[Snyk] Upgrade: express-robots-txt, feature-policy, file-stream-rotator, i18n, jsonwebtoken, node-pre-gyp, pdfkit, sanitize-html, unzipper

[caishenwong]

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

express-robots-txt
from 0.4.1 to 0.5.0 | 1 version ahead of your current version | 4 years ago
on 2020-08-17
feature-policy
from 0.5.0 to 0.6.0 | 1 version ahead of your current version | 4 years ago
on 2020-12-23
file-stream-rotator
from 0.5.7 to 0.6.1 | 2 versions ahead of your current version | 3 years ago
on 2022-01-22
i18n
from 0.11.1 to 0.15.1 | 11 versions ahead of your current version | 2 years ago
on 2022-09-22
jsonwebtoken
from 9.0.0 to 9.0.2 | 2 versions ahead of your current version | a year ago
on 2023-08-30
node-pre-gyp
from 0.15.0 to 0.17.0 | 2 versions ahead of your current version | 4 years ago
on 2020-12-07
pdfkit
from 0.14.0 to 0.15.0 | 1 version ahead of your current version | 6 months ago
on 2024-03-24
sanitize-html
from 2.12.1 to 2.13.0 | 1 version ahead of your current version | 6 months ago
on 2024-03-20
unzipper
from 0.12.1 to 0.12.3 | 2 versions ahead of your current version | a month ago
on 2024-07-31

Release notes

Package name: express-robots-txt

• 0.5.0 - 2020-08-17
  

  0.5.0

• 0.4.1 - 2019-07-14
  

  0.4.1

from express-robots-txt GitHub release notes

Package name: feature-policy

• 0.6.0 - 2020-12-23
  

  0.6.0

• 0.5.0 - 2020-04-16
  

  0.5.0

from feature-policy GitHub release notes

Package name: file-stream-rotator

• 0.6.1 - 2022-01-22
  No content.
• 0.6.0 - 2022-01-21
  No content.
• 0.5.7 - 2020-01-20

from file-stream-rotator GitHub release notes

Package name: i18n

• 0.15.1 - 2022-09-22
• 0.15.0 - 2022-05-19
  

  add YAML support by parser config

• 0.14.2 - 2022-03-05
  

  Fixed

  Fixes #493 - using i18n with a combination of retry and sync settings lead to a 'Maximum call stack size exceeded' exception due to an infinite loop while writing phrases to all locale files.

  const i18n = new I18n({
      // [...]
      retryInDefaultLocale: true,
      syncFiles: true,
  })

• 0.14.1 - 2022-01-30
  

  Fixed

  • upgrade all dev dependencies without breaking changes
  • upgrade all dependencies without breaking changes

  This also updates to mocha 9.2.0 (mochajs/mocha#4814) which fixes GHSA-qrpm-p2h7-hrv2

• 0.14.0 - 2022-01-23
  

  Changed

  • replaces sprintf-js with fast-printf #453
  • replaces deprecated messageformat with @ messageformat/core #472
  • drops node support <10
  • local dev defaults to node 16
• 0.13.4 - 2021-12-29
  

  Fixed

  • upgrade all dev dependencies without breaking changes
  • upgrade all dependencies without breaking changes

  see aa60ac7, 3139881 and 4e6963f for details

  Added

  • test directory traversal (#486)
• 0.13.3 - 2021-05-08
  

  Fixed

  • upgrade transitive dev dependency of eslint, mocha, zombie to [email protected]
  • upgrade transitive dev dependency of zombie to [email protected]
  • upgrade transitive dev dependency of eslint-plugin-import to [email protected]
• 0.13.2 - 2020-08-21
  

  Fixed

  • moved devDeps from dependencies to devDependencies #446
  • removed unused packages from all dependencies
• 0.13.1 - 2020-08-20
  

  Fixed

  • npx npm-force-resolutions failed #445

  Details

  A preinstall script was added to force resolving specific versions of lodash and ajv. Those are sub-dependencies of zombie and its packages. Zombie is devDependency of i18n. But zombie still refers to older versions reported to vulnerable - so I decided to force fixed versions.

  Of course that preinstall should count on any npm install i18n, it's renamed to force-resolutions so I can still resolve audit issues in dev while also supporting clean installs.

  "scripts": {
    "preinstall": "npx npm-force-resolutions"
  }

  now reads as

  "scripts": {
    "force-resolutions": "npx npm-force-resolutions"
  }

  And doesn't get triggered by npm install.

• 0.13.0 - 2020-08-20
  

  Added

  • new option retryInDefaultLocale as proposed by PR #206
  • new option header as proposed by PRs #390 and #407
  • pre-commit hooks to ensure code-style (even on contributions)

  Fixed

  • typos in README

  Changed

  • tooling: eslint with standard.js & prettier presets replaces jshint
• 0.12.0 - 2020-08-16
• 0.11.1 - 2020-08-04

from i18n GitHub release notes

Package name: jsonwebtoken

• 9.0.2 - 2023-08-30
  

  Release 9.0.2 (#935)

• 9.0.1 - 2023-07-05
  

  Updating package version to 9.0.1 (#920)

• 9.0.0 - 2022-12-21
  

  • Check if node version supports asymmetricKeyDetails

  • Validate algorithms for ec key type

  • Rename variable

  • Rename function

  • Add early return for symmetric keys

  • Validate algorithm for RSA key type

  • Validate algorithm for RSA-PSS key type

  • Check key types for EdDSA algorithm

  • Rename function

  • Move validateKey function to module

  • Convert arrow to function notation

  • Validate key in verify function

  • Simplify if

  • Convert if to switch..case

  • Guard against empty key in validation

  • Remove empty line

  • Add lib to check modulus length

  • Add modulus length checks

  • Validate mgf1HashAlgorithm and saltLength

  • Check node version before using key details API

  • Use built-in modulus length getter

  • Fix Node version validations

  • Remove duplicate validateKey

  • Add periods to error messages

  • Fix validation in verify function

  • Make asymmetric key validation the latest validation step

  • Change key curve validation

  • Remove support for ES256K

  • Fix old test that was using wrong key types to sign tokens

  • Enable RSA-PSS for old Node versions

  • Add specific RSA-PSS validations on Node 16 LTS+

  • Improve error message

  • Simplify key validation code

  • Fix typo

  • Improve error message

  • Change var to const in test

  • Change const to let to avoid reassigning problem

  • Improve error message

  • Test incorrect private key type

  • Rename invalid to unsupported

  • Test verifying of jwt token with unsupported key

  • Test invalid private key type

  • Change order of object parameters

  • Move validation test to separate file

  • Move all validation tests to separate file

  • Add prime256v1 ec key

  • Remove modulus length check

  • WIP: Add EC key validation tests

  • Fix node version checks

  • Fix error message check on test

  • Add successful tests for EC curve check

  • Remove only from describe

  • Remove only

  • Remove duplicate block of code

  • Move variable to a different scope and make it const

  • Convert allowed curves to object for faster lookup

  • Rename variable

  • Change variable assignment order

  • Remove unused object properties

  • Test RSA-PSS happy path and wrong length

  • Add missing tests

  • Pass validation if no algorithm has been provided

  • Test validation of invalid salt length

  • Test error when signing token with invalid key

  • Change var to const/let in verify tests

  • Test verifying token with invalid key

  • Improve test error messages

  • Add parameter to skip private key validation

  • Replace DSA key with a 4096 bit long key

  • Test allowInvalidPrivateKeys in key signing

  • Improve test message

  • Rename variable

  • Add key validation flag tests

  • Fix variable name in Readme

  • Change private to public dsa key in verify

  • Rename flag

  • Run EC validation tests conditionally

  • Fix tests in old node versions

  • Ignore block of code from test coverage

  • Separate EC validations tests into two different ones

  • Add comment

  • Wrap switch in if instead of having an early return

  • Remove unsupported algorithms from asymmetric key validation

  • Rename option to allowInvalidAsymmetricKeyTypes and improve Readme

  • 9.0.0

  • adding migration notes to readme

  • adding changelog for version 9.0.0

  Co-authored-by: julienwoll [email protected]

from jsonwebtoken GitHub release notes

Package name: node-pre-gyp

• 0.17.0 - 2020-12-07
• 0.16.0 - 2020-10-29
• 0.15.0 - 2020-05-29

from node-pre-gyp GitHub release notes

Package name: pdfkit

• 0.15.0 - 2024-03-24
  
  • Add subset for PDF/UA
  • Fix for line breaks in list items (#1486)
  • Fix for soft hyphen not being replaced by visible hyphen if necessary (#457)
  • Optimize output files by ignoring identity transforms
  • Fix for Acroforms - setting an option to false will still apply the flag (#1495)
  • Fix for text extraction in PDFium-based viewers due to invalid ToUnicodeMap (#1498)
  • Remove deprecated write method
  • Drop support for Node.js < 18 and for browsers released before 2020
• 0.14.0 - 2023-11-09
  
  • Add support for PDF/A-1b, PDF/A-1a, PDF/A-2b, PDF/A-2a, PDF/A-3b, PDF/A-3a
  • Update crypto-js to v4.2.0 (properly fix security issue)

from pdfkit GitHub release notes

Package name: sanitize-html

• 2.13.0 - 2024-03-20
  

  release 2.13.0

• 2.12.1 - 2024-02-22
  

  release 2.12.1

from sanitize-html GitHub release notes

Package name: unzipper

• 0.12.3 - 2024-07-31
  

  Add @ ts-ignore to unblock typescript errors

• 0.12.2 - 2024-07-14
  
  • Support for @ AWS-SDK version 3 (@ alice-was-here)
  • Fix zip64 extra field (@ Cruaier)
  • Upgrade bluebird (snyk)
• 0.12.1 - 2024-06-08
  
  • unmaintained fstream replaced with fs-extra
  • empty directories in a zip file will now be created when zip file is extracted
  • big-integer replaced with node-int64 (up to 20x performance increase on large encrypted files)
  • npm deployment added to github actions

from unzipper GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs