Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade: node-fetch, bcrypt, envfile, express, express-session, jimp, mongoose, openai, qrcode, sanitize-html, socket.io, string-argv, web-push #1

Merged
merged 1 commit into from
Sep 21, 2024

Conversation

SimplyTiramisu
Copy link
Owner

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name Versions Released on

node-fetch
from 2.6.9 to 2.7.0 | 5 versions ahead of your current version | a year ago
on 2023-08-23
bcrypt
from 5.1.0 to 5.1.1 | 1 version ahead of your current version | a year ago
on 2023-08-16
envfile
from 6.18.0 to 6.22.0 | 8 versions ahead of your current version | 10 months ago
on 2023-11-23
express
from 4.18.2 to 4.19.2 | 4 versions ahead of your current version | 6 months ago
on 2024-03-25
express-session
from 1.17.3 to 1.18.0 | 1 version ahead of your current version | 8 months ago
on 2024-01-28
jimp
from 0.13.0 to 0.22.12 | 119 versions ahead of your current version | 7 months ago
on 2024-02-23
mongoose
from 6.10.4 to 6.13.0 | 19 versions ahead of your current version | 3 months ago
on 2024-06-06
openai
from 3.2.1 to 3.3.0 | 1 version ahead of your current version | a year ago
on 2023-06-13
qrcode
from 1.5.1 to 1.5.4 | 3 versions ahead of your current version | a month ago
on 2024-08-05
sanitize-html
from 2.10.0 to 2.13.0 | 4 versions ahead of your current version | 6 months ago
on 2024-03-20
socket.io
from 4.6.1 to 4.7.5 | 7 versions ahead of your current version | 6 months ago
on 2024-03-14
string-argv
from 0.3.1 to 0.3.2 | 1 version ahead of your current version | a year ago
on 2023-05-01
web-push
from 3.5.0 to 3.6.7 | 7 versions ahead of your current version | 8 months ago
on 2024-01-16

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Uncaught Exception
SNYK-JS-ENGINEIO-5496331
586 No Known Exploit
high severity Uncaught Exception
SNYK-JS-SOCKETIO-7278048
586 No Known Exploit
high severity Denial of Service (DoS)
SNYK-JS-SOCKETIOPARSER-5596892
586 No Known Exploit
high severity Prototype Pollution
SNYK-JS-MONGOOSE-5777721
586 Proof of Concept
high severity Improper Handling of Extra Parameters
SNYK-JS-FOLLOWREDIRECTS-6141137
586 Proof of Concept
medium severity Information Exposure
SNYK-JS-SANITIZEHTML-6256334
586 Proof of Concept
medium severity Uncontrolled Resource Consumption ('Resource Exhaustion')
SNYK-JS-TAR-6476909
586 Proof of Concept
medium severity Information Exposure
SNYK-JS-MONGODB-5871303
586 No Known Exploit
medium severity Open Redirect
SNYK-JS-EXPRESS-6474509
586 No Known Exploit
medium severity Prototype Pollution
SNYK-JS-XML2JS-5414874
586 Proof of Concept
medium severity Information Exposure
SNYK-JS-FOLLOWREDIRECTS-6444610
586 Proof of Concept
medium severity Exposure of Sensitive Information to an Unauthorized Actor
SNYK-JS-PHIN-6598077
586 No Known Exploit
Release notes
Package name: node-fetch from node-fetch GitHub release notes
Package name: bcrypt from bcrypt GitHub release notes
Package name: envfile from envfile GitHub release notes
Package name: express from express GitHub release notes
Package name: express-session
  • 1.18.0 - 2024-01-28
    • Add debug log for pathname mismatch
    • Add partitioned to cookie options
    • Add priority to cookie options
    • Fix handling errors from setting cookie
    • Support any type in secret that crypto.createHmac supports
    • deps: [email protected]
      • Fix expires option to reject invalid dates
      • perf: improve default decode speed
      • perf: remove slow string split in parse
    • deps: [email protected]
  • 1.17.3 - 2022-05-11
from express-session GitHub release notes
Package name: mongoose
  • 6.13.0 - 2024-06-06
  • 6.12.9 - 2024-05-24
  • 6.12.8 - 2024-04-10
  • 6.12.7 - 2024-03-01
  • 6.12.6 - 2024-01-22
  • 6.12.5 - 2024-01-03
  • 6.12.4 - 2023-12-27
  • 6.12.3 - 2023-11-07
  • 6.12.2 - 2023-10-25
  • 6.12.1 - 2023-10-12
  • 6.12.0 - 2023-08-24
  • 6.11.6 - 2023-08-21
  • 6.11.5 - 2023-08-01
  • 6.11.4 - 2023-07-17
  • 6.11.3 - 2023-07-11
  • 6.11.2 - 2023-06-08
  • 6.11.1 - 2023-05-08
  • 6.11.0 - 2023-05-01
  • 6.10.5 - 2023-04-06
  • 6.10.4 - 2023-03-21
from mongoose GitHub release notes
Package name: openai from openai GitHub release notes
Package name: qrcode from qrcode GitHub release notes
Package name: sanitize-html from sanitize-html GitHub release notes
Package name: socket.io
  • 4.7.5 - 2024-03-14

    Bug Fixes

    • close the adapters when the server is closed (bf64870)
    • remove duplicate pipeline when serving bundle (e426f3e)

    Links

  • 4.7.4 - 2024-01-12
  • 4.7.3 - 2024-01-03
  • 4.7.2 - 2023-08-02
  • 4.7.1 - 2023-06-28
  • 4.7.0 - 2023-06-22
  • 4.6.2 - 2023-05-31
  • 4.6.1 - 2023-02-20
from socket.io GitHub release notes
Package name: string-argv
  • 0.3.2 - 2023-05-01
  • 0.3.1 - 2019-08-29
from string-argv GitHub release notes
Package name: web-push from web-push GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

[//]: # 'snyk:metadata:{"customTemplate":{"variablesUsed":[],"fieldsUsed":[]},"dependencies":[{"name":"node-fetch","from":"2.6.9","to":"2.7.0"},{"name":"bcrypt","from":"5.1.0","to":"5.1.1"},{"name":"envfile","from":"6.18.0","to":"6.22.0"},{"name":"express","from":"4.18.2","to":"4.19.2"},{"name":"express-session","from":"1.17.3","to":"1.18.0"},{"name":"jimp","from":"0.13.0","to":"0.22.12"},{"name":"mongoose","from":"6.10.4","to":"6.13.0"},{"name":"openai","from":"3.2.1","to":"3.3.0"},{"name":"qrcode","from":"1.5.1","to":"1.5.4"},{"name":"sanitize-html","from":"2.10.0","to":"2.13.0"},{"name":"socket.io","from":"4.6.1","to":"4.7.5"},{"name":"string-argv","from":"0.3.1","to":"0.3.2"},{"name":"web-push","from":"3.5.0","to":"3.6.7"}],"env":"prod","hasFixes":true,"isBreakingChange":false,"isMajorUpgrade":false,"issuesToFix":[{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-ENGINEIO-5496331","issue_id":"SNYK-JS-ENGINEIO-5496331","priority_score":589,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"7.5","score":375},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Uncaught Exception"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-SOCKETIO-7278048","issue_id":"SNYK-JS-SOCKETIO-7278048","priority_score":649,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"8.7","score":435},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Uncaught Exception"},{"exploit_maturity":"no-known-exploit","id":"SNYK-JS-SOCKETIOPARSER-5596892","issue_id":"SNYK-JS-SOCKETIOPARSER-5596892","priority_score":375,"priority_score_factors":[{"type":"cvssScore","label":"7.5","score":375},{"type":"scoreVersion","label":"v1","score":1}],"severity":"high","title":"Denial of Service (DoS)"},{"exploit_maturity":...

Snyk has created this PR to upgrade:
  - node-fetch from 2.6.9 to 2.7.0.
    See this package in npm: https://www.npmjs.com/package/node-fetch
  - bcrypt from 5.1.0 to 5.1.1.
    See this package in npm: https://www.npmjs.com/package/bcrypt
  - envfile from 6.18.0 to 6.22.0.
    See this package in npm: https://www.npmjs.com/package/envfile
  - express from 4.18.2 to 4.19.2.
    See this package in npm: https://www.npmjs.com/package/express
  - express-session from 1.17.3 to 1.18.0.
    See this package in npm: https://www.npmjs.com/package/express-session
  - jimp from 0.13.0 to 0.22.12.
    See this package in npm: https://www.npmjs.com/package/jimp
  - mongoose from 6.10.4 to 6.13.0.
    See this package in npm: https://www.npmjs.com/package/mongoose
  - openai from 3.2.1 to 3.3.0.
    See this package in npm: https://www.npmjs.com/package/openai
  - qrcode from 1.5.1 to 1.5.4.
    See this package in npm: https://www.npmjs.com/package/qrcode
  - sanitize-html from 2.10.0 to 2.13.0.
    See this package in npm: https://www.npmjs.com/package/sanitize-html
  - socket.io from 4.6.1 to 4.7.5.
    See this package in npm: https://www.npmjs.com/package/socket.io
  - string-argv from 0.3.1 to 0.3.2.
    See this package in npm: https://www.npmjs.com/package/string-argv
  - web-push from 3.5.0 to 3.6.7.
    See this package in npm: https://www.npmjs.com/package/web-push

See this project in Snyk:
https://app.snyk.io/org/simplytiramisu/project/f3e7bd03-6d64-49c8-a054-dc00fe39be06?utm_source=github&utm_medium=referral&page=upgrade-pr
@SimplyTiramisu SimplyTiramisu merged commit 26b8987 into main Sep 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

"socket hang up" / ECONNRESET on consecutive requests with Node.js 19 and Node.js 20
2 participants