[Snyk] Fix for 31 vulnerabilities

[claytonbrown]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Arbitrary Code Injection SNYK-JS-EJS-1049328	No	Proof of Concept
	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	No	Proof of Concept
	Prototype Pollution SNYK-JS-FIREBASEUTIL-1038324	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	Improper Authentication SNYK-JS-JSONWEBTOKEN-3180022	Yes	No Known Exploit
	Improper Restriction of Security Token Assignment SNYK-JS-JSONWEBTOKEN-3180024	Yes	No Known Exploit
	Use of a Broken or Risky Cryptographic Algorithm SNYK-JS-JSONWEBTOKEN-3180026	Yes	No Known Exploit
	SQL Injection SNYK-JS-KNEX-3175610	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	Information Exposure SNYK-JS-NODEFETCH-2342118	Yes	No Known Exploit
	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	Open Redirect SNYK-JS-NODEFORGE-2330875	Yes	Proof of Concept
	Prototype Pollution SNYK-JS-NODEFORGE-2331908	Yes	No Known Exploit
	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430337	Yes	No Known Exploit
	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430339	Yes	No Known Exploit
	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430341	Yes	No Known Exploit
	Prototype Pollution SNYK-JS-NODEFORGE-598677	Yes	Proof of Concept
	Session Fixation SNYK-JS-PASSPORT-2840631	No	No Known Exploit
	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	Arbitrary Code Injection SNYK-JS-SERIALIZEJAVASCRIPT-570062	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	Yes	Proof of Concept

Commit messages

Package name: body-parser

The new version differs by 101 commits.

• 424dadd 1.19.2
• 11248a2 deps: [email protected]
• 7a088eb build: [email protected]
• ecedf31 build: [email protected]
• b6bfabd build: [email protected]
• badd6b2 build: fix code coverage aggregate upload
• 96b448a build: [email protected]
• 70560b1 build: [email protected]
• 548a06f build: [email protected]
• 3b00678 deps: [email protected]
• d5acb61 build: [email protected]
• 82c8a7c tests: add limit + inflate tests
• b356758 deps: [email protected]
• c631b58 build: [email protected]
• c81a8e2 build: [email protected]
• 3c4dcb8 build: [email protected]
• d0a214b 1.19.1
• fb172d4 build: [email protected]
• c5e63cb build: [email protected]
• c6d43bd build: [email protected]
• 313ed6d build: [email protected]
• 8389b51 deps: [email protected]
• aae94b2 deps: [email protected]
• 7f84d4f deps: [email protected]

See the full diff

Package name: express

The new version differs by 117 commits.

• 3d7fce5 4.17.3
• f906371 build: update example dependencies
• 6381bc6 deps: [email protected]
• a007863 deps: [email protected]
• e98f584 Revert "build: use [email protected] for Node.js < 4"
• a659137 tests: use strict mode
• a39e409 tests: prevent leaking changes to NODE_ENV
• 82de4de examples: fix path traversal in downloads example
• 12310c5 build: use nyc for test coverage
• 884657d examples: remove bitwise syntax for includes check
• 7511d08 build: use [email protected] for Node.js < 4
• 2585f20 tests: fix test missing assertion
• 9d09762 build: [email protected]
• 43cc56e build: clean up gitignore
• 1c7bbcc build: [email protected]
• 9cbbc8a deps: [email protected]
• 6fbc269 pref: remove unnecessary regexp for trust proxy
• 2bc734a deps: accepts@~1.3.8
• 89bb531 docs: fix typo in res.download jsdoc
• 744564f tests: add test for multiple ips in "trust proxy"
• da6cb0e tests: add range tests to res.download
• 00ad5be tests: add more tests for app.request & app.response
• 141914e tests: fix tests that did not bubble errors
• bd4fdfe tests: remove global dependency on should

See the full diff

Package name: firebase-functions

The new version differs by 38 commits.

• 4fdf9db 3.6.2
• f907d68 Update CHANGELOG.md (Bump lint-staged from 9.5.0 to 10.5.2 kriasoft/react-firebase-starter#694)
• 9431102 fix: move jsonwebtoken to dev dependencies (Bump @babel/polyfill from 7.7.0 to 7.12.1 kriasoft/react-firebase-starter#677)
• 8d0a6c2 pin @ types/express version (Bump lint-staged from 9.5.0 to 10.5.1 kriasoft/react-firebase-starter#686)
• 1bd2736 Fixes to reference doc generation for functions.https (Bump pg from 7.17.0 to 8.5.0 kriasoft/react-firebase-starter#690)
• b1f9b5a Revise docs for handler namespace (Bump knex from 0.20.7 to 0.21.7 kriasoft/react-firebase-starter#680)
• 5c18afe Modify return type of DataSnapshot.forEach to `boolean | void` (Bump knex from 0.20.7 to 0.21.6 kriasoft/react-firebase-starter#666)
• df35c1b fix: onCreate, onUpdate and onDelete receive a DocumentQuerySnapshopt (Bump pg from 7.17.0 to 8.4.1 kriasoft/react-firebase-starter#670)
• 1dde3db [firebase-release] Removed change log and reset repo after 3.6.1 release
• 1fb57c5 3.6.1
• 2784d5d Update TypeScript dependency to v3.8 to fix build issues (Issue [Question] What's the usual cost for maintaining this setup on gcloud+firebase? kriasoft/react-firebase-starter#667) (Bump pg from 7.17.0 to 8.4.0 kriasoft/react-firebase-starter#668)
• d3e8951 [firebase-release] Removed change log and reset repo after 3.6.0 release
• c9a3a0e 3.6.0
• 95d4a4a Update CHANGELOG.md (Bump uuid from 3.3.3 to 8.3.0 kriasoft/react-firebase-starter#640)
• 7f4c957 Enable users to define async HTTP functions ([Security] Bump dot-prop from 4.2.0 to 4.2.1 kriasoft/react-firebase-starter#651)
• e1df823 Adding testlab event to eventTypes list ([Security] Bump serialize-javascript from 2.1.2 to 3.1.0 kriasoft/react-firebase-starter#649)
• 468455d Updating docs TOC with Testlab paths. (Bump @babel/runtime from 7.7.7 to 7.11.0 kriasoft/react-firebase-starter#643)
• 5250110 Add support for europe-west3 region. (Bump uuid from 3.3.3 to 8.2.0 kriasoft/react-firebase-starter#627)
• 0921c78 [firebase-release] Removed change log and reset repo after 3.5.0 release
• 1ed7345 3.5.0
• 15bf0da Update CHANGELOG ([Security] Bump lodash from 4.17.15 to 4.17.19 kriasoft/react-firebase-starter#639)
• df543dc Update dependencies to fix TS build issue (Bump @babel/runtime from 7.7.7 to 7.10.5 kriasoft/react-firebase-starter#638)
• 9e05b7f Add entry for maxInstances (Bump @babel/register from 7.7.7 to 7.10.5 kriasoft/react-firebase-starter#636)
• bf52fa3 add support for maxInstances in RuntimeOptions (Bump @babel/register from 7.7.7 to 7.10.3 kriasoft/react-firebase-starter#624)

See the full diff

Package name: got

The new version differs by 250 commits.

• 5e17bb7 11.8.5
• bce8ce7 Backport 861ccd9ac2237df762a9e2beed7edd88c60782dc
• 8ced192 Fix build
• 670eb04 11.8.4
• 20f29fe Backport #1543: Initialize globalResponse in case of ignored HTTPError (#2017)
• 0da732f 11.8.3
• 9463bb6 Bump cacheable-request dependency (#1921)
• 0e167b8 HTTPError code set to 'HTTPError' #1711 (#1739)
• f896aa5 11.8.2
• 3bd245f Instantiate CacheableLookup only when needed (#1529)
• a72ed84 11.8.1
• 4c815c3 Do not throw on custom stack traces (#1491)
• e0cb820 11.8.0
• f65c9ef Upgrade dependencies
• 7acd380 Fix for sending files with size `0` on `stat` (#1488)
• 6aa86f2 Fix indentation in the readme
• 3dd2273 `beforeRetry` allows stream body if different from original (#1501)
• b1afa2b Fix readme example comment (#1505)
• 390b145 Set default value for an options object (#1495)
• 87dadd5 Fixed documentation example for `responseType` (#1494)
• 3bf3e3b Add `lookup` option documentation (#1483)
• c31366b Add a test for #1438 (#1469)
• 5d62958 11.7.0
• 88b32ea Fix a regression where body was sent after redirect

See the full diff

Package name: jsonwebtoken

The new version differs by 17 commits.

• e1fa9dc Merge pull request from GHSA-8cf7-32gw-wr33
• 5eaedbf chore(ci): remove github test actions job (#861)
• cd4163e chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)
• ecdf6cc fix!: Prevent accidental use of insecure key sizes & misconfiguration of secrets (#852)
• 8345030 fix(sign&verify)!: Remove default `none` support from `sign` and `verify` methods, and require it to be explicitly configured (#851)
• 7e6a86b Upload OpsLevel YAML (#849)
• 74d5719 docs: update references vercel/ms references (Bump dns-packet from 1.3.1 to 1.3.4 kriasoft/react-firebase-starter#770)
• d71e383 docs: document "invalid token" error
• 3765003 docs: fix spelling in README.md: Peak -> Peek ([Security] Bump ssri from 6.0.1 to 6.0.2 kriasoft/react-firebase-starter#754)
• a46097e docs: make decode impossible to discover before verify
• 15a1bc4 refactor: make decode non-enumerable
• 5f10bf9 docs: add jwtid to options of jwt.verify (Bump husky from 4.0.4 to 4.3.6 kriasoft/react-firebase-starter#704)
• 88cb9df Replace tilde-indexOf with includes (Bump knex from 0.20.7 to 0.21.3 kriasoft/react-firebase-starter#647)
• a6235fa Adds not to README on decoded payload validation (Bump @babel/runtime from 7.7.7 to 7.11.2 kriasoft/react-firebase-starter#646)
• 5ed1f06 docs: fix tiny style change in readme (Bump lint-staged from 9.5.0 to 10.2.11 kriasoft/react-firebase-starter#622)
• 9fb90ca style: add missing semicolon ([Security] Bump elliptic from 6.4.1 to 6.5.3 kriasoft/react-firebase-starter#641)
• a9e38b8 ci: use circleci (Bump pg from 7.17.0 to 8.0.3 kriasoft/react-firebase-starter#589)

See the full diff

Package name: knex

The new version differs by 250 commits.

• 3475d81 Prepare to release 2.4.0
• e97f922 Bump tsd from 0.24.1 to 0.25.0 (#5396)
• e145322 1227: add assertion for basic where clause values (#5417)
• 962bb0a Bump sinon from 14.0.2 to 15.0.1 (#5413)
• ab45314 Add JSDoc (TS Flavour) to mjs stub file (#5390)
• 72bd1f7 Fix: orWhereJson (#5361)
• 4fc939a Fixes unexpected max acquire-timeout (#5377)
• 5c4837c Fix lib/.gitignore path separator on Windows. (#5325)
• 7dbbd00 Bump actions/setup-node from 3.4.1 to 3.5.1 (#5356)
• d39051f fix: add missing type for 'expirationChecker' on PgConnectionConfig (#5334)
• f7ccde8 Make compiling SQL in error message optional (#5282)
• 82610ca Bump tsd from 0.23.0 to 0.24.1 (#5329)
• cb5be88 Bump typescript from 4.8.2 to 4.8.3 (#5324)
• dc6dbbf fix: insert array into json column (#5321)
• 864530c feat: support partial unique indexes (#5316)
• 6bed5e9 Fix changing the default value of a boolean column in SQLite (#5319)
• f52b2c5 Merge remote-tracking branch 'origin/master'
• 05c4707 Prepare to release 2.3.0
• 13b61c0 Update dependencies (#5317)
• 97fccdf Explicit jsonb support for custom pg clients (#5201)
• 1cc1df9 chore: remove bindingHolder for proper scoping (#5235)
• e0c0fa9 Implement mapBinding mssql dialect option (#5292)
• 29283a1 Bump tsd from 0.22.0 to 0.23.0 (#5314)
• 57692d3 Infer specific column value type in aggregations (#5297)

See the full diff

Package name: minimist

The new version differs by 21 commits.

• 7efb22a 1.2.6
• ef88b93 security notice for additional prototype pollution issue
• c2b9819 isConstructorOrProto adapted from PR
• bc8ecee test from prototype pollution PR
• aeb3e27 1.2.5
• 278677b 1.2.4
• 4cf1354 security notice
• 1043d21 additional test for constructor prototype pollution
• 6457d74 1.2.3
• 38a4d1c even more aggressive checks for protocol pollution
• 13c01a5 more failing proto pollution tests
• f34df07 1.2.2
• 67d3722 cleanup
• 63e7ed0 don't assign onto __proto__
• 47acf72 console.dir -> console.log
• 0efed03 failing test for protocol pollution
• 29783cd 1.2.1
• 6be5dae add test
• ac3fc79 fix bad boolean regexp
• 4cf45a2 Merge pull request window object not available on server rendering kriasoft/react-firebase-starter#63 from lydell/dash-dash-docs-fix
• 5fa440e move the `opts['--']` example back where it belongs

See the full diff

Package name: passport

The new version differs by 100 commits.

• c33067b 0.6.0
• 3052bb4 Update changelog.
• 42630cb Merge pull request #900 from jaredhanson/fix-fixation
• 8dd79fe Use utils-merge rather than Object.assign for compatibility.
• 4f6bd5b Change keepSessionData to keepSessionData.
• 46756e5 Silence verbose logging.
• 987b191 Add tests.
• f8a175f Add tests.
• 29a90d6 No need to guard callback existence.
• bfba8a1 Add tests.
• 17111d7 Add option to keep session data on logout.
• a349c2b Add option to keep session data.
• e69834e Add optional options to login and logout.
• 8825a9a Add tests.
• c1991cf Add tests.
• 294f22c Better session detection and exceptions.
• 80cc4e3 Add tests.
• 3001654 Add tests.
• b395106 Clean up tests.
• cfa8259 Add tests.
• ee0bf81 Add tests.
• cc7606c Add tests.
• 71c54f6 Add test.
• 88c1f1b Handle logout without session manager.

See the full diff

Package name: pg

The new version differs by 213 commits.

• 7ffe68e Publish
• 125a268 Update changelog
• da2bb85 Bump node-fetch from 2.6.0 to 2.6.1
• 7649890 Update SPONSORS.md
• c5445f0 Fix metadata for pg-connection-string
• a02dfac Replace semver with optional peer dependencies
• 5825843 Public export of DatabaseError
• e421167 Add ssl=true into the test
• 9cbea21 Solve issues caused by config.ssl = true
• 6be3b90 Add support for ?sslmode connection string param
• f0fc470 Update README.md (#2330)
• 95b5daa Publish
• 1f0d3d5 Add test for pgpass check function scope
• 0758b76 Fix context (this) in _checkPgPass.
• acfbafa Publish
• 07ee1ba Bump version
• 65156e7 Small readme updates & auto-formatting
• 61e4b7f Merge pull request #2309 from chris--young/ssl-err
• f4d123b Prevents bad ssl credentials from causing a crash
• 316bec3 Merge pull request #2294 from charmander/test-fixes
• 3edcbb7 Fix most SSL negotiation packet tests being ignored
• 1b022f8 Remove accidentally duplicated methods
• b8773ce Merge pull request #2289 from brianc/dependabot/npm_and_yarn/lodash-4.17.19
• 692e418 Fix documenation typo in README (#2291)

See the full diff

Package name: serialize-javascript

The new version differs by 17 commits.

• b54341e v3.1.0
• 7cee7e4 Revert "support for bigint (Why is this callback asynchronous kriasoft/react-firebase-starter#80)"
• 026a445 Bump mocha from 7.1.2 to 7.2.0 (Request: Redux Support kriasoft/react-firebase-starter#83)
• 5130a71 support for bigint (Why is this callback asynchronous kriasoft/react-firebase-starter#80)
• ea76b23 Bump mocha from 7.1.1 to 7.1.2 (not working after NCU kriasoft/react-firebase-starter#82)
• 073c8d8 Bump nyc from 15.0.0 to 15.0.1 (Update on blog index route - FIXED kriasoft/react-firebase-starter#81)
• f21a6fb Don't replace regex / function placeholders within string literals (Fresh install broken kriasoft/react-firebase-starter#79)
• 1ac487e [Security] Bump minimist from 1.2.0 to 1.2.5 (Just one entry point? kriasoft/react-firebase-starter#78)
• c795cef Bump mocha from 7.1.0 to 7.1.1 (json-loader is referenced in webpack.config but missing in package kriasoft/react-firebase-starter#77)
• 3064431 Bump mocha from 7.0.1 to 7.1.0 (Fix for the .jsx extension in the page directory kriasoft/react-firebase-starter#74)
• 9dbe8f6 Update example in README (404 kriasoft/react-firebase-starter#73)
• f5957ee v3.0.0
• eed510c Introduce support for Infinity (Use Kinto as Distributed Database kriasoft/react-firebase-starter#72)
• 82bb2d2 Bump mocha from 7.0.0 to 7.0.1 (using react-font-awesome in webpack config kriasoft/react-firebase-starter#71)
• fdfb10a Test on Node.js v12 (Routes Loader Broken? kriasoft/react-firebase-starter#70)
• 2f5f126 Bump mocha from 6.2.2 to 7.0.0 (Support SCSS @mixin kriasoft/react-firebase-starter#69)
• 35062c0 Bump nyc from 14.1.1 to 15.0.0 (include jsx files kriasoft/react-firebase-starter#68)

See the full diff

Package name: validator

The new version differs by 250 commits.

• 47ee5ad 13.7.0
• 496fc8b fix(rtrim): remove regex to prevent ReDOS attack (#1738)
• 45901ec Merge pull request #1851 from validatorjs/chore/fix-merge-conflicts
• 83cb7f8 chore: merge conflict clean-up
• f17e220 feat(isMobilePhone): add El Salvador es-SV locale
• 5b06703 feat(isMobilePhone): add Palestine ar-PS locale
• a3faa83 feat(isMobilePhone): add Botswana en-BW locale
• 26605f9 feat(isMobilePhone): add Turkmenistan tk-TM
• 0e5d5d4 feat(isMobilePhone): add Guyana en-GY locale
• f7ff349 feat(isMobilePhone): add Frech Polynesia fr-PF locale
• 8627e48 feat(isMobilePhone): add Kiribati en-KI locale
• ed60123 feat(isMobilePhone): add Tajikistan tg-TJ locale (#1846)
• c96d805 feat(isMobilePhone): add Maldives dv-MV locale
• 5c2d69e feat(isMobilePhone): regex for Burkina Faso fr-BF and Namibia en-NA locales
• fc0fefc feat(isMobilePhone): add Bhutan dz-BT locale (#1770)
• 01d3da3 feat(isMobilePhone): add Tajikistan tg-TJ locale (#1846)
• af2b43c feat(isUUID): add support for validation of version v1 and v2 (#1848)
• 769f6d5 feat(contains): add possibility to check that string contains seed multiple times (#1836)
• f2381e0 feat: (isMobilePhone): add Cameroon fr-CM locale (#1772)
• 5773869 feat(isVAT): add dutch NL locale (#1825)
• de1cb29 fix: Russian passport number regex (#1810)
• 7bee611 add CDN use option with unpkg (#1844)
• 57cc14e feat(isIdentityCard): add finnish locale (#1838)
• 2201869 feat: added finnish locale to isAlpha and isAlphanumeric (#1837)

See the full diff

With a Snyk patch:

Severity	Issue	Exploit Maturity
	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Arbitrary Code Injection
🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn