: [email protected]
• a1a2e31 build: [email protected]

See the full diff

Package name: express

The new version differs by 250 commits.

• f974d22 4.16.0
• 8d4ceb6 docs: add more information to installation
• c0136d8 Add express.json and express.urlencoded to parse bodies
• 86f5df0 deps: [email protected]
• 4196458 deps: [email protected]
• ddeb713 tests: add maxAge option tests for res.sendFile
• 7154014 Add "escape json" setting for res.json and res.jsonp
• 628438d deps: update example dependencies
• a24fd0c Add options to res.download
• 95fb5cc perf: remove dead .charset set in res.jsonp
• 44591fe deps: vary@~1.1.2
• 2df1ad2 Improve error messages when non-function provided as middleware
• 12c3712 Use safe-buffer for improved Buffer API
• fa272ed docs: fix typo in jsdoc comment
• d9d09b8 perf: re-use options object when generating ETags
• 02a9d5f deps: proxy-addr@~2.0.2
• c2f4fb5 deps: [email protected]
• 673d51f deps: [email protected]
• 5cc761c deps: parseurl@~1.3.2
• ad7d96d deps: [email protected]
• e62bb8b deps: etag@~1.8.1
• 70589c3 deps: content-type@~1.0.4
• 9a99c15 deps: accepts@~1.3.4
• 550043c deps: [email protected]

See the full diff

Package name: express-session

The new version differs by 232 commits.

• 89fd715 1.15.6
• d4344fb build: [email protected]
• 6cf886d deps: [email protected]
• d190faa deps: [email protected]
• f24d228 lint: run eslint against README
• 44ee046 docs: remove trailing newline in README
• 68e210d deps: parseurl@~1.3.2
• 8b4f668 lint: add editorconfig and eslint to enforce
• 917b03d docs: add memorystore to the list of session stores
• 65781dd build: [email protected]
• 71c9d7c build: [email protected]
• 11b3e97 deps: uid-safe@~2.1.5
• 0e97d6f docs: fix formatting in history
• d63a3e9 1.15.5
• c226301 Fix TypeError when req.url is an empty string
• 62c4d15 tests: add test for mounted middleware
• 8518200 tests: move the cookie path tests
• 2b08370 docs: improve code readability
• 310d288 deps: depd@~1.1.1
• fc60bb6 build: [email protected]
• 521e6bd tests: add leak checking for variables and handles
• 7b26d57 1.15.4
• fc9d474 build: [email protected]
• d367b33 build: [email protected]

See the full diff

Package name: mongodb

The new version differs by 250 commits.

• c6f417e chore(release): 3.1.13
• 210c71d fix(db_ops): ensure we async resolve errors in createCollection
• 5ad9fa9 fix(changeStream): properly handle changeStream event mid-close (#1902)
• e806be4 fix(bulk): honor ignoreUndefined in initializeUnorderedBulkOp
• 050267d fix(*): restore ability to webpack by removing `makeLazyLoader`
• 6e896f4 docs: adding aggregation, createIndex, and runCommand examples
• cb3cd12 chore(release): 3.1.12
• 508d685 Revert "chore(release): 3.2.0"
• e7619aa chore(release): 3.2.0
• d0dc228 chore(travis): include forgotten stage info for sharded builds
• ffbe90b chore(travis): run sharded tests in travis as well
• 9bef6e7 feat(core): update to mongodb-core v3.1.11
• e4bb39e chore(release): 3.1.11
• 76c0130 chore(core): bump version of mongodb-core
• a3adb3f fix(bulk): fix error propagation in empty bulk.execute
• ec0e30e doc(change-streams): correct typo, add missing example
• 10ea992 chore(package): update lock file
• fcb3ec1 test(sharded): reduce some sharded errors
• d4eae97 test(sessions): undo hack for apm events in sessions tests
• 0eaca21 test(sessions): fixing broken session test
• 6790a74 test(sharding): fixing old sharding tests
• 98f0c68 test(sharded): fixing sharded operation test
• c6a9baa test(sessions): fixing session tests in sharded env
• 985f0e9 test(drop): fixing drop assertions for sharded tests

See the full diff

Package name: object-manage

The new version differs by 5 commits.

• d27d842 Update notes and dependencies.
• 844a43a * Remove the ability to use `merge-recursive` from the core package as it
• 5ed5d61 * Update dependencies
• b3a742d release 1.0.0 update deps and readme
• 6e56530 build on the container based travis

See the full diff

Package name: passport

The new version differs by 201 commits.

• c33067b 0.6.0
• 3052bb4 Update changelog.
• 42630cb Merge pull request #900 from jaredhanson/fix-fixation
• 8dd79fe Use utils-merge rather than Object.assign for compatibility.
• 4f6bd5b Change keepSessionData to keepSessionData.
• 46756e5 Silence verbose logging.
• 987b191 Add tests.
• f8a175f Add tests.
• 29a90d6 No need to guard callback existence.
• bfba8a1 Add tests.
• 17111d7 Add option to keep session data on logout.
• a349c2b Add option to keep session data.
• e69834e Add optional options to login and logout.
• 8825a9a Add tests.
• c1991cf Add tests.
• 294f22c Better session detection and exceptions.
• 80cc4e3 Add tests.
• 3001654 Add tests.
• b395106 Clean up tests.
• cfa8259 Add tests.
• ee0bf81 Add tests.
• cc7606c Add tests.
• 71c54f6 Add test.
• 88c1f1b Handle logout without session manager.

See the full diff

Package name: serve-favicon

The new version differs by 104 commits.

• 68b34f5 2.4.5
• 930b0a0 deps: [email protected]
• 8105b88 deps: etag@~1.8.1
• c050d26 2.4.4
• d36c44e deps: [email protected]
• c33f25e deps: parseurl@~1.3.2
• 878c248 tests: use mocha context for server
• e24fa4b deps: [email protected]
• 998dcb5 build: [email protected]
• a5cff5d build: [email protected]
• c2e05e8 build: support Node.js 8.x
• 52cb604 build: [email protected]
• 44c4c6e build: [email protected]
• 9293f89 2.4.3
• 53a3778 deps: [email protected]
• b5b9412 build: [email protected]
• df97c51 build: [email protected]
• dcf75b3 build: [email protected]
• 11108e1 Use safe-buffer for improved Buffer API
• 08135aa tests: use temp-path for paths
• ca3ce4e build: [email protected]
• b450452 2.4.2
• 0b0bf0a build: [email protected]
• 4e083b7 build: [email protected]

See the full diff

Package name: socket.io

The new version differs by 250 commits.

• 1af3267 chore(release): 3.0.0
• 02951c4 chore(release): 3.0.0-rc4
• 54bf4a4 feat: emit an Error object upon middleware error
• aa7574f feat: serve msgpack bundle
• 64056d6 docs(examples): update TypeScript example
• cacad70 chore(release): 3.0.0-rc3
• d16c035 refactor: rename ERROR to CONNECT_ERROR
• 5c73733 feat: add support for catch-all listeners
• 129c641 feat: make Socket#join() and Socket#leave() synchronous
• 0d74f29 refactor(typings): export Socket class
• 7603da7 feat: remove prod dependency to socket.io-client
• a81b9f3 docs(examples): add example with TypeScript
• 20ea6bd docs(examples): add example with ES modules
• 0ce5b4c chore(release): 3.0.0-rc2
• 8a5db7f refactor: remove duplicate _sockets map
• 2a05042 refactor: add additional typings
• 91cd255 fix: close clients with no namespace
• 58b66f8 refactor: hide internal methods and properties
• 669592d feat: move binary detection back to the parser
• 2d2a31e chore: publish the wrapper.mjs file
• ebb0575 chore(release): 3.0.0-rc1
• c0d171f test: use the reconnect event of the Manager
• 9c7a48d test: use the complete export name
• 4bd5b23 feat: throw upon reserved event names

See the full diff

Package name: socket.io-client

The new version differs by 250 commits.

• de2ccff chore(release): 2.4.0
• e9dd12a chore: bump engine.io-client version
• 7248c1e ci: migrate to GitHub Actions
• 4631ed6 chore(release): 2.3.1
• 7f73a28 test: fix tests in IE
• 67c54b8 chore: bump engine.io-parser and socket.io-parser
• 15a52ab test: remove arrow function (for now)
• 050108b fix: fix reconnection after opening socket asynchronously (#1253)
• b570025 chore: bump engine.io-client and downgrade debug
• 1fb1b78 chore: remove unused dependencies
• 0c39f14 docs: add section about Debug / logging on the client side (#1278)
• 6ce02ee docs: add server port in the example (#1359)
• f4a4d89 chore: update package-lock.json file
• 3c1d860 chore: bump component-emitter dependency (#1376)
• b7dbbd2 test: fix race condition in the tests
• 661f1e7 [chore] Release 2.3.0
• 71d7b79 [chore] Bump engine.io-client to version 3.4.0
• 8b4a539 [docs] Add CDN link (#1318)
• 40cf185 [ci] use Node.js 10 for compatibility with Gulp v3
• 3020e45 [chore] Release 2.2.0
• 06e9a4c [chore] Bump dependencies
• 4a93871 [chore] Update the Makefile
• eeafa44 [fix] Remove any reference to the `global` variable
• dfc34e4 [chore] Pin zuul version

See the full diff

Package name: striptags

The new version differs by 18 commits.

• f252a6b Merge pull request from GHSA-qxg5-2qff-p49r
• 2719515 fix: throw TypeError if 'html' is non-string argument
• 27a5dd9 Update README.md example output
• 127f2fb v3.1.1
• f80b3b8 add typings
• 94ceaf6 v3.1.0
• 9ed9eb0 Add IE11 support using minimal polyfill
• 5eb9357 Fix typo in README.md
• 7179485 Add notice about uglifyjs issues
• 7427951 v3.0.1
• 517fd77 Fix AMD bindings and fix AMD test.
• cd53825 v3.0.0
• 9d9a804 Update README.md
• eb4d1f0 Add test for streaming mode w/ allowable_tags.
• adf53b6 Update mocha version and rewrite tests.
• 86e95d2 Remove HTML test coverage command and JSHint config.
• 969cebd Move module back into src/ directory.
• dd1ed03 Rewrite core module.

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn