[Snyk] Fix for 25 vulnerabilities

[timsnyk]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	159/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00299, Social Trends: No, Days since published: 935, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.65, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	No	Proof of Concept
	/1000 Why?	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	Yes	Proof of Concept
	/1000 Why?	Prototype Pollution SNYK-JS-DOTTIE-3332763	Yes	Proof of Concept
	/1000 Why?	Denial of Service (DoS) SNYK-JS-ENGINEIO-3136336	No	No Known Exploit
	/1000 Why?	Open Redirect SNYK-JS-EXPRESS-6474509	No	No Known Exploit
	/1000 Why?	Directory Traversal SNYK-JS-GRUNT-2635969	No	Proof of Concept
	/1000 Why?	Race Condition SNYK-JS-GRUNT-2813632	No	Proof of Concept
	141/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Local, EPSS: 0.01055, Social Trends: No, Days since published: 126, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.35, Score Version: V5	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	No	Proof of Concept
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	No	No Known Exploit
	/1000 Why?	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	114/1000 Why? Confidentiality impact: None, Integrity impact: High, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.0033, Social Trends: No, Days since published: 730, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.9, Score Version: V5	Directory Traversal SNYK-JS-MOMENT-2440688	Yes	No Known Exploit
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	Yes	Proof of Concept
	/1000 Why?	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept
	148/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.0013, Social Trends: No, Days since published: 384, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 3.52, Score Version: V5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	No	Proof of Concept
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	/1000 Why?	Denial of Service (DoS) SNYK-JS-SQLITE3-2388645	No	Proof of Concept
	/1000 Why?	Arbitrary Code Execution SNYK-JS-SQLITE3-3358947	No	No Known Exploit
	/1000 Why?	Arbitrary File Overwrite SNYK-JS-TAR-1536528	No	No Known Exploit
	/1000 Why?	Arbitrary File Overwrite SNYK-JS-TAR-1536531	No	No Known Exploit
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	No	No Known Exploit
	/1000 Why?	Arbitrary File Write SNYK-JS-TAR-1579147	No	No Known Exploit
	/1000 Why?	Arbitrary File Write SNYK-JS-TAR-1579152	No	No Known Exploit
	/1000 Why?	Arbitrary File Write SNYK-JS-TAR-1579155	No	No Known Exploit
	142/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00043, Social Trends: No, Days since published: 13, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.36, Score Version: V5	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-TAR-6476909	No	Proof of Concept
	118/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00107, Social Trends: No, Days since published: 279, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 2.81, Score Version: V5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: body-parser

The new version differs by 16 commits.

• 424dadd 1.19.2
• 11248a2 deps: raw-body@2.4.3
• 7a088eb build: Node.js@14.19
• ecedf31 build: Node.js@16.14
• b6bfabd build: Node.js@17.5
• badd6b2 build: fix code coverage aggregate upload
• 96b448a build: Node.js@17.4
• 70560b1 build: mocha@9.2.0
• 548a06f build: supertest@6.2.2
• 3b00678 deps: bytes@3.1.2
• d5acb61 build: mocha@9.1.4
• 82c8a7c tests: add limit + inflate tests
• b356758 deps: qs@6.9.7
• c631b58 build: supertest@6.2.1
• c81a8e2 build: eslint-plugin-import@2.25.4
• 3c4dcb8 build: Node.js@17.3

See the full diff

Package name: check-dependencies

The new version differs by 61 commits.

• 03c8847 Tag 2.0.0
• 65d9ef5 Set Node.js requirement in package.json engines to >=18.3
• 4917ab0 Simplify the spawn logic
• fc04cc8 Drop support for the callback interface
• 28257dd Tweak ESLint settings
• dc16e8a Drop the bluebird devDependency
• 412337a Drop fs-extra & graceful-fs devDependencies
• 091279a Drop the findup-sync dependency
• 10ac9c5 Drop lodash.camelcase & minimist dependencies
• 35dce52 Update dependencies
• 2929ba7 Update tested Node.js versions
• 1f514eb Don't invoke `npm prune`, `npm install` is already enough
• 65107d2 Drop support for Bower & the `checkCustomPackageNames` option
• f28ba1b Avoid `git://` URLs, they're no longer supported
• 8fdc6ad Limit allowed `packageManager` values
• 9809f13 Bump word-wrap from 1.2.3 to 1.2.4 ([Snyk] Fix for 14 vulnerabilities #58)
• e522471 Bump semver from 7.3.8 to 7.5.2 ([Snyk] Fix for 18 vulnerabilities #57)
• 031416d Bump yaml from 2.2.1 to 2.2.2 ([Snyk] Security upgrade @angular-devkit/build-angular from 0.1000.8 to 16.2.15 #56)
• dff3ab9 Build: Fix running tests on Windows
• 062005f Build: Update the GitHub Actions config
• ecf138f Build: Update dependencies
• 15c13b3 Build: Remove AppVeyor
• 89b9df0 Build: Update .gitattributes to files always use LF line endings
• db8c172 Build: Tweak GitHub Actions workflow code style

See the full diff

Package name: dottie

The new version differs by 6 commits.

• e0c8bae 2.0.4
• 7d3aee1 rudimentary __proto__ guarding
• b48e227 add github action to run tests
• 001ca40 2.0.3
• dbf26a6 Setting a null value should convert it to object ([Snyk] Security upgrade @angular/cli from 10.2.4 to 12.0.0 #37)
• b581120 added power support arch ppc64le on yml file. ([Snyk] Security upgrade check-dependencies from 1.1.0 to 2.0.0 #35)

See the full diff

Package name: express

The new version differs by 166 commits.

• b28db2c 4.19.2
• 0b74695 Improved fix for open redirect allow list bypass
• 4f0f6cc 4.19.1
• a003cfa Allow passing non-strings to res.location with new encoding handling checks fixes #5554 #5555
• a1fa90f fixed un-edited version in history.md for 4.19.0
• 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
• 084e365 4.19.0
• 0867302 Prevent open redirect allow list bypass due to encodeurl
• 567c9c6 Add note on how to update docs for new release (#5541)
• 69a4cf2 deps: cookie@0.6.0
• 4ee853e docs: loosen TC activity rules
• 414854b docs: nominating @ wesleytodd to be project captian
• 06c6b88 docs: update release date
• 1b51eda 4.18.3
• b625132 build: pin Node 21.x to minor
• e3eca80 build: pin Node 21.x to minor
• 23b44b3 build: support Node.js 21.6.2
• b9fea12 build: support Node.js 21.x in appveyor
• c259c34 build: support Node.js 21.x
• fdeb1d3 build: support Node.js 20.x in appveyor
• 734b281 build: support Node.js 20.x
• 0e3ab6e examples: improve view count in cookie-sessions
• 59af63a build: Node.js@18.19
• e720c5a docs: add documentation for benchmarks

See the full diff

Package name: grunt

The new version differs by 36 commits.

• 8372e11 1.6.1
• 72f6f03 Changelog updates
• 8d4c183 Merge pull request Facing DatabaseError [SequelizeDatabaseError]: SQLITE_ERROR: no such table: Wallets , while doing npm start after npm install. Also tried changing access rights but got similar error.[🐛]  juice-shop/juice-shop#1755 from gruntjs/rm-dep
• 1c7d483 Add recursive
• 2d4fd38 Merge pull request New Crowdin updates juice-shop/juice-shop#1756 from gruntjs/downgrade-glob
• 902db7c Downgrade glob
• 494f243 Fix syntax
• b01389e remove mkdirp
• 0072510 remove dep on rimraf and mkdirp
• 0afeb5c 1.6.0
• 2805dc3 Merge pull request [🐛] Version 13.1.0 does not work on ARM-based systems (rPi, Mac M1, ...) juice-shop/juice-shop#1750 from gruntjs/dep-update-jan28
• 3f1e423 README updates
• 8fd096d Bump to 16
• 42c5f95 Update more deps
• 1d88050 Bump eslint and node version
• 82d79b8 1.5.3
• 572d79b Merge pull request #1745 from gruntjs/fix-copy-op
• 58016ff Patch up race condition in symlink copying.
• 0749e1d Merge pull request Bug/code injection juice-shop/juice-shop#1746 from JamieSlome/patch-1
• 69b7c50 Create SECURITY.md
• ac667b2 1.5.2
• 7f15fd5 Update Changelog
• b0ec6e1 Merge pull request Fix error rendering bug in 'Change Password' form juice-shop/juice-shop#1743 from gruntjs/cleanup-link
• 433f91b Clean up link handling

See the full diff

Package name: node-pre-gyp

The new version differs by 14 commits.

• de39503 bump to v0.17.0
• 39eb005 update deps
• dda7bdb skip less
• 834bbe0 latest releases
• 9611242 alt solution to Score Board: Unlocking challenges juice-shop/juice-shop#432 in order to fix windows/appveyor builds
• 3d3b4ee remove broken or partially broken badges
• 99b6f50 attempt to fix webkit tests per https://benlimmer.com/2019/01/14/travis-ci-xvfb/
• 6ff06c8 travis-ci.com link
• 27e150d latest node versions
• a78e473 remove tests related to python that shift depending on the node-gyp version
• ac2a149 Merge pull request Add reflected XSS challenge juice-shop/juice-shop#521 from murgatroid99/version_0.16_update
• 8e7c199 Merge pull request added azure steps juice-shop/juice-shop#520 from murgatroid99/abi_crosswalk_update_15
• 00c594c Bump to 0.16.0 and update changelog
• e8e0908 Update ABI crosswalk with new Node versions including 15.x

See the full diff

Package name: semver

The new version differs by 82 commits.

• e7b78de chore: release 7.5.2
• 58c791f fix: diff when detecting major change from prerelease (Update sinon-chai to the latest version 🚀 juice-shop/juice-shop#566)
• 5c8efbc fix: preserve build in raw after inc (Creates basic views and services in Angular. juice-shop/juice-shop#565)
• 717534e fix: better handling of whitespace (Trainer Guide juice-shop/juice-shop#564)
• 2f738e9 chore: bump @ npmcli/template-oss from 4.14.1 to 4.15.1 (Update nyc to the latest version 🚀 juice-shop/juice-shop#558)
• aa016a6 chore: release 7.5.1
• d30d25a fix: show type on invalid semver error (Create myConfig.yml juice-shop/juice-shop#559)
• 09c69e2 chore: bump @ npmcli/template-oss from 4.13.0 to 4.14.1 (UI-Error. juice-shop/juice-shop#555)
• 5b02ad7 chore: release 7.5.0
• e219bb4 fix: throw on bad version with correct error message (Packaged release unpacks in current directory juice-shop/juice-shop#552)
• 503a4e5 feat: allow identifierBase to be false (New Crowdin translations juice-shop/juice-shop#548)
• fc2f3df fix: incorrect results from diff sometimes with prerelease versions (Address #545 bad cipher text premium paywall juice-shop/juice-shop#546)
• 2781767 fix: avoid re-instantiating SemVer during diff compare (CTF deployment help. juice-shop/juice-shop#547)
• 82aa7f6 chore: release 7.4.0
• 731d896 chore: enable CD (Ciphertext for premium paywall challenge is corrupted juice-shop/juice-shop#545)
• 940723d fix: intersects with v0.0.0 and v0.0.0-0 (Editing Admin's reviews is not listed as a challenge juice-shop/juice-shop#538)
• aa516b5 fix: faster parse options (rest/user/whoami requests working with expired jwt juice-shop/juice-shop#535)
• 61e6ea1 fix: faster cache key factory for range (Add Order Dashboard tracking utility juice-shop/juice-shop#536)
• f8b8b61 fix: optimistic parse (New Crowdin translations juice-shop/juice-shop#541)
• 796cbe2 fix: semver.diff prerelease to release recognition (Add SAML authentication and challenge juice-shop/juice-shop#533)
• 3f222b1 fix: reuse comparators on subset (New Crowdin translations juice-shop/juice-shop#537)
• 113f513 feat: identifierBase parameter for .inc (Learn about the TokenSale challenge bypassed? juice-shop/juice-shop#532)
• ea689bc chore: basic type test for RELEASE_TYPES
• c5d29df docs: Add "Constants" section to README

See the full diff

Package name: sequelize

The new version differs by 213 commits.

• 901bceb 6.1.0
• 6b32821 6.0.0-beta.7
• 0ca8d72 docs: prepare for v6 release (#12416)
• 663261b feat(sequelize): allow passing dialectOptions.options from url (#12404)
• c6e4192 fix(postgres): parse enums correctly when describing a table (#12409)
• e33d2bd fix(reload): include default scope (#12399)
• 5611ef0 build: update dependencies (#12395)
• e80501d fix(types): transactionType in Options (#12377)
• 4914367 fix(types): add clientMinMessages to Options interface (#12375)
• b71cd05 fix(query): preserve cls context for logger (#12328)
• 95f7fb5 fix(mssql): empty order array generates invalid FETCH statement (#12261)
• ed2d7a9 fix(model.destroy): return 0 with truncate (#12281)
• 72925cf fix: add missing fields to 'FindOrCreateType' (#12338)
• f367191 fix(query-generator): do not generate GROUP BY clause if options.group is empty (#12343)
• 7afd589 docs(sequelize): omitNull only works for CREATE/UPDATE queries
• f9e660f docs: update feature request template
• 2bf7f7b fix(typings): add support for optional values in "where" clauses (#12337)
• 65a9e1e fix(types): add Association into OrderItem type (#12332)
• 1b86729 docs: responsive (#12308)
• 59b8a7b fix(include): check if attributes specified for included through model (#12316)
• 6d87cc5 docs(associations): belongs to many create with through table
• a2dcfa0 fix(query): ensure correct return signature for QueryTypes.RAW (#12305)
• 0769aea refactor: cleanup query generators (#12304)
• 4d9165b feat(postgres): native upsert (#12301)

See the full diff

Package name: socket.io

The new version differs by 6 commits.

• baa6804 chore(release): 2.5.0
• f223178 fix: prevent the socket from joining a room after disconnection
• 226cc16 fix: only set 'connected' to true after middleware execution
• 05e1278 fix: fix race condition in dynamic namespaces
• 22d4bdf fix: ignore packet received after disconnection
• dfded53 chore: update engine.io version to 3.6.0

See the full diff

Package name: sqlite3

The new version differs by 170 commits.

• ba4ba07 v5.1.7
• d04c1fb Removed Node version from matrix title
• 03d6e75 v5.1.7-rc.0
• 8398daa Fixed uploading assets from Docker
• 8b86e41 Fixed uploading release assets on Windows
• 83c8c0a Configured releases to be created as prereleases
• f792f69 Update dependency node-addon-api to v7
• 4ef11bf Removed extraneous parameter to event emit function
• e99160a Inlined `init()` functions into class header files
• 3372130 Improved `RowToJS` performance by removing `Napi::String::New` instantiation
• 77b327c Increased number of rows inserted into benchmark database
• 603e468 Fixed minor linting warning
• 8bda876 Refactored Database to use macros for method definitions
• 5809f62 Fixed uploading prebuilt binaries from Docker
• aabd297 Update actions/setup-node action to v4
• c775b81 Extracted common Node-API queuing code into macro
• 2595304 Updated list of supported targets
• 605c7f9 Replaced `@ mapbox/node-pre-gyp` in favor of `prebuild` + `prebuild-install`
• a2cee71 Update dependency mocha to v10
• 7674271 Update dependency eslint to v8
• 83e282d Update actions/checkout digest to b4ffde6
• 8482aaf Update docker/setup-buildx-action action to v3
• c74f267 Update docker/setup-qemu-action action to v3
• 9e8b2ee Reworked CI versions

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn