[Snyk] Fix for 11 vulnerabilities

[adisnyk]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	584/1000 Why? Has a fix available, CVSS 7.4	Directory Traversal SNYK-JS-ADMZIP-1065796	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-EXPRESSFILEUPLOAD-473997	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-EXPRESSFILEUPLOAD-595969	Yes	Proof of Concept
	741/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.4	DLL Injection SNYK-JS-KERBEROS-568900	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-MONGODB-473855	Yes	No Known Exploit
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept
	899/1000 Why? Mature exploit, Has a fix available, CVSS 9.4	Arbitrary File Write via Archive Extraction (Zip Slip) npm:adm-zip:20180415	No	Mature
	469/1000 Why? Has a fix available, CVSS 5.1	Denial of Service (DoS) npm:mem:20180117	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: adm-zip

The new version differs by 134 commits.

• c5aeed4 Incremented version number
• 119dcad Fixed path traversal issue GHSL-2020-198
• 1d22ff6 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#341 from 5saviahv/history
• 492d148 added changelog
• dd415ae Incremented version
• 0f011a3 Fixed outFileName
• bc19fee Added extra parameter to extractEntryTo so target filename can be renamed
• 92e9836 Updated dev dependency
• 2b8d9ab Merge pull request [Snyk-dev Update] New fixes for 54 vulnerable dependency paths snyk-labs/nodejs-goof#315 from enecciari/work_in_browser
• 4fe58d1 Merge pull request [Snyk-dev Update] New fixes for 14 vulnerable dependency paths snyk-labs/nodejs-goof#322 from cthackers/dependabot/npm_and_yarn/lodash-4.17.19
• 49218a4 Merge pull request [Snyk-dev Update] New fixes for 15 vulnerable dependency paths snyk-labs/nodejs-goof#327 from kosuke-suzuki/multibyte-comment
• a7e8932 Merge pull request [Snyk-dev] Fix for 65 vulnerable dependency paths snyk-labs/nodejs-goof#331 from 5saviahv/master
• 7db0eda modified addLocalFolder method
• e114929 typo
• dc81063 modified addLocalFile method
• bc0f594 Deflate needs min V2.0
• dde4f51 Node v6
• 003d4cf Added ZipCrypto decrypting ability
• 63ed6e2 Detect and throw error with encrypted files
• c64ac14 LICENSE filename in package.json
• 1a334b2 add multibyte-encoded comment with byte length instead of character length
• 96d492a Bump lodash from 4.17.15 to 4.17.19
• b77f380 now it works in browser
• 218feee Merge remote-tracking branch 'upstream/master'

See the full diff

Package name: cfenv

The new version differs by 3 commits.

• fb0a2aa update dependencies, now at version 1.2.4
• 63e072a version 1.2.3
• 02bb92d Issue 45 Remove '.cfignore'

See the full diff

Package name: errorhandler

The new version differs by 85 commits.

• c41e9aa 1.4.3
• ffce329 build: [email protected]
• 90a8777 build: [email protected]
• 38b745b deps: accepts@~1.3.0
• 80aea51 deps: escape-html@~1.0.3
• b0be93a docs: fix typo in readme
• 2f688d0 build: support Node.js 5.x
• 1238ed4 build: [email protected]
• fdeb13c build: [email protected]
• cc6fd1f build: support Node.js 4.x
• 3a2117a build: support io.js 3.x
• 75b9ee1 build: reduce runtime versions to one per major
• 6797752 tests: add test for util.inspect in HTML response
• b6e53d7 docs: add more documentation regarding util.inspect
• 88b9a58 deps: accepts@~1.2.13
• ac75d3f build: [email protected]
• 5ee62b7 deps: [email protected]
• 1e89ae7 build: [email protected]
• ef1e8f1 build: [email protected]
• a7a6dce 1.4.2
• 692e2e7 deps: accepts@~1.2.12
• 6f2e8d2 build: [email protected]
• 564c117 build: fix running Node.js 0.8 tests on Travis CI
• 2dfd872 1.4.1

See the full diff

Package name: express

The new version differs by 151 commits.

• 9375a9a 4.14.0
• 14cf9c5 deps: update example dependencies
• 605983f build: [email protected]
• e06766c deps: [email protected]
• 76eaa32 Encode URL in res.location/res.redirect if not already encoded
• c12cc88 build: support Node.js 6.x
• 23c22ce build: support Node.js 5.x
• 791cabf deps: serve-static@~1.11.1
• fc40702 deps: [email protected]
• c762b16 Improve error with invalid arguments to req.get()
• 5d642af Add "options" argument to req.range
• 7fcf1d7 docs: update the req.range jsdoc comment
• 7ee41cc deps: range-parser@~1.2.0
• 8ddab69 build: [email protected]
• d038689 build: [email protected]
• c9531ac build: [email protected]
• 98224d2 build: [email protected]
• 2e1284b Fix Windows absolute path check using forward slashes
• 999546d deps: [email protected]
• cc25a04 deps: type-is@~1.6.13
• f90f9dd Improve performance for res.json/res.jsonp in most cases
• b69b760 perf: use strict equality when possible
• c6039af deps: proxy-addr@~1.1.2
• bdf604a deps: [email protected]

See the full diff

Package name: express-fileupload

The new version differs by 250 commits.

• 9f22db7 version bump
• 9fca550 Merge pull request [Snyk Update] New fixes for 2 vulnerable dependency paths snyk-labs/nodejs-goof#240 from AmazingMech2418/patch-1
• 1530cf5 Make Travis happy
• e43bfcf Fix typo
• 8bf7427 Update processNested.js
• fd40389 version bump
• 94c9cf9 prototype pollution fix [Snyk] Security upgrade typeorm from 0.2.24 to 0.3.0 #2
• 829f395 version bump
• db49535 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#237 from richardgirges/fix-236-proto-pollution
• d81bee9 Upgrade latest packages; run npm audit fix; add logic to prevent prototype pollution in parseNested
• e9848fc Update package-lock.json
• d536cfb Update package.json
• c7a6b9c Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#233 from RomanBurunkov/master
• a53b93f Update tests to support empty files
• d8c00c5 Add empty files support for tempFileHandler
• b24233d Comment extra condition in fileFactory(issue [Snyk] Fix for 11 vulnerabilities #1), add more logging
• d57ee02 Formatting utilities
• b6097df Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#232 from RomanBurunkov/master
• 05004b7 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#230 from Code42Cate/readme-timeout
• 1afa527 Update dependencies
• 880c2b7 Improve timeout option documentation
• 3f130b0 Add timeout option to README.MD
• d55fa83 Merge pull request [Snyk Update] New fixes for 2 vulnerable dependency paths snyk-labs/nodejs-goof#222 from wbt/patch-1
• d61f02f Fix some small typos

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• 87f691e chore: release 5.4.10
• 09dd3cf docs(jest): improve docs about fake timers
• e778e0b chore: upgrade to mongodb driver 3.1.13
• 42aa401 refactor: be slightly more defensive about setting document arrays
• e5948b8 fix(document): copy atomics when setting document array to an existing document array
• a4e33dd test(document): repro #7472
• 704a5a4 docs: remove confusing references to executing a query immediately
• bc95a22 docs(guides+schematypes): link to custom schematypes docs
• ad71535 style: fix lint
• bc5d96a Merge branch 'gh6706'
• ab208b1 docs: hook up navbar search
• 3fc3e2b docs: add basic search page re: #6706
• a7ccba7 chore: add domainwheel.com as a sponsor
• 91755fa Merge branch 'master' into gh6706
• 3150958 docs(api): dont display type if method or function
• bfb3a9a style: fix lint
• 899ccdd Merge pull request #7478 from chrischen/master
• ef2ab11 chore(Makefile): remove unused rule
• bb1e8b4 chore: now working on 5.4.10
• 6032685 Added dot sytnax support for alias queries.
• 316936f chore: release 5.4.9
• 1bfdafd Merge pull request #7474 from arniu/fix-doc
• f67e30c docs: add Marcus Hiles and monovm as sponsors
• f08a4bd docs(documents): improve explanation of documents and use more modern syntax

See the full diff

Package name: tap

The new version differs by 110 commits.

• fa3f6e2 12.6.2
• b8be134 new computer, phantom png changes
• 3833522 update js-yaml and nyc for vuln advisories
• 1871736 12.6.1
• 066f159 updates for npm audit --fix
• ad3bed4 Passes `-r ts-node/register` argument to node
• 4645ecf Fix font-family typo
• 63ff608 12.6.0
• 040f61f Add --no-esm flag to disable '-r esm' behavior
• e2c0c1d update tap-mocha-reporter
• a73e95b update esm, and audit fix
• 2233376 12.5.3
• b45105f [email protected]
• 611ced8 12.5.2
• 99a989c update write-file-atomic
• e255dd9 update ts-node and typescript
• b674382 [email protected]
• 555ecd4 including esm.js in stack traces is almost never helpful
• ccf2b44 Don't emit end while waiting for pipes to clear
• d3bf1f7 less impact
• 7fbf13f try something else
• b97f460 fix: allow for pipes to drain
• 740e695 [email protected]
• d03f383 12.5.1

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal
🦉 Arbitrary Code Injection