[Snyk] Fix for 59 vulnerabilities

[cniweb]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	/1000 Why?	Prototype Pollution SNYK-JS-ASYNC-2441827	Yes	Proof of Concept
	/1000 Why?	Insecure Encryption SNYK-JS-BCRYPT-572911	Yes	No Known Exploit
	/1000 Why?	Cryptographic Issues SNYK-JS-BCRYPT-575033	Yes	Proof of Concept
	/1000 Why?	Denial of Service (DoS) SNYK-JS-ENGINEIO-3136336	Yes	No Known Exploit
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
	/1000 Why?	Denial of Service (DoS) SNYK-JS-HTMLTOTEXT-571464	Yes	No Known Exploit
	631/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.2	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	Proof of Concept
	/1000 Why?	Prototype Pollution SNYK-JS-INI-1048974	Yes	Proof of Concept
	/1000 Why?	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	/1000 Why?	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	Yes	Proof of Concept
	/1000 Why?	Prototype Pollution SNYK-JS-MQUERY-1050858	No	Proof of Concept
	/1000 Why?	Command Injection SNYK-JS-NODEMAILER-1038834	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	HTTP Header Injection SNYK-JS-NODEMAILER-1296415	Yes	Proof of Concept
	658/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-NODEMAILER-6219989	Yes	Proof of Concept
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	Yes	Proof of Concept
	/1000 Why?	Remote Code Execution (RCE) SNYK-JS-PUG-1071616	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	/1000 Why?	Insecure Defaults SNYK-JS-SOCKETIO-1024859	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	Yes	No Known Exploit
	/1000 Why?	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	/1000 Why?	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	/1000 Why?	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	/1000 Why?	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	/1000 Why?	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit
	/1000 Why?	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	Yes	Proof of Concept
	/1000 Why?	Prototype Pollution SNYK-JS-UNDERSCOREDEEP-2936792	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution npm:deep-extend:20180409	Yes	Proof of Concept
	619/1000 Why? Has a fix available, CVSS 8.1	Insecure Defaults npm:engine.io-client:20160426	No	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	/1000 Why?	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:parsejson:20170908	Yes	No Known Exploit
	/1000 Why?	Regular Expression Denial of Service (ReDoS) npm:underscore.string:20170908	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Remote Memory Exposure npm:ws:20160104	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20160624	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Insecure Randomness npm:ws:20160920	No	No Known Exploit
	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20171108	No	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: bcrypt

The new version differs by 193 commits.

• 2f124bd Fix artifact upload path
• 10eacf5 Prepare v5.0.1
• 6eacfe1 Merge pull request #856 from kelektiv/update-deps
• feb477c Update node-pre-gyp to 1.0.0
• 42c8b0c Merge pull request #852 from kelektiv/update-deps
• bafefc3 Update packages
• 7c5d8df Merge pull request #851 from recrsn/node-15-ci
• 1ba55f9 Add Node 15 to CI
• 19c06c1 Update Node version compatibility info
• 09cb4fc Merge pull request #825 from dogon11/patch-1
• 2821c03 Merge pull request #811 from techhead/use_buffers
• 63c8403 Merge pull request #838 from alete89/docs/improve-hash-info
• 984ef18 remove reference to $2y$ algo identifier
• 630c897 fixes: #828
• 0f93284 README.md typo fix
• 4125ebc Update README.md
• f503e57 Create SECURITY.md
• f158e6e Allow optional use of Node Buffers.
• 8866277 Deploy on any travis tag
• 61139e6 v5.0.0
• 1bde62c Update node-pre-gyp to 0.15.0
• 40770d6 Add NodeJS 14 to appveyor CI
• 5916a46 Merge pull request #807 from techhead/known_length
• f28e916 Reword comment

See the full diff

Package name: body-parser

The new version differs by 101 commits.

• 424dadd 1.19.2
• 11248a2 deps: raw-body@2.4.3
• 7a088eb build: Node.js@14.19
• ecedf31 build: Node.js@16.14
• b6bfabd build: Node.js@17.5
• badd6b2 build: fix code coverage aggregate upload
• 96b448a build: Node.js@17.4
• 70560b1 build: mocha@9.2.0
• 548a06f build: supertest@6.2.2
• 3b00678 deps: bytes@3.1.2
• d5acb61 build: mocha@9.1.4
• 82c8a7c tests: add limit + inflate tests
• b356758 deps: qs@6.9.7
• c631b58 build: supertest@6.2.1
• c81a8e2 build: eslint-plugin-import@2.25.4
• 3c4dcb8 build: Node.js@17.3
• d0a214b 1.19.1
• fb172d4 build: eslint-plugin-promise@5.2.0
• c5e63cb build: Node.js@17.2
• c6d43bd build: eslint-plugin-import@2.25.3
• 313ed6d build: eslint-plugin-promise@5.1.1
• 8389b51 deps: bytes@3.1.1
• aae94b2 deps: http-errors@1.8.1
• 7f84d4f deps: raw-body@2.4.2

See the full diff

Package name: email-templates

The new version differs by 189 commits.

• e8b8cfc 11.1.1
• 44940e2 chore: added note to README
• e03100c 11.1.0
• 45bb875 feat: upgrade to @ ladjs/consolidate (modern fork of consolidate)
• 871a2e8 11.0.5
• d4b46fa chore: bump deps (enhanced preview-email <https://github.com/forwardemail/preview-email\#browser>)
• b5e3c81 11.0.4
• 36789d2 chore: bump deps
• cfc2d41 11.0.3
• 2576f25 fix: fixed xo rule from warn > off
• 11c5c6e fix: switch off node: specific modules (per https://github.com/[fix] preview-email is failing due to require('node:child_process') is not getting processed on mac intel forwardemail/test-preview-emails-cross-browsers-ios-simulator-nodejs-javascript#35)
• 2acb1c3 11.0.2
• ecf5a72 chore: bump deps
• f1f19dc 11.0.1
• 800cec4 docs: updated inline CSS example
• a18debc 11.0.0
• 9c26e5e feat: breaking - drop CSS inlining and `<style>` tag removal by default
• 85b8129 10.0.1
• f9bf71a feat: added iOS Simulator support 🎉
• edac7f4 10.0.0
• 1b0ecdc feat: modernize, require node >= 14, bump deps
• 8a73adc v9.0.0
• 3cd75b4 chore: upgrade web-resource-inliner, support node v10+
• 6ba0098 v8.1.0

See the full diff

Package name: less-middleware

The new version differs by 21 commits.

• 8471bff Version 3.0.0
• b9556a0 Version 2.3.0
• a8559d5 Merge branch 'master' of github.com:emberfeather/less.js-middleware
• 136bd2e Fixing the style of the DI shield.
• 9f4e712 Merge pull request Apple Notifications issues openhab/openhab-cloud#151 from emberfeather/feature/circleci
• 0b6ea0e Fixing the syntax for the circle config.
• 19edda6 Fixing the docker user.
• 7bac1f7 Adding basic config and test for circle.
• 9b57cbf Updating dependencies.
• 76f8886 Updating version.
• 7471d55 Updating the node 8 fs `fileWrite` usage.
• 2e10150 Updating dependencies.
• b1c023f Merge branch 'master' of github.com:emberfeather/less.js-middleware
• 6f3056c Merge pull request Error running npm install: error: use of undeclared identifier 'daylight' openhab/openhab-cloud#149 from Jorundur/patch-1
• 7a9cb9b "preprocessing" -> "postprocessing"
• 8832b44 Reordering packages.o
• e4c6a63 Updating dependencies.
• ea9c121 Adding yarn.
• 695b71a Updating link on dependency managment.
• c216bbd Updating CI to CircleCI
• 66dca8b Adding a dependency tracker for the repo.

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• d7fc59c chore: release 5.11.7
• d318339 fix(index.d.ts): make `Document#id` optional so types that use `id` can use `Model<IMyType & Document>`
• a9b317a chore: upgrade mquery -> 3.2.3
• 43f88db fix(document): ensure calling `get()` with empty string returns undefined for mongoose-plugin-autoinc
• 369efe1 Merge pull request #9692 from sahasayan/patch-4
• f879c4d chore: update opencollective sponsors
• 1be4d87 fix(model): set `isNew` to false for documents that were successfully inserted by `insertMany` with `ordered = false` when an error occurred
• b2da840 test(model): repro #9677
• 15d6660 fix(index.d.ts): add missing Aggregate#skip() & Aggregate#limit()
• dd348b1 chore: release 5.11.6
• 3ec01fa fix(index.d.ts): allow calling `mongoose.model()` and `Connection#model()` with model as generic param
• ccfa041 Merge pull request #9686 from cjroebuck/patch-1
• 7a52e45 Merge pull request #9685 from sahasayan/patch-3
• a5c98c2 Allow array of validators in SchemaTypeOptions
• 48907ea fix(index.d.ts): allow 2 generic types in mongoose.model function
• a17a2c3 Merge pull request #9683 from isengartz/master
• 61595f0 fix(index.d.ts): allow passing ObjectId properties as strings to `create()` and `findOneAndReplace()`
• 8e20ee6 optional next() parameter for post middleware
• 8a52485 Merge pull request #9680 from orgads/aggregate
• 1ef8274 fix(middleware): ensure sync errors in pre hooks always bubble up to the calling code
• 067e3a2 fix(index.d.ts): Fix return type of Model#aggregate()
• 0e2058d chore: release 5.11.5
• 6d9fb4d fix(index.d.ts): add missing `SchemaTypeOpts` and `ConnectionOptions` aliases for backwards compat
• a85adb9 test: fix tests re: #9669

See the full diff

Package name: nodemailer

The new version differs by 172 commits.

• ba31c64 v6.4.16
• 7e7b2b2 v6.4.15
• fca2041 Update CHANGELOG.md
• b4ccfa3 Oups
• 24b93bf Add ethereal.email to well-known/services.json
• 0f132fa doc: make the code a little more accessible with some code comments.
• 1815bad v6.4.14
• dd26ddd v6.4.13
• 455cfbe v6.4.12
• 1787f22 Includes all information from the oath2 error response in the error message (#1191)
• e3055c4 v6.4.11
• 3cfbf60 Create pull_request_template.md
• 35f9e33 Create CODE_OF_CONDUCT.md
• 8985bde v6.4.10
• a0cab71 v6.4.8
• 5874437 Updated testable node versions
• 643c039 v6.4.7
• b039ca5 Force charset for Content-Type headers even if not needed
• 5702a71 catch errors from invalid crypto.sign
• 5e00fb5 Update issue templates
• c32431d Delete ISSUE_TEMPLATE.md
• c034548 v6.4.6
• 3bfc545 fix: `requeueAttempts=n` should requeue `n` times
• c73bb33 v6.4.5

See the full diff

Package name: socket.io

The new version differs by 250 commits.

• baa6804 chore(release): 2.5.0
• f223178 fix: prevent the socket from joining a room after disconnection
• 226cc16 fix: only set 'connected' to true after middleware execution
• 05e1278 fix: fix race condition in dynamic namespaces
• 22d4bdf fix: ignore packet received after disconnection
• dfded53 chore: update engine.io version to 3.6.0
• e6b8697 chore(release): 2.4.1
• a169050 revert: fix(security): do not allow all origins by default
• 873fdc5 chore(release): 2.4.0
• f78a575 fix(security): do not allow all origins by default
• d33a619 fix: properly overwrite the query sent in the handshake
• 3951a79 chore: bump engine.io version
• 6fa026f ci: migrate to GitHub Actions
• 47161a6 [chore] Release 2.3.0
• cf39362 [chore] Bump socket.io-parser to version 3.4.0
• 4d01b2c test: remove deprecated Buffer usage (#3481)
• 8227192 [docs] Fix the default value of the 'origins' parameter (#3464)
• 1150eb5 [chore] Bump engine.io to version 3.4.0
• 9c1e73c [chore] Update the license of the chat example (#3410)
• df05b73 [chore] Release 2.2.0
• b00ae50 [feat] Add cache-control header when serving the client source (#2907)
• d3c653d [docs] Add Touch Support to the whiteboard example (#3104)
• a7fbd1a [fix] Throw an error when trying to access the clients of a dynamic namespace (#3355)
• 190d22b [chore] Bump dependencies

See the full diff

Package name: socket.io-redis

The new version differs by 47 commits.

• 4f51fdd Release 1.0.0
• 1dc700c Merge pull request Code-Cleanup app.js openhab/openhab-cloud#82 from nkzawa/patch-3
• 4fc675c Merge pull request Add a new system module which holds system configuration openhab/openhab-cloud#81 from nkzawa/patch-2
• 55bcb2f update .travis.yml and package.json
• c8a7be3 add tests
• 2387733 changes according to Adapter's Room class
• 3124d2b fix Add password complexity checks for openhab-cloud account openhab/openhab-cloud#80
• 1cf6ce8 Release 0.2.0
• f6770c7 Merge pull request [Snyk] Fix for 17 vulnerabilities #66 from Kosta-Github/Kosta/performance_opt
• 7d78149 Merge pull request [Snyk] Fix for 6 vulnerabilities #74 from komachi/master
• 11c7b8a package: bump `debug`
• 5b6468c Merge pull request [Snyk] Security upgrade mongoose from 5.11.7 to 6.4.6 #57 from inversion/patch-1
• 4321b93 Merge pull request Configure Mend Bolt for GitHub #71 from dazorni/master
• 0d75c5c Replace detect_buffers with return_buffers, update redis.
• 52b575a Working travis build status
• abc23f2 remove duplicated `#`
• 9ab4b84 remove redundancy and minor performance optimization
• df7a8df Update README.md
• c07b3bd fix [Snyk] Fix for 2 vulnerabilities #55
• d2dec66 expose props
• 4e9801e restore async (still used in `index`)
• 1d40652 refactor tests ^^ goodbye `async`
• 36a8f5a package: remove `async` and bump `socket.io-adapter`
• df2c677 fix shadowing

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	/1000 Why?	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Insecure Encryption
🦉 More lessons are available in Snyk Learn