[Snyk] Fix for 15 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

✨ Snyk has automatically assigned this pull request, set who gets assigned.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIM-1017038	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:eslint:20180222	Yes	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	Yes	No Known Exploit
	704/1000 Why? Has a fix available, CVSS 9.8	Arbitrary Code Injection npm:growl:20160721	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Denial of Service (DoS) npm:superagent:20170807	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Information Exposure npm:superagent:20181108	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: body-parser

The new version differs by 92 commits.

• b2659a7 1.18.2
• 6339bf7 perf: remove argument reassignment
• d5f9a4a deps: [email protected]
• d041563 1.18.1
• 9efa9ab deps: content-type@~1.0.4
• f1ef6cc deps: [email protected]
• e438db5 deps: [email protected]
• 15c3585 deps: [email protected]
• adfa01c 1.18.0
• 0632e2f Include the "type" property on all generated errors
• b8f97cd Include the "body" property on verify errors
• c659e8a tests: add test for err.body on json parse error
• 4e15325 tests: reorganize json error tests
• 5bd7ed5 tests: reorganize json strict option tests
• 3cb380b tests: store server on mocha context instead of variable shadowing
• 29c8cd0 docs: document too many parameters error
• 7b9cb14 Use http-errors to set status code on errors
• 29a27f1 docs: fix typo in jsdoc comment
• 448dc57 Fix JSON strict violation error to match native parse error
• 87df7e6 tests: add leading whitespace strict json test
• 1841248 deps: [email protected]
• e666dbe deps: http-errors@~1.6.2
• c2a110a deps: [email protected]
• a1a2e31 build: [email protected]

See the full diff

Package name: connect

The new version differs by 25 commits.

• e96d53a 3.6.5
• 9c5e609 deps: [email protected]
• 32da5af deps: [email protected]
• 5689353 3.6.4
• 8878b59 docs: add security policy
• 61b8084 docs: add expanded People section to README
• 5fc91dd docs: remove trailing whitespace in README
• dc861fc deps: [email protected]
• 1ba8fab deps: [email protected]
• a63e416 build: [email protected]
• a971f2a build: [email protected]
• 863b9d7 lint: add editorconfig and eslint to enforce
• 5010822 deps: parseurl@~1.3.2
• f686ab2 build: [email protected]
• 777b09a 3.6.3
• b800916 build: [email protected]
• 0b6279d deps: [email protected]
• ad2c288 docs: fix typo in app.use example text
• b15a29c build: [email protected]
• d0aa681 build: use nyc for coverage
• 8311a45 build: support Node.js 8.x
• adcafdf build: simplify gitignore to minimum
• 8ceedaa build: [email protected]
• 89f3058 build: [email protected]

See the full diff

Package name: cookie-session

The new version differs by 20 commits.

• 9e9c681 1.3.2
• 62a6ec8 deps: [email protected]
• 3d81629 1.3.1
• 269e5dd build: [email protected]
• 84414e9 docs: fix date of 1.3.0 release
• 6d6c0b5 docs: add some comparison to express-session
• 0718b0b deps: [email protected]
• 096353e 1.3.0
• dfe1279 build: [email protected]
• ef47255 build: [email protected]
• 3cf0b6c build: support Node.js 4.x - 8.x
• 0739b01 deps: [email protected]
• f8c02a3 build: support io.js 3.x
• a53eb76 deps: on-headers@~1.0.1
• 7eb6a41 build: reduce runtime versions to one per major
• 64de88f build: [email protected]
• f11ffdc deps: [email protected]
• c8867bc build: remove unnecessary Travis CI command
• 92608fb build: [email protected]
• e7613aa build: fix running Node.js 0.8 tests on Travis CI

See the full diff

Package name: eslint

The new version differs by 250 commits.

• 22ff6f3 4.18.2
• 817b84b Build: changelog update for 4.18.2
• 6b71fd0 Fix: [email protected], because 4.0.3 needs "ajv": "^6.0.1" (#10022)
• 3c697de Chore: fix incorrect comment about linter.verify return value (#10030)
• 9df8653 Chore: refactor parser-loading out of linter.verify (#10028)
• f6901d0 Fix: remove catastrophic backtracking vulnerability (fixes #10002) (#10019)
• e4f52ce Chore: Simplify dataflow in linter.verify (#10020)
• 33177cd Chore: make library files non-executable (#10021)
• 558ccba Chore: refactor directive comment processing (#10007)
• 18e15d9 Chore: avoid useless catch clauses that just rethrow errors (#10010)
• a1c3759 Chore: refactor populating configs with defaults in linter (#10006)
• aea07dc Fix: Make max-len ignoreStrings ignore JSXText (fixes #9954) (#9985)
• 8c237d8 4.18.1
• 537b5c3 Build: changelog update for 4.18.1
• f417506 Fix: ensure no-await-in-loop reports the correct node (fixes #9992) (#9993)
• 3e99363 Docs: Fixed typo in key-spacing rule doc (#9987)
• 7c2cd70 Docs: deprecate experimentalObjectRestSpread (#9986)
• 883a2a2 4.18.0
• 89d55ca Build: changelog update for 4.18.0
• 70f22f3 Chore: Apply memoization to config creation within glob utils (#9944)
• 0e4ae22 Update: fix indent bug with binary operators/ignoredNodes (fixes #9882) (#9951)
• 47ac478 Update: add named imports and exports for object-curly-newline (#9876)
• e8efdd0 Fix: support Rest/Spread Properties (fixes #9885) (#9943)
• f012b8c Fix: support Async iteration (fixes #9891) (#9957)

See the full diff

Package name: eslint-plugin-markdown

The new version differs by 40 commits.

• a248c9a 1.0.0
• 902d0f7 Build: changelog update for 1.0.0
• 2a8482e Fix: `overrides` general docs and Atom linter-eslint tips (fixes #109) (I don't understand how this module works. expressjs/csurf#111)
• 4a5fd82 1.0.0-rc.1
• 3920041 Build: changelog update for 1.0.0-rc.1
• a2f4492 Fix: Allowing eslint-plugin-prettier to work (fixes #101) (#107)
• f9258b7 1.0.0-rc.0
• 8bc7c0c Build: changelog update for 1.0.0-rc.0
• 8fe9a0e New: Enable autofix with --fix (fixes #58) (#97)
• a5d0cce Fix: Ignore anything after space in code fence's language (fixes #98) (#99)
• 6fd340d Upgrade: [email protected] (#100)
• dff8e9c Fix: Emit correct endLine numbers (Option to pass errors the connect way. expressjs/csurf#88)
• 83f00d0 Docs: Suggest disabling strict in .md files (fixes #94) (#95)
• 3b4ff95 Build: Test against Node v10 (#96)
• 6777977 Breaking: required node version 6+ (Invalid Token when using 'Ignoring Routes' example expressjs/csurf#89)
• 5582fce Docs: Updating CLA link (#93)
• 24070e6 Build: Upgrade to [email protected] (#92)
• 6cfd1f0 Docs: Add unicode-bom to list of unsatisfiable rules (Update split token generation/validation branch from master expressjs/csurf#91)
• 9ab6173 1.0.0-beta.8
• 8952ac6 Build: changelog update for 1.0.0-beta.8
• a1544c2 Chore: Add .npmrc to disable creating package-lock.json (#90)
• 47ad3f9 Chore: Replace global comment integration test with unit test (refs Options now looping over object properties using hasOwnProperty() expressjs/csurf#81) (#85)
• e34acc6 Fix: Add unicode-bom to unsatisfiable rules (refs ignoreRoutes as extension of ignoreMethods expressjs/csurf#75) (Update readme to highlight the danger of ignoring CSRF checks expressjs/csurf#84)
• 7c19f8b Fix: Support globals (fixes added example of csurf ignoring routers expressjs/csurf#79) (Options now looping over object properties using hasOwnProperty() expressjs/csurf#81)

See the full diff

Package name: mocha

The new version differs by 250 commits.

• eb781e2 Release v6.2.3
• 10dbe94 update CHANGELOG for v6.2.3 [ci skip]
• 848d6fb security: update mkdirp, yargs, yargs-parser
• 843a322 6.2.2
• aec8b02 update CHANGELOG for v6.2.2 [ci skip]
• 7a8b95a npm audit fixes
• cebddf2 Improve reporter documentation for mocha in browser. (#4026)
• 3f7b987 uncaughtException: report more than one exception per test (#4033)
• ee82d38 modify alt text of image from Backers to Sponsors inside Sponsors section in Readme (#4046)
• e9c036c special-case parsing of "require" in unparseNodeArgs(); closes #4035 (#4063)
• 954cf0b Fix HTMLCollection iteration to make unhide function work as expected (#4051)
• 816dc27 uncaughtException: fix double EVENT_RUN_END events (#4025)
• 9650d3f add OpenJS Foundation logo to website (#4008)
• f04b81d Adopt the OpenJSF Code of Conduct (#3971)
• aca8895 Add link checking to docs build step (#3972)
• ef6c820 Release v6.2.1
• 9524978 updated CHANGELOG for v6.2.1 [ci skip]
• dfdb8b3 Update yargs to v13.3.0 (#3986)
• 18ad1c1 treat '--require esm' as Node option (#3983)
• fcffd5a Update yargs-unparser to v1.6.0 (#3984)
• ad4860e Remove extraGlobals() (#3970)
• b269ad0 Clarify effect of .skip() (#3947)
• 1e6cf3b Add Matomo to website (#3765)
• 91b3a54 fix style on mochajs.org (#3886)

See the full diff

Package name: supertest

The new version differs by 45 commits.

• 199506d Prepare 3.0.0 release. Small readme updates, update dev libs.
• 1d82e5b Allow TestAgent pass a cert and key to request (#373)
• 188f8f2 Update readme (#392)
• bd63752 Use superagent 3 (#400)
• 3c16aa1 Couple small updates to README
• 5930d2c Change package.json to 2.0.1 version and update engines field.
• 4d21f0d Remove node 0.12 from travis testing. A little early for 0.12 EOF but I want the new eslint libs which don't support 0.12.
• 6fcd9b3 Update dev deps. Fix couple lint issues. Add node v6 and remove 0.10 for travis tests.
• 2026549 Prepare for 2.0.1 release.
• e07e981 fix request with content-length > 0 and content-encoding: gzip (#371)
• cf9f991 Update Release History for v2.0.0
• df45dd7 Handle server not-running & superagent system errors (#348)
• 054ad57 Prepare for 2.0.0 release.
• 7ca0574 Upgrade superagent to 2.x (#347)
• 7d35f22 Change 'super-agent' to 'superagent' in Readme. (#343)
• d0c1457 Fix eslint checks .pem (#331)
• 076ce21 Fix typo on line 74 (#330)
• a920af5 MISC Update dev deps, small updates to README.
• 25665c0 Fix readme for .expect(fn), fixes #253 (#262)
• 480b9bb Merge pull request #324 from visionmedia/eslint-refactor
• af3c013 Slight cleanup to esline rules. Remove some overrides, refactor logic in _assertHeader function.
• 1849094 Refactor source code to use eslint with airbnb legacy rules.
• ecced93 Merge pull request #318 from oskarcieslik/patch-1
• a1533e5 Changed example with cookie-parser

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

👩‍💻 Set who automatically gets assigned

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic