[Snyk] Upgrade: body-parser, cookie-parser, express, mongodb, mongoose, validator #133

officialmofabs · 2024-09-14T15:01:03Z

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

body-parser
from 1.19.0 to 1.20.2 | 5 versions ahead of your current version | 2 years ago
on 2023-02-22
cookie-parser
from 1.4.5 to 1.4.6 | 1 version ahead of your current version | 3 years ago
on 2021-11-16
express
from 4.17.1 to 4.19.2 | 9 versions ahead of your current version | 6 months ago
on 2024-03-25
mongodb
from 3.6.5 to 3.7.4 | 12 versions ahead of your current version | a year ago
on 2023-06-21
mongoose
from 6.0.9 to 6.13.0 | 100 versions ahead of your current version | 3 months ago
on 2024-06-06
validator
from 13.7.0 to 13.12.0 | 3 versions ahead of your current version | 4 months ago
on 2024-05-09

Issues fixed by the recommended upgrade:

Issue	Score	Exploit Maturity
Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	696	Proof of Concept
Prototype Pollution SNYK-JS-MONGOOSE-2961688	696	Proof of Concept
Prototype Pollution SNYK-JS-MONGOOSE-5777721	696	Proof of Concept
Prototype Poisoning SNYK-JS-QS-3153490	696	Proof of Concept
Open Redirect SNYK-JS-EXPRESS-6474509	696	No Known Exploit
Information Exposure SNYK-JS-MONGODB-5871303	696	No Known Exploit
Information Exposure SNYK-JS-MONGODB-5871303	696	No Known Exploit

Release notes

Package name: body-parser

1.20.2 - 2023-02-22
- Fix strict json error message on Node.js 19+
- deps: content-type@~1.0.5
  - perf: skip value escaping when unnecessary
- deps: [email protected]
1.20.1 - 2022-10-06
- deps: [email protected]
- perf: remove unnecessary object clone
1.20.0 - 2022-04-03
- Fix error message for json parse whitespace in strict
- Fix internal error when inflated body exceeds limit
- Prevent loss of async hooks context
- Prevent hanging when request already read
- deps: [email protected]
  - Replace internal eval usage with Function constructor
  - Use instance methods on process to check for listeners
- deps: [email protected]
  - deps: [email protected]
  - deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
  - deps: [email protected]
1.19.2 - 2022-02-16
- deps: [email protected]
- deps: [email protected]
  - Fix handling of __proto__ keys
- deps: [email protected]
  - deps: [email protected]
1.19.1 - 2021-12-10
- deps: [email protected]
- deps: [email protected]
  - deps: [email protected]
  - deps: [email protected]
  - deps: [email protected]
- deps: [email protected]
- deps: [email protected]
  - deps: [email protected]
  - deps: [email protected]
- deps: [email protected]
- deps: type-is@~1.6.18
1.19.0 - 2019-04-26
- deps: [email protected]
  - Add petabyte (pb) support
- deps: [email protected]
  - Set constructor name when possible
  - deps: [email protected]
  - deps: statuses@'>= 1.5.0 < 2'
- deps: [email protected]
  - Added encoding MIK
- deps: [email protected]
  - Fix parsing array brackets after index
- deps: [email protected]
  - deps: [email protected]
  - deps: [email protected]
  - deps: [email protected]
- deps: type-is@~1.6.17
  - deps: mime-types@~2.1.24
  - perf: prevent internal throw on invalid type

from body-parser GitHub release notes

Package name: cookie-parser

1.4.6 - 2021-11-16
- deps: [email protected]
1.4.5 - 2020-03-15
- deps: [email protected]

from cookie-parser GitHub release notes

Package name: express

4.19.2 - 2024-03-25
4.19.1 - 2024-03-20
What's Changed
- Fix ci after location patch by @ wesleytodd in #5552
- fixed un-edited version in history.md for 4.19.0 by @ wesleytodd in #5556
Full Changelog: 4.19.0...4.19.1
4.19.0 - 2024-03-20
What's Changed
- fix typo in release date by @ UlisesGascon in #5527
- docs: nominating @ wesleytodd to be project captian by @ wesleytodd in #5511
- docs: loosen TC activity rules by @ wesleytodd in #5510
- Add note on how to update docs for new release by @ crandmck in #5541
- Prevent open redirect allow list bypass due to encodeurl
- Release 4.19.0 by @ wesleytodd in #5551
New Contributors
- @ crandmck made their first contribution in #5541
Full Changelog: 4.18.3...4.19.0
4.18.3 - 2024-02-29
Main Changes
- Fix routing requests without method
- deps: [email protected]
  - Fix strict json error message on Node.js 19+
  - deps: content-type@~1.0.5
  - deps: [email protected]
Other Changes
- Use https: protocol instead of deprecated git: protocol by @ vcsjones in #5032
- build: [email protected] and [email protected] by @ abenhamdine in #5034
- ci: update actions/checkout to v3 by @ armujahid in #5027
- test: remove unused function arguments in params by @ raksbisht in #5124
- Remove unused originalIndex from acceptParams by @ raksbisht in #5119
- Fixed typos by @ raksbisht in #5117
- examples: remove unused params by @ raksbisht in #5113
- fix: parameter str is not described in JSDoc by @ raksbisht in #5130
- fix: typos in History.md by @ raksbisht in #5131
- build : add [email protected] by @ abenhamdine in #5028
- test: remove unused function arguments in params by @ raksbisht in #5137
- use random port in test so it won't fail on already listening by @ rluvaton in #5162
- tests: use cb() instead of done() by @ kristof-low in #5233
- examples: remove multipart example by @ riddlew in #5195
- Update support Node.js@18 in the CI by @ UlisesGascon in #5490
- Fix favicon-related bug in cookie-sessions example by @ DmytroKondrashov in #5414
- Release 4.18.3 by @ UlisesGascon in #5505
New Contributors
- @ vcsjones made their first contribution in #5032
- @ abenhamdine made their first contribution in #5034
- @ armujahid made their first contribution in #5027
- @ raksbisht made their first contribution in #5124
- @ rluvaton made their first contribution in #5162
- @ kristof-low made their first contribution in #5233
- @ riddlew made their first contribution in #5195
- @ DmytroKondrashov made their first contribution in #5414
Full Changelog: 4.18.2...4.18.3
4.18.2 - 2022-10-08
- Fix regression routing a large stack in a single route
- deps: [email protected]
  - deps: [email protected]
  - perf: remove unnecessary object clone
- deps: [email protected]
4.18.1 - 2022-04-29
- Fix hanging on large stack of sync routes
4.18.0 - 2022-04-25
- Add "root" option to res.download
- Allow options without filename in res.download
- Deprecate string and non-integer arguments to res.status
- Fix behavior of null/undefined as maxAge in res.cookie
- Fix handling very large stacks of sync middleware
- Ignore Object.prototype values in settings through app.set/app.get
- Invoke default with same arguments as types in res.format
- Support proper 205 responses using res.send
- Use http-errors for res.format error
- deps: [email protected]
  - Fix error message for json parse whitespace in strict
  - Fix internal error when inflated body exceeds limit
  - Prevent loss of async hooks context
  - Prevent hanging when request already read
  - deps: [email protected]
  - deps: [email protected]
  - deps: [email protected]
  - deps: [email protected]
  - deps: [email protected]
- deps: [email protected]
  - Add priority option
  - Fix expires option to reject invalid dates
- deps: [email protected]
  - Replace internal eval usage with Function constructor
  - Use instance methods on process to check for listeners
- deps: [email protected]
  - Remove set content headers that break response
  - deps: [email protected]
  - deps: [email protected]
- deps: [email protected]
  - Prevent loss of async hooks context
- deps: [email protected]
- deps: [email protected]
  - Fix emitted 416 error missing headers property
  - Limit the headers removed for 304 response
  - deps: [email protected]
  - deps: [email protected]
  - deps: [email protected]
  - deps: [email protected]
  - deps: [email protected]
- deps: [email protected]
  - deps: [email protected]
- deps: [email protected]
  - Remove code 306
  - Rename 425 Unordered Collection to standard 425 Too Early
4.17.3 - 2022-02-17
- deps: accepts@~1.3.8
  - deps: mime-types@~2.1.34
  - deps: [email protected]
- deps: [email protected]
  - deps: [email protected]
  - deps: [email protected]
  - deps: [email protected]
- deps: [email protected]
- deps: [email protected]
  - Fix handling of __proto__ keys
- pref: remove unnecessary regexp for trust proxy
4.17.2 - 2021-12-17
- Fix handling of undefined in res.jsonp
- Fix handling of undefined when "json escape" is enabled
- Fix incorrect middleware execution with unanchored RegExps
- Fix res.jsonp(obj, status) deprecation message
- Fix typo in res.is JSDoc
- deps: [email protected]
  - deps: [email protected]
  - deps: [email protected]
  - deps: [email protected]
  - deps: [email protected]
  - deps: [email protected]
  - deps: type-is@~1.6.18
- deps: [email protected]
  - deps: [email protected]
- deps: [email protected]
  - Fix maxAge option to reject invalid values
- deps: proxy-addr@~2.0.7
  - Use req.socket over deprecated req.connection
  - deps: [email protected]
  - deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
  - deps: [email protected]
  - deps: [email protected]
  - pref: ignore empty http tokens
- deps: [email protected]
  - deps: [email protected]
- deps: [email protected]
4.17.1 - 2019-05-26

from express GitHub release notes

Package name: mongodb

3.7.4 - 2023-06-21
The MongoDB Node.js team is pleased to announce version 3.7.4 of the mongodb package!

Release Highlights

This release fixes a bug that throws a type error when SCRAM-SHA-256 is used with saslprep in a webpacked environment.

3.7.4 (2023-06-21)

Bug Fixes
- NODE-3711: retry txn end on retryable write (#3047) (1595140)
- NODE-5355: prevent error when saslprep is not a function (#3733) (152425a)
Documentation
- Reference
- API
- Changelog
We invite you to try the mongodb library immediately, and report any issues to the NODE project.
3.7.3 - 2021-10-20
3.7.2 - 2021-10-05
3.7.1 - 2021-09-14
3.7.0 - 2021-08-31
3.6.12 - 2021-08-30
3.6.11 - 2021-08-05
3.6.10 - 2021-07-06
3.6.9 - 2021-05-26
3.6.8 - 2021-05-21
3.6.7 - 2021-05-18
3.6.6 - 2021-04-06
3.6.5 - 2021-03-16

from mongodb GitHub release notes

Package name: mongoose

6.13.0 - 2024-06-06
6.12.9 - 2024-05-24
6.12.8 - 2024-04-10
6.12.7 - 2024-03-01
6.12.6 - 2024-01-22
6.12.5 - 2024-01-03
6.12.4 - 2023-12-27
6.12.3 - 2023-11-07
6.12.2 - 2023-10-25
6.12.1 - 2023-10-12
6.12.0 - 2023-08-24
6.11.6 - 2023-08-21
6.11.5 - 2023-08-01
6.11.4 - 2023-07-17
6.11.3 - 2023-07-11
6.11.2 - 2023-06-08
6.11.1 - 2023-05-08
6.11.0 - 2023-05-01
6.10.5 - 2023-04-06
6.10.4 - 2023-03-21
6.10.3 - 2023-03-13
6.10.2 - 2023-03-07
6.10.1 - 2023-03-03
6.10.0 - 2023-02-22
6.9.3 - 2023-02-22
6.9.2 - 2023-02-16
6.9.1 - 2023-02-06
6.9.0 - 2023-01-25
6.8.4 - 2023-01-17
6.8.3 - 2023-01-06
6.8.2 - 2022-12-28
6.8.1 - 2022-12-19
6.8.0 - 2022-12-05
6.7.5 - 2022-11-30
6.7.4 - 2022-11-28
6.7.3 - 2022-11-22
6.7.2 - 2022-11-07
6.7.1 - 2022-11-02
6.7.0 - 2022-10-24
6.6.7 - 2022-10-21
6.6.6 - 2022-10-20
6.6.5 - 2022-10-05
6.6.4 - 2022-10-03
6.6.3 - 2022-09-30
6.6.2 - 2022-09-26
6.6.1 - 2022-09-14
6.6.0 - 2022-09-08
6.5.5 - 2022-09-07
6.5.4 - 2022-08-30
6.5.3 - 2022-08-25
6.5.2 - 2022-08-10
6.5.1 - 2022-08-03
6.5.0 - 2022-07-26
6.4.7 - 2022-07-25
6.4.6 - 2022-07-20
6.4.5 - 2022-07-18
6.4.4 - 2022-07-08
6.4.3 - 2022-07-05
6.4.2 - 2022-07-01
6.4.1 - 2022-06-27
6.4.0 - 2022-06-17
6.3.9 - 2022-06-17
6.3.8 - 2022-06-13
6.3.7 - 2022-06-13
6.3.6 - 2022-06-07
6.3.5 - 2022-05-30
6.3.4 - 2022-05-19
6.3.3 - 2022-05-09
6.3.2 - 2022-05-02
6.3.1 - 2022-04-21
6.3.0 - 2022-04-14
6.2.11 - 2022-04-13
6.2.10 - 2022-04-04
6.2.9 - 2022-03-28
6.2.8 - 2022-03-23
6.2.7 - 2022-03-16
6.2.6 - 2022-03-11
6.2.5 - 2022-03-09
6.2.4 - 2022-02-28
6.2.3 - 2022-02-21
6.2.2 - 2022-02-16
6.2.1 - 2022-02-07
6.2.0 - 2022-02-02
6.1.10 - 2022-02-01
6.1.9 - 2022-01-31
6.1.8 - 2022-01-24
6.1.7 - 2022-01-17
6.1.6 - 2022-01-10
6.1.5 - 2022-01-04
6.1.4 - 2021-12-27
6.1.3 - 2021-12-21
6.1.2 - 2021-12-15
6.1.1 - 2021-12-09
6.1.0 - 2021-12-07
6.0.15 - 2021-12-06
6.0.14 - 2021-11-29
6.0.13 - 2021-11-15
6.0.12 - 2021-10-21
6.0.11 - 2021-10-14
6.0.10 - 2021-10-08
6.0.9 - 2021-10-04

from mongoose GitHub release notes

Package name: validator

13.12.0 - 2024-05-09
What's Changed

New Features / Validators
- #2143 isAbaRouting @ songyuew
Fixes, New Locales and Enhancements
- #2207 isLicensePlate add Pakistani en-PK locale @ anasshakil
- #2208 isPort fix invalid leading zeros @ anasshakil
- #2224 isTaxID added Argentina es-AR locale @ estefrare
- #2257 isDate timezone offset fix @ tomaspanek
- #2265 isPassportNumber added ZA locale @ GMorris-professional
- isMobilePhone:
  - #2267 added en-MW locale @ SimranSiddiqui
  - #2140 fix am-AM locale @ AlexKrupko
- #2271 isPostalAddress fix NL locale @ RobinvanderVliet
- #2273 isISO4217 add SLE currency @ urg
- #2278 isStrongPassword fix symbolRegex to include \ @ nandavikas
- #2279 isVAT fixed KZ locale @ MatthieuLemoine
- #2285 isAlpha, isAlphanumeric added eo locale @ RobinvanderVliet
- #2320 isIBAN add Algeria DZ locale @ thibault-lr
- #2343 isVATimprove AU locale @ matthewberryman
- #2345 isUUID add support for v7 @ ruscon
- #2358 isTaxID add Ukraine uk-UA locale @ arttiger
- #2381 isDate disallow hiphen before year @ Sumit-tech-joshi
- Doc fixes and others:
New Contributors
- @ tomaspanek made their first contribution in #2257
- @ estefrare made their first contribution in #2224
- @ GMorris-professional made their first contribution in #2265
- @ SimranSiddiqui made their first contribution in #2267
- @ ZhulinskiiDanil made their first contribution in #2368
- @ devmanbud made their first contribution in #2371
- @ ruscon made their first contribution in #2345
- @ amaliacatalina made their first contribution in #2284
- @ RobinvanderVliet made their first contribution in #2285
- @ anasshakil made their first contribution in #2211
- @ AlexKrupko made their first contribution in #2140
- @ urg made their first contribution in #2273
- @ meyfa made their first contribution in #2276
- @ nandavikas made their first contribution in #2278

Snyk has created this PR to upgrade: - body-parser from 1.19.0 to 1.20.2. See this package in npm: https://www.npmjs.com/package/body-parser - cookie-parser from 1.4.5 to 1.4.6. See this package in npm: https://www.npmjs.com/package/cookie-parser - express from 4.17.1 to 4.19.2. See this package in npm: https://www.npmjs.com/package/express - mongodb from 3.6.5 to 3.7.4. See this package in npm: https://www.npmjs.com/package/mongodb - mongoose from 6.0.9 to 6.13.0. See this package in npm: https://www.npmjs.com/package/mongoose - validator from 13.7.0 to 13.12.0. See this package in npm: https://www.npmjs.com/package/validator See this project in Snyk: https://app.snyk.io/org/supportigedevteam.onmicrosoft.com/project/03e82df9-3c6a-4f34-adad-57840790f49d?utm_source=github&utm_medium=referral&page=upgrade-pr

socket-security · 2024-09-14T15:03:36Z

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher

View full report↗︎

socket-security · 2024-09-14T15:03:38Z

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
Critical CVE	npm/[email protected]	CVE: GHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utils (CRITICAL) Affected versions: < 1.4.1 Patched version: 1.4.1	`angular/angular/package-lock.json`	⚠︎

View full report↗︎

Next steps

What is a critical CVE?

Contains a Critical Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

@SocketSecurity ignore npm/[email protected]

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Upgrade: body-parser, cookie-parser, express, mongodb, mongoose, validator #133

[Snyk] Upgrade: body-parser, cookie-parser, express, mongodb, mongoose, validator #133

officialmofabs commented Sep 14, 2024

What's Changed

What's Changed

New Contributors

Main Changes

Other Changes

New Contributors

Release Highlights

3.7.4 (2023-06-21)

Bug Fixes

Documentation

What's Changed

New Features / Validators

Fixes, New Locales and Enhancements

New Contributors

socket-security bot commented Sep 14, 2024

socket-security bot commented Sep 14, 2024

[Snyk] Upgrade: body-parser, cookie-parser, express, mongodb, mongoose, validator #133

Are you sure you want to change the base?

[Snyk] Upgrade: body-parser, cookie-parser, express, mongodb, mongoose, validator #133

Conversation

officialmofabs commented Sep 14, 2024

Snyk has created this PR to upgrade multiple dependencies.

Issues fixed by the recommended upgrade:

What's Changed

What's Changed

New Contributors

Main Changes

Other Changes

New Contributors

Release Highlights

3.7.4 (2023-06-21)

Bug Fixes

Documentation

What's Changed

New Features / Validators

Fixes, New Locales and Enhancements

New Contributors

socket-security bot commented Sep 14, 2024

socket-security bot commented Sep 14, 2024

Next steps