[Snyk] Fix for 34 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • goof/package.json
  • goof/package-lock.json
  • goof/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-EXPRESSFILEUPLOAD-473997	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-EXPRESSFILEUPLOAD-595969	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-INI-1048974	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-JQUERY-174006	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-JQUERY-565129	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-JQUERY-567880	Yes	Proof of Concept
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-JSYAML-173999	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-174116	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451540	No	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-MONGODB-473855	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MQUERY-1050858	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Cross-site Scripting (XSS) npm:ejs:20161130	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) npm:ejs:20161130-1	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Cross-site Scripting (XSS) npm:jquery:20150627	Yes	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Cross-site Scripting (XSS) npm:marked:20150520	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Cross-site Scripting (XSS) npm:marked:20170112	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Cross-site Scripting (XSS) npm:marked:20170815	No	No Known Exploit
	454/1000 Why? Has a fix available, CVSS 4.8	Cross-site Scripting (XSS) npm:marked:20170815-1	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:marked:20170907	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:marked:20180225	No	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:moment:20161019	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:semver:20150403	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: cfenv

The new version differs by 7 commits.

• 6927628 version 1.2.1
• 3f19f12 Upgrade js-yaml to avoid Denial of Service
• a5dbceb version 1.2.0
• 1a730e3 Stop using outdated manifest stanza; use random-route instead
• f8b0392 Upgrade underscore version 1.9.x
• b60ef7c add test for local vcapFile port usage
• c6262a6 Locally use the options to read the port

See the full diff

Package name: errorhandler

The new version differs by 85 commits.

• c41e9aa 1.4.3
• ffce329 build: [email protected]
• 90a8777 build: [email protected]
• 38b745b deps: accepts@~1.3.0
• 80aea51 deps: escape-html@~1.0.3
• b0be93a docs: fix typo in readme
• 2f688d0 build: support Node.js 5.x
• 1238ed4 build: [email protected]
• fdeb13c build: [email protected]
• cc6fd1f build: support Node.js 4.x
• 3a2117a build: support io.js 3.x
• 75b9ee1 build: reduce runtime versions to one per major
• 6797752 tests: add test for util.inspect in HTML response
• b6e53d7 docs: add more documentation regarding util.inspect
• 88b9a58 deps: accepts@~1.2.13
• ac75d3f build: [email protected]
• 5ee62b7 deps: [email protected]
• 1e89ae7 build: [email protected]
• ef1e8f1 build: [email protected]
• a7a6dce 1.4.2
• 692e2e7 deps: accepts@~1.2.12
• 6f2e8d2 build: [email protected]
• 564c117 build: fix running Node.js 0.8 tests on Travis CI
• 2dfd872 1.4.1

See the full diff

Package name: express

The new version differs by 250 commits.

• f974d22 4.16.0
• 8d4ceb6 docs: add more information to installation
• c0136d8 Add express.json and express.urlencoded to parse bodies
• 86f5df0 deps: [email protected]
• 4196458 deps: [email protected]
• ddeb713 tests: add maxAge option tests for res.sendFile
• 7154014 Add "escape json" setting for res.json and res.jsonp
• 628438d deps: update example dependencies
• a24fd0c Add options to res.download
• 95fb5cc perf: remove dead .charset set in res.jsonp
• 44591fe deps: vary@~1.1.2
• 2df1ad2 Improve error messages when non-function provided as middleware
• 12c3712 Use safe-buffer for improved Buffer API
• fa272ed docs: fix typo in jsdoc comment
• d9d09b8 perf: re-use options object when generating ETags
• 02a9d5f deps: proxy-addr@~2.0.2
• c2f4fb5 deps: [email protected]
• 673d51f deps: [email protected]
• 5cc761c deps: parseurl@~1.3.2
• ad7d96d deps: [email protected]
• e62bb8b deps: etag@~1.8.1
• 70589c3 deps: content-type@~1.0.4
• 9a99c15 deps: accepts@~1.3.4
• 550043c deps: [email protected]

See the full diff

Package name: express-fileupload

The new version differs by 250 commits.

• 9f22db7 version bump
• 9fca550 Merge pull request [Snyk(Unlimited)] Upgrade from thebespokepixel/string to thebespokepixel/string snyk-fixtures/npm-lockfiles#240 from AmazingMech2418/patch-1
• 1530cf5 Make Travis happy
• e43bfcf Fix typo
• 8bf7427 Update processNested.js
• fd40389 version bump
• 94c9cf9 prototype pollution fix [Snyk] Fix for 1 vulnerabilities #2
• 829f395 version bump
• db49535 Merge pull request [Snyk(Unlimited)] Upgrade adm-zip from 0.4.7 to 0.4.13 snyk-fixtures/npm-lockfiles#237 from richardgirges/fix-236-proto-pollution
• d81bee9 Upgrade latest packages; run npm audit fix; add logic to prevent prototype pollution in parseNested
• e9848fc Update package-lock.json
• d536cfb Update package.json
• c7a6b9c Merge pull request [Snyk(Unlimited)] Upgrade lodash from 4.17.10 to 4.17.11 snyk-fixtures/npm-lockfiles#233 from RomanBurunkov/master
• a53b93f Update tests to support empty files
• d8c00c5 Add empty files support for tempFileHandler
• b24233d Comment extra condition in fileFactory(issue [Snyk] Security upgrade nyc from 14.0.0 to 15.0.0 #1), add more logging
• d57ee02 Formatting utilities
• b6097df Merge pull request [Snyk(Unlimited)] Upgrade color-convert from 1.9.2 to 1.9.3 snyk-fixtures/npm-lockfiles#232 from RomanBurunkov/master
• 05004b7 Merge pull request [Snyk(Unlimited)] Upgrade verbosity from 0.9.2 to 0.10.1 snyk-fixtures/npm-lockfiles#230 from Code42Cate/readme-timeout
• 1afa527 Update dependencies
• 880c2b7 Improve timeout option documentation
• 3f130b0 Add timeout option to README.MD
• d55fa83 Merge pull request [Snyk(Unlimited)] Upgrade adm-zip from 0.4.7 to 0.4.13 snyk-fixtures/npm-lockfiles#222 from wbt/patch-1
• d61f02f Fix some small typos

See the full diff

Package name: humanize-ms

The new version differs by 3 commits.

• e8bc10a Release 1.1.0
• e584c58 add benchmark
• 4cf945f deps: upgrade ms to 0.7.0

See the full diff

Package name: marked

The new version differs by 250 commits.

• 529a8d4 Merge pull request [Snyk(Unlimited)] Upgrade @thebespokepixel/string from 0.5.2 to 0.5.10 snyk-fixtures/npm-lockfiles#1441 from styfle/release-0.6.2
• fc5dbf1 🗜️ minify [skip ci]
• b1ddd3c Merge pull request [Snyk(Unlimited)] Upgrade truwrap from 0.8.1 to 0.8.4 snyk-fixtures/npm-lockfiles#1460 from andersk/inline-text-quadratic
• be27472 Improve worst-case performance of inline.text regex
• 6b88601 0.6.2
• ba1de1e 🗜️ minify [skip ci]
• d94253c Merge pull request [Snyk(Unlimited)] Upgrade adm-zip from 0.4.7 to 0.4.13 snyk-fixtures/npm-lockfiles#1438 from UziTech/html-new-line-fix
• 6eec528 Merge pull request [Snyk(Unlimited)] Upgrade color-convert from 1.9.2 to 1.9.3 snyk-fixtures/npm-lockfiles#1449 from UziTech/use-htmldiffer
• 0cd0333 remove redundant comments
• ff127c5 use template literals
• a16251d fix test spacing
• da57301 use htmldiffer in file tests & update to node 4
• 621f649 abstract htmldiffer
• 42e816c fix again
• 246dd3d fix whitespace after tag
• f1089fe add test
• 0f0b763 allow html without \n after
• d069d0d Merge pull request [Snyk(Unlimited)] Upgrade @thebespokepixel/es-tinycolor from 0.3.1 to 0.3.2 snyk-fixtures/npm-lockfiles#1448 from UziTech/version
• 5d6bde0 Merge pull request [Snyk(Unlimited)] Upgrade sgr-composer from 0.5.0 to 0.5.3 snyk-fixtures/npm-lockfiles#1444 from UziTech/normalize-tests
• 4760772 fix tests
• df310a8 remove header ids from original tests
• 775d08d move redos tests to /redos folder
• b169e7b add excerpt length constant
• fd9dc21 update deps

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• d7fc59c chore: release 5.11.7
• d318339 fix(index.d.ts): make `Document#id` optional so types that use `id` can use `Model<IMyType & Document>`
• a9b317a chore: upgrade mquery -> 3.2.3
• 43f88db fix(document): ensure calling `get()` with empty string returns undefined for mongoose-plugin-autoinc
• 369efe1 Merge pull request #9692 from sahasayan/patch-4
• f879c4d chore: update opencollective sponsors
• 1be4d87 fix(model): set `isNew` to false for documents that were successfully inserted by `insertMany` with `ordered = false` when an error occurred
• b2da840 test(model): repro #9677
• 15d6660 fix(index.d.ts): add missing Aggregate#skip() & Aggregate#limit()
• dd348b1 chore: release 5.11.6
• 3ec01fa fix(index.d.ts): allow calling `mongoose.model()` and `Connection#model()` with model as generic param
• ccfa041 Merge pull request #9686 from cjroebuck/patch-1
• 7a52e45 Merge pull request #9685 from sahasayan/patch-3
• a5c98c2 Allow array of validators in SchemaTypeOptions
• 48907ea fix(index.d.ts): allow 2 generic types in mongoose.model function
• a17a2c3 Merge pull request #9683 from isengartz/master
• 61595f0 fix(index.d.ts): allow passing ObjectId properties as strings to `create()` and `findOneAndReplace()`
• 8e20ee6 optional next() parameter for post middleware
• 8a52485 Merge pull request #9680 from orgads/aggregate
• 1ef8274 fix(middleware): ensure sync errors in pre hooks always bubble up to the calling code
• 067e3a2 fix(index.d.ts): Fix return type of Model#aggregate()
• 0e2058d chore: release 5.11.5
• 6d9fb4d fix(index.d.ts): add missing `SchemaTypeOpts` and `ConnectionOptions` aliases for backwards compat
• a85adb9 test: fix tests re: #9669

See the full diff

Package name: ms

The new version differs by 19 commits.

• 9b88d15 2.0.0
• 94b995c Invalidated cache for slack badge
• bcf5715 Bumped dependencies to the latest version
• b1eaab7 Ignored logs coming from npm
• caae298 Limit str to 100 to avoid ReDoS of 0.3s ([Snyk] Security upgrade body-parser from 1.9.0 to 1.19.2 #89)
• b83b36d chore(package): update eslint to version 3.19.0 ([Snyk] Security upgrade qs from 0.0.6 to 6.2.4 #88)
• 3f2a4d7 chore(package): update husky to version 0.13.3 ([Snyk] Fix for 1 vulnerabilities #86)
• 7daf984 1.0.0
• ee91f30 More suitable name for file containing tests
• e818c35 Removed browser testing
• c9b1fd3 Test on LTS version of Node
• 389840b Badge for XO removed
• 1fbbe97 Removed component specification
• 57b3ef8 Use `prettier` and `eslint`
• 94068ea Removed XO
• 4b7f48f chore(package): update serve to version 5.0.4 ([Snyk] Security upgrade qs from 0.0.6 to 6.2.4 #85)
• bd49cec chore(package): update xo to version 0.18.0 ([Snyk] Fix for 1 vulnerabilities #84)
• d4a94b1 chore(package): update serve to version 5.0.3 ([Snyk] Security upgrade decode-uri-component from 0.2.0 to 0.2.2 #83)
• 923eee1 chore(package): update serve to version 5.0.2 ([Snyk] Security upgrade snyk from 1.389.0 to 1.1064.0 #82)

See the full diff

Package name: tap

The new version differs by 250 commits.

• fe8158e 11.1.3
• b17542d Upgrade deps (changing semver requirements)
• bc3ba17 update deps
• bd4de92 Clean up nyc output so Travis passes on node 6
• 2292432 Add hexagonal-lambda to the tap 100 list
• fed62c9 Merge remote-tracking branch 'origin/master'
• 3cdf1c7 11.1.2
• ddf938b Only ship files we want to ship
• 5b5e2ee docs: add unique page titles
• 2323c3b Merge tag 'v11.1.1'
• 95faf6c 11.1.1
• 283c8e6 Handle EPIPE better in exceptional edge cases
• b727234 Fix obscure edge case when this.results is not set
• 1699eb9 process: update docs on the master branch
• ac366a0 docs: fix typo ('heirarchical' -> 'hierarchical')
• 13073a7 docs: correct 100 PR link
• b95ee22 v11.1.0
• fcf70aa Add support for disabling autoend
• 94be0a7 v11.0.1
• 6c3f019 remove badges that are no longer accurate or in use
• ae562a7 don't ignore coverage doc
• 9fcfd52 Migrate docs into main repository
• f189c50 v11.0.0
• 5cde128 Merge branch 'v11'

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:hawk:20160119	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)
🦉 Cross-site Scripting (XSS)
🦉 Cross-site Scripting (XSS)
🦉 More lessons are available in Snyk Learn