[Snyk] Fix for 35 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	584/1000 Why? Has a fix available, CVSS 7.4	Authorization Bypass SNYK-JS-EXPRESSJWT-575022	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-LODASH-590103	No	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Hash Injection SNYK-JS-SEQUELIZE-174147	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	SQL Injection SNYK-JS-SEQUELIZE-450221	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	SQL Injection SNYK-JS-SEQUELIZE-450222	No	Proof of Concept
	550/1000 Why? Has a fix available, CVSS 6.5	Denial of Service (DoS) SNYK-JS-SEQUELIZE-543029	Yes	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-536840	Yes	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Arbitrary Code Injection SNYK-JS-SERIALIZEJAVASCRIPT-570062	Yes	Proof of Concept
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: body-parser

The new version differs by 40 commits.

• b2659a7 1.18.2
• 6339bf7 perf: remove argument reassignment
• d5f9a4a deps: debug@2.6.9
• d041563 1.18.1
• 9efa9ab deps: content-type@~1.0.4
• f1ef6cc deps: qs@6.5.1
• e438db5 deps: raw-body@2.3.2
• 15c3585 deps: iconv-lite@0.4.19
• adfa01c 1.18.0
• 0632e2f Include the "type" property on all generated errors
• b8f97cd Include the "body" property on verify errors
• c659e8a tests: add test for err.body on json parse error
• 4e15325 tests: reorganize json error tests
• 5bd7ed5 tests: reorganize json strict option tests
• 3cb380b tests: store server on mocha context instead of variable shadowing
• 29c8cd0 docs: document too many parameters error
• 7b9cb14 Use http-errors to set status code on errors
• 29a27f1 docs: fix typo in jsdoc comment
• 448dc57 Fix JSON strict violation error to match native parse error
• 87df7e6 tests: add leading whitespace strict json test
• 1841248 deps: raw-body@2.3.1
• e666dbe deps: http-errors@~1.6.2
• c2a110a deps: bytes@3.0.0
• a1a2e31 build: Node.js@8.4

See the full diff

Package name: express

The new version differs by 68 commits.

• f974d22 4.16.0
• 8d4ceb6 docs: add more information to installation
• c0136d8 Add express.json and express.urlencoded to parse bodies
• 86f5df0 deps: serve-static@1.13.0
• 4196458 deps: send@0.16.0
• ddeb713 tests: add maxAge option tests for res.sendFile
• 7154014 Add "escape json" setting for res.json and res.jsonp
• 628438d deps: update example dependencies
• a24fd0c Add options to res.download
• 95fb5cc perf: remove dead .charset set in res.jsonp
• 44591fe deps: vary@~1.1.2
• 2df1ad2 Improve error messages when non-function provided as middleware
• 12c3712 Use safe-buffer for improved Buffer API
• fa272ed docs: fix typo in jsdoc comment
• d9d09b8 perf: re-use options object when generating ETags
• 02a9d5f deps: proxy-addr@~2.0.2
• c2f4fb5 deps: finalhandler@1.1.0
• 673d51f deps: utils-merge@1.0.1
• 5cc761c deps: parseurl@~1.3.2
• ad7d96d deps: qs@6.5.1
• e62bb8b deps: etag@~1.8.1
• 70589c3 deps: content-type@~1.0.4
• 9a99c15 deps: accepts@~1.3.4
• 550043c deps: setprototypeof@1.1.0

See the full diff

Package name: express-jwt

The new version differs by 13 commits.

• 678f3b0 6.0.0
• 7ecab5f Merge pull request from GHSA-6g6m-m6h5-w9gf
• 304a1c5 Made algorithms mandatory
• e9ed6d2 5.3.3
• 8662579 Make clearer sections in the Readme
• d3e86bf Update README.md
• c5d8419 Add a note about OAuth2 bearer tokens
• 888f0e9 Update Readme and use a consistent JS style for code examples
• 6591014 5.3.2
• f4f4d1d fix license field
• 1789282 fix dependencies vulnerabilities and test against 8, 10 and 12 from now on
• 5766a24 Merge pull request only render a component on client-side kriasoft/react-starter-kit#186 from auth0/jwt_update
• 11f3ac4 Update jsonwebtoken dependency to 8.1.0

See the full diff

Package name: isomorphic-fetch

The new version differs by 12 commits.

• fc5e0d0 3.0.0
• 496fa43 Add version that was previously uncomitted to the package.json due to the previous release process
• 9f5a8b6 Add a list of alternatives
• 49280e6 Resolve minor security issue
• 0f5edd0 Explain why Isomorphic Fetch is needed in docs (Security issue: ability to download server.js code kriasoft/react-starter-kit#135)
• e32b006 Fix travis (fbjs needs to be dependency, not devDependency kriasoft/react-starter-kit#190)
• db0aa8c Update to latest version
• 8bf02c4 Bump node-fetch from 1.7.3 to 2.6.1 (simplified getBaseUrl method in http.js kriasoft/react-starter-kit#189)
• 89c7e70 Merge pull request Adding bootstrap javascript kriasoft/react-starter-kit#93 from paulmelnikow/fetch_ponyfill
• 25e3cab Add link to fetch-ponyfill
• 8d33aba Merge pull request Update BrowserSync logging prefix to RSK kriasoft/react-starter-kit#90 from josiah0/update-lintspaces-cli
• c22fcda Update lintspaces-cli

See the full diff

Package name: prop-types

The new version differs by 42 commits.

• fa6fbb7 15.6.2
• 5115f5c Merge pull request Jade implementation kriasoft/react-starter-kit#180 from jaller94/master
• 2ac742c Merge pull request Fix errors in README.md kriasoft/react-starter-kit#171 from barrymichaeldoyle/master
• a7a5a64 Merge pull request update docs caused by React Library => separate fbjs. kriasoft/react-starter-kit#194 from facebook/no-fbjs
• d6c9c5c Preserve "Invariant Violation" name
• 07d1b47 Remove fbjs dependency
• 3c99d57 Remove trailing spaces
• a36cda8 Move explanation of `isRequired` and show it in `PropTypes.shape`
• ba3da12 Show that shapes can have required properties
• 2bde8eb Add example for `PropTypes.exact`
• d65f80e Updated vars to consts and lets in PropTypesProductionStandalone-test.js
• c10c93f Updated vars to consts and lets in PropTypesDevelopmentStandalone-test.js
• 8e2b34e Updated vars to consts and lets in PropTypesDevelopmentReact15.js
• c5527c8 Updated vars with consts and lets in PropTypesProductionReact15-test.js
• 7cc8c81 Add 15.6.1 to CHANGELOG
• 5df7296 15.6.1
• b7d03ce Point readme to correct docs for production builds (is it possible to run with forever kriasoft/react-starter-kit#153)
• a94243f Update the repository location (Remove Protractor dependency kriasoft/react-starter-kit#148)
• 77c62a7 Fix failing tests (error "WithContext" is not defined no-undef kriasoft/react-starter-kit#129)
• 644844c Merge pull request Removed unnecessary page load at client boot kriasoft/react-starter-kit#140 from flarnie/master
• 0b5db12 Add `CODE_OF_CONDUCT`
• a6900f0 Add CONTRIBUTING.md
• 492e230 Update README.md with improved importing for CDNs (Cannot find module? kriasoft/react-starter-kit#104)
• 155f4cc v15.6.0 for real

See the full diff

Package name: sequelize

The new version differs by 250 commits.

• 9f47e94 fix(dependencies): update validator dependency to latest version (#13802)
• 71c9130 ci: trigger action rerun
• aca4fbc build: update uuid (#13124)
• 32d1e9e ci: enable semantic-release for v5
• db6d5ec fix(types): allow transaction to be `null` (#13093) (#13101)
• d89dede ci(mssql): fix mssql tests
• d608bc0 ci(typings): fix tests for TS typings in TS 4.0
• a914a47 ci: fix ci
• 4b54342 test: fix 6f74bf62 for Node.js 6
• f42d5f3 ci: move to GitHub Actions
• 5fd55c3 test: add missing dev-dependency
• 6f74bf6 test: improve 'running queries' detection
• 3d2df28 fix(sqlite): describeTable now returns unique and references (#12440)
• 56d07c6 fix(mssql): insert/upsert operations do not return all fields (#12434)
• ad1c153 fix(mssql): bulkUpdate returning values (#12410)
• 26fcbce fix(tests): correct spelling mistakes (#12422)
• 2391d08 feat(sequelize): allow passing dialectOptions.options from url (#12412)
• 8477b07 build: changes for v6 release (#12417)
• 834b9f0 fix(postgres): parse enums correctly when describing a table (#12409) (#12411)
• 7fba668 fix(types): specified 'this' for getters and setters in fields (#12370)
• 41237ae fix(mssql): set correct scale for float (#12340)
• 5c733ef fix(include): check if attributes specified for included through model (#12020)
• 7fdc2dc fix(mssql): tedious connect deprecation (#12275)
• 8a3827d fix(mssql): use uppercase for engine table and columns (#12253)

See the full diff

Package name: serialize-javascript

The new version differs by 58 commits.

• b54341e v3.1.0
• 7cee7e4 Revert "support for bigint (Fix output.publicPath in wepback.config.js kriasoft/react-starter-kit#80)"
• 026a445 Bump mocha from 7.1.2 to 7.2.0 (Cannot seem to get socket.io integrated... kriasoft/react-starter-kit#83)
• 5130a71 support for bigint (Fix output.publicPath in wepback.config.js kriasoft/react-starter-kit#80)
• ea76b23 Bump mocha from 7.1.1 to 7.1.2 (Update package.json kriasoft/react-starter-kit#82)
• 073c8d8 Bump nyc from 15.0.0 to 15.0.1 (Question: ESLint with imports kriasoft/react-starter-kit#81)
• f21a6fb Don't replace regex / function placeholders within string literals (Going to Privacy link and then hitting the Back Button does not work kriasoft/react-starter-kit#79)
• 1ac487e [Security] Bump minimist from 1.2.0 to 1.2.5 (Replace Jest with Mocha and JSDom; replace Node.js with io.js kriasoft/react-starter-kit#78)
• c795cef Bump mocha from 7.1.0 to 7.1.1 (webpack dev does not work whereas release works kriasoft/react-starter-kit#77)
• 3064431 Bump mocha from 7.0.1 to 7.1.0 (Use ESLint Loader kriasoft/react-starter-kit#74)
• 9dbe8f6 Update example in README (Gulp Deploy to GitHub Pages - No static files kriasoft/react-starter-kit#73)
• f5957ee v3.0.0
• eed510c Introduce support for Infinity (Styles from modules not loading to page kriasoft/react-starter-kit#72)
• 82bb2d2 Bump mocha from 7.0.0 to 7.0.1 (Use eslint instead of jshint kriasoft/react-starter-kit#71)
• fdfb10a Test on Node.js v12 (implement auth with the Flux based router kriasoft/react-starter-kit#70)
• 2f5f126 Bump mocha from 6.2.2 to 7.0.0 (fix .jade templates not reloading upon change kriasoft/react-starter-kit#69)
• 35062c0 Bump nyc from 14.1.1 to 15.0.0 (Old content is served kriasoft/react-starter-kit#68)
• 6c43b02 v2.1.2
• 3e05a3f Ignore .nyc_output (Removes requiring of images kriasoft/react-starter-kit#64)
• 3c46e8e Bump mocha from 6.2.0 to 6.2.2 (Stops browsersync from opening kriasoft/react-starter-kit#62)
• 433fc9c 2.1.1
• 16a68ab Merge pull request from GHSA-h9rv-jmmf-4pgx
• 3bab6de Bump mocha from 6.2.1 to 6.2.2 (Use 6to5 rather than jstransform kriasoft/react-starter-kit#60)
• 7a6b13d Bump mocha from 6.2.0 to 6.2.1 (assets versioning kriasoft/react-starter-kit#59)

See the full diff

Package name: sqlite3

The new version differs by 53 commits.

• d02f5c3 update changelog with nan update [skip ci]
• c18c701 [republish binary]
• a3dbf1d upgrade nan to latest
• cb34582 bump to v4.x (drops node v0.x support) [publish binary]
• c4659eb Merge pull request First Commit kriasoft/react-starter-kit#952 from SebastianSchmidt/master
• f937dea Upgrade node-pre-gyp to version 0.9.0
• a469960 Merge pull request Fixed test for required store props in App Layout kriasoft/react-starter-kit#921 from mapbox/visual-studio-fixes
• 2d7c082 [publish binary]
• a719c73 use CALL
• 60c6d28 upgrade node-gyp for node v5 as well
• f7c4627 set NODE_MAJOR variable
• 22fb3d9 attempt to fix bat logic
• 6fc2f8b Start building for node v9 on unix
• 943da93 build against msvs_toolset=14 when we can
• 72bddaf add v3.1.13 to changelog [skip ci]
• 22de94e bump to 3.1.13 [publish binary]
• 7761ce3 use released node-pre-gyp with repaired node v0.10.x support
• 95f2d24 bump to v3.1.12 [publish binary]
• e3f5002 use Nan::ForceSet to avoid v8 deprecation issue
• fa77a07 fix node-gyp version to use released version
• 354d688 remove node-gyp from package.json since it will now break node v0.10.x support
• 105861d point at diff upstream node-pre-gyp
• 6dd888e fix node-pre-gyp testing url
• 9a8a8e9 attempt to fix node v0.10.x build

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	No Known Exploit
	646/1000 Why? Mature exploit, Has a fix available, CVSS 5.2	Uninitialized Memory Exposure npm:stringstream:20180511	Mature
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic