[Snyk] Fix for 40 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	584/1000 Why? Has a fix available, CVSS 7.4	Directory Traversal SNYK-JS-ADMZIP-1065796	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	751/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-DUSTJSLINKEDIN-1089257	Yes	Proof of Concept
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-EXPRESSFILEUPLOAD-473997	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-EXPRESSFILEUPLOAD-595969	Yes	Proof of Concept
	671/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7	Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-HANDLEBARS-1279029	No	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-HANDLEBARS-469063	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-HANDLEBARS-480388	No	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-HANDLEBARS-534478	No	No Known Exploit
	704/1000 Why? Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-HANDLEBARS-534988	No	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-HANDLEBARS-567742	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-INI-1048974	Yes	Proof of Concept
	741/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.4	DLL Injection SNYK-JS-KERBEROS-568900	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-LODASH-590103	No	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-MONGODB-473855	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MQUERY-1050858	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MQUERY-1089718	Yes	Proof of Concept
	801/1000 Why? Mature exploit, Has a fix available, CVSS 8.3	Prototype Pollution SNYK-JS-TYPEORM-590152	No	Mature
	899/1000 Why? Mature exploit, Has a fix available, CVSS 9.4	Arbitrary File Write via Archive Extraction (Zip Slip) npm:adm-zip:20180415	No	Mature
	644/1000 Why? Has a fix available, CVSS 8.6	Code Injection npm:dustjs-linkedin:20160819	No	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution npm:ejs:20161128	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Cross-site Scripting (XSS) npm:ejs:20161130	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) npm:ejs:20161130-1	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Cross-site Scripting (XSS) npm:marked:20150520	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Cross-site Scripting (XSS) npm:marked:20170112	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Cross-site Scripting (XSS) npm:marked:20170815	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:marked:20170907	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:marked:20180225	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	Yes	No Known Exploit
	756/1000 Why? Mature exploit, Has a fix available, CVSS 7.4	Uninitialized Memory Exposure npm:npmconf:20180512	Yes	Mature
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: adm-zip

The new version differs by 134 commits.

• c5aeed4 Incremented version number
• 119dcad Fixed path traversal issue GHSL-2020-198
• 1d22ff6 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#341 from 5saviahv/history
• 492d148 added changelog
• dd415ae Incremented version
• 0f011a3 Fixed outFileName
• bc19fee Added extra parameter to extractEntryTo so target filename can be renamed
• 92e9836 Updated dev dependency
• 2b8d9ab Merge pull request [Snyk-dev Update] New fixes for 54 vulnerable dependency paths snyk-labs/nodejs-goof#315 from enecciari/work_in_browser
• 4fe58d1 Merge pull request [Snyk-dev Update] New fixes for 14 vulnerable dependency paths snyk-labs/nodejs-goof#322 from cthackers/dependabot/npm_and_yarn/lodash-4.17.19
• 49218a4 Merge pull request [Snyk-dev Update] New fixes for 15 vulnerable dependency paths snyk-labs/nodejs-goof#327 from kosuke-suzuki/multibyte-comment
• a7e8932 Merge pull request [Snyk-dev] Fix for 65 vulnerable dependency paths snyk-labs/nodejs-goof#331 from 5saviahv/master
• 7db0eda modified addLocalFolder method
• e114929 typo
• dc81063 modified addLocalFile method
• bc0f594 Deflate needs min V2.0
• dde4f51 Node v6
• 003d4cf Added ZipCrypto decrypting ability
• 63ed6e2 Detect and throw error with encrypted files
• c64ac14 LICENSE filename in package.json
• 1a334b2 add multibyte-encoded comment with byte length instead of character length
• 96d492a Bump lodash from 4.17.15 to 4.17.19
• b77f380 now it works in browser
• 218feee Merge remote-tracking branch 'upstream/master'

See the full diff

Package name: body-parser

The new version differs by 221 commits.

• 0f1bed0 1.17.1
• 0532096 lint: remove unreachable code branches
• b34aab5 build: [email protected]
• 77b1ca1 build: [email protected]
• e51dbc5 deps: [email protected]
• 79bc939 1.17.0
• e6140e1 build: [email protected]
• 42f467d deps: [email protected]
• 4954aec build: test against Node.js 8.x nightly
• e2050df build: [email protected]
• 2f941c4 build: [email protected]
• 6549617 build: [email protected]
• d1c2c7f deps: http-errors@~1.6.1
• e7b86ba build: [email protected]
• 7b630f7 1.16.1
• de574bf build: [email protected]
• 889bcc9 build: [email protected]
• dba8ac4 deps: [email protected]
• 95a3ebb docs: fix history file with incorrect qs version
• c5a73d5 1.16.0
• 9744dda deps: [email protected]
• 7807757 deps: [email protected]
• 0e44768 lint: use standard style in the README
• 14952be build: [email protected]

See the full diff

Package name: errorhandler

The new version differs by 85 commits.

• c41e9aa 1.4.3
• ffce329 build: [email protected]
• 90a8777 build: [email protected]
• 38b745b deps: accepts@~1.3.0
• 80aea51 deps: escape-html@~1.0.3
• b0be93a docs: fix typo in readme
• 2f688d0 build: support Node.js 5.x
• 1238ed4 build: [email protected]
• fdeb13c build: [email protected]
• cc6fd1f build: support Node.js 4.x
• 3a2117a build: support io.js 3.x
• 75b9ee1 build: reduce runtime versions to one per major
• 6797752 tests: add test for util.inspect in HTML response
• b6e53d7 docs: add more documentation regarding util.inspect
• 88b9a58 deps: accepts@~1.2.13
• ac75d3f build: [email protected]
• 5ee62b7 deps: [email protected]
• 1e89ae7 build: [email protected]
• ef1e8f1 build: [email protected]
• a7a6dce 1.4.2
• 692e2e7 deps: accepts@~1.2.12
• 6f2e8d2 build: [email protected]
• 564c117 build: fix running Node.js 0.8 tests on Travis CI
• 2dfd872 1.4.1

See the full diff

Package name: express

The new version differs by 250 commits.

• ea3d605 4.15.5
• 40435ec deps: [email protected]
• 7137bf5 deps: [email protected]
• bd1672f deps: finalhandler@~1.0.6
• 9395db4 deps: [email protected]
• 19a2eeb tests: check render error without engine-specific message
• d7da225 build: [email protected]
• 961dbff deps: [email protected]
• 9e0fa7f deps: [email protected]
• 9e067ad deps: [email protected]
• de5fb62 deps: update example dependencies
• b208b24 build: [email protected]
• 78e5510 build: [email protected]
• 48817a7 build: remove minor pin for nightly
• a4bd437 4.15.4
• a50f109 deps: [email protected]
• e2d725e deps: [email protected]
• e006622 lint: remove all unused varaibles
• 44881fa docs: update collaborator guide for lint script
• 1dbaae5 deps: update example dependencies
• 56e90e3 lint: add eslint rules that cover editorconfig
• 713d2ae tests: fix incorrect should usage
• e0aa8bf build: [email protected]
• 85770a7 deps: finalhandler@~1.0.4

See the full diff

Package name: express-fileupload

The new version differs by 250 commits.

• 9f22db7 version bump
• 9fca550 Merge pull request [Snyk Update] New fixes for 2 vulnerable dependency paths snyk-labs/nodejs-goof#240 from AmazingMech2418/patch-1
• 1530cf5 Make Travis happy
• e43bfcf Fix typo
• 8bf7427 Update processNested.js
• fd40389 version bump
• 94c9cf9 prototype pollution fix [Snyk] Upgrade body-parser from 1.9.0 to 1.19.0 #2
• 829f395 version bump
• db49535 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#237 from richardgirges/fix-236-proto-pollution
• d81bee9 Upgrade latest packages; run npm audit fix; add logic to prevent prototype pollution in parseNested
• e9848fc Update package-lock.json
• d536cfb Update package.json
• c7a6b9c Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#233 from RomanBurunkov/master
• a53b93f Update tests to support empty files
• d8c00c5 Add empty files support for tempFileHandler
• b24233d Comment extra condition in fileFactory(issue [Snyk] Upgrade typeorm from 0.2.24 to 0.2.37 #1), add more logging
• d57ee02 Formatting utilities
• b6097df Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#232 from RomanBurunkov/master
• 05004b7 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#230 from Code42Cate/readme-timeout
• 1afa527 Update dependencies
• 880c2b7 Improve timeout option documentation
• 3f130b0 Add timeout option to README.MD
• d55fa83 Merge pull request [Snyk Update] New fixes for 2 vulnerable dependency paths snyk-labs/nodejs-goof#222 from wbt/patch-1
• d61f02f Fix some small typos

See the full diff

Package name: hbs

The new version differs by 107 commits.

• 00764e0 v4.1.2
• 8dcac86 tests: add test for layout that does not exist
• 1046191 test: add test for layout using async helper
• 9c6ee6f test: add test for async helper with layout
• b109867 lint: fix redeclared variable
• 7920ac6 build: [email protected]
• 5623682 deps: [email protected]
• 81ee48a build: [email protected]
• c90ac58 build: [email protected]
• 5179777 build: [email protected]
• 4c73a69 build: [email protected]
• 0826373 build: [email protected]
• 711c4fa build: [email protected]
• a48b2bf build: [email protected]
• c9ba0a3 build: [email protected]
• dfc44e3 build: [email protected]
• f3f5697 build: [email protected]
• b2a461b build: [email protected]
• 3852e7c build: [email protected]
• 67c942d build: [email protected]
• 14c84ff build: [email protected]
• 1fcbd8b build: [email protected]
• 20afe45 build: [email protected]
• bd96ad1 build: [email protected]

See the full diff

Package name: marked

The new version differs by 250 commits.

• 98c9d14 Update home page
• 5d5fa04 0.3.18
• f886f40 Merge pull request fix: package.json, package-lock.json & .snyk to reduce vulnerabilities snyk-labs/nodejs-goof#1147 from 8fold/update-badges
• 044683b Remove Authors ~Head
• cceac77 Merge remote-tracking branch 'upstream/master' into update-badges
• 265d6c1 pre-commit
• 341d128 Merge branch 'master' into update-badges
• eef9de4 Add /docs directory for GitHub Pages (fix: package.json & package-lock.json to reduce vulnerabilities snyk-labs/nodejs-goof#1138)
• 682b9c6 grammar
• e3489ca Add marked mark maker badge
• 03d0ed0 [editorconfig]: All md files except in test use tab (Iactest snyk-labs/nodejs-goof#1111)
• c22be25 Create CNAME for marked.js.org
• 35214c5 Add initial docs with logo
• 3e681a6 Move most of README.md to /docs/README.md
• 94b8b3e Move existing docs to /docs dir
• 2509660 Rename doc to docs
• d4e7bb4 Code of conduct ([Snyk] Security upgrade node from 14.1.0 to 14.18.0 snyk-labs/nodejs-goof#1094)
• 214468b Merge pull request [Snyk-dev] Security upgrade node from 14.1.0 to 14.17.6 snyk-labs/nodejs-goof#1121 from UziTech/jasmine
• ad0585d Merge pull request Deployment file creation snyk-labs/nodejs-goof#1122 from alextrastero/patch-1
• e3a988c Fix usage links in README
• ecbf4b0 Minor docs update for easier maintenance (Update the CodeQL Workflow snyk-labs/nodejs-goof#1116)
• 5768180 travis build stages ([Snyk-dev] Security upgrade node from 14.1.0 to 14.18.1 snyk-labs/nodejs-goof#1113)
• 9c6c13f fix tests
• 79325aa add tests

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• f8d2721 chore: release 5.12.3
• 58cad73 fix(connection): use queueing instead of event emitter for `createCollection()` and other helpers to avoid event emitter warning
• 5382408 fix(index.d.ts): add `transform` to PopulateOptions interface
• dca1d70 Merge branch 'master' of github.com:Automattic/mongoose
• 2648088 fix(index.d.ts): add DocumentQuery type for backwards compatibility
• 966770f Merge pull request #10063 from Automattic/gh-10044
• 9e4a083 style: fix lint
• f3cd3a8 chore: use variable instead of function
• f24953c fix(query): add `writeConcern()` method to avoid writeConcern deprecation warning
• 7d2e9c9 chore: upgrade mquery -> 3.2.5 re: Security Fix for Prototype Pollution - huntr.dev mongoosejs/mquery#121
• d1a9a1e made requested changes
• cf1b666 Merge pull request #10078 from pezzu/master
• 2aef528 Merge pull request #10062 from Automattic/gh-10025
• 452c77c Fixes #10072
• c9bfb30 Update model.indexes.test.js
• 6f0133a removed comments
• 9e98cd8 Merge pull request #10055 from emrebass/patch-1
• 1c20044 Merge pull request #10054 from coro101/add-discriminator-type
• 4e74ea7 TIL that includes() is also not supported in all browsers
• f231d7b should work and is designed to handle multiple text fields
• c4897f9 TIL Object.values in not supported on all browsers
• 391ecec collation not added to text indexes
• 7a93c16 linter fix
• 6deb668 fix: connection ids are now scoped

See the full diff

Package name: tap

The new version differs by 250 commits.

• bc49fb7 15.0.0
• 4378608 remove publishConfig beta tag
• 2c2e75f provide mkdirRecursive polyfill for old node versions
• 8f4c855 correctly specify 10.0.x versions
• 5e61672 update deps
• c44c418 Support 10.0 and test in CI
• dc5c841 [email protected]
• 385b6d2 Add .taprc.yml/yaml handling to change log
• 4f87466 just run regular test script as snap script
• 315a921 delete FORCE_COLOR/NO_COLOR rather than setting to '0'
• 564e96f Add detection for .yaml and .yml
• 75bae93 update cli doc
• c1289bf 15.0.0-3
• d6fe32f Do not CI on node 10
• d2e0428 do not use equals() alias in self-test
• 3f787c4 tell npm to be colorful in CI
• 1512818 run tests with color on github actions
• 4626fa1 Docs: update documentation for tap v15
• 02d536b [email protected]
• f7c7c58 update cli doc
• 2aa497c 15.0.0-2
• 8d7f62e Add support for overriding libtap's internal settings
• 29eed63 new snapshot folder layout
• 3a28d4d update libtap git ref to isaacs/tap-v15-prep branch

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal
🦉 Prototype Pollution
🦉 Code Injection
🦉 More lessons are available in Snyk Learn