Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade: argon2, async, bluebird, body-parser, bunyan, cookie-parser, docdash, ejs, express, express-rate-limit, express-session, external-ip, formidable, geoip-lite, jimp, jsdoc, json2csv, mcc-mnc-list, moment, moment-timezone, mongodb, nginx-conf, nodemailer, properties-parser, puppeteer, request, underscore #112

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

srom23
Copy link
Owner

@srom23 srom23 commented Sep 16, 2024

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name Versions Released on

argon2
from 0.24.0 to 0.41.0 | 31 versions ahead of your current version | 21 days ago
on 2024-08-25
async
from 2.6.3 to 2.6.4 | 1 version ahead of your current version | 2 years ago
on 2022-04-13
bluebird
from 3.5.5 to 3.7.2 | 4 versions ahead of your current version | 5 years ago
on 2019-11-28
body-parser
from 1.19.0 to 1.20.2 | 5 versions ahead of your current version | 2 years ago
on 2023-02-22
bunyan
from 1.8.12 to 1.8.15 | 3 versions ahead of your current version | 4 years ago
on 2021-01-08
cookie-parser
from 1.4.4 to 1.4.6 | 2 versions ahead of your current version | 3 years ago
on 2021-11-16
docdash
from 1.1.1 to 1.2.0 | 1 version ahead of your current version | 5 years ago
on 2020-01-26
ejs
from 2.6.2 to 2.7.4 | 4 versions ahead of your current version | 5 years ago
on 2019-11-19
express
from 4.16.4 to 4.19.2 | 11 versions ahead of your current version | 6 months ago
on 2024-03-25
express-rate-limit
from 5.0.0 to 5.5.1 | 12 versions ahead of your current version | 3 years ago
on 2021-11-06
express-session
from 1.16.2 to 1.18.0 | 5 versions ahead of your current version | 8 months ago
on 2024-01-28
external-ip
from 2.1.1 to 2.3.1 | 1 version ahead of your current version | 4 years ago
on 2020-04-26
formidable
from 1.2.1 to 1.2.6 | 5 versions ahead of your current version | 3 years ago
on 2021-10-30
geoip-lite
from 1.3.7 to 1.4.10 | 12 versions ahead of your current version | 7 months ago
on 2024-02-15
jimp
from 0.6.4 to 0.22.12 | 203 versions ahead of your current version | 7 months ago
on 2024-02-23
jsdoc
from 3.6.3 to 3.6.11 | 8 versions ahead of your current version | 2 years ago
on 2022-07-20
json2csv
from 4.5.2 to 4.5.4 | 2 versions ahead of your current version | 5 years ago
on 2019-10-09
mcc-mnc-list
from 1.0.82 to 1.1.11 | 11 versions ahead of your current version | a year ago
on 2023-04-04
moment
from 2.24.0 to 2.30.1 | 14 versions ahead of your current version | 9 months ago
on 2023-12-27
moment-timezone
from 0.5.26 to 0.5.45 | 19 versions ahead of your current version | 7 months ago
on 2024-02-04
mongodb
from 3.2.7 to 3.7.4 | 42 versions ahead of your current version | a year ago
on 2023-06-21
nginx-conf
from 1.5.0 to 1.7.0 | 2 versions ahead of your current version | 4 years ago
on 2020-12-27
nodemailer
from 6.3.0 to 6.9.14 | 51 versions ahead of your current version | 3 months ago
on 2024-06-19
properties-parser
from 0.3.1 to 0.6.0 | 4 versions ahead of your current version | a year ago
on 2023-05-26
puppeteer
from 1.19.0 to 1.20.0 | 1 version ahead of your current version | 5 years ago
on 2019-09-13
request
from 2.88.0 to 2.88.2 | 1 version ahead of your current version | 5 years ago
on 2020-02-11
underscore
from 1.9.1 to 1.13.7 | 19 versions ahead of your current version | 2 months ago
on 2024-07-24

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Directory Traversal
SNYK-JS-MOMENT-2440688
506 No Known Exploit
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MOMENT-2944238
506 Proof of Concept
high severity Command Injection
SNYK-JS-NODEMAILER-1038834
506 Proof of Concept
high severity Prototype Poisoning
SNYK-JS-QS-3153490
506 Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-JPEGJS-2859218
506 Proof of Concept
high severity Prototype Pollution
SNYK-JS-ASYNC-2441827
506 Proof of Concept
high severity Prototype Poisoning
SNYK-JS-QS-3153490
506 Proof of Concept
medium severity Prototype Pollution
SNYK-JS-MINIMIST-559764
506 Proof of Concept
medium severity HTTP Header Injection
SNYK-JS-NODEMAILER-1296415
506 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-NODEMAILER-6219989
506 Proof of Concept
medium severity Exposure of Sensitive Information to an Unauthorized Actor
SNYK-JS-PHIN-6598077
506 No Known Exploit
medium severity Denial of Service (DoS)
SNYK-JS-JPEGJS-570039
506 No Known Exploit
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKDOWNIT-2331914
506 No Known Exploit
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKDOWNIT-459438
506 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-2342073
506 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-2342082
506 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-584281
506 No Known Exploit
medium severity Remote Code Execution (RCE)
SNYK-JS-BUNYAN-573166
506 No Known Exploit
medium severity Open Redirect
SNYK-JS-EXPRESS-6474509
506 No Known Exploit
low severity Prototype Pollution
SNYK-JS-MINIMIST-2429795
506 Proof of Concept
Release notes
Package name: argon2
  • 0.41.0 - 2024-08-25

    What's Changed

    New Contributors

    Full Changelog: v0.40.2...v0.41.0

  • 0.40.3 - 2024-05-25
  • 0.40.2 - 2024-05-25

    Fix issue with publishing tags starting with v

  • 0.40.1 - 2024-02-22
  • 0.40.0-alpha.3 - 2024-01-10
  • 0.40.0-alpha.2 - 2023-12-30
  • 0.40.0-alpha.1 - 2023-12-20
  • 0.31.2 - 2023-11-04

    Note: this is the last version that will support Node 16 since it's support has ended on 2023-09-11. Please upgrade to 18 or preferably 20 as soon as possible.

    What's Changed

    New Contributors

    Full Changelog: v0.31.1...v0.31.2

  • 0.31.1 - 2023-09-01

    Maintenance release intended to fix missing prebuilts due to failure when building v0.31.0

    Note: v0.31.x will be the last version supporting Node v16. Please update to Node v18 or newer.

    Full Changelog: v0.31.0...v0.31.1

  • 0.31.0 - 2023-08-02

    What's Changed

    Please update to v0.31.0 as soon as possible.

    New Contributors

    Full Changelog: v0.30.3...v0.31.0

  • 0.30.3 - 2023-01-05

    What's Changed

    • Change binding resolution to mitigate "Module parse failed" errors by @ Voltra in #366

    New Contributors

    Full Changelog: v0.30.2...v0.30.3

  • 0.30.2 - 2022-11-08

    Fixes #362

  • 0.30.1 - 2022-10-13

    Defaults have been updated to use RFC recommended values, see #360

  • 0.29.1 - 2022-08-23

    Added builds for FreeBSD, closes #320 and hopefully fixes coder/code-server#4669 coder/code-server#4670

  • 0.29.0 - 2022-08-22
  • 0.28.7 - 2022-07-03
  • 0.28.5 - 2022-03-01
  • 0.28.4 - 2022-02-02
  • 0.28.3 - 2021-11-25
  • 0.28.2 - 2021-06-08
  • 0.28.1 - 2021-06-02
  • 0.28.0 - 2021-06-02
  • 0.27.2 - 2021-03-31
  • 0.27.1 - 2020-12-11
  • 0.27.0 - 2020-08-13
  • 0.26.2 - 2020-04-08
  • 0.26.1 - 2020-02-28
  • 0.26.0 - 2020-02-11
  • 0.25.1 - 2019-11-04
  • 0.25.0 - 2019-10-01
  • 0.24.1 - 2019-08-27
  • 0.24.0 - 2019-06-18
from argon2 GitHub release notes
Package name: async from async GitHub release notes
Package name: bluebird from bluebird GitHub release notes
Package name: body-parser
  • 1.20.2 - 2023-02-22
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
      • perf: skip value escaping when unnecessary
    • deps: raw-body@2.5.2
  • 1.20.1 - 2022-10-06
    • deps: qs@6.11.0
    • perf: remove unnecessary object clone
  • 1.20.0 - 2022-04-03
    • Fix error message for json parse whitespace in strict
    • Fix internal error when inflated body exceeds limit
    • Prevent loss of async hooks context
    • Prevent hanging when request already read
    • deps: depd@2.0.0
      • Replace internal eval usage with Function constructor
      • Use instance methods on process to check for listeners
    • deps: http-errors@2.0.0
      • deps: depd@2.0.0
      • deps: statuses@2.0.1
    • deps: on-finished@2.4.1
    • deps: qs@6.10.3
    • deps: raw-body@2.5.1
      • deps: http-errors@2.0.0
  • 1.19.2 - 2022-02-16
    • deps: bytes@3.1.2
    • deps: qs@6.9.7
      • Fix handling of __proto__ keys
    • deps: raw-body@2.4.3
      • deps: bytes@3.1.2
  • 1.19.1 - 2021-12-10
    • deps: bytes@3.1.1
    • deps: http-errors@1.8.1
      • deps: inherits@2.0.4
      • deps: toidentifier@1.0.1
      • deps: setprototypeof@1.2.0
    • deps: qs@6.9.6
    • deps: raw-body@2.4.2
      • deps: bytes@3.1.1
      • deps: http-errors@1.8.1
    • deps: safe-buffer@5.2.1
    • deps: type-is@~1.6.18
  • 1.19.0 - 2019-04-26
    • deps: bytes@3.1.0
      • Add petabyte (pb) support
    • deps: http-errors@1.7.2
      • Set constructor name when possible
      • deps: setprototypeof@1.1.1
      • deps: statuses@'>= 1.5.0 < 2'
    • deps: iconv-lite@0.4.24
      • Added encoding MIK
    • deps: qs@6.7.0
      • Fix parsing array brackets after index
    • deps: raw-body@2.4.0
      • deps: bytes@3.1.0
      • deps: http-errors@1.7.2
      • deps: iconv-lite@0.4.24
    • deps: type-is@~1.6.17
      • deps: mime-types@~2.1.24
      • perf: prevent internal throw on invalid type
from body-parser GitHub release notes
Package name: bunyan from bunyan GitHub release notes
Package name: cookie-parser from cookie-parser GitHub release notes
Package name: docdash
  • 1.2.0 - 2020-01-26
    • [feature] host fonts locally
    • [feature] separate styles for headers inside user markdown
    • [feature] hide static/private method depending of the config
    • [fix] fix empty source code lines in some browsers
    • [fix] improved viewing theme on smaller screens
  • 1.1.1 - 2019-05-21
    • [feature] scroll to currently opened method on page load
    • [fix] fixed searching in IE11
    • [fix] hiding/showing find exact match to open only single relevant section
from docdash GitHub release notes
Package name: ejs
  • 2.7.4 - 2019-11-19

    Bug fixes

    • Fixed Node 4 support, which broke in v2.7.3 (5e42d6c, @ mde)
  • 2.7.3 - 2019-11-19

    Bug fixes

  • 2.7.2 - 2019-11-13

    Features

    • Added support for destructuring locals (#452, @ ExE-Boss)
    • Added support for disabling legacy include directives (#458, #459, @ ExE-Boss)
    • Compiled functions are now shown in the debugger (#456, @ S2-)
    • function.name is now set to the file base name in environments that support this (#466, @ ExE-Boss)

    Bug Fixes

    • The error message when async != true now correctly mention the existence of the async option (#460, @ ExE-Boss)
    • Improved performance of HTML output generation (#470, @ nwoltman)
  • 2.7.1 - 2019-09-02

    Deprecated:

    • Added deprecation notice for use of require.extensions (@ mde)
  • 2.6.2 - 2019-06-15
    • Examples for client-side EJS compiled with Express middleware (@ mjgs)
    • Make Template constructor public (@ ThisNameWasTaken)
    • Added remove function to cache (@ S2-)
    • Recognize both 'Nix and Windows absolute paths (@ mde)
from ejs GitHub release notes
Package name: express

Snyk has created this PR to upgrade:
  - argon2 from 0.24.0 to 0.41.0.
    See this package in npm: https://www.npmjs.com/package/argon2
  - async from 2.6.3 to 2.6.4.
    See this package in npm: https://www.npmjs.com/package/async
  - bluebird from 3.5.5 to 3.7.2.
    See this package in npm: https://www.npmjs.com/package/bluebird
  - body-parser from 1.19.0 to 1.20.2.
    See this package in npm: https://www.npmjs.com/package/body-parser
  - bunyan from 1.8.12 to 1.8.15.
    See this package in npm: https://www.npmjs.com/package/bunyan
  - cookie-parser from 1.4.4 to 1.4.6.
    See this package in npm: https://www.npmjs.com/package/cookie-parser
  - docdash from 1.1.1 to 1.2.0.
    See this package in npm: https://www.npmjs.com/package/docdash
  - ejs from 2.6.2 to 2.7.4.
    See this package in npm: https://www.npmjs.com/package/ejs
  - express from 4.16.4 to 4.19.2.
    See this package in npm: https://www.npmjs.com/package/express
  - express-rate-limit from 5.0.0 to 5.5.1.
    See this package in npm: https://www.npmjs.com/package/express-rate-limit
  - express-session from 1.16.2 to 1.18.0.
    See this package in npm: https://www.npmjs.com/package/express-session
  - external-ip from 2.1.1 to 2.3.1.
    See this package in npm: https://www.npmjs.com/package/external-ip
  - formidable from 1.2.1 to 1.2.6.
    See this package in npm: https://www.npmjs.com/package/formidable
  - geoip-lite from 1.3.7 to 1.4.10.
    See this package in npm: https://www.npmjs.com/package/geoip-lite
  - jimp from 0.6.4 to 0.22.12.
    See this package in npm: https://www.npmjs.com/package/jimp
  - jsdoc from 3.6.3 to 3.6.11.
    See this package in npm: https://www.npmjs.com/package/jsdoc
  - json2csv from 4.5.2 to 4.5.4.
    See this package in npm: https://www.npmjs.com/package/json2csv
  - mcc-mnc-list from 1.0.82 to 1.1.11.
    See this package in npm: https://www.npmjs.com/package/mcc-mnc-list
  - moment from 2.24.0 to 2.30.1.
    See this package in npm: https://www.npmjs.com/package/moment
  - moment-timezone from 0.5.26 to 0.5.45.
    See this package in npm: https://www.npmjs.com/package/moment-timezone
  - mongodb from 3.2.7 to 3.7.4.
    See this package in npm: https://www.npmjs.com/package/mongodb
  - nginx-conf from 1.5.0 to 1.7.0.
    See this package in npm: https://www.npmjs.com/package/nginx-conf
  - nodemailer from 6.3.0 to 6.9.14.
    See this package in npm: https://www.npmjs.com/package/nodemailer
  - properties-parser from 0.3.1 to 0.6.0.
    See this package in npm: https://www.npmjs.com/package/properties-parser
  - puppeteer from 1.19.0 to 1.20.0.
    See this package in npm: https://www.npmjs.com/package/puppeteer
  - request from 2.88.0 to 2.88.2.
    See this package in npm: https://www.npmjs.com/package/request
  - underscore from 1.9.1 to 1.13.7.
    See this package in npm: https://www.npmjs.com/package/underscore

See this project in Snyk:
https://app.snyk.io/org/0sus0/project/68555b57-2a0e-4eb0-91f9-c90c1ebc544f?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
2 participants