[Snyk] Fix for 44 vulnerabilities

[u-crew]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	No	Proof of Concept
	768/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-DOTTIE-3332763	No	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Directory Traversal SNYK-JS-GRUNT-2635969	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Race Condition SNYK-JS-GRUNT-2813632	No	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Improper Restriction of Security Token Assignment SNYK-JS-JSONWEBTOKEN-3180024	Yes	No Known Exploit
	554/1000 Why? Has a fix available, CVSS 6.8	Use of a Broken or Risky Cryptographic Algorithm SNYK-JS-JSONWEBTOKEN-3180026	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Validation Bypass SNYK-JS-SANITIZEHTML-1070780	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Access Restriction Bypass SNYK-JS-SANITIZEHTML-1070786	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SANITIZEHTML-2957526	Yes	No Known Exploit
	684/1000 Why? Has a fix available, CVSS 9.4	Arbitrary Code Execution SNYK-JS-SANITIZEHTML-585892	Yes	No Known Exploit
	791/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.4	SQL Injection SNYK-JS-SEQUELIZE-2932027	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Information Exposure SNYK-JS-SEQUELIZE-3324089	Yes	No Known Exploit
	529/1000 Why? Has a fix available, CVSS 6.3	Access of Resource Using Incompatible Type ('Type Confusion') SNYK-JS-SEQUELIZE-3324090	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SQLITE3-2388645	No	Proof of Concept
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-SQLITE3-3358947	No	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	No	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	No	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	No	No Known Exploit
	811/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.8	Sandbox Bypass SNYK-JS-VM2-1585918	No	Proof of Concept
	811/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.8	Sandbox Bypass SNYK-JS-VM2-2309905	No	Proof of Concept
	811/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.8	Arbitrary Code Execution SNYK-JS-VM2-2990237	No	Proof of Concept
	816/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.9	Sandbox Bypass SNYK-JS-VM2-3018201	No	Proof of Concept
	816/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.9	Sandbox Escape SNYK-JS-VM2-5415299	No	Proof of Concept
	811/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.8	Sandbox Escape SNYK-JS-VM2-5422057	No	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Improper Handling of Exceptional Conditions SNYK-JS-VM2-5426093	No	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:moment:20160126	No	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:moment:20161019	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	No	No Known Exploit
	429/1000 Why? Has a fix available, CVSS 4.3	Cross-site Scripting (XSS) npm:sanitize-html:20141024	No	No Known Exploit
	449/1000 Why? Has a fix available, CVSS 4.7	Cross-site Scripting (XSS) npm:sanitize-html:20160801	No	No Known Exploit
	656/1000 Why? Mature exploit, Has a fix available, CVSS 5.4	Cross-site Scripting (XSS) npm:sanitize-html:20161026	No	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: body-parser

The new version differs by 16 commits.

• 424dadd 1.19.2
• 11248a2 deps: raw-body@2.4.3
• 7a088eb build: Node.js@14.19
• ecedf31 build: Node.js@16.14
• b6bfabd build: Node.js@17.5
• badd6b2 build: fix code coverage aggregate upload
• 96b448a build: Node.js@17.4
• 70560b1 build: mocha@9.2.0
• 548a06f build: supertest@6.2.2
• 3b00678 deps: bytes@3.1.2
• d5acb61 build: mocha@9.1.4
• 82c8a7c tests: add limit + inflate tests
• b356758 deps: qs@6.9.7
• c631b58 build: supertest@6.2.1
• c81a8e2 build: eslint-plugin-import@2.25.4
• 3c4dcb8 build: Node.js@17.3

See the full diff

Package name: dottie

The new version differs by 6 commits.

• e0c8bae 2.0.4
• 7d3aee1 rudimentary __proto__ guarding
• b48e227 add github action to run tests
• 001ca40 2.0.3
• dbf26a6 Setting a null value should convert it to object (test mod alexeisnyk/juice-shop#37)
• b581120 added power support arch ppc64le on yml file. (fix: removed --legacy-peer-deps no longer needed with package-lock alexeisnyk/juice-shop#35)

See the full diff

Package name: express

The new version differs by 30 commits.

• 3d7fce5 4.17.3
• f906371 build: update example dependencies
• 6381bc6 deps: qs@6.9.7
• a007863 deps: body-parser@1.19.2
• e98f584 Revert "build: use minimatch@3.0.4 for Node.js < 4"
• a659137 tests: use strict mode
• a39e409 tests: prevent leaking changes to NODE_ENV
• 82de4de examples: fix path traversal in downloads example
• 12310c5 build: use nyc for test coverage
• 884657d examples: remove bitwise syntax for includes check
• 7511d08 build: use minimatch@3.0.4 for Node.js < 4
• 2585f20 tests: fix test missing assertion
• 9d09762 build: supertest@6.2.2
• 43cc56e build: clean up gitignore
• 1c7bbcc build: Node.js@14.19
• 9cbbc8a deps: cookie@0.4.2
• 6fbc269 pref: remove unnecessary regexp for trust proxy
• 2bc734a deps: accepts@~1.3.8
• 89bb531 docs: fix typo in res.download jsdoc
• 744564f tests: add test for multiple ips in "trust proxy"
• da6cb0e tests: add range tests to res.download
• 00ad5be tests: add more tests for app.request & app.response
• 141914e tests: fix tests that did not bubble errors
• bd4fdfe tests: remove global dependency on should

See the full diff

Package name: grunt

The new version differs by 21 commits.

• 82d79b8 1.5.3
• 572d79b Merge pull request #1745 from gruntjs/fix-copy-op
• 58016ff Patch up race condition in symlink copying.
• 0749e1d Merge pull request Bug/code injection juice-shop/juice-shop#1746 from JamieSlome/patch-1
• 69b7c50 Create SECURITY.md
• ac667b2 1.5.2
• 7f15fd5 Update Changelog
• b0ec6e1 Merge pull request Fix error rendering bug in 'Change Password' form juice-shop/juice-shop#1743 from gruntjs/cleanup-link
• 433f91b Clean up link handling
• d5969ec 1.5.1
• ad22608 Merge pull request testen juice-shop/juice-shop#1742 from gruntjs/update-symlink-test
• 0652305 Fix symlink test
• a7ab0a8 1.5.0
• b2b2c2b Updated changelog
• 3eda6ae Merge pull request Add .circleci/config.yml juice-shop/juice-shop#1740 from gruntjs/update-deps-22-10
• 47d32de Update testing matrix
• 2e9161c More updates
• 04b960e Remove console log
• aad3d45 Update dependencies, tests...
• fdc7056 Merge pull request [ImgBot] Optimize images juice-shop/juice-shop#1736 from justlep/main
• e35fe54 support .cjs extension

See the full diff

Package name: juicy-chat-bot

The new version differs by 13 commits.

• 11bbd8b Bump CI/CD to Node.js 18
• 3b677b5 Bump to v0.7.1
• 4a90dc5 Merge remote-tracking branch 'origin/develop' into develop
• 7b32e43 Pin version of VM2 to 3.9.17 without vulnerability ([Snyk] Security upgrade @angular-devkit/build-angular from 0.1000.8 to 13.0.0 #14)
• 8e63414 Pin version of VM2 to 3.9.17 without vulnerability ([Snyk] Security upgrade @angular-devkit/build-angular from 0.1000.8 to 13.0.0 #14)
• 61a1f1a Bump version
• 5ef0011 Add typescript definition for juicy-chat-bot
• d816d29 Bump copyright notes to include 2023
• 53fdc22 Update contributor statistics
• d5bc807 Bump to recent supported Node.js versions
• 956f6df Merge pull request [Snyk] Fix for 1 vulnerabilities #13 from pattyjogal/pattyjogal-patch-1
• 24c7cbd Pin version of VM2 to version w/o vulnerability
• 93e1fab Add contributors chart

See the full diff

Package name: sequelize

The new version differs by 250 commits.

• d9e0728 fix: throw if where receives an invalid value (#15699)
• 48d6193 fix: update moment-timezone version (#15685)
• fd4afa6 feat(types): use retry-as-promised types for retry options to match documentation (#15484)
• 1247c01 feat: add support for bigints (backport of #14485) (#15413)
• 94beace feat(postgres): add support for lock_timeout [#15345] (#15355)
• 7885000 fix(oracle): remove hardcoded maxRows value (#15323)
• bc39fd6 fix: fix parameters not being replaced when after $$ strings (#15307)
• a205765 fix(postgres): invalidate connection after client-side timeout (#15283)
• 67e69cd fix: remove options.model overwrite on bulkUpdate (#15252)
• 00c6da3 fix(types): add instance.dataValues property to model.d.ts (#15240)
• bf98d7c meta: swap Slack links (#15159)
• 7990095 fix: don't treat \ as escape in standard strings, support E-strings, support vars after ->> operator, treat lowercase e as valid e-string prefix (#15139)
• 851daaf fix(types): fix TS 4.9 excessive depth error on `InferAttributes` (v6) (#15135)
• 9dd93b8 fix(types): expose legacy "types" folder in export alias ( #15123)
• 06ad05d feat(oracle): add support for `dialectOptions.connectString` (#15042)
• a44772e feat(snowflake): Add support for `QueryGenerator#tableExistsQuery` (#15087)
• 55051d0 docs: add missing ssl options for sequelize instance (v6) (#15049)
• 5c88734 docs(model): Added paranoid option for Model.BelongsToMany.through (#15065)
• 7203b66 fix(postgres): add custom order direction to subQuery ordering with minified alias (#15056)
• 5f621d7 fix(oracle): add support for Oracle DB 18c CI (#15016)
• 3468378 feat(types): add typescript 4.8 compatibility (#14990)
• 1da6657 fix(types): missing type for oracle dialect in v6 (#14992)
• c230d80 feat(oracle): add oracle dialect support (#14638)
• 33d94b2 fix(types): backport #14704 for v6 (#14964)

See the full diff

Package name: sqlite3

The new version differs by 129 commits.

• 6a806f8 v5.1.5
• edb1934 Fixed code execution vulnerability due to Object coercion
• 3a48888 Updated bundled SQLite to v3.41.1
• c1440bd Fixed rpath linker option when using a custom sqlite ([🚀] Fixes for the coding challenges juice-shop/juice-shop#1654)
• 93affa4 Update microsoft/setup-msbuild action to v1.3
• 6f6318e v5.1.4
• aeafe25 Revert "Renamed `master` references to `main`"
• 57ce2d4 Fixed glib compatibility by downgrading to Ubuntu 20
• af8e567 Renamed `master` references to `main`
• 8fd18a3 Extracted function checking code into macro
• 5c94f75 v5.1.3
• aec0d31 Updated bundled SQLite to v3.40.0
• 1980f10 v5.1.2
• 7aa29fe Updated bundled SQLite to v3.39.4
• c4fca9f v5.1.1
• ea71343 Added Darwin ARM64 to prebuilt binaries list in README
• ec154ab Added Darwin ARM64 prebuilt binaries
• 9290d8c v5.1.0
• 9e9079d Updated types file
• 946a3f6 Added ability to receive updates from `sqlite3_update_hook`
• 97cc584 Added yarn.lock to gitignore
• 572f05e Fixed importing `sqlite3#verbose` using destructuring syntax ([🐛] Basket Access challenge solved by switching between two users juice-shop/juice-shop#1632)
• c366ef9 Fixed remaining method declarations (Ugh juice-shop/juice-shop#1633)
• f0090b8 Added `.configure('limit', ...` to library type file

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Directory Traversal
🦉 More lessons are available in Snyk Learn