[Snyk] Upgrade: async, body-parser, cheerio, exceljs, express, faker, mongoose, multer, multer-s3, nodemailer, public-ip, socket.io, xlsx

[AlbertoCime14]

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

async
from 3.2.0 to 3.2.6 | 6 versions ahead of your current version | 22 days ago
on 2024-08-19
body-parser
from 1.19.0 to 1.20.2 | 5 versions ahead of your current version | 2 years ago
on 2023-02-22
cheerio
from 1.0.0-rc.3 to 1.0.0 | 10 versions ahead of your current version | a month ago
on 2024-08-09
exceljs
from 4.1.1 to 4.4.0 | 4 versions ahead of your current version | a year ago
on 2023-10-19
express
from 4.17.1 to 4.19.2 | 9 versions ahead of your current version | 6 months ago
on 2024-03-25
faker
from 5.1.0 to 5.5.3 | 8 versions ahead of your current version | 3 years ago
on 2021-04-08
mongoose
from 5.10.5 to 5.13.22 | 74 versions ahead of your current version | 8 months ago
on 2024-01-02
multer
from 1.4.2 to 1.4.4 | 3 versions ahead of your current version | 3 years ago
on 2021-12-07
multer-s3
from 2.9.0 to 2.10.0 | 2 versions ahead of your current version | 3 years ago
on 2021-10-17
nodemailer
from 6.4.11 to 6.9.14 | 39 versions ahead of your current version | 3 months ago
on 2024-06-19
public-ip
from 4.0.2 to 4.0.4 | 2 versions ahead of your current version | 3 years ago
on 2021-05-29
socket.io
from 2.3.0 to 2.5.1 | 4 versions ahead of your current version | 3 months ago
on 2024-06-19
xlsx
from 0.16.8 to 0.18.5 | 13 versions ahead of your current version | 2 years ago
on 2022-03-24

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Prototype Pollution SNYK-JS-ASYNC-2441827	696	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	696	Proof of Concept
	Denial of Service (DoS) SNYK-JS-WS-7266574	696	Proof of Concept
	Denial of Service (DoS) SNYK-JS-XLSX-1311137	696	Proof of Concept
	Denial of Service (DoS) SNYK-JS-XLSX-1311139	696	Proof of Concept
	Denial of Service (DoS) SNYK-JS-XLSX-1311141	696	Proof of Concept
	Uncaught Exception SNYK-JS-SOCKETIO-7278048	696	No Known Exploit
	Remote Memory Exposure SNYK-JS-DNSPACKET-1293563	696	No Known Exploit
	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	696	Proof of Concept
	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	696	Proof of Concept
	Denial of Service (DoS) SNYK-JS-ENGINEIO-3136336	696	No Known Exploit
	Arbitrary Code Injection SNYK-JS-XMLHTTPREQUESTSSL-1082936	696	Proof of Concept
	Access Restriction Bypass SNYK-JS-XMLHTTPREQUESTSSL-1255647	696	Proof of Concept
	Denial of Service (DoS) SNYK-JS-WS-7266574	696	Proof of Concept
	Prototype Pollution SNYK-JS-MQUERY-1050858	696	Proof of Concept
	Prototype Pollution SNYK-JS-MQUERY-1089718	696	Proof of Concept
	Command Injection SNYK-JS-NODEMAILER-1038834	696	Proof of Concept
	Code Injection SNYK-JS-LODASH-1040724	696	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-NTHCHECK-1586032	696	Proof of Concept
	Prototype Poisoning SNYK-JS-QS-3153490	696	Proof of Concept
	Prototype Pollution SNYK-JS-MONGOOSE-2961688	696	Proof of Concept
	Prototype Pollution SNYK-JS-MONGOOSE-5777721	696	Proof of Concept
	Denial of Service (DoS) SNYK-JS-JSZIP-1251497	696	Proof of Concept
	Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JS-JSZIP-3188562	696	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	696	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	696	Proof of Concept
	Server-Side Request Forgery (SSRF) SNYK-JS-IP-7148531	696	Proof of Concept
	Insecure Defaults SNYK-JS-SOCKETIO-1024859	696	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ISSVG-1085627	696	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ISSVG-1243891	696	Proof of Concept
	Open Redirect SNYK-JS-EXPRESS-6474509	696	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	696	Proof of Concept
	Prototype Pollution SNYK-JS-MPATH-1577289	696	Proof of Concept
	HTTP Header Injection SNYK-JS-NODEMAILER-1296415	696	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-NODEMAILER-6219989	696	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	696	No Known Exploit
	Information Exposure SNYK-JS-MONGODB-5871303	696	No Known Exploit
	Prototype Pollution SNYK-JS-MONGOOSE-1086688	696	Proof of Concept

Release notes

Package name: async

• 3.2.6 - 2024-08-19
  

  Version 3.2.6

• 3.2.5 - 2023-11-03
  

  Version 3.2.5

• 3.2.4 - 2022-06-07
  

  Version 3.2.4

• 3.2.3 - 2022-01-10
  

  Version 3.2.3

• 3.2.2 - 2021-10-28
  

  Version 3.2.2

• 3.2.1 - 2021-08-05
  

  Version 3.2.1

• 3.2.0 - 2020-02-24
  

  Version 3.2.0

from async GitHub release notes

Package name: body-parser

• 1.20.2 - 2023-02-22
  
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
    • perf: skip value escaping when unnecessary
  • deps: raw-body@2.5.2
• 1.20.1 - 2022-10-06
  
  • deps: qs@6.11.0
  • perf: remove unnecessary object clone
• 1.20.0 - 2022-04-03
  
  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: http-errors@2.0.0
    • deps: depd@2.0.0
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
  • deps: qs@6.10.3
  • deps: raw-body@2.5.1
    • deps: http-errors@2.0.0
• 1.19.2 - 2022-02-16
  
  • deps: bytes@3.1.2
  • deps: qs@6.9.7
    • Fix handling of __proto__ keys
  • deps: raw-body@2.4.3
    • deps: bytes@3.1.2
• 1.19.1 - 2021-12-10
  
  • deps: bytes@3.1.1
  • deps: http-errors@1.8.1
    • deps: inherits@2.0.4
    • deps: toidentifier@1.0.1
    • deps: setprototypeof@1.2.0
  • deps: qs@6.9.6
  • deps: raw-body@2.4.2
    • deps: bytes@3.1.1
    • deps: http-errors@1.8.1
  • deps: safe-buffer@5.2.1
  • deps: type-is@~1.6.18
• 1.19.0 - 2019-04-26
  
  • deps: bytes@3.1.0
    • Add petabyte (pb) support
  • deps: http-errors@1.7.2
    • Set constructor name when possible
    • deps: setprototypeof@1.1.1
    • deps: statuses@'>= 1.5.0 < 2'
  • deps: iconv-lite@0.4.24
    • Added encoding MIK
  • deps: qs@6.7.0
    • Fix parsing array brackets after index
  • deps: raw-body@2.4.0
    • deps: bytes@3.1.0
    • deps: http-errors@1.7.2
    • deps: iconv-lite@0.4.24
  • deps: type-is@~1.6.17
    • deps: mime-types@~2.1.24
    • perf: prevent internal throw on invalid type

from body-parser GitHub release notes

Package name: cheerio

• 1.0.0 - 2024-08-09
  

  Cheerio 1.0 is here! 🎉

  Announcement Blog Post

  Breaking Changes

  • The minimum NodeJS version is now 18.17 or higher #3959

  • Import paths were simplified. For example, use cheerio/slim instead of
    cheerio/lib/slim. #3970

  • The deprecated default Cheerio instance and static methods were removed. #3974

    Before, it was possible to write code like this:

    import cheerio, { html } from 'cheerio';

    html(cheerio('<test></test>')); // ~ '<test></test>' -- NO LONGER WORKS

    Make sure to always load documents first:

    import * as cheerio from 'cheerio';

    cheerio.load('<test></test>').html();

  • Node types previously re-exported by Cheerio must now be imported directly
    from (domhandler)(https://github.com/fb55/domhandler). #3969

  • htmlparser2 options now reside exclusively under the xml key (#2916):

    const $ = cheerio.load('<html>', {
      xml: {
        withStartIndices: true,
      },
    });

  New Features

  • Add functions to load buffers, streams & URLs in NodeJS by @ fb55 in #2857
  • Add extract method by @ fb55 in #2750

  Fixes

  • Allow imports of cheerio/utils by @ blixt in #2601
  • Allow empty string in data, and simplify by @ fb55 in #2818
  • Make closest be able to start from text nodes by @ Qualtagh in #2811
  • Fix potential github action smells by @ ceddy4395 in #3826

  Other

  • Cheerio has a new website, featuring updated API docs and guides! #2950

  Full Changelog: v1.0.0-rc.12...v1.0.0

• 1.0.0-rc.12 - 2022-06-26
  

  Bugfix release. Fixed issues:

  • Align prop undefined handling with jQuery by @ fb55 in #2557
  • Allow deep imports of cheerio/lib/utils by @ blixt in #2601

  New Contributors

  • @ blixt made their first contribution in #2601

  Full Changelog: v1.0.0-rc.11...v1.0.0-rc.12

• 1.0.0-rc.11 - 2022-05-20
  

  cheerio@1.0.0-rc.11 is hopefully the last RC before the 1.0.0 release of Cheerio. There are two APIs that will be added for the next major release: An exract method (#2523) and NodeJS specific loader methods (#2051). These are still in flux and I'd appreciate feedback on the proposals.

  A big thank you to everyone that contributed to this release! This includes code contributors, as well as the amazing financial support on GitHub Sponsors!

  Under the hood, a lot of work for this release went into updating parse5, cheerio's default HTML parser. Have a look at parse5's release notes to see what has changed there.

  Breaking

  • Cheerio is now a dual CommonJS and ESM module. That means that deep imports will now fail in newer versions of Node. #2508
  • script and style contents are added again in .text() #2509
    • To keep the old behavior, switch .text() to .prop('innerText')
  • The TypeScript types inherited from upstream dependencies have changed. #2503
    • Node types are now using tagged unions, which will make consumption a bit easier.

  Features

  • Relevant options are now forwarded to cheerio-select #2511
    • Custom pseudo classes can now be specified using the pseudos option.
  • For the .prop() method:
    • Add textContent and innerText props #2214
    • Users can now specify a baseURI option, which will lead to href and src props to be resolved as URLs. #2510
  • Added a slim export, which will always use htmlparser2 #1960

  Fixes

  • Have text turn passed values to strings #2047
  • Include undefined in the return type of get by @ glen-84 in #2392
  • Recognise comments as HTML #2504
  • Add missing undefined return value #2505
  • Export missing static methods #2506
  • Have style parsing add malformed fields to previous field #2521

  Refactor

  • Use domutils module directly #1928
  • Hand-roll isHTML #1935
  • Move initialization logic to load #1951
  • Only return elements in closest #2057
  • Remove unnecessary code, be more explicit #2279
  • Use stricter TS, ESLint configs #2507
  • Update exported values #2512

  Development Experience

  • Migrate husky to v6 by @ DavideViolante in #1934
  • Update CI by @ XhmikosR in #2149
  • Set permissions for GitHub actions by @ neilnaveen in #2453

  Docs

  • Update README "is not a web browser" section by @ mxschmitt in #2127

  New Contributors

  • @ DavideViolante made their first contribution in #1934
  • @ mxschmitt made their first contribution in #2127
  • @ glen-84 made their first contribution in #2392
  • @ neilnaveen made their first contribution in #2453

  Full Changelog: v1.0.0-rc.10...v1.0.0-rc.11

• 1.0.0-rc.10 - 2021-06-08
  

  Fixes:

  • .html(node) now moves passed nodes (#1923, fixes #940) 258b26b
  • Boolean attributes are no longer special in xmlMode (#1903, fixes #1805) b393e4a
  • Rename parser adapter files (#1873, fixes #1847) 8f55dd8
  • Make filter work on all collections (#1870, fixes #1867) fb8d31e
  • Bump cheerio-select (#1922, fixes https://www.npmjs.com/advisories/1754) 5cd2b9c

  Documentation:

  • Document how to define TS types for Plug-Ins (#1915, fixes #1778) 880fd2c
  • Remove obsolete Testing section e0c7cbb
  • Remove now-invalid require 5dfbd35

  Refactors:

  • Wrap shared behavior in traversing (#1909) 58e090a
  • Move is to traversing, optimize (#1908) 1c6fa3e
  • Change order of arguments of internal domEach (#1892) feda230
  • Have load export a function (#1869) c370f4e

  v1.0.0-rc.9...v1.0.0-rc.10

• 1.0.0-rc.9 - 2021-05-06
  

  Port to TypeScript

  Cheerio has been ported entirely to TypeScript (in #1816)! This eliminates a lot of edge-cases within Cheerio and will allow you to use Cheerio with confidence. This release also features a new documentation website based on TypeDoc, allowing you to quickly navigate all available methods: https://cheerio.js.org

  ---

  Breaking change: If you were using the function exported by Cheerio directly instead of first load()ing a document, you will now have to update the require to use the default export.

  - const cheerio = require("cheerio");
  + const cheerio = require("cheerio").default;

  cheerio('div', dom)

  Please note that this way of using Cheerio is deprecated and might be removed in a future version. Please consider updating your code to:

  const cheerio = require("cheerio");

  const $ = cheerio.load(dom)
  $('div')

  ---

  Note: Cheerio uses template literal types to determine return types. These are available starting with TypeScript 4.1, so you might have to bump your TypeScript version.

  For TypeScript types, Cheerio now implements the ArrayLike<T> interface. That means that Cheerio instances can contain objects of arbitrary types, but not all methods can be called on them.

  The TypeScript compiler will figure out what structures you are operating on:

  • When calling a loaded Cheerio instance with an HTML string like $('<div>'), it will product a Cheerio<Node> type.
    • Node is the base class for DOM elements and includes eg. comment and text nodes.
  • When calling Cheerio with a selector like $('.foo'), it will produce a Cheerio<Element>, as only Elements can be part of the result set.
    • Element is the class representing tags.
  • You can still use $('...').map() to map to arbitrary values, and will get a compiler error when trying to call method that are not supported.
    • Eg. $('.foo').map((i, el) => $(el).text()).attr('test') will no longer be possible, as .attr is not allowed to be called on a Cheerio<string>.

  ---

  This release does not contain other changes to functionality. Feedback is greatly appreciated; if you encounter a problem, please file an issue!

  v1.0.0-rc.6...v1.0.0-rc.9

• 1.0.0-rc.8 - 2021-05-06
  

  Second botched release. Please use v1.0.0-rc.9 instead.

• 1.0.0-rc.7 - 2021-05-06
  

  Published without a lib directory — please ignore.

• 1.0.0-rc.6 - 2021-04-08
  

  Breaking:

  • Fixed the ordering of the output of several methods, including prevAll, prevUntil and parentsUntil. The new order matches jQuery.

  This release contains three breaking changes inherited from dependencies.

  • Selectors (see css-select@4.0.0):
    • Several pseudo selectors are now stricter, in line with the HTML spec.
    • Some attributes are now case-insensitive based on the HTML spec.
  • DOM:
    • In XML mode, all elements will have type: 'tag'.

  New features:

  • Add .unwrap (#1651 by @ 5saviahv) 2037d83
  • Add .wrapAll (#1590 by @ 5saviahv) cd4a4d9
  • Support prop('innerHTML') (#1578 by @ fb55) c58258f
  • Expose the scriptingEnabled parse5 option (#1707 by @ 5saviahv) 7eb4cc4
    • By setting scriptingEnabled to false, it is now possible to parse the contents of <noscript> tags.

  Types:

  • Improve .load type (#1584 by @ f0x52) 6a90bda
  • Improve type for .get (