[Snyk] Upgrade: body-parser, chai, chai-http, express, kafkajs, nodemon, standard, swagger-jsdoc, swagger-ui, swagger-ui-express

[seansund]

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

body-parser
from 1.19.0 to 1.20.2 | 5 versions ahead of your current version | 2 years ago
on 2023-02-22
chai
from 4.3.4 to 4.5.0 | 9 versions ahead of your current version | 2 months ago
on 2024-07-25
chai-http
from 4.3.0 to 4.4.0 | 1 version ahead of your current version | a year ago
on 2023-06-09
express
from 4.17.1 to 4.19.2 | 9 versions ahead of your current version | 6 months ago
on 2024-03-25
kafkajs
from 1.15.0 to 1.16.0 | 41 versions ahead of your current version | 3 years ago
on 2022-02-09
nodemon
from 2.0.7 to 2.0.22 | 25 versions ahead of your current version | a year ago
on 2023-03-22
standard
from 16.0.3 to 16.0.4 | 1 version ahead of your current version | 3 years ago
on 2021-10-03
swagger-jsdoc
from 6.1.0 to 6.2.8 | 9 versions ahead of your current version | 2 years ago
on 2023-01-16
swagger-ui
from 3.48.0 to 3.52.5 | 11 versions ahead of your current version | 3 years ago
on 2021-10-14
swagger-ui-express
from 4.1.6 to 4.6.3 | 8 versions ahead of your current version | a year ago
on 2023-05-05

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	372	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	372	Proof of Concept
	Uncontrolled resource consumption SNYK-JS-BRACES-6838727	372	Proof of Concept
	Prototype Pollution SNYK-JS-FASTJSONPATCH-3182961	372	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-GETFUNCNAME-5923417	372	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-NORMALIZEURL-1296539	372	No Known Exploit
	Prototype Poisoning SNYK-JS-QS-3153490	372	Proof of Concept
	Prototype Poisoning SNYK-JS-QS-3153490	372	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PRISMJS-1314893	372	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PRISMJS-1585202	372	Proof of Concept
	Prototype Pollution SNYK-JS-DOMPURIFY-7984421	372	No Known Exploit
	Improper Input Validation SNYK-JS-URLPARSE-2407770	372	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	372	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	372	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	372	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-SWAGGERUIDIST-2314884	372	Mature
	Server-side Request Forgery (SSRF) SNYK-JS-SWAGGERUIDIST-6056393	372	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-SWAGGERUIEXPRESS-6815423	372	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-SWAGGERUIEXPRESS-6815424	372	Mature
	Open Redirect SNYK-JS-EXPRESS-6474509	372	No Known Exploit
	Open Redirect SNYK-JS-GOT-2932019	372	No Known Exploit
	Improper Input Validation SNYK-JS-SWAGGERCLIENT-6836803	372	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	372	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-PRISMJS-2404333	372	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-COOKIEJAR-3149984	372	Proof of Concept
	Template Injection SNYK-JS-DOMPURIFY-6474511	372	Proof of Concept
	Open Redirect SNYK-JS-URLPARSE-1533425	372	Proof of Concept
	Access Restriction Bypass SNYK-JS-URLPARSE-2401205	372	Proof of Concept
	Authorization Bypass SNYK-JS-URLPARSE-2407759	372	Proof of Concept
	Authorization Bypass Through User-Controlled Key SNYK-JS-URLPARSE-2412697	372	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	372	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTTPCACHESEMANTICS-3248783	372	Proof of Concept
	Prototype Pollution SNYK-JS-JSON5-3182856	372	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	372	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WORDWRAP-3149973	372	Proof of Concept
	Prototype Pollution SNYK-JS-MINIMIST-2429795	372	Proof of Concept

Release notes

Package name: body-parser

• 1.20.2 - 2023-02-22
  
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
    • perf: skip value escaping when unnecessary
  • deps: raw-body@2.5.2
• 1.20.1 - 2022-10-06
  
  • deps: qs@6.11.0
  • perf: remove unnecessary object clone
• 1.20.0 - 2022-04-03
  
  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: http-errors@2.0.0
    • deps: depd@2.0.0
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
  • deps: qs@6.10.3
  • deps: raw-body@2.5.1
    • deps: http-errors@2.0.0
• 1.19.2 - 2022-02-16
  
  • deps: bytes@3.1.2
  • deps: qs@6.9.7
    • Fix handling of __proto__ keys
  • deps: raw-body@2.4.3
    • deps: bytes@3.1.2
• 1.19.1 - 2021-12-10
  
  • deps: bytes@3.1.1
  • deps: http-errors@1.8.1
    • deps: inherits@2.0.4
    • deps: toidentifier@1.0.1
    • deps: setprototypeof@1.2.0
  • deps: qs@6.9.6
  • deps: raw-body@2.4.2
    • deps: bytes@3.1.1
    • deps: http-errors@1.8.1
  • deps: safe-buffer@5.2.1
  • deps: type-is@~1.6.18
• 1.19.0 - 2019-04-26
  
  • deps: bytes@3.1.0
    • Add petabyte (pb) support
  • deps: http-errors@1.7.2
    • Set constructor name when possible
    • deps: setprototypeof@1.1.1
    • deps: statuses@'>= 1.5.0 < 2'
  • deps: iconv-lite@0.4.24
    • Added encoding MIK
  • deps: qs@6.7.0
    • Fix parsing array brackets after index
  • deps: raw-body@2.4.0
    • deps: bytes@3.1.0
    • deps: http-errors@1.7.2
    • deps: iconv-lite@0.4.24
  • deps: type-is@~1.6.17
    • deps: mime-types@~2.1.24
    • perf: prevent internal throw on invalid type

from body-parser GitHub release notes

Package name: chai

• 4.5.0 - 2024-07-25
  
  • Update type detect (#1631) 1a36d35

  v4.4.1...v4.5.0

  What's Changed

  • Update type detect by @ koddsson in #1631

  Full Changelog: v4.4.1...v4.5.0

• 4.4.1 - 2024-01-12
  

  What's Changed

  • fix: removes ?? for node compat by @ 43081j in #1574

  Full Changelog: v4.4.0...v4.4.1

• 4.4.0 - 2024-01-05
  

  What's Changed

  • Allow deepEqual fonction to be configured globally (4.x.x branch) by @ forty in #1553

  Full Changelog: v4.3.10...v4.4.0

• 4.3.10 - 2023-09-28
• 4.3.9 - 2023-09-27
• 4.3.8 - 2023-08-24
• 4.3.7 - 2022-11-07
• 4.3.6 - 2022-01-26
• 4.3.5 - 2022-01-25
• 4.3.4 - 2021-03-12

from chai GitHub release notes

Package name: chai-http

• 4.4.0 - 2023-06-09
  

  What's Changed

  • ci: add semantic-release by @ austince in #248
  • ci: add secure variables to release stage by @ austince in #250
  • ci: build before release, commit assets, remove .npmrc by @ austince in #252
  • Fix for issue #254, add extended request method explanations to the README by @ theodorewahle in #256
  • Add matcher to check for charset. by @ kierans in #253
  • Build: Use GitHub Actions for CI/CD by @ keithamus in #255
  • Update superagent to ^6.1.0 by @ Exotrom in #281
  • ci: correctly template github event in if condition for release by @ austince in #283
  • ci: use correct event_name property by @ austince in #284
  • ci: install node deps before release by @ austince in #285
  • Added auth example with Bearer Token by @ keyuls in #282
  • Update CI release token by @ keithamus in #287
  • feat: drop support for node < 10 by @ austince in #288
  • docs: add badges to the README by @ austince in #286
  • ci: update npm token by @ austince in #289
  • Dependency updates to fix security vulnerabilities by @ Trickfilm400 in #306

  New Contributors

  • @ theodorewahle made their first contribution in #256
  • @ kierans made their first contribution in #253
  • @ Exotrom made their first contribution in #281
  • @ keyuls made their first contribution in #282
  • @ Trickfilm400 made their first contribution in #306

  Full Changelog: 4.3.0...4.4.0

• 4.3.0 - 2019-04-26
  

  This feature release allows you to pass a Regular Expression to the redirectTo function.

  expect(res).to.redirectTo(/^\/search\/results\?orderBy=desc$/);

  Community Contributions

  Code Features & Fixes

  • #243 configures redirectTo to accept regex (by @ mikemfleming)

from chai-http GitHub release notes

Package name: express

• 4.19.2 - 2024-03-25
• 4.19.1 - 2024-03-20
  

  What's Changed

  • Fix ci after location patch by @ wesleytodd in #5552
  • fixed un-edited version in history.md for 4.19.0 by @ wesleytodd in #5556

  Full Changelog: 4.19.0...4.19.1

• 4.19.0 - 2024-03-20
  

  What's Changed

  • fix typo in release date by @ UlisesGascon in #5527
  • docs: nominating @ wesleytodd to be project captian by @ wesleytodd in #5511
  • docs: loosen TC activity rules by @ wesleytodd in #5510
  • Add note on how to update docs for new release by @ crandmck in #5541
  • Prevent open redirect allow list bypass due to encodeurl
  • Release 4.19.0 by @ wesleytodd in #5551

  New Contributors

  • @ crandmck made their first contribution in #5541

  Full Changelog: 4.18.3...4.19.0

• 4.18.3 - 2024-02-29
  

  Main Changes

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2

  Other Changes

  • Use https: protocol instead of deprecated git: protocol by @ vcsjones in #5032
  • build: Node.js@16.18 and Node.js@18.12 by @ abenhamdine in #5034
  • ci: update actions/checkout to v3 by @ armujahid in #5027
  • test: remove unused function arguments in params by @ raksbisht in #5124
  • Remove unused originalIndex from acceptParams by @ raksbisht in #5119
  • Fixed typos by @ raksbisht in #5117
  • examples: remove unused params by @ raksbisht in #5113
  • fix: parameter str is not described in JSDoc by @ raksbisht in #5130
  • fix: typos in History.md by @ raksbisht in #5131
  • build : add Node.js@19.7 by @ abenhamdine in #5028
  • test: remove unused function arguments in params by @ raksbisht in #5137
  • use random port in test so it won't fail on already listening by @ rluvaton in #5162
  • tests: use cb() instead of done() by @ kristof-low in #5233
  • examples: remove multipart example by @ riddlew in #5195
  • Update support Node.js@18 in the CI by @ UlisesGascon in #5490
  • Fix favicon-related bug in cookie-sessions example by @ DmytroKondrashov in #5414
  • Release 4.18.3 by @ UlisesGascon in #5505

  New Contributors

  • @ vcsjones made their first contribution in #5032
  • @ abenhamdine made their first contribution in #5034
  • @ armujahid made their first contribution in #5027
  • @ raksbisht made their first contribution in #5124
  • @ rluvaton made their first contribution in #5162
  • @ kristof-low made their first contribution in #5233
  • @ riddlew made their first contribution in #5195
  • @ DmytroKondrashov made their first contribution in #5414

  Full Changelog: 4.18.2...4.18.3

• 4.18.2 - 2022-10-08
  
  • Fix regression routing a large stack in a single route
  • deps: body-parser@1.20.1
    • deps: qs@6.11.0
    • perf: remove unnecessary object clone
  • deps: qs@6.11.0
• 4.18.1 - 2022-04-29
  
  • Fix hanging on large stack of sync routes
• 4.18.0 - 2022-04-25
  
  • Add "root" option to res.download
  • Allow options without filename in res.download
  • Deprecate string and non-integer arguments to res.status
  • Fix behavior of null/undefined as maxAge in res.cookie
  • Fix handling very large stacks of sync middleware
  • Ignore Object.prototype values in settings through app.set/app.get
  • Invoke default with same arguments as types in res.format
  • Support proper 205 responses using res.send
  • Use http-errors for res.format error
  • deps: body-parser@1.20.0
    • Fix error message for json parse whitespace in strict
    • Fix internal error when inflated body exceeds limit
    • Prevent loss of async hooks context
    • Prevent hanging when request already read
    • deps: depd@2.0.0
    • deps: http-errors@2.0.0
    • deps: on-finished@2.4.1
    • deps: qs@6.10.3
    • deps: raw-body@2.5.1
  • deps: cookie@0.5.0
    • Add priority option
    • Fix expires option to reject invalid dates
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: finalhandler@1.2.0
    • Remove set content headers that break response
    • deps: on-finished@2.4.1
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
    • Prevent loss of async hooks context
  • deps: qs@6.10.3
  • deps: send@0.18.0
    • Fix emitted 416 error missing headers property
    • Limit the headers removed for 304 response
    • deps: depd@2.0.0
    • deps: destroy@1.2.0
    • deps: http-errors@2.0.0
    • deps: on-finished@2.4.1
    • deps: statuses@2.0.1
  • deps: serve-static@1.15.0
    • deps: send@0.18.0
  • deps: statuses@2.0.1
    • Remove code 306
    • Rename 425 Unordered Collection to standard 425 Too Early
• 4.17.3 - 2022-02-17
  
  • deps: accepts@~1.3.8
    • deps: mime-types@~2.1.34
    • deps: negotiator@0.6.3
  • deps: body-parser@1.19.2
    • deps: bytes@3.1.2
    • deps: qs@6.9.7
    • deps: raw-body@2.4.3
  • deps: cookie@0.4.2
  • deps: qs@6.9.7
    • Fix handling of __proto__ keys
  • pref: remove unnecessary regexp for trust proxy
• 4.17.2 - 2021-12-17
  
  • Fix handling of undefined in res.jsonp
  • Fix handling of undefined when "json escape" is enabled
  • Fix incorrect middleware execution with unanchored RegExps
  • Fix res.jsonp(obj, status) deprecation message
  • Fix typo in res.is JSDoc
  • deps: body-parser@1.19.1
    • deps: bytes@3.1.1
    • deps: http-errors@1.8.1
    • deps: qs@6.9.6
    • deps: raw-body@2.4.2
    • deps: safe-buffer@5.2.1
    • deps: type-is@~1.6.18
  • deps: content-disposition@0.5.4
    • deps: safe-buffer@5.2.1
  • deps: cookie@0.4.1
    • Fix maxAge option to reject invalid values
  • deps: proxy-addr@~2.0.7
    • Use req.socket over deprecated req.connection
    • deps: forwarded@0.2.0
    • deps: ipaddr.js@1.9.1
  • deps: qs@6.9.6
  • deps: safe-buffer@5.2.1
  • deps: send@0.17.2
    • deps: http-errors@1.8.1
    • deps: ms@2.1.3
    • pref: ignore empty http tokens
  • deps: serve-static@1.14.2
    • deps: send@0.17.2
  • deps: setprototypeof@1.2.0
• 4.17.1 - 2019-05-26

from express GitHub release notes

Package name: kafkajs

• 1.16.0 - 2022-02-09
  

  [1.16.0] - 2022-02-09

  Added

  • Allow manual heartbeating from inside eachMessage handler #1255
  • Add rebalancing consumer event #1067 #1079
  • Add overload typings for all event types #1202
  • Return configSource in admin.decribeConfigs #1023
  • Add topics property to admin.fetchOffsets to fetch offsets for multiple topics #992