[Snyk] Fix for 58 vulnerabilities #68

baophucct · 2023-12-19T17:09:45Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	Yes	Proof of Concept
616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	Yes	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	Yes	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JS-AXIOS-174505	Yes	Proof of Concept
676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Cross-site Request Forgery (CSRF) SNYK-JS-AXIOS-6032459	Yes	Proof of Concept
658/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-6124857	Yes	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-COOKIEJAR-3149984	Yes	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	Yes	Proof of Concept
636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-DOTPROP-543489	Yes	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	Yes	Proof of Concept
344/1000 Why? Has a fix available, CVSS 2.6	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2396346	Yes	No Known Exploit
579/1000 Why? Has a fix available, CVSS 7.3	Arbitrary File Overwrite SNYK-JS-FSTREAM-174725	No	No Known Exploit
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	No	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-GRPC-598671	Yes	Proof of Concept
584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
504/1000 Why? Has a fix available, CVSS 5.8	Prototype Pollution SNYK-JS-HIGHLIGHTJS-1045326	No	No Known Exploit
703/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.2	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-INI-1048974	Yes	Proof of Concept
644/1000 Why? Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	Yes	No Known Exploit
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-NODEFORGE-598677	Yes	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	No	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
/1000 Why?	Arbitrary File Overwrite SNYK-JS-TAR-174125	No	Proof of Concept
/1000 Why?	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	No	Proof of Concept
/1000 Why?	Prototype Pollution SNYK-JS-Y18N-1021887	Yes	Proof of Concept
711/1000 Why? Mature exploit, Has a fix available, CVSS 6.5	Uninitialized Memory Exposure npm:atob:20180429	Yes	Mature
741/1000 Why? Mature exploit, Has a fix available, CVSS 7.1	Uninitialized Memory Exposure npm:base64url:20180511	Yes	Mature
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	No	Proof of Concept
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:bson:20180225	No	Proof of Concept
434/1000 Why? Has a fix available, CVSS 4.4	Time of Check Time of Use (TOCTOU) npm:chownr:20180731	Yes	No Known Exploit
479/1000 Why? Has a fix available, CVSS 5.3	Insecure Randomness npm:cryptiles:20180710	Yes	No Known Exploit
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	Proof of Concept
686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution npm:deep-extend:20180409	No	Proof of Concept
579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	Yes	No Known Exploit
636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:sshpk:20180409	Yes	Proof of Concept
646/1000 Why? Mature exploit, Has a fix available, CVSS 5.2	Uninitialized Memory Exposure npm:stringstream:20180511	Yes	Mature
509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: axios

The new version differs by 250 commits.

a64050a Releasing 0.21.1
d57cd97 Updating changelog for 0.21.1 release
8b0f373 Use different socket for Win32 test (#3375)
e426910 Protocol not parsed when setting proxy config from env vars (#3070)
c7329fe Hotfix: Prevent SSRF (#3410)
f472e5d Adding a type guard for `AxiosError` (#2949)
7688255 Remove the skipping of the `socket` http test (#3364)
820fe6e Updating axios in types to be lower case (#2797)
94ca24b Releasing 0.21.0
2130a0c Updating changelog for 0.21.0 release
fbdc150 Lock travis to not use node v15 (#3361)
3a8b87d Fixing an issue that type 'null' and 'undefined' is not assignable to validateStatus when typescript strict option is enabled (#3200)
9a78465 Revert "Fixing overwrite Blob/File type as Content-Type in browser. (#1773)" (#3289)
6d05b96 Fix typos (#3309)
fa36737 fix axios.delete ignores config.data (#3282)
b7e954e Fixing node types (#3237)
04d45f2 Fixing requestHeaders.Authorization (#3287)
e8c6e19 docs: Fix simple typo, existant -> existent (#3252)
0d87655 Releasing 0.20.0
cd27741 Updating changelog for 0.20.0 release
ffea034 Releasing 0.20.0-0
fe147fb Updating changlog for 0.20.0 beta release
16aa2ce Fixing response with utf-8 BOM can not parse to json (#2419)
c4300a8 Adding support for URLSearchParams in node (#1900)

See the full diff

Package name: chai-http

The new version differs by 92 commits.

a3715c4 4.4.0
83f4f9e build
ce9866f Dependency updates to fix security vulnerabilities (Update trustwallet/trust-ray#306)
dbba17c ci: update npm token (Device type trustwallet/trust-ray#289)
0c2c350 docs: add badges to the README
be1d005 ci: don't run publish-npm job unless push
0e78cee build(dev-deps): update semantic-release packages to latest versions
ee4952e docs: update README examples to modern syntax
233118b feat: drop support for node < 10
04ebb3d ci: update release token (Getting user balance for a token trustwallet/trust-ray#287)
edb5bca docs: add auth example with Bearer Token (Update trustwallet/trust-ray#282)
56e15ff ci: install node deps before release (Update @types/mongoose to the latest version 🚀 trustwallet/trust-ray#285)
55c0e80 ci: use correct `event_name` property (Update trustwallet/trust-ray#284)
c34b299 ci: correctly template github event in `if` condition for release (Add Amon trustwallet/trust-ray#283)
4a196eb feat(deps): update superagent to ^6.1.0 (Update trustwallet/trust-ray#281)
601854f Build: Use GitHub Actions for CI/CD (Implement 721 parsing! Let's do it! trustwallet/trust-ray#255)
50d9db4 feat: add charset assertion (Update express-validator to the latest version 🚀 trustwallet/trust-ray#253)
7f5f260 docs: add extended request method explanations (Tokens show balance trustwallet/trust-ray#256)
7f9a8a5 ci: build before release, commit assets, remove .npmrc (Faster tokens fetch trustwallet/trust-ray#252)
9a99ed4 Merge pull request Update trustwallet/trust-ray#250 from chaijs/ci/fix-tokens
cfd84e3 ci: add secure variables to release stage
da01dba ci: add semantic-release, update ci (Update Contracts_2 trustwallet/trust-ray#248)
799f668 4.3.0
9b8fea3 feat: configures redirectTo to accept regex

See the full diff

Package name: coinmarketcap-api

The new version differs by 28 commits.

b0133d7 2.0.1
8cda6a3 2.0.0
f7321d1 Simplify
334b53b Switch to Standard
39a881b Merge pull request [Snyk] Security upgrade coinmarketcap-api from 2.0.0 to 2.0.1 #14 from tiaanduplessis/fixv2
565838b Added test cases to increase coverage
0a57ff8 Rewrote getTicker method for CMC API v2
3ef066c 1.1.0
38dfab7 Merge pull request [Snyk] Security upgrade firebase-admin from 5.12.1 to 6.0.0 #12 from abhinavk99/v2
e3866c4 Reinstalled modules with yarn to fix Travis build fail
24ded7c Updated wrapper to work with CMC API v2
5478b18 1.0.3
4279272 Update deps & add keywords
68c5297 Build docs
5d21f6a 1.0.2
eede67b Fix argument parsing
9120e06 1.0.1
11554d9 Update docs
e44da9e Update deps
e0d791b Merge pull request [Snyk] Fix for 1 vulnerabilities #8 from bennyn/patch-1
56e324c Merge branch 'master' into patch-1
c39f712 Merge pull request [Snyk] Security upgrade web3 from 1.0.0-beta.26 to 1.2.0 #7 from cryptofuture/master
192f042 Merge pull request [Snyk] Upgrade tslint from 5.8.0 to 5.20.1 #6 from abhinavk99/ticker-start-option
201ba2f fix(package): Add trailing comma

See the full diff

Package name: mongoose

The new version differs by 250 commits.

76fae6d chore: release 5.3.9
40d4177 Merge pull request #7213 from NewEraCracker/master
751397c fix(document): run setter only once when doing `.set()` underneath a single nested subdoc
10837d4 test(document): repro #7196
10a63a9 Bump version of bson dependency to match mongodb-core
d10274e docs(transactions): add example of aborting a transaction
d245847 Merge branch 'master' of github.com:Automattic/mongoose
551a75b chore: add cpc to some pages that were missing it
1ca3514 Merge pull request #7210 from gfranco93/patch-1
c1606b6 Merge pull request #7207 from lineus/fix-7098
e9d538e Merge pull request #7203 from lineus/fix-7202
8f16b67 fix(document): surface errors in subdoc pre validate
87005a1 test(document): repro #7187
5b1d81c Documentation fix: fixed anchor link
eebfb36 docs(query): add note re: cursor()
c1e2617 docs(query): improve find() docs re: #7188
526f82d fix(query): run default functions after hydrating the loaded document
320d5f8 test(query): repro #7182
64c6d15 if our update schema path is a nested array do not skip query casting.
5d122e8 test for #7098
5ba13a7 refactor(test): move strictQuery tests to query.test.js since they do not use findOneAndUpdate()
4121629 chore: refer to correct issue #7178
22ed5d2 fix(query): handle strictQuery: 'throw' with nested path correctly
8c16354 test(query): repro #7152