
[Snyk] Security upgrade express from 4.16.4 to 4.21.1 #42

Open. Wants to merge 1 commit into base: master.

Commit a96bfa7: fix: package.json & yarn.lock to reduce vulnerabilities
Mend Bolt for GitHub / WhiteSource Security Check failed Oct 13, 2024 in 1m 30s

Security Report

You have successfully remediated 115 vulnerabilities, but introduced 37 new vulnerabilities in this branch.

❌ New vulnerabilities:

For every entry below, the path to the dependency file and to the vulnerable library is /package.json, and no issue is linked (Issue: None). The dependency hierarchy is listed root library first, vulnerable library last.

| CVE | Severity | CVSS Score | Vulnerable Library | Dependency Hierarchy | Suggested Fix (upgrade to) |
|---|---|---|---|---|---|
| CVE-2022-2564 | Critical | 9.8 | mongoose-5.3.14.tgz | mongoose-5.3.14.tgz | mongoose 6.4.6 |
| CVE-2020-7720 | Critical | 9.8 | node-forge-0.8.4.tgz | pubsub-0.29.1.tgz -> google-auth-library-3.1.2.tgz -> gtoken-2.3.3.tgz -> google-p12-pem-1.0.4.tgz -> node-forge-0.8.4.tgz | node-forge 0.10.0 |
| CVE-2020-7610 | Critical | 9.8 | bson-1.1.0.tgz | mongoose-5.3.14.tgz -> bson-1.1.0.tgz | bson 1.1.4 |
| CVE-2019-17426 | Critical | 9.1 | mongoose-5.3.14.tgz | mongoose-5.3.14.tgz | 5.7.5 |
| CVE-2019-10744 | Critical | 9.1 | lodash-4.17.11.tgz | apollo-server-express-2.3.1.tgz -> apollo-server-core-2.3.1.tgz -> lodash-4.17.11.tgz | lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge-4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0 |
| CVE-2019-10744 | Critical | 9.1 | lodash.merge-4.6.1.tgz | pubsub-0.29.1.tgz -> lodash.merge-4.6.1.tgz | lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge-4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0 |
| CVE-2021-43138 | High | 7.8 | async-2.6.1.tgz | mongoose-5.3.14.tgz -> async-2.6.1.tgz | async 2.6.4, 3.2.2 |
| WS-2020-0111 | High | 7.5 | apollo-server-express-2.3.1.tgz | apollo-server-express-2.3.1.tgz | apollo-server-express 2.14.2 |
| WS-2020-0108 | High | 7.5 | apollo-server-core-2.3.1.tgz | apollo-server-express-2.3.1.tgz -> apollo-server-core-2.3.1.tgz | apollo-server-core 2.14.2 |
| WS-2019-0310 | High | 7.5 | https-proxy-agent-2.2.1.tgz | pubsub-0.29.1.tgz -> google-auth-library-3.1.2.tgz -> https-proxy-agent-2.2.1.tgz | https-proxy-agent 2.2.3 |
| CVE-2024-45590 | High | 7.5 | body-parser-1.18.3.tgz | body-parser-1.18.3.tgz | body-parser 1.20.3 |
| CVE-2024-37890 | High | 7.5 | ws-6.1.2.tgz | apollo-server-express-2.3.1.tgz -> apollo-server-core-2.3.1.tgz -> ws-6.1.2.tgz | ws 5.2.4, 6.2.3, 7.5.10, 8.17.1 |
| CVE-2022-24772 | High | 7.5 | node-forge-0.8.4.tgz | pubsub-0.29.1.tgz -> google-auth-library-3.1.2.tgz -> gtoken-2.3.3.tgz -> google-p12-pem-1.0.4.tgz -> node-forge-0.8.4.tgz | node-forge 1.3.0 |
| CVE-2022-24771 | High | 7.5 | node-forge-0.8.4.tgz | pubsub-0.29.1.tgz -> google-auth-library-3.1.2.tgz -> gtoken-2.3.3.tgz -> google-p12-pem-1.0.4.tgz -> node-forge-0.8.4.tgz | node-forge 1.3.0 |
| CVE-2022-24434 | High | 7.5 | dicer-0.2.5.tgz | apollo-server-express-2.3.1.tgz -> apollo-server-core-2.3.1.tgz -> graphql-upload-8.0.2.tgz -> busboy-0.2.14.tgz -> dicer-0.2.5.tgz | (none listed) |
| CVE-2021-3765 | High | 7.5 | validator-10.9.0.tgz | validator-10.9.0.tgz | validator 13.7.0 |
| CVE-2020-7768 | High | 7.5 | grpc-1.21.1.tgz | pubsub-0.29.1.tgz -> grpc-1.21.1.tgz | grpc 1.24.4, grpc-js 1.1.8 |
| CVE-2020-7768 | High | 7.5 | grpc-js-0.4.2.tgz | pubsub-0.29.1.tgz -> google-gax-1.1.1.tgz -> grpc-js-0.4.2.tgz | grpc 1.24.4, grpc-js 1.1.8 |
| CVE-2020-8203 | High | 7.4 | lodash-4.17.11.tgz | apollo-server-express-2.3.1.tgz -> apollo-server-core-2.3.1.tgz -> lodash-4.17.11.tgz | lodash 4.17.19 |
| CVE-2021-23337 | High | 7.2 | lodash-4.17.11.tgz | apollo-server-express-2.3.1.tgz -> apollo-server-core-2.3.1.tgz -> lodash-4.17.11.tgz | lodash 4.17.21, lodash-es 4.17.21 |
| CVE-2021-41249 | High | 7.1 | apollo-server-core-2.3.1.tgz | apollo-server-express-2.3.1.tgz -> apollo-server-core-2.3.1.tgz | graphql-playground-react 1.7.28; apollo-server 2.25.3, 3.4.1; apollo-server-core 2.25.3, 3.4.1 |
| WS-2022-0008 | Medium | 6.6 | node-forge-0.8.4.tgz | pubsub-0.29.1.tgz -> google-auth-library-3.1.2.tgz -> gtoken-2.3.3.tgz -> google-p12-pem-1.0.4.tgz -> node-forge-0.8.4.tgz | node-forge 1.0.0 |
| WS-2019-0311 | Medium | 6.5 | mongodb-3.1.10.tgz | mongoose-5.3.14.tgz -> mongodb-3.1.10.tgz | mongodb 3.1.13 |
| CVE-2022-0235 | Medium | 6.1 | node-fetch-2.3.0.tgz | apollo-server-express-2.3.1.tgz -> apollo-server-core-2.3.1.tgz -> apollo-server-env-2.2.0.tgz -> node-fetch-2.3.0.tgz | node-fetch 2.6.7, 3.1.1 |
| CVE-2022-0122 | Medium | 6.1 | node-forge-0.8.4.tgz | pubsub-0.29.1.tgz -> google-auth-library-3.1.2.tgz -> gtoken-2.3.3.tgz -> google-p12-pem-1.0.4.tgz -> node-forge-0.8.4.tgz | node-forge 1.0.0 |
| CVE-2021-23438 | Medium | 5.6 | mpath-0.5.1.tgz | mongoose-5.3.14.tgz -> mpath-0.5.1.tgz | mpath 0.8.4 |
| WS-2021-0418 | Medium | 5.4 | apollo-server-core-2.3.1.tgz | apollo-server-express-2.3.1.tgz -> apollo-server-core-2.3.1.tgz | apollo-server-core 2.25.3, 3.4.1 |
| WS-2023-0313 | Medium | 5.3 | apollo-server-core-2.3.1.tgz | apollo-server-express-2.3.1.tgz -> apollo-server-core-2.3.1.tgz | @apollo/server 4.9.3; apollo-server-core 2.26.1, 3.12.1 |
| CVE-2024-37168 | Medium | 5.3 | grpc-js-0.4.2.tgz | pubsub-0.29.1.tgz -> google-gax-1.1.1.tgz -> grpc-js-0.4.2.tgz | @grpc/grpc-js 1.8.22, 1.9.15, 1.10.9 |
| CVE-2022-25883 | Medium | 5.3 | semver-5.6.0.tgz | pubsub-0.29.1.tgz -> google-auth-library-3.1.2.tgz -> semver-5.6.0.tgz | semver 5.7.2, 6.3.1, 7.5.2; org.webjars.npm:semver:7.5.2 |
| CVE-2022-25883 | Medium | 5.3 | semver-6.1.1.tgz | pubsub-0.29.1.tgz -> google-gax-1.1.1.tgz -> semver-6.1.1.tgz | semver 5.7.2, 6.3.1, 7.5.2; org.webjars.npm:semver:7.5.2 |
| CVE-2022-24773 | Medium | 5.3 | node-forge-0.8.4.tgz | pubsub-0.29.1.tgz -> google-auth-library-3.1.2.tgz -> gtoken-2.3.3.tgz -> google-p12-pem-1.0.4.tgz -> node-forge-0.8.4.tgz | node-forge 1.3.0 |
| CVE-2021-32640 | Medium | 5.3 | ws-6.1.2.tgz | apollo-server-express-2.3.1.tgz -> apollo-server-core-2.3.1.tgz -> ws-6.1.2.tgz | 5.2.3, 6.2.2, 7.4.6 |
| CVE-2020-35149 | Medium | 5.3 | mquery-3.2.0.tgz | mongoose-5.3.14.tgz -> mquery-3.2.0.tgz | 3.2.3 |
| CVE-2020-28500 | Medium | 5.3 | lodash-4.17.11.tgz | apollo-server-express-2.3.1.tgz -> apollo-server-core-2.3.1.tgz -> lodash-4.17.11.tgz | lodash 4.17.21 |
| CVE-2019-2391 | Medium | 4.2 | bson-1.1.0.tgz | mongoose-5.3.14.tgz -> bson-1.1.0.tgz | bson 1.1.4 |
| CVE-2020-15168 | Low | 2.6 | node-fetch-2.3.0.tgz | apollo-server-express-2.3.1.tgz -> apollo-server-core-2.3.1.tgz -> apollo-server-env-2.2.0.tgz -> node-fetch-2.3.0.tgz | 2.6.1, 3.0.0-beta.9 |

✔️ Remediated vulnerabilities:

| CVE | Vulnerable Library |
|---|---|
| CVE-2022-0122 | node-forge-0.8.5.tgz |
| WS-2019-0310 | https-proxy-agent-2.2.2.tgz |
| CVE-2020-8203 | lodash-4.17.15.tgz |
| CVE-2022-2218 | parse-url-5.0.1.tgz |
| CVE-2024-28863 | tar-4.4.10.tgz |
| CVE-2021-37713 | tar-4.4.10.tgz |
| CVE-2021-33623 | trim-newlines-2.0.0.tgz |
| CVE-2021-23383 | handlebars-4.1.2.tgz |
| CVE-2021-23337 | lodash-4.17.15.tgz |
| CVE-2021-3807 | ansi-regex-4.1.0.tgz |
| CVE-2021-37701 | tar-4.4.10.tgz |
| CVE-2022-2217 | parse-url-5.0.1.tgz |
| CVE-2021-32804 | tar-4.4.10.tgz |
| MSC-2023-16609 | fsevents-1.2.9.tgz |
| WS-2022-0239 | parse-url-5.0.1.tgz |
| CVE-2020-28500 | lodash-4.17.14.tgz |
| CVE-2021-33502 | normalize-url-3.3.0.tgz |
| CVE-2022-0624 | parse-path-4.0.1.tgz |
| CVE-2021-44906 | minimist-0.0.10.tgz |
| CVE-2021-32803 | tar-4.4.10.tgz |
| CVE-2022-24773 | node-forge-0.8.5.tgz |
| CVE-2023-45311 | fsevents-1.2.9.tgz |
| CVE-2021-37712 | tar-4.4.10.tgz |
| CVE-2021-3918 | json-schema-0.2.3.tgz |
| CVE-2022-2216 | parse-url-5.0.1.tgz |
| CVE-2024-45590 | body-parser-1.19.0.tgz |
| CVE-2019-17426 | mongoose-5.6.5.tgz |
| CVE-2022-4904 | node-v11.2.0 |
| CVE-2021-3765 | validator-10.11.0.tgz |
| CVE-2021-33623 | trim-newlines-1.0.0.tgz |
| CVE-2021-23343 | path-parse-1.0.6.tgz |
| CVE-2021-23438 | mpath-0.6.0.tgz |
| CVE-2019-15599 | tree-kill-1.2.1.tgz |
| CVE-2022-24772 | node-forge-0.8.5.tgz |
| CVE-2023-45133 | babel-traverse-6.26.0.tgz |
| CVE-2020-7608 | yargs-parser-8.1.0.tgz |
| CVE-2020-28469 | glob-parent-5.0.0.tgz |
| CVE-2022-3224 | parse-url-5.0.1.tgz |
| CVE-2021-22931 | node-v11.2.0 |
| CVE-2024-43800 | serve-static-1.14.1.tgz |
| CVE-2022-24771 | node-forge-0.8.5.tgz |
| CVE-2020-36632 | flat-4.1.0.tgz |
| CVE-2020-7598 | minimist-0.0.10.tgz |
| CVE-2020-28469 | glob-parent-2.0.0.tgz |
| CVE-2020-1971 | ring-fips-20180730 |
| CVE-2021-3777 | tmpl-1.0.4.tgz |
| CVE-2024-37890 | ws-6.2.1.tgz |
| CVE-2023-32067 | node-v11.2.0 |
| WS-2020-0368 | node-v11.2.0 |
| CVE-2024-43796 | express-4.17.1.tgz |
| CVE-2023-31130 | node-v11.2.0 |
| CVE-2022-24999 | qs-6.7.0.tgz |
| CVE-2020-7768 | grpc-1.22.2.tgz |
| CVE-2021-41249 | apollo-server-core-2.7.0.tgz |
| CVE-2023-26136 | tough-cookie-2.4.3.tgz |
| WS-2020-0042 | acorn-6.2.0.tgz |
| CVE-2022-0144 | shelljs-0.8.3.tgz |
| CVE-2022-2564 | mongoose-5.6.5.tgz |
| CVE-2021-23369 | handlebars-4.1.2.tgz |
| CVE-2022-25881 | http-cache-semantics-4.0.3.tgz |
| CVE-2020-15366 | ajv-6.10.2.tgz |
| CVE-2020-8203 | lodash-4.17.14.tgz |
| CVE-2019-20920 | handlebars-4.1.2.tgz |
| CVE-2024-43799 | send-0.17.1.tgz |
| CVE-2022-46175 | json5-0.5.1.tgz |
| CVE-2019-2391 | bson-1.1.1.tgz |
| CVE-2020-7608 | yargs-parser-9.0.2.tgz |
| CVE-2019-20922 | handlebars-4.1.2.tgz |
| CVE-2023-45853 | node-v11.2.0 |
| WS-2020-0450 | handlebars-4.1.2.tgz |
| CVE-2022-37434 | node-v11.2.0 |
| CVE-2021-42740 | shell-quote-1.6.1.tgz |
| CVE-2020-28500 | lodash-4.17.15.tgz |
| WS-2020-0111 | apollo-server-express-2.7.0.tgz |
| CVE-2022-38900 | decode-uri-component-0.2.0.tgz |
| CVE-2022-24434 | dicer-0.3.0.tgz |
| CVE-2020-8116 | dot-prop-4.2.0.tgz |
| CVE-2019-19919 | handlebars-4.1.2.tgz |
| CVE-2020-7789 | node-notifier-5.4.0.tgz |
| CVE-2023-26136 | tough-cookie-2.5.0.tgz |
| CVE-2020-7610 | bson-1.1.1.tgz |
| CVE-2024-45296 | path-to-regexp-0.1.7.tgz |
| CVE-2021-32640 | ws-6.2.1.tgz |
| WS-2022-0008 | node-forge-0.8.5.tgz |
| CVE-2022-33987 | got-9.6.0.tgz |
| CVE-2020-7608 | yargs-parser-13.1.1.tgz |
| CVE-2022-0722 | parse-url-5.0.1.tgz |
| CVE-2020-8116 | dot-prop-3.0.0.tgz |
| CVE-2024-37168 | grpc-js-0.5.2.tgz |
| CVE-2020-22217 | node-v11.2.0 |
| CVE-2021-43138 | async-2.6.2.tgz |
| WS-2019-0307 | mem-1.1.0.tgz |
| CVE-2018-25032 | node-v11.2.0 |
| WS-2022-0238 | parse-url-5.0.1.tgz |
| CVE-2020-7768 | grpc-js-0.5.2.tgz |
| CVE-2020-7720 | node-forge-0.8.5.tgz |
| CVE-2022-25883 | semver-5.7.0.tgz |
| CVE-2021-23362 | hosted-git-info-2.7.1.tgz |
| CVE-2023-28155 | request-2.88.0.tgz |
| CVE-2020-35149 | mquery-3.2.1.tgz |
| CVE-2024-29041 | express-4.17.1.tgz |
| CVE-2021-33502 | normalize-url-4.3.0.tgz |
| CVE-2017-16137 | debug-4.1.1.tgz |
| CVE-2024-25629 | node-v11.2.0 |
| WS-2020-0042 | acorn-5.7.3.tgz |
| CVE-2022-2900 | parse-url-5.0.1.tgz |
| CVE-2020-28499 | merge-1.2.1.tgz |
| CVE-2021-23337 | lodash-4.17.14.tgz |
| CVE-2023-33953 | grpc-v1.21.0 |
| WS-2022-0237 | parse-url-5.0.1.tgz |
| WS-2020-0108 | apollo-server-core-2.7.0.tgz |
| WS-2021-0418 | apollo-server-core-2.7.0.tgz |
| CVE-2023-31147 | node-v11.2.0 |
| CVE-2021-23425 | trim-off-newlines-1.0.1.tgz |
| CVE-2021-3672 | node-v11.2.0 |

Base branch total remaining vulnerabilities: 146
Base branch commit: null

Total libraries scanned: 373

Scan token: dc332a9180fb4d398a9690b845a52fd6