[Snyk] Fix for 23 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	No	Proof of Concept
	630/1000 Why? Has a fix available, CVSS 8.1	Internal Property Tampering SNYK-JS-BSON-561052	No	No Known Exploit
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Filter Bypass SNYK-JS-EXPRESSVALIDATOR-174763	Yes	Proof of Concept
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-MONGODB-473855	No	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MONGOOSE-1086688	No	Proof of Concept
	671/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7	Prototype Pollution SNYK-JS-MONGOOSE-2961688	No	Proof of Concept
	509/1000 Why? Has a fix available, CVSS 5.9	Information Exposure SNYK-JS-MONGOOSE-472486	No	No Known Exploit
	661/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.8	Arbitrary Code Injection SNYK-JS-MORGAN-72579	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MPATH-1577289	No	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MPATH-72672	No	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MQUERY-1050858	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MQUERY-1089718	No	Proof of Concept
	751/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.6	Command Injection SNYK-JS-NODEMAILER-1038834	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	HTTP Header Injection SNYK-JS-NODEMAILER-1296415	Yes	Proof of Concept
	454/1000 Why? Has a fix available, CVSS 4.8	Session Fixation SNYK-JS-PASSPORT-2840631	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: express-validator

The new version differs by 97 commits.

• cd4136e 6.5.0
• 612e2d9 Don't modify requests if oneOf chain didn't succeed (#877)
• 7595c94 chain: comment out isDate for now
• 8b604af chain: add missing methods to Validators interface
• ab6ffe4 npm: upgrade validator to 13.0.0 (#874)
• 29374cb 6.4.1
• 70af46e npm: audit fix dependencies
• efbfe3a Only consider . to be special char for now
• 42819ae npm: update dependencies
• 7736384 Remove console.log
• 3814c0a Fix use of special chars in selectors
• 0c450a9 docs: fix... typo? (#842)
• 246f2ea docs: improve wording in matchedData page (#846)
• 6123155 docs: improve wording in whole-body validation (#845)
• 3124129 docs: fix typo in schema validation and improve wording (#844)
• d85b368 docs: fix verb tense in the custom validator page (#841)
• 19531ec docs: fix verb tense in the validationResult page (#847)
• f868e23 docs: small fixes in the wildcard feature (#843)
• 31d73c2 npm: add build script
• 008a0ae docs: migrate usages of sanitize to check
• 4bbe421 6.4.0
• acb2ad7 npm: run docs:build before git add on versioning
• 5e293cf Compile TS to ES2017 (#826)
• 0163461 npm: upgrade a few packages (#825)

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• ca7996b chore: release 5.13.15
• e75732a Merge pull request #12307 from Automattic/vkarpov15/fix-5x-build
• a1144dc test: run node 7 tests with upgraded npm re: #12297
• dfc4ad7 test: try upgrading npm for node v4 tests re: #12297
• b9e985c test: more strict @ types/node version
• 4d813fa test: fix @ types/node version in tests re: #12297
• 99b4189 Merge pull request #12297 from shubanker/issue/prototype-pollution-5.x-patch
• 5eb11dd made function non async
• 6a19731 fix(schema): disallow setting __proto__ when creating schema with dotted properties
• a2ec28d Merge pull request #11366 from laissonsilveira/5.x
• 05ce577 Fix broken link from findandmodify method deprecation
• d2b846f chore: release 5.13.14
• 69c1f6c docs(models): fix up nModified example for 5.x
• 4cfc4d6 fix(timestamps): avoid setting `createdAt` on documents that already exist but dont have createdAt
• a738440 chore: release 5.13.13
• 4d12a62 Merge pull request #10942 from jneal-afs/fix-query-set-ts-type
• c3463c4 Merge pull request #10916 from iovanom/gh-10902-v5
• ff5ddb5 fix: hardcode base 10 for nodeMajorVersion parseInt() call
• d205c4d make value optional
• c6fd7f7 Fix ts types for query set
• 22e9b3b [gh-10902 v5] Add node major version to utils
• 5468642 [gh-10902 v5] Emit end event in before close
• 271bc60 Merge pull request #10910 from lorand-horvath/patch-2
• b7ebeec Update mongodb driver to 3.7.3

See the full diff

Package name: morgan

The new version differs by 27 commits.

• 572dd93 1.9.1
• e02de38 lint: apply standard 12 style
• e329663 Fix using special characters in format
• eb1968a tests: use strict equality checks
• 310b206 build: use yaml eslint configuration
• 5810937 build: [email protected]
• f60afd5 build: [email protected]
• 5295b0c build: [email protected]
• 178daaf build: [email protected]
• 7b08641 build: [email protected]
• 73cb666 build: [email protected]
• edc95aa build: [email protected]
• ace86c3 build: [email protected]
• 4dd1180 lint: apply standard 11 style
• 60c31e8 build: [email protected]
• 05e382f build: [email protected]
• 1a5be20 build: [email protected]
• cf9565f docs: remove gratipay badge
• b66251d build: [email protected]
• 0113732 build: [email protected]
• 47659a9 deps: depd@~1.1.2
• 695f659 build: support Node.js 9.x
• f4c51e9 build: [email protected]
• 4f15f36 build: [email protected]

See the full diff

Package name: nodemailer

The new version differs by 99 commits.

• 7e02648 v6.6.1
• 1750c0f v6.6.0
• 0636d58 Merge branch 'master' of github.com:nodemailer/nodemailer
• 058d414 v6.6.0
• fcb0d1f test: 💍 aws ses SDK v3 support
• 2ef39e3 test: 💍 aws ses connection verification
• 6107585 fix: 🐛 ses verify, add support for v3 API
• bf57cf5 Fixes resolveContent with streams overriding data
• 91108d7 v6.5.0
• 87d9b25 Pass through textEncoding to subnodes.
• 271f91b Update index.js
• 9b5fb94 v6.4.18
• 625a9ed Update README.md
• 1d24d8b docs: added rudimentary sponsor quote block
• a455716 Added OhMySMTP to services
• 6e045d1 v6.4.17
• ba31c64 v6.4.16
• 7e7b2b2 v6.4.15
• fca2041 Update CHANGELOG.md
• b4ccfa3 Oups
• 24b93bf Add ethereal.email to well-known/services.json
• 0f132fa doc: make the code a little more accessible with some code comments.
• 1815bad v6.4.14
• dd26ddd v6.4.13

See the full diff

Package name: passport

The new version differs by 126 commits.

• c33067b 0.6.0
• 3052bb4 Update changelog.
• 42630cb Merge pull request #900 from jaredhanson/fix-fixation
• 8dd79fe Use utils-merge rather than Object.assign for compatibility.
• 4f6bd5b Change keepSessionData to keepSessionData.
• 46756e5 Silence verbose logging.
• 987b191 Add tests.
• f8a175f Add tests.
• 29a90d6 No need to guard callback existence.
• bfba8a1 Add tests.
• 17111d7 Add option to keep session data on logout.
• a349c2b Add option to keep session data.
• e69834e Add optional options to login and logout.
• 8825a9a Add tests.
• c1991cf Add tests.
• 294f22c Better session detection and exceptions.
• 80cc4e3 Add tests.
• 3001654 Add tests.
• b395106 Clean up tests.
• cfa8259 Add tests.
• ee0bf81 Add tests.
• cc7606c Add tests.
• 71c54f6 Add test.
• 88c1f1b Handle logout without session manager.

See the full diff

Package name: request

The new version differs by 31 commits.

• 6420240 2.88.0
• bd22e21 fix: massive dependency upgrade, fixes all production vulnerabilities
• 925849a Merge pull request #2996 from kwonoj/fix-uuid
• 7b68551 fix(uuid): import versioned uuid
• 5797963 Merge pull request #2994 from dlecocq/oauth-sign-0.9.0
• 628ff5e Update to oauth-sign 0.9.0
• 10987ef Merge pull request #2993 from simov/fix-header-tests
• cd848af These are not going to fail if there is a server listening on those ports
• a92e138 #515, #2894 Strip port suffix from Host header if the protocol is known. (#2904)
• 45ffc4b Improve AWS SigV4 support. (#2791)
• a121270 Merge pull request #2977 from simov/update-cert
• bd16414 Update test certificates
• 536f0e7 2.87.1
• 02fc5b1 Update changelog
• de1ed5a 2.87.0
• a6741d4 Replace hawk dependency with a local implemenation (#2943)
• a7f0a36 2.86.1
• 8f2fd4d Update changelog
• 386c7d8 2.86.0
• 76a6e5b Merge pull request #2885 from ChALkeR/patch-1
• db76838 Merge branch 'patch-1' of github.com:ChALkeR/request
• fb7aeb3 Merge pull request #2942 from simov/fix-tests
• e47ce95 Add Node v10 build target explicitly
• 0c5db42 Skip status code 105 on Node > v10

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn