Skip to content

[Snyk] Upgrade: argon2, async, bluebird, body-parser, bunyan, cookie-parser, docdash, ejs, express, express-rate-limit, express-session, external-ip, formidable, geoip-lite, jimp, jsdoc, json2csv, mcc-mnc-list, moment, moment-timezone, mongodb, nginx-conf, nodemailer, properties-parser, puppeteer, request, underscore #112

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Upgrade: argon2, async, bluebird, body-parser, bunyan, cookie-parser, docdash, ejs, express, express-rate-limit, express-session, external-ip, formidable, geoip-lite, jimp, jsdoc, json2csv, mcc-mnc-list, moment, moment-timezone, mongodb, nginx-conf, nodemailer, properties-parser, puppeteer, request, underscore #112

wants to merge 1 commit into from

Conversation

@srom23
Copy link
Owner

@srom23 srom23 commented Sep 16, 2024

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name Versions Released on

argon2
from 0.24.0 to 0.41.0 | 31 versions ahead of your current version | 21 days ago
on 2024-08-25
async
from 2.6.3 to 2.6.4 | 1 version ahead of your current version | 2 years ago
on 2022-04-13
bluebird
from 3.5.5 to 3.7.2 | 4 versions ahead of your current version | 5 years ago
on 2019-11-28
body-parser
from 1.19.0 to 1.20.2 | 5 versions ahead of your current version | 2 years ago
on 2023-02-22
bunyan
from 1.8.12 to 1.8.15 | 3 versions ahead of your current version | 4 years ago
on 2021-01-08
cookie-parser
from 1.4.4 to 1.4.6 | 2 versions ahead of your current version | 3 years ago
on 2021-11-16
docdash
from 1.1.1 to 1.2.0 | 1 version ahead of your current version | 5 years ago
on 2020-01-26
ejs
from 2.6.2 to 2.7.4 | 4 versions ahead of your current version | 5 years ago
on 2019-11-19
express
from 4.16.4 to 4.19.2 | 11 versions ahead of your current version | 6 months ago
on 2024-03-25
express-rate-limit
from 5.0.0 to 5.5.1 | 12 versions ahead of your current version | 3 years ago
on 2021-11-06
express-session
from 1.16.2 to 1.18.0 | 5 versions ahead of your current version | 8 months ago
on 2024-01-28
external-ip
from 2.1.1 to 2.3.1 | 1 version ahead of your current version | 4 years ago
on 2020-04-26
formidable
from 1.2.1 to 1.2.6 | 5 versions ahead of your current version | 3 years ago
on 2021-10-30
geoip-lite
from 1.3.7 to 1.4.10 | 12 versions ahead of your current version | 7 months ago
on 2024-02-15
jimp
from 0.6.4 to 0.22.12 | 203 versions ahead of your current version | 7 months ago
on 2024-02-23
jsdoc
from 3.6.3 to 3.6.11 | 8 versions ahead of your current version | 2 years ago
on 2022-07-20
json2csv
from 4.5.2 to 4.5.4 | 2 versions ahead of your current version | 5 years ago
on 2019-10-09
mcc-mnc-list
from 1.0.82 to 1.1.11 | 11 versions ahead of your current version | a year ago
on 2023-04-04
moment
from 2.24.0 to 2.30.1 | 14 versions ahead of your current version | 9 months ago
on 2023-12-27
moment-timezone
from 0.5.26 to 0.5.45 | 19 versions ahead of your current version | 7 months ago
on 2024-02-04
mongodb
from 3.2.7 to 3.7.4 | 42 versions ahead of your current version | a year ago
on 2023-06-21
nginx-conf
from 1.5.0 to 1.7.0 | 2 versions ahead of your current version | 4 years ago
on 2020-12-27
nodemailer
from 6.3.0 to 6.9.14 | 51 versions ahead of your current version | 3 months ago
on 2024-06-19
properties-parser
from 0.3.1 to 0.6.0 | 4 versions ahead of your current version | a year ago
on 2023-05-26
puppeteer
from 1.19.0 to 1.20.0 | 1 version ahead of your current version | 5 years ago
on 2019-09-13
request
from 2.88.0 to 2.88.2 | 1 version ahead of your current version | 5 years ago
on 2020-02-11
underscore
from 1.9.1 to 1.13.7 | 19 versions ahead of your current version | 2 months ago
on 2024-07-24

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Directory Traversal
SNYK-JS-MOMENT-2440688		 506 No Known Exploit
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MOMENT-2944238		 506 Proof of Concept
high severity Command Injection
SNYK-JS-NODEMAILER-1038834		 506 Proof of Concept
high severity Prototype Poisoning
SNYK-JS-QS-3153490		 506 Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-JPEGJS-2859218		 506 Proof of Concept
high severity Prototype Pollution
SNYK-JS-ASYNC-2441827		 506 Proof of Concept
high severity Prototype Poisoning
SNYK-JS-QS-3153490		 506 Proof of Concept
medium severity Prototype Pollution
SNYK-JS-MINIMIST-559764		 506 Proof of Concept
medium severity HTTP Header Injection
SNYK-JS-NODEMAILER-1296415		 506 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-NODEMAILER-6219989		 506 Proof of Concept
medium severity Exposure of Sensitive Information to an Unauthorized Actor
SNYK-JS-PHIN-6598077		 506 No Known Exploit
medium severity Denial of Service (DoS)
SNYK-JS-JPEGJS-570039		 506 No Known Exploit
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKDOWNIT-2331914		 506 No Known Exploit
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKDOWNIT-459438		 506 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-2342073		 506 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-2342082		 506 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKED-584281		 506 No Known Exploit
medium severity Remote Code Execution (RCE)
SNYK-JS-BUNYAN-573166		 506 No Known Exploit
medium severity Open Redirect
SNYK-JS-EXPRESS-6474509		 506 No Known Exploit
low severity Prototype Pollution
SNYK-JS-MINIMIST-2429795		 506 Proof of Concept
Release notes
Package name: argon2
  • 0.41.0 - 2024-08-25

    What's Changed

    New Contributors

    Full Changelog: v0.40.2...v0.41.0

  • 0.40.3 - 2024-05-25
  • 0.40.2 - 2024-05-25

    Fix issue with publishing tags starting with v

  • 0.40.1 - 2024-02-22
  • 0.40.0-alpha.3 - 2024-01-10
  • 0.40.0-alpha.2 - 2023-12-30
  • 0.40.0-alpha.1 - 2023-12-20
  • 0.31.2 - 2023-11-04

    Note: this is the last version that will support Node 16 since it's support has ended on 2023-09-11. Please upgrade to 18 or preferably 20 as soon as possible.

    What's Changed

    New Contributors

    Full Changelog: v0.31.1...v0.31.2

  • 0.31.1 - 2023-09-01

    Maintenance release intended to fix missing prebuilts due to failure when building v0.31.0

    Note: v0.31.x will be the last version supporting Node v16. Please update to Node v18 or newer.

    Full Changelog: v0.31.0...v0.31.1

  • 0.31.0 - 2023-08-02

    What's Changed

    Please update to v0.31.0 as soon as possible.

    New Contributors

    Full Changelog: v0.30.3...v0.31.0

  • 0.30.3 - 2023-01-05

    What's Changed

    • Change binding resolution to mitigate "Module parse failed" errors by @ Voltra in #366

    New Contributors

    Full Changelog: v0.30.2...v0.30.3

  • 0.30.2 - 2022-11-08

    Fixes #362

  • 0.30.1 - 2022-10-13

    Defaults have been updated to use RFC recommended values, see #360

  • 0.29.1 - 2022-08-23

    Added builds for FreeBSD, closes #320 and hopefully fixes coder/code-server#4669 coder/code-server#4670

  • 0.29.0 - 2022-08-22
  • 0.28.7 - 2022-07-03
  • 0.28.5 - 2022-03-01
  • 0.28.4 - 2022-02-02
  • 0.28.3 - 2021-11-25
  • 0.28.2 - 2021-06-08
  • 0.28.1 - 2021-06-02
  • 0.28.0 - 2021-06-02
  • 0.27.2 - 2021-03-31
  • 0.27.1 - 2020-12-11
  • 0.27.0 - 2020-08-13
  • 0.26.2 - 2020-04-08
  • 0.26.1 - 2020-02-28
  • 0.26.0 - 2020-02-11
  • 0.25.1 - 2019-11-04
  • 0.25.0 - 2019-10-01
  • 0.24.1 - 2019-08-27
  • 0.24.0 - 2019-06-18
from argon2 GitHub release notes
Package name: async from async GitHub release notes
Package name: bluebird from bluebird GitHub release notes
Package name: body-parser from body-parser GitHub release notes
Package name: bunyan from bunyan GitHub release notes
Package name: cookie-parser from cookie-parser GitHub release notes
Package name: docdash
  • 1.2.0 - 2020-01-26
    • [feature] host fonts locally
    • [feature] separate styles for headers inside user markdown
    • [feature] hide static/private method depending of the config
    • [fix] fix empty source code lines in some browsers
    • [fix] improved viewing theme on smaller screens
  • 1.1.1 - 2019-05-21
    • [feature] scroll to currently opened method on page load
    • [fix] fixed searching in IE11
    • [fix] hiding/showing find exact match to open only single relevant section
from docdash GitHub release notes
Package name: ejs
  • 2.7.4 - 2019-11-19

    Bug fixes

    • Fixed Node 4 support, which broke in v2.7.3 (5e42d6c, @ mde)
  • 2.7.3 - 2019-11-19

    Bug fixes

  • 2.7.2 - 2019-11-13

    Features

    • Added support for destructuring locals (#452, @ ExE-Boss)
    • Added support for disabling legacy include directives (#458, #459, @ ExE-Boss)
    • Compiled functions are now shown in the debugger (#456, @ S2-)
    • function.name is now set to the file base name in environments that support this (#466, @ ExE-Boss)

    Bug Fixes

    • The error message when async != true now correctly mention the existence of the async option (#460, @ ExE-Boss)
    • Improved performance of HTML output generation (#470, @ nwoltman)
  • 2.7.1 - 2019-09-02

    Deprecated:

    • Added deprecation notice for use of require.extensions (@ mde)
  • 2.6.2 - 2019-06-15
    • Examples for client-side EJS compiled with Express middleware (@ mjgs)
    • Make Template constructor public (@ ThisNameWasTaken)
    • Added remove function to cache (@ S2-)
    • Recognize both 'Nix and Windows absolute paths (@ mde)
from ejs GitHub release notes
Package name: express

@snyk-bot
fix: upgrade multiple dependencies with Snyk
ec24f3a 
Snyk has created this PR to upgrade:
  - argon2 from 0.24.0 to 0.41.0.
    See this package in npm: https://www.npmjs.com/package/argon2
  - async from 2.6.3 to 2.6.4.
    See this package in npm: https://www.npmjs.com/package/async
  - bluebird from 3.5.5 to 3.7.2.
    See this package in npm: https://www.npmjs.com/package/bluebird
  - body-parser from 1.19.0 to 1.20.2.
    See this package in npm: https://www.npmjs.com/package/body-parser
  - bunyan from 1.8.12 to 1.8.15.
    See this package in npm: https://www.npmjs.com/package/bunyan
  - cookie-parser from 1.4.4 to 1.4.6.
    See this package in npm: https://www.npmjs.com/package/cookie-parser
  - docdash from 1.1.1 to 1.2.0.
    See this package in npm: https://www.npmjs.com/package/docdash
  - ejs from 2.6.2 to 2.7.4.
    See this package in npm: https://www.npmjs.com/package/ejs
  - express from 4.16.4 to 4.19.2.
    See this package in npm: https://www.npmjs.com/package/express
  - express-rate-limit from 5.0.0 to 5.5.1.
    See this package in npm: https://www.npmjs.com/package/express-rate-limit
  - express-session from 1.16.2 to 1.18.0.
    See this package in npm: https://www.npmjs.com/package/express-session
  - external-ip from 2.1.1 to 2.3.1.
    See this package in npm: https://www.npmjs.com/package/external-ip
  - formidable from 1.2.1 to 1.2.6.
    See this package in npm: https://www.npmjs.com/package/formidable
  - geoip-lite from 1.3.7 to 1.4.10.
    See this package in npm: https://www.npmjs.com/package/geoip-lite
  - jimp from 0.6.4 to 0.22.12.
    See this package in npm: https://www.npmjs.com/package/jimp
  - jsdoc from 3.6.3 to 3.6.11.
    See this package in npm: https://www.npmjs.com/package/jsdoc
  - json2csv from 4.5.2 to 4.5.4.
    See this package in npm: https://www.npmjs.com/package/json2csv
  - mcc-mnc-list from 1.0.82 to 1.1.11.
    See this package in npm: https://www.npmjs.com/package/mcc-mnc-list
  - moment from 2.24.0 to 2.30.1.
    See this package in npm: https://www.npmjs.com/package/moment
  - moment-timezone from 0.5.26 to 0.5.45.
    See this package in npm: https://www.npmjs.com/package/moment-timezone
  - mongodb from 3.2.7 to 3.7.4.
    See this package in npm: https://www.npmjs.com/package/mongodb
  - nginx-conf from 1.5.0 to 1.7.0.
    See this package in npm: https://www.npmjs.com/package/nginx-conf
  - nodemailer from 6.3.0 to 6.9.14.
    See this package in npm: https://www.npmjs.com/package/nodemailer
  - properties-parser from 0.3.1 to 0.6.0.
    See this package in npm: https://www.npmjs.com/package/properties-parser
  - puppeteer from 1.19.0 to 1.20.0.
    See this package in npm: https://www.npmjs.com/package/puppeteer
  - request from 2.88.0 to 2.88.2.
    See this package in npm: https://www.npmjs.com/package/request
  - underscore from 1.9.1 to 1.13.7.
    See this package in npm: https://www.npmjs.com/package/underscore

See this project in Snyk:
https://app.snyk.io/org/0sus0/project/68555b57-2a0e-4eb0-91f9-c90c1ebc544f?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0.30.1 causing node-gyp build errors upgrade argon2 to 0.29.1 to fix FreeBSD Please consider adding FreeBSD support (pre-built packages)

2 participants

@srom23 @snyk-bot