Skip to content

[Snyk] Fix for 9 vulnerabilities#2

Open
snyk-bot wants to merge 1 commit into
masterfrom
snyk-fix-813826a115842312f89376178dfa6087
Open

[Snyk] Fix for 9 vulnerabilities#2
snyk-bot wants to merge 1 commit into
masterfrom
snyk-fix-813826a115842312f89376178dfa6087

Conversation

@snyk-bot

Copy link
Copy Markdown

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 741/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.4
DLL Injection
SNYK-JS-KERBEROS-568900
No Proof of Concept
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Denial of Service (DoS)
SNYK-JS-MONGODB-473855
Yes No Known Exploit
medium severity 601/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.6
Prototype Pollution
SNYK-JS-MONGOOSE-1086688
Yes Proof of Concept
medium severity 509/1000
Why? Has a fix available, CVSS 5.9
Information Exposure
SNYK-JS-MONGOOSE-472486
No No Known Exploit
medium severity 661/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.8
Arbitrary Code Injection
SNYK-JS-MORGAN-72579
No Proof of Concept
medium severity 601/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.6
Prototype Pollution
SNYK-JS-MPATH-1577289
Yes Proof of Concept
high severity 686/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-MQUERY-1050858
Yes Proof of Concept
high severity 696/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
Prototype Pollution
SNYK-JS-MQUERY-1089718
Yes Proof of Concept
low severity 399/1000
Why? Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:mime:20170907
No No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: connect-mongo The new version differs by 171 commits.
  • 63ca966 docs: update readme and bump version to 3.0.0
  • aceb1ee chore: bump version to 3.0.0-rc.2
  • 0e4a234 test: add test cases on event listener
  • e77a7f1 test: replace mocha with jest (#324)
  • ad39e88 test: replace deprecated collection.insert to collection.insertOne
  • 545c06e docs: update README on testing
  • 2d5442e chore: upgrade depns mocha
  • 5d3a321 chore: upgrade nyc depns
  • 54cd91d chore: upgrade depns
  • afb7a12 docs: remove some badges
  • 6c2484b docs: update README for supporting version
  • c925c92 test: fix test case
  • 6827330 chore: bump version to 3.0.0-rc.1
  • f62692b ci: update .npmignore
  • aa2637d ci: remove node 6 support and add linting in travis
  • 801291b fix linting error
  • f928547 travis add test on Node 12
  • 12275f0 better linting
  • eb23b1e linting fix
  • 66194c7 bump major version to 3.0.0-rc
  • f29084f Wait for client open, before calling db. (#321)
  • d252bfc Install Stale bot
  • 15d91c1 Transparent crypto support (#314)
  • 08ccada Update readme refer to latest release to avoid confusion

See the full diff

Package name: express The new version differs by 250 commits.
  • f974d22 4.16.0
  • 8d4ceb6 docs: add more information to installation
  • c0136d8 Add express.json and express.urlencoded to parse bodies
  • 86f5df0 deps: serve-static@1.13.0
  • 4196458 deps: send@0.16.0
  • ddeb713 tests: add maxAge option tests for res.sendFile
  • 7154014 Add "escape json" setting for res.json and res.jsonp
  • 628438d deps: update example dependencies
  • a24fd0c Add options to res.download
  • 95fb5cc perf: remove dead .charset set in res.jsonp
  • 44591fe deps: vary@~1.1.2
  • 2df1ad2 Improve error messages when non-function provided as middleware
  • 12c3712 Use safe-buffer for improved Buffer API
  • fa272ed docs: fix typo in jsdoc comment
  • d9d09b8 perf: re-use options object when generating ETags
  • 02a9d5f deps: proxy-addr@~2.0.2
  • c2f4fb5 deps: finalhandler@1.1.0
  • 673d51f deps: utils-merge@1.0.1
  • 5cc761c deps: parseurl@~1.3.2
  • ad7d96d deps: qs@6.5.1
  • e62bb8b deps: etag@~1.8.1
  • 70589c3 deps: content-type@~1.0.4
  • 9a99c15 deps: accepts@~1.3.4
  • 550043c deps: setprototypeof@1.1.0

See the full diff

Package name: mongoose The new version differs by 250 commits.
  • 07946be chore: release v5.13.9
  • 264554f fix: upgrade to mpath v0.8.4 re: security issue
  • fc5fc7e fix: peg @ types/bson version to 1.x || 4.0.x to avoid stubbed 4.2.x release
  • 1f28237 fix(populate): avoid setting empty array on lean document when populate result is undefined
  • 1dc9b45 style: fix lint
  • 3f7dfc5 fix(document): make `depopulate()` handle populated paths underneath document arrays
  • b34d1d5 fix(index.d.ts): simplify UpdateQuery to avoid "excessively deep and possibly infinite" errors with `extends Document` and `any`
  • 2a3399e docs: another layout fix for 5.x docs
  • 5bf3c29 chore: update makefile again
  • 191678c chore: update makefile re: #10607
  • 776fae9 docs: fix up 5.x docs navbar
  • a803885 test(typescript): add coverage for #10590
  • bf43078 fix(index.d.ts): allow specifying `weights` as an IndexOption
  • cb1e787 chore: release 5.13.8
  • 5c0140c fix(index.d.ts): add `match` to `VirtualTypeOptions.options`
  • 6122f4b docs(api): add `Document#$where` to API docs
  • 2871c1b style: fix lint
  • 8d00f62 Merge pull request #10587 from osmanakol/master
  • 57e729b allow QueryOptions populate parameter use PopulateOptions
  • 6c36263 fix(index.d.ts): allow strings for ObjectIds in nested properties
  • e90aab1 docs(History): make a note about #10555
  • fca0627 style: fix lint
  • 6b92599 fix(populate): handle populating subdoc array virtual with sort
  • 283d43f test(populate): repro #10552

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant