[Snyk] Fix for 11 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ACORN-559469	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-EXPRESSFILEUPLOAD-595969	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-JQUERY-565129	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-JQUERY-567880	Yes	Proof of Concept
	715/1000 Why? Has a fix available, CVSS 9.8	DLL Injection SNYK-JS-KERBEROS-568900	No	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-LODASH-590103	No	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	520/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS ) SNYK-JS-MARKED-584281	Yes	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @snyk/nodejs-runtime-agent

The new version differs by 28 commits.

• ade9436 Merge pull request [Snyk Update] New fixes for 6 vulnerable dependency paths snyk-labs/nodejs-goof#111 from snyk/snyk-fix-93368b07b9de27f1dbf0560f8ba14c21
• 4b5269a test: update test fixture to match [email protected]
• 919477e fix: package.json & package-lock.json to reduce vulnerabilities
• a502cbb Merge pull request [Snyk Update] New fixes for 7 vulnerable dependency paths snyk-labs/nodejs-goof#107 from snyk/docs/readme
• dde1526 docs: describe supported Node versions on our README.md
• 83fe936 Merge pull request [Snyk] Security upgrade tap from 5.8.0 to 18.0.0 #103 from snyk/chore/codeowners
• 4b0109f chore: codeowners
• 435f878 Merge pull request [Snyk] Fix for 2 vulnerabilities #99 from snyk/chore/bumps
• 8ef98c8 test: limit concurrency to 1
• c53384a chore: upgrade tap; js-yaml is no longer
• 50a0844 chore: bump semver
• 391a2c5 chore: low-risk bumps
• 800766c chore: run tests on random port
• 3d90fb9 test: try and close the demo server cleanly
• 4b9407e Merge pull request [Snyk] Fix for 1 vulnerabilities #95 from snyk/snyk-upgrade-a55862565132729ebb483a4754f7857d
• cb5af6b chore: upgrade needle from 2.2.1 to 2.4.0
• b8fde78 Merge pull request [Snyk] Fix for 4 vulnerabilities #94 from snyk/feat/lazy-class
• f58306c feat: allow lazy || wrapper classes
• 626c3b7 Merge pull request [Snyk] Security upgrade express from 4.12.4 to 4.21.2 #91 from snyk/chore/bump-travis
• eee4a01 Merge pull request [Snyk] Security upgrade mongoose from 4.2.4 to 6.13.6 #92 from snyk/chore/update_func_snapshot
• 5c6e90c fix: de/normalise all file separators in a string
• 8129211 chore: update repo functions snapshot
• 5d8f892 chore: removing unused clone_depth from appveyor.yaml
• d577eac chore: bump travis to xenial

See the full diff

Package name: express-fileupload

The new version differs by 250 commits.

• 9f22db7 version bump
• 9fca550 Merge pull request [Snyk Update] New fixes for 2 vulnerable dependency paths snyk-labs/nodejs-goof#240 from AmazingMech2418/patch-1
• 1530cf5 Make Travis happy
• e43bfcf Fix typo
• 8bf7427 Update processNested.js
• fd40389 version bump
• 94c9cf9 prototype pollution fix [Snyk-local] Fix for 45 vulnerabilities #2
• 829f395 version bump
• db49535 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#237 from richardgirges/fix-236-proto-pollution
• d81bee9 Upgrade latest packages; run npm audit fix; add logic to prevent prototype pollution in parseNested
• e9848fc Update package-lock.json
• d536cfb Update package.json
• c7a6b9c Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#233 from RomanBurunkov/master
• a53b93f Update tests to support empty files
• d8c00c5 Add empty files support for tempFileHandler
• b24233d Comment extra condition in fileFactory(issue [Snyk-local] Fix for 44 vulnerabilities #1), add more logging
• d57ee02 Formatting utilities
• b6097df Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#232 from RomanBurunkov/master
• 05004b7 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#230 from Code42Cate/readme-timeout
• 1afa527 Update dependencies
• 880c2b7 Improve timeout option documentation
• 3f130b0 Add timeout option to README.MD
• d55fa83 Merge pull request [Snyk Update] New fixes for 2 vulnerable dependency paths snyk-labs/nodejs-goof#222 from wbt/patch-1
• d61f02f Fix some small typos

See the full diff

Package name: marked

The new version differs by 250 commits.

• 1ad8e69 Merge pull request #1731 from UziTech/release-1.1.1
• 7e17526 1.1.1
• 7fbee6e Merge pull request #1730 from UziTech/update-deps
• 6f7522f Merge pull request #1729 from UziTech/quick-ref
• f8024eb remove ending slash
• 524ae66 remove ending slash
• 0d6e056 build
• 04ac593 update dev deps
• f36f676 🗜️ build [skip ci]
• dddf9ae Merge pull request #1686 from calculuschild/EmphasisFixes
• 6b729ed Merge branch 'EmphasisFixes' of https://github.com/calculuschild/marked into EmphasisFixes
• e27e6f9 Sorted strong and em into sub-objects
• a761316 Merge pull request #1726 from UziTech/show-rules
• f8193ed add npm run rules
• ad720c1 Make emEnd const
• 1fb141d Make strEnd const
• 226bbe7 Lint
• cc778ad Removed redundancy in "startEM" check
• 211b9f9 Removed Lookbehinds
• 982b57e Merge pull request #1720 from vassudanagunta/docs-patch-1
• 2a847e6 clarify level of support for Markdown flavors
• bd4f8c4 Fix unrestricted "any character" for REDOS
• 4e7902e Gaaaah lint
• 4db32dc Links are masked only once per inline string

See the full diff

Package name: mongoose

The new version differs by 35 commits.

• de88912 release 4.2.5
• fae7c94 fix; correctly handle changes in update hook (Fix #3549)
• 5e58d83 repro; #3549
• 68e394d fix; dont flatten empty arrays in updateValidators (Fix #3554)
• f0b0f61 repro; #3554
• 73de49c fix; proper support for .update(doc) (Fix #3221)
• b5329a1 repro; #3221
• 932cdbe upgrade; node driver -> 2.0.48 (re: #3544)
• 6ff39ef fix; unhandled rejection using Query.then() (Fix #3543)
• 8cccafb Merge pull request #3548 from ChristianMurphy/node-5
• 2ff09cc Merge pull request #3547 from ChristianMurphy/eslint-update
• 6d0df2f Test against Node 4 LTS and Node 5 Stable
• fc3f645 update ESLint and add a lint script to the package.json
• aac346a Update README examples to comma last style
• 352d80d fix; ability to use mongos for standalones (Fix #3537)
• 043c958 repro; #3537
• 4023f12 docs; fix bad connection string example
• a55fba7 fix; allow undefined for min/max validators (Fix #3539)
• cfc3194 repro; #3539
• a2a3b8b fix; issue with fix for #3535
• 171e694 docs; deep populate docs (Fix #3528)
• 0922d78 fix; call toObject() when setting single embedded schema to doc (Fix #3535)
• ce11be0 repro; #3535
• b3472ac fix; apply methods to single embedded schemas (Fix #3534)

See the full diff

Package name: tap

The new version differs by 250 commits.

• fa3f6e2 12.6.2
• b8be134 new computer, phantom png changes
• 3833522 update js-yaml and nyc for vuln advisories
• 1871736 12.6.1
• 066f159 updates for npm audit --fix
• ad3bed4 Passes `-r ts-node/register` argument to node
• 4645ecf Fix font-family typo
• 63ff608 12.6.0
• 040f61f Add --no-esm flag to disable '-r esm' behavior
• e2c0c1d update tap-mocha-reporter
• a73e95b update esm, and audit fix
• 2233376 12.5.3
• b45105f [email protected]
• 611ced8 12.5.2
• 99a989c update write-file-atomic
• e255dd9 update ts-node and typescript
• b674382 [email protected]
• 555ecd4 including esm.js in stack traces is almost never helpful
• ccf2b44 Don't emit end while waiting for pipes to clear
• d3bf1f7 less impact
• 7fbf13f try something else
• b97f460 fix: allow for pipes to drain
• 740e695 [email protected]
• d03f383 12.5.1

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic