[Snyk] Fix for 15 vulnerabilities #4

snyk-bot · 2020-11-26T08:33:46Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

✨ Snyk has automatically assigned this pull request, set who gets assigned.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	Yes	No Known Exploit
601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOCHA-561476	Yes	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIM-1017038	No	No Known Exploit
399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	No Known Exploit
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:eslint:20180222	Yes	Proof of Concept
579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	Yes	No Known Exploit
704/1000 Why? Has a fix available, CVSS 9.8	Arbitrary Code Injection npm:growl:20160721	Yes	No Known Exploit
399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	Yes	No Known Exploit
399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	Yes	No Known Exploit
399/1000 Why? Has a fix available, CVSS 3.7	Denial of Service (DoS) npm:superagent:20170807	Yes	No Known Exploit
479/1000 Why? Has a fix available, CVSS 5.3	Information Exposure npm:superagent:20181108	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: body-parser

The new version differs by 92 commits.

b2659a7 1.18.2
6339bf7 perf: remove argument reassignment
d5f9a4a deps: [email protected]
d041563 1.18.1
9efa9ab deps: content-type@~1.0.4
f1ef6cc deps: [email protected]
e438db5 deps: [email protected]
15c3585 deps: [email protected]
adfa01c 1.18.0
0632e2f Include the "type" property on all generated errors
b8f97cd Include the "body" property on verify errors
c659e8a tests: add test for err.body on json parse error
4e15325 tests: reorganize json error tests
5bd7ed5 tests: reorganize json strict option tests
3cb380b tests: store server on mocha context instead of variable shadowing
29c8cd0 docs: document too many parameters error
7b9cb14 Use http-errors to set status code on errors
29a27f1 docs: fix typo in jsdoc comment
448dc57 Fix JSON strict violation error to match native parse error
87df7e6 tests: add leading whitespace strict json test
1841248 deps: [email protected]
e666dbe deps: http-errors@~1.6.2
c2a110a deps: [email protected]
a1a2e31 build: [email protected]

See the full diff

Package name: connect

The new version differs by 25 commits.

e96d53a 3.6.5
9c5e609 deps: [email protected]
32da5af deps: [email protected]
5689353 3.6.4
8878b59 docs: add security policy
61b8084 docs: add expanded People section to README
5fc91dd docs: remove trailing whitespace in README
dc861fc deps: [email protected]
1ba8fab deps: [email protected]
a63e416 build: [email protected]
a971f2a build: [email protected]
863b9d7 lint: add editorconfig and eslint to enforce
5010822 deps: parseurl@~1.3.2
f686ab2 build: [email protected]
777b09a 3.6.3
b800916 build: [email protected]
0b6279d deps: [email protected]
ad2c288 docs: fix typo in app.use example text
b15a29c build: [email protected]
d0aa681 build: use nyc for coverage
8311a45 build: support Node.js 8.x
adcafdf build: simplify gitignore to minimum
8ceedaa build: [email protected]
89f3058 build: [email protected]

See the full diff

Package name: cookie-session

The new version differs by 20 commits.

9e9c681 1.3.2
62a6ec8 deps: [email protected]
3d81629 1.3.1
269e5dd build: [email protected]
84414e9 docs: fix date of 1.3.0 release
6d6c0b5 docs: add some comparison to express-session
0718b0b deps: [email protected]
096353e 1.3.0
dfe1279 build: [email protected]
ef47255 build: [email protected]
3cf0b6c build: support Node.js 4.x - 8.x
0739b01 deps: [email protected]
f8c02a3 build: support io.js 3.x
a53eb76 deps: on-headers@~1.0.1
7eb6a41 build: reduce runtime versions to one per major
64de88f build: [email protected]
f11ffdc deps: [email protected]
c8867bc build: remove unnecessary Travis CI command
92608fb build: [email protected]
e7613aa build: fix running Node.js 0.8 tests on Travis CI

See the full diff

Package name: eslint

The new version differs by 250 commits.

22ff6f3 4.18.2
817b84b Build: changelog update for 4.18.2
6b71fd0 Fix: [email protected], because 4.0.3 needs "ajv": "^6.0.1" (#10022)
3c697de Chore: fix incorrect comment about linter.verify return value (#10030)
9df8653 Chore: refactor parser-loading out of linter.verify (#10028)
f6901d0 Fix: remove catastrophic backtracking vulnerability (fixes #10002) (#10019)
e4f52ce Chore: Simplify dataflow in linter.verify (#10020)
33177cd Chore: make library files non-executable (#10021)
558ccba Chore: refactor directive comment processing (#10007)
18e15d9 Chore: avoid useless catch clauses that just rethrow errors (#10010)
a1c3759 Chore: refactor populating configs with defaults in linter (#10006)
aea07dc Fix: Make max-len ignoreStrings ignore JSXText (fixes #9954) (#9985)
8c237d8 4.18.1
537b5c3 Build: changelog update for 4.18.1
f417506 Fix: ensure no-await-in-loop reports the correct node (fixes #9992) (#9993)
3e99363 Docs: Fixed typo in key-spacing rule doc (#9987)
7c2cd70 Docs: deprecate experimentalObjectRestSpread (#9986)
883a2a2 4.18.0
89d55ca Build: changelog update for 4.18.0
70f22f3 Chore: Apply memoization to config creation within glob utils (#9944)
0e4ae22 Update: fix indent bug with binary operators/ignoredNodes (fixes #9882) (#9951)
47ac478 Update: add named imports and exports for object-curly-newline (#9876)
e8efdd0 Fix: support Rest/Spread Properties (fixes #9885) (#9943)
f012b8c Fix: support Async iteration (fixes #9891) (#9957)

See the full diff

Package name: eslint-plugin-markdown

The new version differs by 40 commits.

a248c9a 1.0.0
902d0f7 Build: changelog update for 1.0.0
2a8482e Fix: `overrides` general docs and Atom linter-eslint tips (fixes #109) (I don't understand how this module works. expressjs/csurf#111)
4a5fd82 1.0.0-rc.1
3920041 Build: changelog update for 1.0.0-rc.1
a2f4492 Fix: Allowing eslint-plugin-prettier to work (fixes #101) (#107)
f9258b7 1.0.0-rc.0
8bc7c0c Build: changelog update for 1.0.0-rc.0
8fe9a0e New: Enable autofix with --fix (fixes #58) (#97)
a5d0cce Fix: Ignore anything after space in code fence's language (fixes #98) (#99)
6fd340d Upgrade: [email protected] (#100)
dff8e9c Fix: Emit correct endLine numbers (Option to pass errors the connect way. expressjs/csurf#88)
83f00d0 Docs: Suggest disabling strict in .md files (fixes #94) (#95)
3b4ff95 Build: Test against Node v10 (#96)
6777977 Breaking: required node version 6+ (Invalid Token when using 'Ignoring Routes' example expressjs/csurf#89)
5582fce Docs: Updating CLA link (#93)
24070e6 Build: Upgrade to [email protected] (#92)
6cfd1f0 Docs: Add unicode-bom to list of unsatisfiable rules (Update split token generation/validation branch from master expressjs/csurf#91)
9ab6173 1.0.0-beta.8
8952ac6 Build: changelog update for 1.0.0-beta.8
a1544c2 Chore: Add .npmrc to disable creating package-lock.json (#90)
47ad3f9 Chore: Replace global comment integration test with unit test (refs Options now looping over object properties using hasOwnProperty() expressjs/csurf#81) (#85)
e34acc6 Fix: Add unicode-bom to unsatisfiable rules (refs ignoreRoutes as extension of ignoreMethods expressjs/csurf#75) (Update readme to highlight the danger of ignoring CSRF checks expressjs/csurf#84)
7c19f8b Fix: Support globals (fixes added example of csurf ignoring routers expressjs/csurf#79) (Options now looping over object properties using hasOwnProperty() expressjs/csurf#81)

See the full diff

Package name: mocha

The new version differs by 250 commits.

eb781e2 Release v6.2.3
10dbe94 update CHANGELOG for v6.2.3 [ci skip]
848d6fb security: update mkdirp, yargs, yargs-parser
843a322 6.2.2
aec8b02 update CHANGELOG for v6.2.2 [ci skip]
7a8b95a npm audit fixes
cebddf2 Improve reporter documentation for mocha in browser. (#4026)
3f7b987 uncaughtException: report more than one exception per test (#4033)
ee82d38 modify alt text of image from Backers to Sponsors inside Sponsors section in Readme (#4046)
e9c036c special-case parsing of "require" in unparseNodeArgs(); closes #4035 (#4063)
954cf0b Fix HTMLCollection iteration to make unhide function work as expected (#4051)
816dc27 uncaughtException: fix double EVENT_RUN_END events (#4025)
9650d3f add OpenJS Foundation logo to website (#4008)
f04b81d Adopt the OpenJSF Code of Conduct (#3971)
aca8895 Add link checking to docs build step (#3972)
ef6c820 Release v6.2.1
9524978 updated CHANGELOG for v6.2.1 [ci skip]
dfdb8b3 Update yargs to v13.3.0 (#3986)
18ad1c1 treat '--require esm' as Node option (#3983)
fcffd5a Update yargs-unparser to v1.6.0 (#3984)
ad4860e Remove extraGlobals() (#3970)
b269ad0 Clarify effect of .skip() (#3947)
1e6cf3b Add Matomo to website (#3765)
91b3a54 fix style on mochajs.org (#3886)

See the full diff

Package name: supertest

The new version differs by 45 commits.

199506d Prepare 3.0.0 release. Small readme updates, update dev libs.
1d82e5b Allow TestAgent pass a cert and key to request (#373)
188f8f2 Update readme (#392)
bd63752 Use superagent 3 (#400)
3c16aa1 Couple small updates to README
5930d2c Change package.json to 2.0.1 version and update engines field.
4d21f0d Remove node 0.12 from travis testing. A little early for 0.12 EOF but I want the new eslint libs which don't support 0.12.
6fcd9b3 Update dev deps. Fix couple lint issues. Add node v6 and remove 0.10 for travis tests.
2026549 Prepare for 2.0.1 release.
e07e981 fix request with content-length > 0 and content-encoding: gzip (#371)
cf9f991 Update Release History for v2.0.0
df45dd7 Handle server not-running & superagent system errors (#348)
054ad57 Prepare for 2.0.0 release.
7ca0574 Upgrade superagent to 2.x (#347)
7d35f22 Change 'super-agent' to 'superagent' in Readme. (#343)
d0c1457 Fix eslint checks .pem (#331)
076ce21 Fix typo on line 74 (#330)
a920af5 MISC Update dev deps, small updates to README.
25665c0 Fix readme for .expect(fn), fixes #253 (#262)
480b9bb Merge pull request #324 from visionmedia/eslint-refactor
af3c013 Slight cleanup to esline rules. Remove some overrides, refactor logic in _assertHeader function.
1849094 Refactor source code to use eslint with airbnb legacy rules.
ecced93 Merge pull request #318 from oskarcieslik/patch-1
a1533e5 Changed example with cookie-parser