[Snyk] Fix for 11 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-EXPRESSFILEUPLOAD-473997	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-EXPRESSFILEUPLOAD-595969	Yes	Proof of Concept
	701/1000 Why? Mature exploit, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-JQUERY-565129	Yes	Mature
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-JSYAML-174129	Yes	No Known Exploit
	741/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.4	DLL Injection SNYK-JS-KERBEROS-568900	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Cross-site Scripting (XSS) npm:marked:20150520	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Cross-site Scripting (XSS) npm:marked:20170112	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Cross-site Scripting (XSS) npm:marked:20170815	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:marked:20170907	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:marked:20180225	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: express

The new version differs by 250 commits.

• ea3d605 4.15.5
• 40435ec deps: [email protected]
• 7137bf5 deps: [email protected]
• bd1672f deps: finalhandler@~1.0.6
• 9395db4 deps: [email protected]
• 19a2eeb tests: check render error without engine-specific message
• d7da225 build: [email protected]
• 961dbff deps: [email protected]
• 9e0fa7f deps: [email protected]
• 9e067ad deps: [email protected]
• de5fb62 deps: update example dependencies
• b208b24 build: [email protected]
• 78e5510 build: [email protected]
• 48817a7 build: remove minor pin for nightly
• a4bd437 4.15.4
• a50f109 deps: [email protected]
• e2d725e deps: [email protected]
• e006622 lint: remove all unused varaibles
• 44881fa docs: update collaborator guide for lint script
• 1dbaae5 deps: update example dependencies
• 56e90e3 lint: add eslint rules that cover editorconfig
• 713d2ae tests: fix incorrect should usage
• e0aa8bf build: [email protected]
• 85770a7 deps: finalhandler@~1.0.4

See the full diff

Package name: express-fileupload

The new version differs by 250 commits.

• 9f22db7 version bump
• 9fca550 Merge pull request [Snyk Update] New fixes for 2 vulnerable dependency paths snyk-labs/nodejs-goof#240 from AmazingMech2418/patch-1
• 1530cf5 Make Travis happy
• e43bfcf Fix typo
• 8bf7427 Update processNested.js
• fd40389 version bump
• 94c9cf9 prototype pollution fix [Snyk Update] New fixes for 1 vulnerable dependency path #2
• 829f395 version bump
• db49535 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#237 from richardgirges/fix-236-proto-pollution
• d81bee9 Upgrade latest packages; run npm audit fix; add logic to prevent prototype pollution in parseNested
• e9848fc Update package-lock.json
• d536cfb Update package.json
• c7a6b9c Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#233 from RomanBurunkov/master
• a53b93f Update tests to support empty files
• d8c00c5 Add empty files support for tempFileHandler
• b24233d Comment extra condition in fileFactory(issue [Snyk] Fix for 65 vulnerable dependency paths #1), add more logging
• d57ee02 Formatting utilities
• b6097df Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#232 from RomanBurunkov/master
• 05004b7 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#230 from Code42Cate/readme-timeout
• 1afa527 Update dependencies
• 880c2b7 Improve timeout option documentation
• 3f130b0 Add timeout option to README.MD
• d55fa83 Merge pull request [Snyk Update] New fixes for 2 vulnerable dependency paths snyk-labs/nodejs-goof#222 from wbt/patch-1
• d61f02f Fix some small typos

See the full diff

Package name: marked

The new version differs by 250 commits.

• 98c9d14 Update home page
• 5d5fa04 0.3.18
• f886f40 Merge pull request fix: package.json, package-lock.json & .snyk to reduce vulnerabilities snyk-labs/nodejs-goof#1147 from 8fold/update-badges
• 044683b Remove Authors ~Head
• cceac77 Merge remote-tracking branch 'upstream/master' into update-badges
• 265d6c1 pre-commit
• 341d128 Merge branch 'master' into update-badges
• eef9de4 Add /docs directory for GitHub Pages (fix: package.json & package-lock.json to reduce vulnerabilities snyk-labs/nodejs-goof#1138)
• 682b9c6 grammar
• e3489ca Add marked mark maker badge
• 03d0ed0 [editorconfig]: All md files except in test use tab (Iactest snyk-labs/nodejs-goof#1111)
• c22be25 Create CNAME for marked.js.org
• 35214c5 Add initial docs with logo
• 3e681a6 Move most of README.md to /docs/README.md
• 94b8b3e Move existing docs to /docs dir
• 2509660 Rename doc to docs
• d4e7bb4 Code of conduct ([Snyk] Security upgrade node from 14.1.0 to 14.18.0 snyk-labs/nodejs-goof#1094)
• 214468b Merge pull request [Snyk-dev] Security upgrade node from 14.1.0 to 14.17.6 snyk-labs/nodejs-goof#1121 from UziTech/jasmine
• ad0585d Merge pull request Deployment file creation snyk-labs/nodejs-goof#1122 from alextrastero/patch-1
• e3a988c Fix usage links in README
• ecbf4b0 Minor docs update for easier maintenance (Update the CodeQL Workflow snyk-labs/nodejs-goof#1116)
• 5768180 travis build stages ([Snyk-dev] Security upgrade node from 14.1.0 to 14.18.1 snyk-labs/nodejs-goof#1113)
• 9c6c13f fix tests
• 79325aa add tests

See the full diff

Package name: mongoose

The new version differs by 35 commits.

• de88912 release 4.2.5
• fae7c94 fix; correctly handle changes in update hook (Fix #3549)
• 5e58d83 repro; #3549
• 68e394d fix; dont flatten empty arrays in updateValidators (Fix #3554)
• f0b0f61 repro; #3554
• 73de49c fix; proper support for .update(doc) (Fix #3221)
• b5329a1 repro; #3221
• 932cdbe upgrade; node driver -> 2.0.48 (re: #3544)
• 6ff39ef fix; unhandled rejection using Query.then() (Fix #3543)
• 8cccafb Merge pull request #3548 from ChristianMurphy/node-5
• 2ff09cc Merge pull request #3547 from ChristianMurphy/eslint-update
• 6d0df2f Test against Node 4 LTS and Node 5 Stable
• fc3f645 update ESLint and add a lint script to the package.json
• aac346a Update README examples to comma last style
• 352d80d fix; ability to use mongos for standalones (Fix #3537)
• 043c958 repro; #3537
• 4023f12 docs; fix bad connection string example
• a55fba7 fix; allow undefined for min/max validators (Fix #3539)
• cfc3194 repro; #3539
• a2a3b8b fix; issue with fix for #3535
• 171e694 docs; deep populate docs (Fix #3528)
• 0922d78 fix; call toObject() when setting single embedded schema to doc (Fix #3535)
• ce11be0 repro; #3535
• b3472ac fix; apply methods to single embedded schemas (Fix #3534)

See the full diff

Package name: tap

The new version differs by 250 commits.

• fe8158e 11.1.3
• b17542d Upgrade deps (changing semver requirements)
• bc3ba17 update deps
• bd4de92 Clean up nyc output so Travis passes on node 6
• 2292432 Add hexagonal-lambda to the tap 100 list
• fed62c9 Merge remote-tracking branch 'origin/master'
• 3cdf1c7 11.1.2
• ddf938b Only ship files we want to ship
• 5b5e2ee docs: add unique page titles
• 2323c3b Merge tag 'v11.1.1'
• 95faf6c 11.1.1
• 283c8e6 Handle EPIPE better in exceptional edge cases
• b727234 Fix obscure edge case when this.results is not set
• 1699eb9 process: update docs on the master branch
• ac366a0 docs: fix typo ('heirarchical' -> 'hierarchical')
• 13073a7 docs: correct 100 PR link
• b95ee22 v11.1.0
• fcf70aa Add support for disabling autoend
• 94be0a7 v11.0.1
• 6c3f019 remove badges that are no longer accurate or in use
• ae562a7 don't ignore coverage doc
• 9fcfd52 Migrate docs into main repository
• f189c50 v11.0.0
• 5cde128 Merge branch 'v11'

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)
🦉 Prototype Pollution
🦉 Cross-site Scripting (XSS)
🦉 More lessons are available in Snyk Learn