[Snyk] Fix for 36 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

✨ Snyk has automatically assigned this pull request, set who gets assigned.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-MONGODB-473855	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Information Exposure SNYK-JS-MONGOOSE-472486	No	No Known Exploit
	661/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.8	Arbitrary Code Injection SNYK-JS-MORGAN-72579	Yes	Proof of Concept
	816/1000 Why? Mature exploit, Has a fix available, CVSS 8.6	Uninitialized Memory Exposure npm:base64-url:20180512	Yes	Mature
	641/1000 Why? Mature exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:concat-stream:20160901	Yes	Mature
	579/1000 Why? Has a fix available, CVSS 7.3	Insecure Randomness npm:crypto-browserify:20140722	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:deep-extend:20180409	No	No Known Exploit
	405/1000 Why? CVSS 8.1	Arbitrary Code Execution npm:ejs:20161128	Yes	No Known Exploit
	295/1000 Why? CVSS 5.9	Cross-site Scripting (XSS) npm:ejs:20161130	Yes	No Known Exploit
	295/1000 Why? CVSS 5.9	Denial of Service (DoS) npm:ejs:20161130-1	Yes	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Insecure Defaults npm:engine.io-client:20160426	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:hawk:20160119	No	No Known Exploit
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:node-forge:20180226	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:qs:20140806	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Denial of Service (DoS) npm:qs:20140806-1	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	Yes	No Known Exploit
	469/1000 Why? Has a fix available, CVSS 5.1	Remote Memory Exposure npm:request:20160119	No	No Known Exploit
	634/1000 Why? Has a fix available, CVSS 8.4	Command Injection npm:shell-quote:20160621	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Potential Script Injection npm:syntax-error:20140715	Yes	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	No	Proof of Concept
	629/1000 Why? Has a fix available, CVSS 8.3	Improper minification of non-boolean comparisons npm:uglify-js:20150824	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) npm:validator:20130705-1	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) npm:validator:20130705-2	No	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Remote Memory Exposure npm:ws:20160104	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20160624	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Insecure Randomness npm:ws:20160920	No	No Known Exploit
	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20171108	No	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: apn

The new version differs by 250 commits.

• c1458be Update changelog for 2.1.5
• 7f38a17 Fix issues 571 and 572 by adding .nvmrc and updating .gitignore
• 615d703 Update dependencies
• 51545c7 Fix certificate tests on systems which don’t run in UTC timezone
• ebf1e31 Run tests on Node.js 8
• 5d3d9a6 update node-forge to 0.7.1
• 757f865 Fix documentation for thread-id
• a2d4dee Provider creation fix
• b3fc329 change auth-key file .pem to .p8 in README.md
• a024d3d Sync up README and doc/apn.markdown
• 6749bde Document `apn.Provider.shutdown()` in README
• 2c122a3 add typings for `Notification#aps`
• 5b6cc89 Provider class extends EventEmitter
• f7456df Update changelog for 2.1.4
• adfc778 Update node-http2 fork
• a8422e0 fix typo
• f1d79cc Change endpoint name to match APNs definition
• c915b9a Update APN dev endpoint (#528)
• 5d6bfb4 avoid mutating given payload
• b4c31cb Update changelog for 2.1.3
• 7aab2f0 Update npm dependencies
• 61495d2 Merge pull request #480 from cmdkoh/master
• e0f7a54 Change _pingedThreshold to 2.5 times of headbeat
• 448b621 Update the document. (#509)

See the full diff

Package name: express

The new version differs by 250 commits.

• f974d22 4.16.0
• 8d4ceb6 docs: add more information to installation
• c0136d8 Add express.json and express.urlencoded to parse bodies
• 86f5df0 deps: serve-static@1.13.0
• 4196458 deps: send@0.16.0
• ddeb713 tests: add maxAge option tests for res.sendFile
• 7154014 Add "escape json" setting for res.json and res.jsonp
• 628438d deps: update example dependencies
• a24fd0c Add options to res.download
• 95fb5cc perf: remove dead .charset set in res.jsonp
• 44591fe deps: vary@~1.1.2
• 2df1ad2 Improve error messages when non-function provided as middleware
• 12c3712 Use safe-buffer for improved Buffer API
• fa272ed docs: fix typo in jsdoc comment
• d9d09b8 perf: re-use options object when generating ETags
• 02a9d5f deps: proxy-addr@~2.0.2
• c2f4fb5 deps: finalhandler@1.1.0
• 673d51f deps: utils-merge@1.0.1
• 5cc761c deps: parseurl@~1.3.2
• ad7d96d deps: qs@6.5.1
• e62bb8b deps: etag@~1.8.1
• 70589c3 deps: content-type@~1.0.4
• 9a99c15 deps: accepts@~1.3.4
• 550043c deps: setprototypeof@1.1.0

See the full diff

Package name: express-session

The new version differs by 97 commits.

• 89fd715 1.15.6
• d4344fb build: express@4.15.5
• 6cf886d deps: debug@2.6.9
• d190faa deps: utils-merge@1.0.1
• f24d228 lint: run eslint against README
• 44ee046 docs: remove trailing newline in README
• 68e210d deps: parseurl@~1.3.2
• 8b4f668 lint: add editorconfig and eslint to enforce
• 917b03d docs: add memorystore to the list of session stores
• 65781dd build: Node.js@8.4
• 71c9d7c build: express@4.15.4
• 11b3e97 deps: uid-safe@~2.1.5
• 0e97d6f docs: fix formatting in history
• d63a3e9 1.15.5
• c226301 Fix TypeError when req.url is an empty string
• 62c4d15 tests: add test for mounted middleware
• 8518200 tests: move the cookie path tests
• 2b08370 docs: improve code readability
• 310d288 deps: depd@~1.1.1
• fc60bb6 build: Node.js@8.2
• 521e6bd tests: add leak checking for variables and handles
• 7b26d57 1.15.4
• fc9d474 build: Node.js@8.1
• d367b33 build: Node.js@6.11

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• 87f691e chore: release 5.4.10
• 09dd3cf docs(jest): improve docs about fake timers
• e778e0b chore: upgrade to mongodb driver 3.1.13
• 42aa401 refactor: be slightly more defensive about setting document arrays
• e5948b8 fix(document): copy atomics when setting document array to an existing document array
• a4e33dd test(document): repro #7472
• 704a5a4 docs: remove confusing references to executing a query immediately
• bc95a22 docs(guides+schematypes): link to custom schematypes docs
• ad71535 style: fix lint
• bc5d96a Merge branch 'gh6706'
• ab208b1 docs: hook up navbar search
• 3fc3e2b docs: add basic search page re: #6706
• a7ccba7 chore: add domainwheel.com as a sponsor
• 91755fa Merge branch 'master' into gh6706
• 3150958 docs(api): dont display type if method or function
• bfb3a9a style: fix lint
• 899ccdd Merge pull request #7478 from chrischen/master
• ef2ab11 chore(Makefile): remove unused rule
• bb1e8b4 chore: now working on 5.4.10
• 6032685 Added dot sytnax support for alias queries.
• 316936f chore: release 5.4.9
• 1bfdafd Merge pull request #7474 from arniu/fix-doc
• f67e30c docs: add Marcus Hiles and monovm as sponsors
• f08a4bd docs(documents): improve explanation of documents and use more modern syntax

See the full diff

Package name: socket.io

The new version differs by 46 commits.

• a10dc8d [chore] Release 2.0.2
• 2b21690 [fix] Fix timing issues with middleware (#2948)
• 832b8fc [chore] Release 2.0.1
• a005690 [fix] Update path of client file (#2934)
• 3367eaa [chore] Release 2.0.0
• 6c0705f [docs] Add an example of custom parser (#2929)
• 1980fb4 [chore] Merge history of 1.7.x and 0.9.x branches (#2930)
• 0d07c47 [chore] Added backers and sponsors on the README (#2933)
• a086588 [chore] Bump dependencies (#2926)
• 87b06ad [feat] Move binary detection to the parser (#2923)
• 199eec6 [docs] Replace non-breaking space with proper whitespace (#2913)
• f1b39a6 [docs] Update emit cheatsheet (#2906)
• 240b154 [docs] Explicitly document that Server extends EventEmitter (#2874)
• c5b7738 [docs] Add server.engine.generateId attribute (#2880)
• 03f3bc9 [docs] Fix wrong space character in README (#2900)
• e40accf [docs] Fix documentation for 'connect' event (#2898)
• 01a4623 [feat] Allow to join several rooms at once (#2879)
• 2d5b002 [docs] Add webpack build example (#2828)
• 5ae06e6 [chore] Bump socket.io-adapter to version 1.0.0 (#2867)
• 4d8f68c [chore] Bump engine.io to version 2.0.2 (#2864)
• 5b79ab1 [docs] Update the wording to match the code example (#2853)
• 54ff591 [feature] Merge Engine.IO and Socket.IO handshake packets (#2833)
• e1facd5 [docs] Small addition to the Express Readme Part (#2846)
• 3b92cc2 [feature] Allow the use of custom parsers (#2829)

See the full diff

Package name: socket.io-client

The new version differs by 250 commits.

• 18d8f2b [chore] Release 1.7.4
• 3420770 [chore] Bump engine.io-client to version 1.8.4
• 70f8888 [chore] Release 1.7.3
• c70d98e [chore] bump engine.io-client to version 1.8.3
• 177a65f [chore] Release 1.7.2 (#1045)
• 766cef4 [chore] Bump engine.io-client to version 1.8.2 (#1044)
• 9dec44a [chore] Speed up lint by avoiding '**/*.js' matching pattern (#1043)
• 8f18970 [chore] Release 1.7.1 (#1037)
• d47bbd8 [fix] Fix json import in slim build (#1036)
• 1aa91eb [docs] Add saucelabs browser matrix in README (#1035)
• 5ecf06a [chore] Release 1.7.0 (#1033)
• 3d20b0f [chore] Bump engine.io-client to 1.8.1 (#1032)
• c1dd34c [chore] Provide a slim build without JSON3 and debug (#1030)
• 3ba3fe3 [chore] Move generated files to `dist` folder (#1025)
• fa14f91 [chore] Release 1.6.0 (#1027)
• ed63f96 [chore] Bump dependencies (#1026)
• 1f55bf2 [feature] Support minified `socket.io.min.js` (#1021)
• 4d1c20d [feature] emit sourcemap for socket.io.js (#953)
• 3df7e09 [chore] Release 1.5.1 (#1016)
• 838c9c2 [chore] Bump engine.io-client to 1.7.2 and socket.io-parser to 2.3.1 (#1015)
• c2fb41c [chore] Add Github issue and PR templates (#1013)
• 298034f [chore] Update zuul browser settings (#1011)
• cbc3d67 [chore] Bump engine.io-client to 1.7.1 (#1010)
• d9e4931 [chore] Bump socket.io-parser to 2.3.0 (#1009)

See the full diff

Package name: socket.io-redis

The new version differs by 68 commits.

• f978d24 [chore] Release 5.1.0
• dfe1401 [chore] Bump dependencies ([Bug] Openhab-Cloud Docker-Container throws error after Login openhab/openhab-cloud#227)
• b3ad4ad [feat] Add support for ArrayBuffer ([Enhancement] Too many open ports openhab/openhab-cloud#226)
• 4f08b1a [fix] Use the requestid from response when deleting requests (Google home - Brazilian portuguese openhab/openhab-cloud#225)
• c743d61 [chore] Release 5.0.1
• 8dd84c7 [fix] Fix broken protocol in 5.0.0 (504 Gateway Time-out openhab/openhab-cloud#221)
• 5f475fb [chore] Release 5.0.0
• f42e26d [perf] Use notepack instead of msgpack-lite (Rollershutter not listed in IFTTT and in https://myopenhab.org/items openhab/openhab-cloud#218)
• 05f926e [perf] Use pattern matching at the namespace level (Fixes #184 openhab/openhab-cloud#217)
• d3d000b [chore] Release 4.0.1
• a33499d [docs] Add link to Go implementation of socket.io-emitter (Timeout when openhab-cloud is used for notifications only openhab/openhab-cloud#199)
• bceab01 [fix] Fix duplicate identifier declaration (Escape username to use inside RegExp openhab/openhab-cloud#213)
• 2354068 [chore] Release 4.0.0 (logon problems openhab/openhab-cloud#202)
• 7ae896a [fix] Fix remoteJoin/remoteLeave methods (Notifications from other openhab instances openhab/openhab-cloud#201)
• 1dc1a9b [docs] Update code examples in the Readme (Initial contribution of Kubernetes and OpenShift deployment for openHAB-cloud openhab/openhab-cloud#194)
• 38b8a2b [docs] Update History.md regarding the `return_buffers` option (Update dependencies and remove unused ones openhab/openhab-cloud#189)
• 01028d0 [feature] Make customHook async (Add MAINTAINERS file openhab/openhab-cloud#181)
• 2e0ca4e [chore] Release 3.1.0 (IFTTT integration: Listen to all item events if no itemStatus is defined within the trigger openhab/openhab-cloud#180)
• 8876d54 [docs] Document remoteDisconnect method (Show QR code with url, username and password openhab/openhab-cloud#179)
• 11ab62b [feature] Implement remoteDisconnect method (Basic authentication? openhab/openhab-cloud#177)
• df7cc77 [fix] Subscribe only once per room (Add severity, icon and timestamp to notifications. openhab/openhab-cloud#175)
• a1861cb [test] Fix 'Connection is closed' errors when cleaning up tests (FR: Allow deleting/hiding seen notifications openhab/openhab-cloud#178)
• 598583c [test] Use quit() instead of end() to close Redis connection (Updated docker-compose and dockerization of openHAB-cloud openhab/openhab-cloud#176)
• ddd6906 [chore] Release 3.0.0 (Post fix for JSON data, Fixes #142 openhab/openhab-cloud#170)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

👩‍💻 Set who automatically gets assigned

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic