[Snyk] Fix for 37 vulnerabilities
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this Merge Request
- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  - package.json
  - package-lock.json
Vulnerabilities that will be fixed
With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| | 696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908 | No | Proof of Concept |
| | 696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5 | Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749 | Yes | Proof of Concept |
| | 584/1000 Why? Has a fix available, CVSS 7.4 | Authorization Bypass SNYK-JS-EXPRESSJWT-575022 | Yes | No Known Exploit |
| | 589/1000 Why? Has a fix available, CVSS 7.5 | Denial of Service (DoS) SNYK-JS-FILETYPE-2958042 | Yes | No Known Exploit |
| | 636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3 | Directory Traversal SNYK-JS-GRUNT-2635969 | No | Proof of Concept |
| | 646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5 | Race Condition SNYK-JS-GRUNT-2813632 | No | Proof of Concept |
| | 586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905 | No | Proof of Concept |
| | 681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2 | Command Injection SNYK-JS-LODASH-1040724 | No | Proof of Concept |
| | 686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution SNYK-JS-LODASH-450202 | No | Proof of Concept |
| | 731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2 | Prototype Pollution SNYK-JS-LODASH-567746 | No | Proof of Concept |
| | 686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution SNYK-JS-LODASH-608086 | No | Proof of Concept |
| | 686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution SNYK-JS-LODASH-73638 | No | Proof of Concept |
| | 541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4 | Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639 | No | Proof of Concept |
| | 589/1000 Why? Has a fix available, CVSS 7.5 | Directory Traversal SNYK-JS-MOMENT-2440688 | No | No Known Exploit |
| | 646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5 | Validation Bypass SNYK-JS-SANITIZEHTML-1070780 | Yes | Proof of Concept |
| | 539/1000 Why? Has a fix available, CVSS 6.5 | Access Restriction Bypass SNYK-JS-SANITIZEHTML-1070786 | Yes | No Known Exploit |
| | 479/1000 Why? Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-SANITIZEHTML-2957526 | Yes | No Known Exploit |
| | 684/1000 Why? Has a fix available, CVSS 9.4 | Arbitrary Code Execution SNYK-JS-SANITIZEHTML-585892 | Yes | No Known Exploit |
| | 791/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.4 | SQL Injection SNYK-JS-SEQUELIZE-2932027 | Yes | Proof of Concept |
| | 564/1000 Why? Has a fix available, CVSS 7 | SQL Injection SNYK-JS-SEQUELIZE-2959225 | Yes | No Known Exploit |
| | 696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5 | Denial of Service (DoS) SNYK-JS-SQLITE3-2388645 | No | Proof of Concept |
| | 624/1000 Why? Has a fix available, CVSS 8.2 | Arbitrary File Overwrite SNYK-JS-TAR-1536528 | No | No Known Exploit |
| | 624/1000 Why? Has a fix available, CVSS 8.2 | Arbitrary File Overwrite SNYK-JS-TAR-1536531 | No | No Known Exploit |
| | 410/1000 Why? Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758 | No | No Known Exploit |
| | 639/1000 Why? Has a fix available, CVSS 8.5 | Arbitrary File Write SNYK-JS-TAR-1579147 | No | No Known Exploit |
| | 639/1000 Why? Has a fix available, CVSS 8.5 | Arbitrary File Write SNYK-JS-TAR-1579152 | No | No Known Exploit |
| | 639/1000 Why? Has a fix available, CVSS 8.5 | Arbitrary File Write SNYK-JS-TAR-1579155 | No | No Known Exploit |
| | 741/1000 Why? Mature exploit, Has a fix available, CVSS 7.1 | Uninitialized Memory Exposure npm:base64url:20180511 | Yes | Mature |
| | 589/1000 Why? Has a fix available, CVSS 7.5 | Authentication Bypass npm:jsonwebtoken:20150331 | Yes | No Known Exploit |
| | 649/1000 Why? Has a fix available, CVSS 8.7 | Forgeable Public/Private Tokens npm:jws:20160726 | Yes | No Known Exploit |
| | 636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3 | Prototype Pollution npm:lodash:20180130 | No | Proof of Concept |
| | 479/1000 Why? Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) npm:moment:20160126 | No | No Known Exploit |
| | 509/1000 Why? Has a fix available, CVSS 5.9 | Regular Expression Denial of Service (ReDoS) npm:moment:20161019 | No | No Known Exploit |
| | 399/1000 Why? Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS) npm:moment:20170905 | No | No Known Exploit |
| | 429/1000 Why? Has a fix available, CVSS 4.3 | Cross-site Scripting (XSS) npm:sanitize-html:20141024 | No | No Known Exploit |
| | 449/1000 Why? Has a fix available, CVSS 4.7 | Cross-site Scripting (XSS) npm:sanitize-html:20160801 | No | No Known Exploit |
| | 656/1000 Why? Mature exploit, Has a fix available, CVSS 5.4 | Cross-site Scripting (XSS) npm:sanitize-html:20161026 | No | Mature |
(*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: file-type
The new version differs by 123 commits.
- b5fe3b9 16.5.4
- d868356 Fix: Malformed MKV could cause an infinite loop
- 3b08ab1 Upgrade and unlock dependencies
- c011315 Lock strtok3 dependency
- 9102f1c Update dependency to token-types v3, supporting BigInt (#465)
- ac866f9 16.5.1
- 0012c56 Fix `mimeTypes` TypeScript type (#464)
- 92f3f50 Meta tweaks
- 4ea7bff 16.5.0
- 57ecf2d Add support for JPEG XL image format (#455)
- 07101ac Remove ASAR 240 bytes of JSON payload length limitation (#453)
- 3df0ed1 Remove an unnecessary dependency (#458)
- 1e4e8df 16.4.0
- 29618c8 Add support for VCF (and fix ICS detection) (#451)
- 6ab25f3 Add support for XCF (#450)
- 7021d9a Remove moot check for sync word at odd offsets for MPEG detection (#448)
- fd1e72c 16.3.0
- 9319167 Add support for Zstandard compressed file (#439)
- 2cc0869 Add file type descriptions (#433)
- 98e6886 16.2.0
- 9736aa3 Improve PDF / AI (Adobe Illustrator) recognition (#396)
- 7f95cd2 Add support for 3mf (#415)
- 579f8cb 16.1.0
- e43cdc9 Add support for CHM (#424)
Package name: grunt
The new version differs by 21 commits.
- 82d79b8 1.5.3
- 572d79b Merge pull request #1745 from gruntjs/fix-copy-op
- 58016ff Patch up race condition in symlink copying.
- 0749e1d Merge pull request #1746 from JamieSlome/patch-1
- 69b7c50 Create SECURITY.md
- ac667b2 1.5.2
- 7f15fd5 Update Changelog
- b0ec6e1 Merge pull request #1743 from gruntjs/cleanup-link
- 433f91b Clean up link handling
- d5969ec 1.5.1
- ad22608 Merge pull request #1742 from gruntjs/update-symlink-test
- 0652305 Fix symlink test
- a7ab0a8 1.5.0
- b2b2c2b Updated changelog
- 3eda6ae Merge pull request #1740 from gruntjs/update-deps-22-10
- 47d32de Update testing matrix
- 2e9161c More updates
- 04b960e Remove console log
- aad3d45 Update dependencies, tests...
- fdc7056 Merge pull request #1736 from justlep/main
- e35fe54 support .cjs extension
Package name: sequelize
The new version differs by 250 commits.
- 7bb60e3 fix: properly escape multiple `$` in `fn` args (#14678)
- 86d35b1 docs: added nest option inside findAll query (#14683)
- 2f3b924 fix(postgres): use schema set in sequelize config by default (#14665)
- cbdf73e feat: exports types to support typescript >= 4.5 nodenext module (#14620)
- a333862 docs(readme): update README to be more like main (#14626)
- e1a9c28 fix: kill connection on commit/rollback error (#14535)
- b37df96 feat: support cyclic foreign keys (#14499)
- e37c572 fix: accept replacements in `ARRAY[]` & followed by `;` (#14518)
- 6c5f8ec test: disable mysql/mariadb deadlock test (#14514)
- 87655eb build: fix esdoc (#14513)
- ccaa399 fix: do not replace `:replacements` inside of strings (#14472)
- 5954d2c feat(types): make `Model.init` aware of pre-configured foreign keys (#14370)
- 0d0aade fix(types): make `WhereOptions` more accurate (#14368)
- 7e8b707 docs: restore Model api reference & make fail on error (#14323)
- ca0e017 test: disable deadlock test for mariadb 10.5.15 (#14314)
- 62564f7 docs: fix dead link in API reference (#14313)
- cdc8881 build: remove v6 docs from repository (#14234)
- 730af27 docs: document scope whereMergeStrategy option (#14201)
- 8349c02 feat: add whereScopeStrategy to merge where scopes with Op.and (#14152)
- e974e20 feat(types): make `Model.getAttributes` stricter (#14017)
- 2d339d0 fix: fix typo in query-generator.js error message (#14151)
- b80aeed fix(types): update return type of `Model.update` (#14155)
- f5c06bd feat(types): infer nullable creation attributes as optional (#14147)
- af6cbe6 build(deps): move `@types/validator` to prod deps (#14159)
Package name: socket.io
The new version differs by 57 commits.
- 1af3267 chore(release): 3.0.0
- 02951c4 chore(release): 3.0.0-rc4
- 54bf4a4 feat: emit an Error object upon middleware error
- aa7574f feat: serve msgpack bundle
- 64056d6 docs(examples): update TypeScript example
- cacad70 chore(release): 3.0.0-rc3
- d16c035 refactor: rename ERROR to CONNECT_ERROR
- 5c73733 feat: add support for catch-all listeners
- 129c641 feat: make Socket#join() and Socket#leave() synchronous
- 0d74f29 refactor(typings): export Socket class
- 7603da7 feat: remove prod dependency to socket.io-client
- a81b9f3 docs(examples): add example with TypeScript
- 20ea6bd docs(examples): add example with ES modules
- 0ce5b4c chore(release): 3.0.0-rc2
- 8a5db7f refactor: remove duplicate _sockets map
- 2a05042 refactor: add additional typings
- 91cd255 fix: close clients with no namespace
- 58b66f8 refactor: hide internal methods and properties
- 669592d feat: move binary detection back to the parser
- 2d2a31e chore: publish the wrapper.mjs file
- ebb0575 chore(release): 3.0.0-rc1
- c0d171f test: use the reconnect event of the Manager
- 9c7a48d test: use the complete export name
- 4bd5b23 feat: throw upon reserved event names
Package name: sqlite3
The new version differs by 44 commits.
- 573784b v5.0.3
- e5a24fd Deleted `examples/` folder
- b05f459 Added note about GitHub Releases to CHANGELOG.md
- 33d0656 Modernised Usage example in README
- 9d05c55 Fixed up more README nits
- 08d6319 Fixed link to API docs
- 0e2235a Altered wording in README
- 76b6c56 Altered README header
- e3df365 Updated README
- 426930f Enabled CI to run when pushing tags
- a21d41f Fixed uploading binaries to commit artifacts
- bc978c7 Fixed CI step wording
- 7f744a1 Added prebuilt binaries via GitHub Releases
- b4b3c3a Deleted `scripts/` directory
- 71bbdea Pinned dev dependencies (#1558)
- a597383 Updated badges in README
- 0eb4a0f Deleted Travis and Appveyor configs
- b58d341 Downgraded `mocha` and `eslint`
- f39b10d Added missing Node versions to CI
- 8db96d4 Replaced Python extraction script with JS (#1570)
- 11c988c Fixed Windows build architecture in CI
- 8e63848 Updated Windows CI runner to `windows-latest`
- d9e7d8b Fixed building on MacOS Monterey 12.3
- 859b95b Updated `node-gyp` to v8.x
Check the changes in this Merge Request to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
Learn how to fix vulnerabilities with free interactive lessons: