[Snyk] Upgrade: axios, dotenv, express, google-auth-library, redis, reflect-metadata, typeorm, winston

[EchoSkorJjj]

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

axios
from 1.6.4 to 1.7.5 | 13 versions ahead of your current version | 22 days ago
on 2024-08-23
dotenv
from 16.3.1 to 16.4.5 | 7 versions ahead of your current version | 7 months ago
on 2024-02-20
express
from 4.18.2 to 4.19.2 | 4 versions ahead of your current version | 6 months ago
on 2024-03-25
google-auth-library
from 9.4.1 to 9.14.0 | 14 versions ahead of your current version | 25 days ago
on 2024-08-20
redis
from 4.6.11 to 4.7.0 | 5 versions ahead of your current version | 2 months ago
on 2024-07-29
reflect-metadata
from 0.2.1 to 0.2.2 | 1 version ahead of your current version | 6 months ago
on 2024-03-29
typeorm
from 0.3.18 to 0.3.20 | 17 versions ahead of your current version | 8 months ago
on 2024-01-26
winston
from 3.11.0 to 3.14.2 | 7 versions ahead of your current version | a month ago
on 2024-08-14

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Server-side Request Forgery (SSRF) SNYK-JS-AXIOS-7361793	761	Proof of Concept
	Open Redirect SNYK-JS-EXPRESS-6474509	761	No Known Exploit
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	761	Proof of Concept

Release notes

Package name: axios

• 1.7.5 - 2024-08-23
  

  Release notes:

  Bug Fixes

  • adapter: fix undefined reference to hasBrowserEnv (#6572) (7004707)
  • core: add the missed implementation of AxiosError#status property; (#6573) (6700a8a)
  • core: fix ReferenceError: navigator is not defined for custom environments; (#6567) (fed1a4b)
  • fetch: fix credentials handling in Cloudflare workers (#6533) (550d885)

  Contributors to this release

  • Dmitriy Mozgovoy
  • Antonin Bas
  • Hans Otto Wirtz
• 1.7.4 - 2024-08-13
  

  Release notes:

  Bug Fixes

  • sec: CVE-2024-39338 (#6539) (#6543) (6b6b605)
  • sec: disregard protocol-relative URL to remediate SSRF (#6539) (07a661a)

  Contributors to this release

  • Lev Pachmanov
  • Đỗ Trọng Hải
• 1.7.3 - 2024-08-01
  

  Release notes:

  Bug Fixes

  • adapter: fix progress event emitting; (#6518) (e3c76fc)
  • fetch: fix withCredentials request config (#6505) (85d4d0e)
  • xhr: return original config on errors from XHR adapter (#6515) (8966ee7)

  Contributors to this release

  • Dmitriy Mozgovoy
  • Valerii Sidorenko
  • prianYu
• 1.7.2 - 2024-05-21
  

  Release notes:

  Bug Fixes

  • fetch: enhance fetch API detection; (#6413) (4f79aef)

  Contributors to this release

  • Dmitriy Mozgovoy
• 1.7.1 - 2024-05-20
  

  Release notes:

  Bug Fixes

  • fetch: fixed ReferenceError issue when TextEncoder is not available in the environment; (#6410) (733f15f)

  Contributors to this release

  • Dmitriy Mozgovoy
• 1.7.0 - 2024-05-19
  

  Release notes:

  Features

  • adapter: add fetch adapter; (#6371) (a3ff99b)

  Bug Fixes

  • core/axios: handle un-writable error stack (#6362) (81e0455)

  Contributors to this release

  • Dmitriy Mozgovoy
  • Jay
  • Alexandre ABRIOUX
• 1.7.0-beta.2 - 2024-05-19
  

  Release notes:

  Bug Fixes

  • fetch: capitalize HTTP method names; (#6395) (ad3174a)
  • fetch: fix & optimize progress capturing for cases when the request data has a nullish value or zero data length (#6400) (95a3e8e)
  • fetch: fix headers getting from a stream response; (#6401) (870e0a7)

  Contributors to this release

  • Dmitriy Mozgovoy
• 1.7.0-beta.1 - 2024-05-07
  

  Release notes:

  Bug Fixes

  • core/axios: handle un-writable error stack (#6362) (81e0455)
  • fetch: fix cases when ReadableStream or Response.body are not available; (#6377) (d1d359d)
  • fetch: treat fetch-related TypeError as an AxiosError.ERR_NETWORK error; (#6380) (bb5f9a5)

  Contributors to this release

  • Alexandre ABRIOUX
  • Dmitriy Mozgovoy

  Install

  npm i axios@next
  

• 1.7.0-beta.0 - 2024-04-28
  

  Release notes:

  Features

  • adapter: add fetch adapter; (#6371) (a3ff99b)

  Contributors to this release

  • Dmitriy Mozgovoy
  • Jay

  Install

  npm i axios@next
  

• 1.6.8 - 2024-03-15
• 1.6.7 - 2024-01-25
• 1.6.6 - 2024-01-24
• 1.6.5 - 2024-01-05
• 1.6.4 - 2024-01-03

from axios GitHub release notes

Package name: dotenv

• 16.4.5 - 2024-02-20
  

  16.4.5

• 16.4.4 - 2024-02-13
  

  16.4.4

• 16.4.3 - 2024-02-12
  

  16.4.3

• 16.4.2 - 2024-02-10
  

  16.4.2

• 16.4.1 - 2024-01-24
  

  16.4.1

• 16.4.0 - 2024-01-23
  

  16.4.0

• 16.3.2 - 2024-01-19
  

  16.3.2

• 16.3.1 - 2023-06-17
  

  16.3.1

from dotenv GitHub release notes

Package name: express

• 4.19.2 - 2024-03-25
• 4.19.1 - 2024-03-20
  

  What's Changed

  • Fix ci after location patch by @ wesleytodd in #5552
  • fixed un-edited version in history.md for 4.19.0 by @ wesleytodd in #5556

  Full Changelog: 4.19.0...4.19.1

• 4.19.0 - 2024-03-20
  

  What's Changed

  • fix typo in release date by @ UlisesGascon in #5527
  • docs: nominating @ wesleytodd to be project captian by @ wesleytodd in #5511
  • docs: loosen TC activity rules by @ wesleytodd in #5510
  • Add note on how to update docs for new release by @ crandmck in #5541
  • Prevent open redirect allow list bypass due to encodeurl
  • Release 4.19.0 by @ wesleytodd in #5551

  New Contributors

  • @ crandmck made their first contribution in #5541

  Full Changelog: 4.18.3...4.19.0

• 4.18.3 - 2024-02-29
  

  Main Changes

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2

  Other Changes

  • Use https: protocol instead of deprecated git: protocol by @ vcsjones in #5032
  • build: Node.js@16.18 and Node.js@18.12 by @ abenhamdine in #5034
  • ci: update actions/checkout to v3 by @ armujahid in #5027
  • test: remove unused function arguments in params by @ raksbisht in #5124
  • Remove unused originalIndex from acceptParams by @ raksbisht in #5119
  • Fixed typos by @ raksbisht in #5117
  • examples: remove unused params by @ raksbisht in #5113
  • fix: parameter str is not described in JSDoc by @ raksbisht in #5130
  • fix: typos in History.md by @ raksbisht in #5131
  • build : add Node.js@19.7 by @ abenhamdine in #5028
  • test: remove unused function arguments in params by @ raksbisht in #5137
  • use random port in test so it won't fail on already listening by @ rluvaton in #5162
  • tests: use cb() instead of done() by @ kristof-low in #5233
  • examples: remove multipart example by @ riddlew in #5195
  • Update support Node.js@18 in the CI by @ UlisesGascon in #5490
  • Fix favicon-related bug in cookie-sessions example by @ DmytroKondrashov in #5414
  • Release 4.18.3 by @ UlisesGascon in #5505

  New Contributors

  • @ vcsjones made their first contribution in #5032
  • @ abenhamdine made their first contribution in #5034
  • @ armujahid made their first contribution in #5027
  • @ raksbisht made their first contribution in #5124
  • @ rluvaton made their first contribution in #5162
  • @ kristof-low made their first contribution in #5233
  • @ riddlew made their first contribution in #5195
  • @ DmytroKondrashov made their first contribution in #5414

  Full Changelog: 4.18.2...4.18.3

• 4.18.2 - 2022-10-08
  
  • Fix regression routing a large stack in a single route
  • deps: body-parser@1.20.1
    • deps: qs@6.11.0
    • perf: remove unnecessary object clone
  • deps: qs@6.11.0

from express GitHub release notes

Package name: google-auth-library

• 9.14.0 - 2024-08-20
  

  9.14.0 (2024-08-19)

  Features

  • Add AnyAuthClient type (#1843) (3ae120d)
  • Extend API Key Support (#1835) (5fc3bcc)
  • Group Concurrent getClient Requests (#1848) (243ce28)

  Bug Fixes

  • deps: Update dependency @ googleapis/iam to v21 (#1847) (e9459f3)
• 9.13.0 - 2024-07-31
  

  9.13.0 (2024-07-29)

  Features

  • Group Concurrent Access Token Requests for Base External Clients (#1840) (0e08fc5)
• 9.12.0 - 2024-07-27
  

  9.12.0 (2024-07-26)

  Features

  • Expose More Public API Types (#1838) (5745a49)

  Bug Fixes

  • deps: Update dependency @ googleapis/iam to v19 (#1823) (b070ffb)
  • deps: Update dependency @ googleapis/iam to v20 (#1832) (e31a831)
• 9.11.0 - 2024-06-12
  

  9.11.0 (2024-06-01)

  Features

  • Adding support of client authentication method. (#1814) (4a14e8c)
• 9.10.0 - 2024-05-13
  

  9.10.0 (2024-05-10)

  Features

  • Implement UserRefreshClient#fetchIdToken (#1811) (ae8bc54)

  Bug Fixes

  • deps: Update dependency @ googleapis/iam to v16 (#1803) (40406a0)
  • deps: Update dependency @ googleapis/iam to v17 (#1808) (4d67f07)
  • deps: Update dependency @ googleapis/iam to v18 (#1809) (b2b9676)
• 9.9.0 - 2024-04-24
  

  9.9.0 (2024-04-18)

  Features

  • Adds suppliers for custom subject token and AWS credentials (#1795) (c680b5d)
• 9.8.0 - 2024-04-15
  

  9.8.0 (2024-04-12)

  Features

  • Enable Retries For Auth Requests (#1791) (9b69a31)
  • Improve gaxios exposure (#1794) (5058726)

  Bug Fixes

  • deps: Update dependency open to v10 (#1782) (16e5cae)
  • deps: Update dependency opn to v6 (#1775) (fc8dfe9)
• 9.7.0 - 2024-03-13
  

  9.7.0 (2024-03-12)

  Features

  • PassThrough AuthClient (#1771) (0003bee)

  Bug Fixes

  • deps: Update dependency @ googleapis/iam to v15 (#1772) (f45f975)
  • Making aws request signer get a new session token each time security credentials are requested. (#1765) (6a6e496)
• 9.6.3 - 2024-02-06
  

  9.6.3 (2024-02-06)

  Bug Fixes

  • Always sign with scopes on Non-Default Universes (#1752) (f3d3a03)
• 9.6.2 - 2024-02-02
  

  9.6.2 (2024-02-02)

  Bug Fixes

  • Allow Get Universe Without Credentials (#1748) (696db72)
• 9.6.1 - 2024-02-01
• 9.6.0 - 2024-01-29
• 9.5.0 - 2024-01-25
• 9.4.2 - 2024-01-10
• 9.4.1 - 2023-12-01

from google-auth-library GitHub release notes

Package name: redis

• 4.7.0 - 2024-07-29
  

  Enhancements

  • Upgrade @ redis/client from 1.5.16 to 1.6.0
  • Upgrade @ redis/json from 1.0.6 to 1.0.7
  • Upgrade @ redis/search from 1.1.6 to 1.2.0
  • Upgrade @ redis/time-series from 1.0.5 to 1.1.0
• 4.6.15 - 2024-07-02
  

  Enhancements

  • Upgrade @ redis/client from 1.5.16 to 1.5.17
• 4.6.14 - 2024-05-16
  

  Enhancements

  • Upgrade @ redis/client from 1.5.14 to 1.5.16
• 4.6.13 - 2024-02-05
• 4.6.12 - 2023-12-18
• 4.6.11 - 2023-11-20

from redis GitHub release notes

Package name: reflect-metadata

• 0.2.2 - 2024-03-29
• 0.2.1 - 2023-12-14
  

  What's Changed

  • Fix stack overflow crash in isProviderFor by @ rbuckton in #155
  • Update main to v0.2.1 by @ rbuckton in #156

  Full Changelog: v0.2.0...v0.2.1

from reflect-metadata GitHub release notes

Package name: typeorm

• 0.3.20 - 2024-01-26
  

  Bug Fixes

  • added missing parentheses in where conditions (#10650) (4624930), closes #10534
  • don't escape indexPredicate (#10618) (dd49a25)
  • fallback runMigrations transaction to DataSourceOptions (#10601) (0cab0dd)
  • hangup when load relations with relationLoadStrategy: query (#10630) (54d8d9e), closes #10481
  • include asExpression columns in returning clause (#10632) (f232ba7), closes #8450 #8450
  • multiple insert in SAP Hana (#10597) (1b34c9a)
  • resolve issue CREATE/DROP Index concurrently (#10634) (8aa8690), closes #10626
  • type inferencing of EntityManager#create (#10569) (99d8249)

  Features

  • add json type support for Oracle (#10611) (7e85460)
  • add postgres multirange column types (#10627) (d0b7670), closes #10556
  • add table comment for postgres (#10613) (4493db4)

  Reverts

  • Revert "fix: prevent using absolute table path in migrations unless required (#10123)" (