[Snyk] Fix for 27 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	584/1000 Why? Has a fix available, CVSS 7.4	Directory Traversal SNYK-JS-ADMZIP-1065796	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	751/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-DUSTJSLINKEDIN-1089257	Yes	Proof of Concept
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-FILETYPE-2958042	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	No	No Known Exploit
	429/1000 Why? Has a fix available, CVSS 4.3	Reverse Tabnabbing SNYK-JS-ISTANBULREPORTS-2328088	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JS-JSZIP-1251497	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-1070800	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MONGOOSE-1086688	No	Proof of Concept
	671/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7	Prototype Pollution SNYK-JS-MONGOOSE-2961688	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MPATH-1577289	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MQUERY-1050858	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MQUERY-1089718	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-NCONF-2395478	No	Proof of Concept
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Server-side Request Forgery (SSRF) SNYK-JS-NETMASK-1089716	No	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-PACRESOLVER-1564857	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Command Injection SNYK-JS-SSH2-1656673	No	No Known Exploit
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: adm-zip

The new version differs by 84 commits.

• c5aeed4 Incremented version number
• 119dcad Fixed path traversal issue GHSL-2020-198
• 1d22ff6 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#341 from 5saviahv/history
• 492d148 added changelog
• dd415ae Incremented version
• 0f011a3 Fixed outFileName
• bc19fee Added extra parameter to extractEntryTo so target filename can be renamed
• 92e9836 Updated dev dependency
• 2b8d9ab Merge pull request [Snyk-dev Update] New fixes for 54 vulnerable dependency paths snyk-labs/nodejs-goof#315 from enecciari/work_in_browser
• 4fe58d1 Merge pull request [Snyk-dev Update] New fixes for 14 vulnerable dependency paths snyk-labs/nodejs-goof#322 from cthackers/dependabot/npm_and_yarn/lodash-4.17.19
• 49218a4 Merge pull request [Snyk-dev Update] New fixes for 15 vulnerable dependency paths snyk-labs/nodejs-goof#327 from kosuke-suzuki/multibyte-comment
• a7e8932 Merge pull request [Snyk-dev] Fix for 65 vulnerable dependency paths snyk-labs/nodejs-goof#331 from 5saviahv/master
• 7db0eda modified addLocalFolder method
• e114929 typo
• dc81063 modified addLocalFile method
• bc0f594 Deflate needs min V2.0
• dde4f51 Node v6
• 003d4cf Added ZipCrypto decrypting ability
• 63ed6e2 Detect and throw error with encrypted files
• c64ac14 LICENSE filename in package.json
• 1a334b2 add multibyte-encoded comment with byte length instead of character length
• 96d492a Bump lodash from 4.17.15 to 4.17.19
• b77f380 now it works in browser
• 218feee Merge remote-tracking branch 'upstream/master'

See the full diff

Package name: cfenv

The new version differs by 3 commits.

• fb0a2aa update dependencies, now at version 1.2.4
• 63e072a version 1.2.3
• 02bb92d Issue 45 Remove '.cfignore'

See the full diff

Package name: dustjs-linkedin

The new version differs by 36 commits.

• 5cd5529 Release v3.0.1
• 0d72e0b Merge pull request Circleci project setup snyk-labs/nodejs-goof#808 from sumeetkakkar/topic/update-deps
• b2aaa47 Merge branch 'master' into topic/update-deps
• bd397ea Update tests.yaml: add --legacy-peer-deps to support npm 8 restrictions
• 115f78c dependency update: chokidar
• d951a90 Update tests.yml
• ea9ae70 Create tests.yml
• 2e8795c Release v3.0.0
• 6f98371 merge from 2.7
• db6d8b9 Merge pull request build(deps): bump bl from 2.2.0 to 2.2.1 snyk-labs/nodejs-goof#805 from sumeetkakkar/fix/proto-pollution
• ddb6523 fix for prototype pollution vulnerability
• e0e25f7 Merge pull request build(deps): bump jquery from 2.2.4 to 3.5.0 snyk-labs/nodejs-goof#756 from danactive/master
• eeb1c17 Decrease security vulnerabilities by upgrading cli dependency ([Snyk-local] Fix for 2 vulnerabilities snyk-labs/nodejs-goof#754 [Snyk] Upgrade morgan from 1.9.1 to 1.10.0 snyk-labs/nodejs-goof#748)
• d485a72 {?exists} and {^exists} resolve Promises and check if the result exists ([Snyk-dev] Security upgrade jquery from 2.2.4 to 3.5.0 snyk-labs/nodejs-goof#753)
• 43c0831 place location provided by peg 0.9 onto the AST
• 07b73b3 Merge pull request [Snyk-local] Fix for 3 vulnerabilities snyk-labs/nodejs-goof#744 from sethkinast/is-context
• ae69314 Don't use instanceof to determine if a Context is a Context
• dc1e1dc Merge pull request build(deps): bump acorn from 5.7.1 to 5.7.4 snyk-labs/nodejs-goof#736 from brianmhunt/master
• 6f6c49f Prioritize .then on thenable functios ([Snyk-local] Fix for 4 vulnerabilities snyk-labs/nodejs-goof#735)
• 487da8d Merge pull request [Snyk] Security upgrade browserify from 13.3.0 to 15.0.0 snyk-labs/nodejs-goof#734 from sethkinast/master
• a671ebd Bump deps
• 7bc3b77 Update streaming-incremental example to work with newer q
• 3fc12ef Merge pull request [Snyk] Fix for 8 vulnerabilities snyk-labs/nodejs-goof#703 from sethkinast/peg-0.9
• c1d9e21 Merge pull request [Snyk-onprem] Fix for 3 vulnerabilities snyk-labs/nodejs-goof#705 from sethkinast/context-templatename

See the full diff

Package name: file-type

The new version differs by 218 commits.

• b5fe3b9 16.5.4
• d868356 Fix: Malformed MKV could cause an infinite loop
• 3b08ab1 Upgrade and unlock dependencies
• c011315 Lock strtok3 dependency
• 9102f1c Update dependency to token-types v3, supporting BigInt ([Snyk] Fix for 3 vulnerable dependencies snyk-labs/nodejs-goof#465)
• ac866f9 16.5.1
• 0012c56 Fix `mimeTypes` TypeScript type (Feat/runtime agent snyk-labs/nodejs-goof#464)
• 92f3f50 Meta tweaks
• 4ea7bff 16.5.0
• 57ecf2d Add support for JPEG XL image format ([Snyk] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#455)
• 07101ac Remove ASAR 240 bytes of JSON payload length limitation ([Snyk-dev] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#453)
• 3df0ed1 Remove an unnecessary dependency ([Snyk-test] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#458)
• 1e4e8df 16.4.0
• 29618c8 Add support for VCF (and fix ICS detection) ([Snyk] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#451)
• 6ab25f3 Add support for XCF ([Snyk] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#450)
• 7021d9a Remove moot check for sync word at odd offsets for MPEG detection ([Snyk] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#448)
• fd1e72c 16.3.0
• 9319167 Add support for Zstandard compressed file ([Snyk] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#439)
• 2cc0869 Add file type descriptions ([Snyk] Fix for 2 vulnerable dependencies snyk-labs/nodejs-goof#433)
• 98e6886 16.2.0
• 9736aa3 Improve PDF / AI (Adobe Illustrator) recognition ([Snyk-dev] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#396)
• 7f95cd2 Add support for 3mf ([Snyk-local] Fix for 34 vulnerable dependencies snyk-labs/nodejs-goof#415)
• 579f8cb 16.1.0
• e43cdc9 Add support for CHM ([Snyk-dev] Fix for 2 vulnerable dependencies snyk-labs/nodejs-goof#424)

See the full diff

Package name: lodash

The new version differs by 1 commits.

• c6e281b Bump to v4.17.21

See the full diff

Package name: marked

The new version differs by 250 commits.

• ae01170 chore(release): 4.0.10 [skip ci]
• fceda57 🗜️ build [skip ci]
• 8f80657 fix(security): fix redos vulnerabilities
• c4a3ccd Merge pull request from GHSA-rrrm-qjm4-v8hf
• d7212a6 chore(deps-dev): Bump jasmine from 4.0.0 to 4.0.1 (#2352)
• 5a84db5 chore(deps-dev): Bump rollup from 2.62.0 to 2.63.0 (#2350)
• 2bc67a5 chore(deps-dev): Bump markdown-it from 12.3.0 to 12.3.2 (#2351)
• 98996b8 chore(deps-dev): Bump @ babel/preset-env from 7.16.5 to 7.16.7 (#2353)
• ebc2c95 chore(deps-dev): Bump highlight.js from 11.3.1 to 11.4.0 (#2354)
• e5171a9 chore(release): 4.0.9 [skip ci]
• 41990a5 🗜️ build [skip ci]
• a9696e2 fix: retain line breaks in tokens properly (#2341)
• 6aacd13 chore(deps-dev): Bump jasmine from 3.10.0 to 4.0.0 (#2343)
• 55e5df9 chore(deps-dev): Bump @ babel/core from 7.16.5 to 7.16.7 (#2344)
• 4f4cab4 chore(deps-dev): Bump eslint-plugin-import from 2.25.3 to 2.25.4 (#2345)
• 97ea9f2 chore(deps-dev): Bump eslint from 8.5.0 to 8.6.0 (#2346)
• 4c3b853 chore(deps-dev): Bump rollup-plugin-license from 2.6.0 to 2.6.1 (#2347)
• 9396896 chore(deps-dev): Bump rollup from 2.61.1 to 2.62.0 (#2338)
• 103a56c chore(deps-dev): Bump @ babel/preset-env from 7.16.4 to 7.16.5 (#2333)
• be771c9 chore(deps-dev): Bump eslint from 8.4.1 to 8.5.0 (#2334)
• 67d5a65 chore(deps-dev): Bump @ babel/core from 7.16.0 to 7.16.5 (#2335)
• 991493a chore(deps-dev): Bump eslint-plugin-promise from 5.2.0 to 6.0.0 (#2336)
• 59375fb chore(release): 4.0.8 [skip ci]
• 4734c82 🗜️ build [skip ci]

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• ca7996b chore: release 5.13.15
• e75732a Merge pull request #12307 from Automattic/vkarpov15/fix-5x-build
• a1144dc test: run node 7 tests with upgraded npm re: #12297
• dfc4ad7 test: try upgrading npm for node v4 tests re: #12297
• b9e985c test: more strict @ types/node version
• 4d813fa test: fix @ types/node version in tests re: #12297
• 99b4189 Merge pull request #12297 from shubanker/issue/prototype-pollution-5.x-patch
• 5eb11dd made function non async
• 6a19731 fix(schema): disallow setting __proto__ when creating schema with dotted properties
• a2ec28d Merge pull request #11366 from laissonsilveira/5.x
• 05ce577 Fix broken link from findandmodify method deprecation
• d2b846f chore: release 5.13.14
• 69c1f6c docs(models): fix up nModified example for 5.x
• 4cfc4d6 fix(timestamps): avoid setting `createdAt` on documents that already exist but dont have createdAt
• a738440 chore: release 5.13.13
• 4d12a62 Merge pull request #10942 from jneal-afs/fix-query-set-ts-type
• c3463c4 Merge pull request #10916 from iovanom/gh-10902-v5
• ff5ddb5 fix: hardcode base 10 for nodeMajorVersion parseInt() call
• d205c4d make value optional
• c6fd7f7 Fix ts types for query set
• 22e9b3b [gh-10902 v5] Add node major version to utils
• 5468642 [gh-10902 v5] Emit end event in before close
• 271bc60 Merge pull request #10910 from lorand-horvath/patch-2
• b7ebeec Update mongodb driver to 3.7.3

See the full diff

Package name: snyk

The new version differs by 250 commits.

• 4cc1a94 Merge pull request #2105 from snyk/feat/webpack
• 7737f75 Merge pull request #2181 from snyk/test/migrate-old-snyk-format
• 418e6ad Merge pull request #2180 from snyk/test/migrate-is-docker
• 95631e7 test: migrate is-docker to jest
• babe22a test: migrate old-snyk-format to jest
• e22e94f feat: Snyk CLI is bundled with Webpack
• dd46c19 Merge pull request #2175 from snyk/fix/snyk-protect-multiple
• e7c314f Merge pull request #2178 from snyk/test/server-close
• 5e824c0 fix(protect): skip previously patched files
• ca2177a fix(protect): catch and log unexpected errors
• c9ddb44 chore(protect): move api url warnings to stderr
• e8fed38 refactor(protect): move stdout logs to top level
• 55e88f9 Merge pull request #2177 from snyk/test/set-jest-acceptance-timeout
• 1522c5f test: server.close uses callbacks, not promises
• 13dce51 test: increase timeout for slow oauth test
• 65c35be Merge pull request #2172 from snyk/chore/no-run-test-on-master
• a1e3992 chore: don't run tests on master
• 20feb67 Merge pull request #2165 from snyk/chore/dont-wait-for-regression-tests
• f50bca7 Merge pull request #2167 from snyk/refactor/replace-cc-parser-with-split-functions
• 1ed7d11 refactor: replace cc parser with split functions
• 707801d Merge pull request #2166 from snyk/fix/support_quotes_in_poetry_toml
• dc6b784 Merge pull request #2163 from snyk/chore/remove-store-test-results
• 7973015 fix: support quoted keys in inline tables
• 18f0d2a Merge pull request #2164 from snyk/chore/upgrade-snyk-nuget-plugin

See the full diff

Package name: tap

The new version differs by 250 commits.

• bc49fb7 15.0.0
• 4378608 remove publishConfig beta tag
• 2c2e75f provide mkdirRecursive polyfill for old node versions
• 8f4c855 correctly specify 10.0.x versions
• 5e61672 update deps
• c44c418 Support 10.0 and test in CI
• dc5c841 [email protected]
• 385b6d2 Add .taprc.yml/yaml handling to change log
• 4f87466 just run regular test script as snap script
• 315a921 delete FORCE_COLOR/NO_COLOR rather than setting to '0'
• 564e96f Add detection for .yaml and .yml
• 75bae93 update cli doc
• c1289bf 15.0.0-3
• d6fe32f Do not CI on node 10
• d2e0428 do not use equals() alias in self-test
• 3f787c4 tell npm to be colorful in CI
• 1512818 run tests with color on github actions
• 4626fa1 Docs: update documentation for tap v15
• 02d536b [email protected]
• f7c7c58 update cli doc
• 2aa497c 15.0.0-2
• 8d7f62e Add support for overriding libtap's internal settings
• 29eed63 new snapshot folder layout
• 3a28d4d update libtap git ref to isaacs/tap-v15-prep branch

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Arbitrary Code Injection
🦉 Remote Code Execution (RCE)
🦉 Server-side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn