[Snyk-dev] Fix for 20 vulnerabilities

[KorenBenEzri]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	No	Proof of Concept
	696/1000 Why? Recently disclosed, Has a fix available, CVSS 8.2	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-DOTTIE-3332763	No	Proof of Concept
	541/1000 Why? Recently disclosed, Has a fix available, CVSS 5.1	Cross-site Scripting SNYK-JS-EXPRESS-7926867	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTTPCACHESEMANTICS-3248783	No	Proof of Concept
	751/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.6	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-Side Request Forgery (SSRF) SNYK-JS-IP-7148531	No	Proof of Concept
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MOUT-2342654	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Improper Control of Generation of Code ('Code Injection') SNYK-JS-PUGCODEGEN-7086056	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	391/1000 Why? Recently disclosed, Has a fix available, CVSS 2.1	Cross-site Scripting SNYK-JS-SEND-7926862	No	No Known Exploit
	391/1000 Why? Recently disclosed, Has a fix available, CVSS 2.1	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	No	No Known Exploit
	761/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.8	Information Exposure SNYK-JS-SIMPLEGET-2361683	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-TAR-6476909	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: body-parser

The new version differs by 64 commits.

• 1752951 1.20.3
• 39744cf chore: linter (Update swagger-ui-express to the latest version 🚀 juice-shop/juice-shop#534)
• b2695c4 Merge commit from fork
• ade0f3f add scorecard to readme (Update mocha to the latest version 🚀 juice-shop/juice-shop#531)
• 99a1bd6 deps: [email protected] (Add reflected XSS challenge juice-shop/juice-shop#521)
• 9478591 fix: pin to [email protected]
• 83db46a ci: fix errors in ci github action for node 8 and 9 (Persist language selection in cookie juice-shop/juice-shop#523)
• 9d4e212 chore: add support for OSSF scorecard reporting (New Crowdin translations juice-shop/juice-shop#522)
• ee91374 1.20.2
• 368a93a Fix strict json error message on Node.js 19+
• 0385872 deps: [email protected]
• 2c35b41 build: [email protected]
• f0646c2 build: [email protected]
• f345fb1 build: [email protected]
• 6842efc deps: content-type@~1.0.5
• 5af7315 build: [email protected]
• 8e605b3 build: [email protected]
• cba6e77 build: [email protected]
• 6a464ab build: [email protected]
• 7ebf276 build: [email protected]
• 69bb649 build: [email protected]
• 8ff995f docs: switch badges to badgen
• 850832f build: [email protected]
• dad8f34 build: actions/download-artifact@v3

See the full diff

Package name: check-dependencies

The new version differs by 61 commits.

• 03c8847 Tag 2.0.0
• 65d9ef5 Set Node.js requirement in package.json engines to >=18.3
• 4917ab0 Simplify the spawn logic
• fc04cc8 Drop support for the callback interface
• 28257dd Tweak ESLint settings
• dc16e8a Drop the bluebird devDependency
• 412337a Drop fs-extra & graceful-fs devDependencies
• 091279a Drop the findup-sync dependency
• 10ac9c5 Drop lodash.camelcase & minimist dependencies
• 35dce52 Update dependencies
• 2929ba7 Update tested Node.js versions
• 1f514eb Don't invoke `npm prune`, `npm install` is already enough
• 65107d2 Drop support for Bower & the `checkCustomPackageNames` option
• f28ba1b Avoid `git://` URLs, they're no longer supported
• 8fdc6ad Limit allowed `packageManager` values
• 9809f13 Bump word-wrap from 1.2.3 to 1.2.4 ([Snyk] Security upgrade socket.io from 3.0.0 to 3.0.5 #58)
• e522471 Bump semver from 7.3.8 to 7.5.2 ([Snyk-dev] Security upgrade @angular/cli from 10.2.4 to 11.1.0 #57)
• 031416d Bump yaml from 2.2.1 to 2.2.2 ([Snyk] Fix for 1 vulnerabilities #56)
• dff3ab9 Build: Fix running tests on Windows
• 062005f Build: Update the GitHub Actions config
• ecf138f Build: Update dependencies
• 15c13b3 Build: Remove AppVeyor
• 89b9df0 Build: Update .gitattributes to files always use LF line endings
• db8c172 Build: Tweak GitHub Actions workflow code style

See the full diff

Package name: express

The new version differs by 187 commits.

• 7e562c6 4.21.0
• 1bcde96 fix(deps): [email protected] (#5946)
• 7d36477 fix(deps): [email protected] (#5951)
• 40d2d8f fix(deps): [email protected]
• 77ada90 Deprecate `"back"` magic string in redirects (#5935)
• 21df421 4.20.0
• 4c9ddc1 feat: upgrade to [email protected]
• 9ebe5d5 feat: upgrade to [email protected] (#5928)
• ec4a01b feat: upgrade to [email protected] (#5926)
• 54271f6 fix: don't render redirect values in anchor href
• 125bb74 [email protected] (#5902)
• 2a980ad [email protected] (#5781)
• a3e7e05 docs: specify new instructions for `question` and `discuss`
• c5addb9 deps: [email protected] (#5603)
• e35380a docs: add @ IamLizu to the triage team (#5836)
• f5b6e67 docs: update scorecard link (#5814)
• 2177f67 docs: add OSSF Scorecard badge (#5436)
• f4bd86e Replace Appveyor windows testing with GHA (#5599)
• 2ec589c Fix Contributor Covenant link definition reference in attribution section (#5762)
• 4cf7eed remove minor version pinning from ci (#5722)
• 6d08471 📝 update people, add ctcpip to TC (#5683)
• 61421a8 skip QUERY tests for Node 21 only, still not supported (#5695)
• f42b160 [v4] Deprecate `res.clearCookie` accepting `options.maxAge` and `options.expires` (#5672)
• 689073d ✨ bring back query tests for node 21 (#5690)

See the full diff

Package name: file-stream-rotator

The new version differs by 13 commits.

• 321241d v1.0.0
• 6daf865 improved readme
• 375dc2e force manual stream rotation
• 7e595e4 rewrite using TS.
• 2b41e6a fix for PR [Snyk] Security upgrade unzipper from 0.9.15 to 0.12.1 #87. no check before setting hashType.
• 0030fb1 fix rotation without date.
• 0a8faeb Merge pull request [Snyk-dev] Fix for 2 vulnerabilities #83 from chneil/master
• 9c487ca Merge pull request [Snyk] Fix for 1 vulnerabilities #81 from afrobros/fix_mkdirSync
• 325ccfa version 0.6.0. Includes fix to [Snyk-dev] Fix for 4 vulnerabilities #85, [Snyk] Fix for 1 vulnerabilities #82
• 7764aac allow to specify hashing algorithm to use for the audit log
• 48d3e61 updated moment to 2.29.1
• 7fd96fe Emitting new event when the logfile is re-created after deletion so that the watcher is readded
• 35b36a8 fix Throw exist error on mkdirSync

See the full diff

Package name: finale-rest

The new version differs by 5 commits.

• d94ee1f 1.2.0
• 5834732 Fix search with substring ([Snyk] Security upgrade @angular-devkit/build-angular from 0.1000.8 to 14.0.0 #90)
• 5d1de6b Add deletedInstance property to context on delete ([Snyk] Security upgrade unzipper from 0.9.15 to 0.12.1 #87)
• b005710 README Update
• 2514b90 Bump lodash from 4.17.15 to 4.17.19 ([Snyk-dev] Security upgrade sanitize-html from 2.7.1 to 2.12.1 #68)

See the full diff

Package name: grunt-contrib-compress

The new version differs by 5 commits.

• bd9fc8e v2.0.0
• b8565a9 Update Archiver ([Snyk] Security upgrade express from 4.17.2 to 4.21.0 alexeisnyk/juice-shop#232)
• f6815bf Update deps and remove nodeunit loading ([Snyk] Fix for 4 vulnerabilities alexeisnyk/juice-shop#231)
• b70c1d9 Update tests and dependencies ([Snyk] Fix for 4 vulnerabilities alexeisnyk/juice-shop#230)
• 5759edd Bump ini from 1.3.5 to 1.3.7 ([Snyk] Fix for 18 vulnerabilities alexeisnyk/juice-shop#228)

See the full diff

Package name: i18n

The new version differs by 93 commits.

• 02dd49d tests: use arrow function
• fa50268 eslint refactor var -> const,let
• abb05ec refactor to arrow functions
• 5855724 drop node support < 10
• 9e6559a Merge branch 'gajus-master'
• 234b94b (re-)added tests fast-printf Update jasmine to the latest version 🚀 juice-shop/juice-shop#453
• ef5675c Merge branch 'master' of git://github.com/gajus/i18n-node into gajus-master
• 2461a97 typo
• 737b67d refactored test to cover mf plurals
• 42f12d3 Merge branch 'calmonr-fix-messageformat'
• 0faeee0 Merge branch 'fix-messageformat' of https://github.com/calmonr/i18n-node into calmonr-fix-messageformat
• 6018b9f Merge tag '0.13.4'
• 9683cc6 Merge branch 'release/0.13.4' into npm
• bdce606 v0.13.4
• 4e6963f upgrade tested
• 3139881 save update
• aa60ac7 upgraded devDeps
• b6e672d Merge pull request New Crowdin translations juice-shop/juice-shop#482 from Justman10000/patch-1
• ed5c03f should fix coverage report
• 10daf65 publish coverage
• 84008b8 sad to see travis go paid only
• d433ebe Update node.js.yml
• 7b4a0a2 Create node.js.yml
• 5a08ecc Update sinon to the latest version 🚀 juice-shop/juice-shop#486 - test path traversal vulnerability

See the full diff

Package name: jsonwebtoken

The new version differs by 5 commits.

• bc28861 Release 9.0.2 (Full Path Disclosoure Challange juice-shop/juice-shop#935)
• 96b8906 refactor: use specific lodash packages (Sequelize 5.x migration juice-shop/juice-shop#933)
• ed35062 security: Updating semver to 7.5.4 to resolve CVE-2022-25883 (Update mocha to the latest version 🚀 juice-shop/juice-shop#932)
• 84539b2 Updating package version to 9.0.1 (Captcha existence check juice-shop/juice-shop#920)
• a99fd4b fix(stubs): allow decode method to be stubbed (Facelift: New Welcome Banner + Revised design of the login page juice-shop/juice-shop#876)

See the full diff

Package name: juicy-chat-bot

The new version differs by 10 commits.

• 705832f Bump version
• 147fb16 Only load english ([Snyk] Security upgrade juicy-chat-bot from 0.6.5 to 0.6.6 #15)
• 11bbd8b Bump CI/CD to Node.js 18
• 3b677b5 Bump to v0.7.1
• 4a90dc5 Merge remote-tracking branch 'origin/develop' into develop
• 7b32e43 Pin version of VM2 to 3.9.17 without vulnerability ([Snyk] Security upgrade node-sass from 4.14.1 to 7.0.2 #14)
• 8e63414 Pin version of VM2 to 3.9.17 without vulnerability ([Snyk] Security upgrade node-sass from 4.14.1 to 7.0.2 #14)
• 61a1f1a Bump version
• 5ef0011 Add typescript definition for juicy-chat-bot
• d816d29 Bump copyright notes to include 2023

See the full diff

Package name: sequelize

The new version differs by 56 commits.

• 367caf3 feat(types): add TypeScript 5.2 support (#16442)
• e4c780c meta: update lockfile (#16265)
• 2eb7a5d fix(types): remove escape from query-interface types (#15944)
• a3213f0 fix: bump dependencies (#16119)
• 99c3530 fix: move `types` condition to the front (#16085)
• af4f0ae feat(oracle): add width support for numerictype (#16073)
• e07eefb feat(oracle): add new error messages introduced in new driver version (#16075)
• 5c8250e fix(oracle): reordered check constraint for unsigned numeric type (#16074)
• fd38e79 fix(oracle): For Raw queries avoid converting the input parameters passed (#16067)
• eb71077 meta: use Node 18 in CI (#16000)
• a9fd501 fix(postgres): adds support for minifying through join aliases (#15897)
• f2a4535 feat: add beforePoolAcquire and afterPoolAcquire hooks (#15874)
• 58576dd fix(postgres): prevent crash if postgres connection emits multiple errors (#15868)
• 9d864be fix: update Slack invitation link (#15849)
• 295c297 feat(postgres, sqlite): add conflictWhere option to Model.bulkCreate (#15788)
• 338ae6a meta(db2): remove node:util (#15819)
• 2e50bd9 feat(postgres, sqlite): allow override of conflict keys for bulkCreate (#15787)
• 46d3553 fix: pass CLS transaction to model hooks (#15818)
• 1e68681 feat(postgres, sqlite): add conflictWhere option to upsert (#15786)
• 5bda2ce fix: fix unnamed dollar string detection (#15759)
• 1ad9a64 fix(postgres): escape identifier in createSchema and dropSchema (#15752)
• 1b94462 fix(postgres): make sync not fail when trying to create existing enum (#15718)
• d3f5b5a feat: throw an error if attribute includes parentheses (fixes CVE-2023-22578) (#15710)
• 53bd9b7 meta: fix null test getWhereConditions (#15705)

See the full diff

Package name: sqlite3

The new version differs by 126 commits.

• ba4ba07 v5.1.7
• d04c1fb Removed Node version from matrix title
• 03d6e75 v5.1.7-rc.0
• 8398daa Fixed uploading assets from Docker
• 8b86e41 Fixed uploading release assets on Windows
• 83c8c0a Configured releases to be created as prereleases
• f792f69 Update dependency node-addon-api to v7
• 4ef11bf Removed extraneous parameter to event emit function
• e99160a Inlined `init()` functions into class header files
• 3372130 Improved `RowToJS` performance by removing `Napi::String::New` instantiation
• 77b327c Increased number of rows inserted into benchmark database
• 603e468 Fixed minor linting warning
• 8bda876 Refactored Database to use macros for method definitions
• 5809f62 Fixed uploading prebuilt binaries from Docker
• aabd297 Update actions/setup-node action to v4
• c775b81 Extracted common Node-API queuing code into macro
• 2595304 Updated list of supported targets
• 605c7f9 Replaced `@ mapbox/node-pre-gyp` in favor of `prebuild` + `prebuild-install`
• a2cee71 Update dependency mocha to v10
• 7674271 Update dependency eslint to v8
• 83e282d Update actions/checkout digest to b4ffde6
• 8482aaf Update docker/setup-buildx-action action to v3
• c74f267 Update docker/setup-qemu-action action to v3
• 9e8b2ee Reworked CI versions

See the full diff

Package name: unzipper

The new version differs by 118 commits.

• ea87bf3 Update package.json
• ba8416b Merge pull request pull from with master juice-shop/juice-shop#321 from ZJONSSON/fix-deploy
• 2357a71 Fix deploy script
• 2608bc2 Merge pull request rebase with v3.2.0 juice-shop/juice-shop#320 from ZJONSSON/update-docs
• 23cc3b8 Merge pull request Travis-CI build stages juice-shop/juice-shop#319 from ZJONSSON/deploy.yml
• 1b4b210 Update docs
• 760f100 Merge pull request Integration Awareness-Training Examples juice-shop/juice-shop#316 from lechuhuuha/master
• 360b0f2 Merge branch 'master' into master
• cbf8db9 add deploy action
• 343956a Merge pull request unknown error deploying to heroku juice-shop/juice-shop#318 from ZJONSSON/ayush-refactor
• 341aa44 Make empty directories
• b1abffa Replace fstream with fs-extra
• 088319e remove new lines and big-integer
• 36585e5 replace bigint with node-int64
• 1149855 eslint (Continue code autosave juice-shop/juice-shop#314)
• a6e0392 Increase buffer to 1k - add tests (Added Scoreboard Autoupdate as suggested in #307. juice-shop/juice-shop#313)
• 637df97 Open methods - only stream up to length (Different behavior of Login with Google juice-shop/juice-shop#310)
• 6a165e5 bump patch (Feature: Add refresh button to score-board. juice-shop/juice-shop#307)
• d161755 Fix spelling
• 46df524 expand test versions (v3.0.0 juice-shop/juice-shop#304)
• 2416da8 fix .npmignore (Corrected contribution links juice-shop/juice-shop#303)
• 3095797 bump minor (After docker crashed there's no way to restore challenges. juice-shop/juice-shop#302)
• d7f01ee fix: use pipeline to propagate errors across all piped streams (Develop customization #277  juice-shop/juice-shop#288)
• 7c4604e Fix: Unix OS's should properly ignore the windows zip slipped files ([Snyk] Security upgrade @angular-devkit/build-angular from 0.1000.8 to 12.2.0 alexeisnyk/juice-shop#179)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Cross-site Scripting
🦉 More lessons are available in Snyk Learn