[Snyk] Fix for 7 vulnerabilities

[mfolker]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • src/package.json
  • src/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTTPCACHESEMANTICS-3248783	Yes	Proof of Concept
	509/1000 Why? Has a fix available, CVSS 5.9	Timing Attack SNYK-JS-JOSE-1251487	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JS-JOSE-3018688	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-NORMALIZEURL-1296539	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: log4js

The new version differs by 171 commits.

• 9fdbed5 6.4.0
• 788c7a8 Merge pull request #1150 from log4js-node/update-changelog
• 7fdb141 chore: updated changelog for 6.4.0
• e6bd888 Merge pull request #1151 from log4js-node/feat-zero-backup
• ac599e4 allow for zero backup - in sync with https://github.com/fix: allow for zero backups and zero daysToKeep log4js-node/streamroller#74
• 53248cd Merge pull request #1149 from log4js-node/migrate-daysToKeep-to-numBackups
• 436d9b4 Merge pull request #1148 from log4js-node/update-docs
• d6b017e chore(docs): updated fileSync.md and misc comments
• d4617a7 chore(deps): migrated from daysToKeep to numBackups due to streamroller@^3.0.0
• 0ad0133 Merge pull request #1147 from log4js-node/update-deps
• 773962b Merge pull request #1146 from log4js-node/update-deps
• 823bb46 Merge pull request #1145 from log4js-node/update-deps
• 6cc0035 chore(deps): bump streamroller from 3.0.1 to 3.0.2
• 0f39859 chore(deps): bump date-format from 4.0.2 to 4.0.3
• 85ac31e chore(deps-dev): bump eslint from from 8.6.0 to 8.7.0
• acd41ef Merge pull request #1144 from log4js-node/refactor
• 4c4bbe8 chore(refactor): using writer.writable instead of alive for checking
• e86a809 Merge pull request #1097 from 4eb0da/datefile-error-handling
• 34ab3b2 Merge pull request #1143 from log4js-node/update-test
• 8cba85f chore(test): renamed tap.teardown() to tap.tearDown() for consistency (while both works, only tap.tearDown() is documented)
• a0baec2 chore(test): fixed teardown() causing tests to fail due to fs errors on removal
• 51ac865 Merge pull request #1103 from polo-language/recording-typescript
• 653a20f Merge pull request #1028 from techmunk/master
• 43a2199 chore(test): Changed default TAP test suite timeout from 30s to 45s because Windows takes a long time

See the full diff

Package name: oidc-provider

The new version differs by 250 commits.

• 286b8d8 chore(release): 7.0.0
• 238786b docs: update readme
• 5efbf9b chore: move package json fields to rc files
• ee74dcf feat: control whether underlying Grant gets destroyed during logout and revocation
• 9dc7921 feat: allow pre-existing Grants to be loaded during authorization
• efd3dab feat: The key used to asymmetrically sign PASETO Access Tokens can now be chosen based on its Key ID.
• 2e78582 feat: PASETO Access Tokens can now be encrypted with a symmetric secret shared with the recipient using v1.local
• dff2a72 feat: PASETO Access Tokens now support both v1.public and v2.public
• 4efe741 feat: PASETO Access Tokens are now just issued and not stored anymore
• d1ee6b7 feat: JWT Access Tokens are now just issued and not stored anymore
• 8b32707 feat: The key used to asymmetrically sign JWT Access Tokens can now be chosen based on its Key ID.
• d2a63b7 feat: JWT Access Tokens can now be encrypted with an asymmetric public key of the recipient
• 0f76c65 feat: JWT Access Tokens can now be encrypted with a symmetric secret shared with the recipient
• 5041158 feat: JWT Access Tokens can now be HMAC-signed with a symmetric secret shared with the recipient
• f48a44e ci: only download failed certification html results
• ceb3cd1 fix: remap `invalid_redirect_uri` as `invalid_request` in PAR
• d1d9421 refactor: idToken.issue() now requires the `use` option
• 5572e0e refactor: use jose@3 instead of jose@2
• bf8abdb refactor: use private class fields in favour of weakmap where possible
• 72058a5 feat: helper function to decide whether to validate client.sector_identifier_uri
• 202e4c5 feat: sector_identifier_uri can be used without pairwise subject_type
• 59d6c52 ci: continue on lint errors
• 33f3a83 feat: PAR no longer requires otherwise enabled `features.requestObjects`
• a1f7466 refactor: use clearer allow/block list definitions

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Arbitrary Code Injection
🦉 Regular Expression Denial of Service (ReDoS)