[Snyk] Fix for 11 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MPATH-1577289	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	HTTP Header Injection SNYK-JS-NODEMAILER-1296415	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SANITIZEHTML-2957526	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: ajv

The new version differs by 127 commits.

• 521c3a5 6.12.3
• bd7107b Merge pull request #1229 from ajv-validator/dependabot/npm_and_yarn/mocha-8.0.1
• 9c26bb2 Merge pull request #1234 from ajv-validator/dependabot/npm_and_yarn/eslint-7.3.1
• c6a6daa Merge branch 'master' into dependabot/npm_and_yarn/mocha-8.0.1
• 15eda23 Merge branch 'master' into dependabot/npm_and_yarn/eslint-7.3.1
• d6aabb8 test: remove node 8 from travis test
• c4801ca Merge pull request #1242 from ajv-validator/refactor
• 988982d ignore proto properties
• f2b1e3d whitespace
• 65e3678 Merge pull request #1239 from GrahamLea/patch-1
• 68d72c4 update regex
• 9c009a9 validate numbers in multipleOf
• 332b30d Merge pull request #1241 from ajv-validator/refactor
• 1105fd5 ignore proto properties
• 65b2f7d validate numbers in schemas during schema compilation
• 24d4f8f remove code post-processing
• fd64fb4 Add link to CSP section in Security section
• 0e2c346 Add Contents link to CSP section
• c581ff3 Clarify limitations of ajv-pack in README
• 0006f34 Document pre-compiled schemas for CSP in README
• 140cfa6 Merge pull request #1238 from cvlab/patch-1
• e7f0c81 Fix mistype in README.md
• 54c96b0 Bump eslint from 6.8.0 to 7.3.1
• 854dbef Bump mocha from 7.2.0 to 8.0.1

See the full diff

Package name: axios

The new version differs by 2 commits.

• e367be5 [Releasing] 0.21.3
• 83ae383 Correctly add response interceptors to interceptor chain (#4013)

See the full diff

Package name: connect-mongodb-session

The new version differs by 34 commits.

• 50c8051 Merge branch 'master' of github.com:mongodb-js/connect-mongodb-session
• 069c04f fix: upgrade archetype -> 0.13.x
• e57e560 fix: upgrade archetype -> 0.13.x
• db9716a chore: release 3.1.0
• b2a1e6a Merge pull request Initialize multiple language and start translations mrvautin/expressCart#91 from MrSimonEmms/master
• 3a58f51 Merge pull request Import prestashop products in expressCart mrvautin/expressCart#96 from jaller94/patch-1
• b82e5d2 README.md: Remove unused var numExpectedSources
• 6391515 chore: release 3.0.0 with mongodb@5
• f0dfe92 feat: add `expiresKey` and `expiresAfterSeconds` for azure cosmos support
• 3a27eb1 chore: release 2.4.1
• 4b8d75b fix: upgrade archetype to remove dep on standard-error
• 29a43ea chore: release 2.4.0
• e57b387 fix: upgrade to mongodb@3.6
• d53a6d1 test: fix tests
• c82f4cd docs: add `connectionOptions` and `expires` options to README
• 9cd3ecc chore: release 2.3.3
• 9772e86 feat: support creating MongoDBStore without `new`
• 140270e chore: release 2.3.2
• d9b32d6 Merge pull request handlebars variable missing after call helper mrvautin/expressCart#82 from ThomasCrevoisier/bump-archetype
• 35cf3c0 Bump archetype dependency to 0.11.x
• bd633e7 chore: release 2.3.1
• 49569c8 Merge pull request npm install failing mrvautin/expressCart#77 from alpn/master
• 6a50f54 Move to new Server Discovery and Monitoring engine
• f8a48e2 chore: release 2.3.0

See the full diff

Package name: express

The new version differs by 117 commits.

• 3d7fce5 4.17.3
• f906371 build: update example dependencies
• 6381bc6 deps: qs@6.9.7
• a007863 deps: body-parser@1.19.2
• e98f584 Revert "build: use minimatch@3.0.4 for Node.js < 4"
• a659137 tests: use strict mode
• a39e409 tests: prevent leaking changes to NODE_ENV
• 82de4de examples: fix path traversal in downloads example
• 12310c5 build: use nyc for test coverage
• 884657d examples: remove bitwise syntax for includes check
• 7511d08 build: use minimatch@3.0.4 for Node.js < 4
• 2585f20 tests: fix test missing assertion
• 9d09762 build: supertest@6.2.2
• 43cc56e build: clean up gitignore
• 1c7bbcc build: Node.js@14.19
• 9cbbc8a deps: cookie@0.4.2
• 6fbc269 pref: remove unnecessary regexp for trust proxy
• 2bc734a deps: accepts@~1.3.8
• 89bb531 docs: fix typo in res.download jsdoc
• 744564f tests: add test for multiple ips in "trust proxy"
• da6cb0e tests: add range tests to res.download
• 00ad5be tests: add more tests for app.request & app.response
• 141914e tests: fix tests that did not bubble errors
• bd4fdfe tests: remove global dependency on should

See the full diff

Package name: got

The new version differs by 236 commits.

• 5e17bb7 11.8.5
• bce8ce7 Backport 861ccd9ac2237df762a9e2beed7edd88c60782dc
• 8ced192 Fix build
• 670eb04 11.8.4
• 20f29fe Backport #1543: Initialize globalResponse in case of ignored HTTPError (#2017)
• 0da732f 11.8.3
• 9463bb6 Bump cacheable-request dependency (#1921)
• 0e167b8 HTTPError code set to 'HTTPError' #1711 (#1739)
• f896aa5 11.8.2
• 3bd245f Instantiate CacheableLookup only when needed (#1529)
• a72ed84 11.8.1
• 4c815c3 Do not throw on custom stack traces (#1491)
• e0cb820 11.8.0
• f65c9ef Upgrade dependencies
• 7acd380 Fix for sending files with size `0` on `stat` (#1488)
• 6aa86f2 Fix indentation in the readme
• 3dd2273 `beforeRetry` allows stream body if different from original (#1501)
• b1afa2b Fix readme example comment (#1505)
• 390b145 Set default value for an options object (#1495)
• 87dadd5 Fixed documentation example for `responseType` (#1494)
• 3bf3e3b Add `lookup` option documentation (#1483)
• c31366b Add a test for #1438 (#1469)
• 5d62958 11.7.0
• 88b32ea Fix a regression where body was sent after redirect

See the full diff

Package name: gulp-less

The new version differs by 5 commits.

• 9d9e96f chore: update deps, publish v5
• ea13d8a Merge pull request #313 from MisterLuffy/master
• 7ce4b9b feat: support less v4
• 1a9d694 Merge pull request #314 from stamminator/master
• b1a3e18 Update .travis.yml

See the full diff

Package name: nodemailer

The new version differs by 16 commits.

• 7e02648 v6.6.1
• 1750c0f v6.6.0
• 0636d58 Merge branch 'master' of github.com:nodemailer/nodemailer
• 058d414 v6.6.0
• fcb0d1f test: 💍 aws ses SDK v3 support
• 2ef39e3 test: 💍 aws ses connection verification
• 6107585 fix: 🐛 ses verify, add support for v3 API
• bf57cf5 Fixes resolveContent with streams overriding data
• 91108d7 v6.5.0
• 87d9b25 Pass through textEncoding to subnodes.
• 271f91b Update index.js
• 9b5fb94 v6.4.18
• 625a9ed Update README.md
• 1d24d8b docs: added rudimentary sponsor quote block
• a455716 Added OhMySMTP to services
• 6e045d1 v6.4.17

See the full diff

Package name: sanitize-html

The new version differs by 71 commits.

• b4682c1 Merge pull request #557 from apostrophecms/release-2.7.1
• b6c4971 release 2.7.1 (with security fix previously tested and approved by Miro)
• 6683aad remove DoS vulnerability
• 7c7ccb4 credit
• 994f962 Merge pull request #555 from paweljq/fix_protocol_relative_script_tag
• 3c3f075 Merge pull request #556 from cha147/patch-1
• 8e3b00f fix typos in readme
• 329dae7 Fix protocol relative url in scripts tags #531
• 3cdc262 release 2.7.0 (#534)
• 72989f1 Merge pull request #530 from apostrophecms/zade-credit
• 208cdb4 zade credit
• 7338f8b Merge pull request #529 from zadeviggers/patch-1
• 1971a57 Update defaults in readme
• 43f28f3 Update changelog
• 5fccedb Allow srcset
• be9c90d Add common image attributes
• 379b55b Bumps version (#523)
• da9767f Fixes important stripping (#522)
• d077c9f Merge pull request #521 from alex-rantos/fix-trailing-text
• d905b3b typo on changelog
• 836c5ab add CHANGELOG entry
• c1112fb fix trailing text issue
• d737f39 Bumps version (#520)
• e5027ef Merge pull request #515 from apostrophecms/revert-505-504-whatwg-url

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn