Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade: async, body-parser, cheerio, exceljs, express, faker, mongoose, multer, multer-s3, nodemailer, public-ip, socket.io, xlsx #43

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

AlbertoCime14
Copy link
Owner

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name Versions Released on

async
from 3.2.0 to 3.2.6 | 6 versions ahead of your current version | 22 days ago
on 2024-08-19
body-parser
from 1.19.0 to 1.20.2 | 5 versions ahead of your current version | 2 years ago
on 2023-02-22
cheerio
from 1.0.0-rc.3 to 1.0.0 | 10 versions ahead of your current version | a month ago
on 2024-08-09
exceljs
from 4.1.1 to 4.4.0 | 4 versions ahead of your current version | a year ago
on 2023-10-19
express
from 4.17.1 to 4.19.2 | 9 versions ahead of your current version | 6 months ago
on 2024-03-25
faker
from 5.1.0 to 5.5.3 | 8 versions ahead of your current version | 3 years ago
on 2021-04-08
mongoose
from 5.10.5 to 5.13.22 | 74 versions ahead of your current version | 8 months ago
on 2024-01-02
multer
from 1.4.2 to 1.4.4 | 3 versions ahead of your current version | 3 years ago
on 2021-12-07
multer-s3
from 2.9.0 to 2.10.0 | 2 versions ahead of your current version | 3 years ago
on 2021-10-17
nodemailer
from 6.4.11 to 6.9.14 | 39 versions ahead of your current version | 3 months ago
on 2024-06-19
public-ip
from 4.0.2 to 4.0.4 | 2 versions ahead of your current version | 3 years ago
on 2021-05-29
socket.io
from 2.3.0 to 2.5.1 | 4 versions ahead of your current version | 3 months ago
on 2024-06-19
xlsx
from 0.16.8 to 0.18.5 | 13 versions ahead of your current version | 2 years ago
on 2022-03-24

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Prototype Pollution
SNYK-JS-ASYNC-2441827
696 Proof of Concept
high severity Server-side Request Forgery (SSRF)
SNYK-JS-IP-6240864
696 Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-WS-7266574
696 Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-XLSX-1311137
696 Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-XLSX-1311139
696 Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-XLSX-1311141
696 Proof of Concept
high severity Uncaught Exception
SNYK-JS-SOCKETIO-7278048
696 No Known Exploit
high severity Remote Memory Exposure
SNYK-JS-DNSPACKET-1293563
696 No Known Exploit
high severity Denial of Service (DoS)
SNYK-JS-SOCKETIOPARSER-1056752
696 Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-ENGINEIO-1056749
696 Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-ENGINEIO-3136336
696 No Known Exploit
high severity Arbitrary Code Injection
SNYK-JS-XMLHTTPREQUESTSSL-1082936
696 Proof of Concept
high severity Access Restriction Bypass
SNYK-JS-XMLHTTPREQUESTSSL-1255647
696 Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-WS-7266574
696 Proof of Concept
high severity Prototype Pollution
SNYK-JS-MQUERY-1050858
696 Proof of Concept
high severity Prototype Pollution
SNYK-JS-MQUERY-1089718
696 Proof of Concept
high severity Command Injection
SNYK-JS-NODEMAILER-1038834
696 Proof of Concept
high severity Code Injection
SNYK-JS-LODASH-1040724
696 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-NTHCHECK-1586032
696 Proof of Concept
high severity Prototype Poisoning
SNYK-JS-QS-3153490
696 Proof of Concept
high severity Prototype Pollution
SNYK-JS-MONGOOSE-2961688
696 Proof of Concept
high severity Prototype Pollution
SNYK-JS-MONGOOSE-5777721
696 Proof of Concept
medium severity Denial of Service (DoS)
SNYK-JS-JSZIP-1251497
696 Proof of Concept
medium severity Arbitrary File Write via Archive Extraction (Zip Slip)
SNYK-JS-JSZIP-3188562
696 No Known Exploit
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905
696 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835
696 Proof of Concept
medium severity Server-Side Request Forgery (SSRF)
SNYK-JS-IP-7148531
696 Proof of Concept
medium severity Insecure Defaults
SNYK-JS-SOCKETIO-1024859
696 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ISSVG-1085627
696 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ISSVG-1243891
696 Proof of Concept
medium severity Open Redirect
SNYK-JS-EXPRESS-6474509
696 No Known Exploit
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835
696 Proof of Concept
medium severity Prototype Pollution
SNYK-JS-MPATH-1577289
696 Proof of Concept
medium severity HTTP Header Injection
SNYK-JS-NODEMAILER-1296415
696 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-NODEMAILER-6219989
696 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MINIMATCH-3050818
696 No Known Exploit
medium severity Information Exposure
SNYK-JS-MONGODB-5871303
696 No Known Exploit
medium severity Prototype Pollution
SNYK-JS-MONGOOSE-1086688
696 Proof of Concept
Release notes
Package name: async from async GitHub release notes
Package name: body-parser
  • 1.20.2 - 2023-02-22
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
      • perf: skip value escaping when unnecessary
    • deps: raw-body@2.5.2
  • 1.20.1 - 2022-10-06
    • deps: qs@6.11.0
    • perf: remove unnecessary object clone
  • 1.20.0 - 2022-04-03
    • Fix error message for json parse whitespace in strict
    • Fix internal error when inflated body exceeds limit
    • Prevent loss of async hooks context
    • Prevent hanging when request already read
    • deps: depd@2.0.0
      • Replace internal eval usage with Function constructor
      • Use instance methods on process to check for listeners
    • deps: http-errors@2.0.0
      • deps: depd@2.0.0
      • deps: statuses@2.0.1
    • deps: on-finished@2.4.1
    • deps: qs@6.10.3
    • deps: raw-body@2.5.1
      • deps: http-errors@2.0.0
  • 1.19.2 - 2022-02-16
    • deps: bytes@3.1.2
    • deps: qs@6.9.7
      • Fix handling of __proto__ keys
    • deps: raw-body@2.4.3
      • deps: bytes@3.1.2
  • 1.19.1 - 2021-12-10
    • deps: bytes@3.1.1
    • deps: http-errors@1.8.1
      • deps: inherits@2.0.4
      • deps: toidentifier@1.0.1
      • deps: setprototypeof@1.2.0
    • deps: qs@6.9.6
    • deps: raw-body@2.4.2
      • deps: bytes@3.1.1
      • deps: http-errors@1.8.1
    • deps: safe-buffer@5.2.1
    • deps: type-is@~1.6.18
  • 1.19.0 - 2019-04-26
    • deps: bytes@3.1.0
      • Add petabyte (pb) support
    • deps: http-errors@1.7.2
      • Set constructor name when possible
      • deps: setprototypeof@1.1.1
      • deps: statuses@'>= 1.5.0 < 2'
    • deps: iconv-lite@0.4.24
      • Added encoding MIK
    • deps: qs@6.7.0
      • Fix parsing array brackets after index
    • deps: raw-body@2.4.0
      • deps: bytes@3.1.0
      • deps: http-errors@1.7.2
      • deps: iconv-lite@0.4.24
    • deps: type-is@~1.6.17
      • deps: mime-types@~2.1.24
      • perf: prevent internal throw on invalid type
from body-parser GitHub release notes
Package name: cheerio
  • 1.0.0 - 2024-08-09

    Cheerio 1.0 is here! 🎉

    Announcement Blog Post

    Breaking Changes

    • The minimum NodeJS version is now 18.17 or higher #3959

    • Import paths were simplified. For example, use cheerio/slim instead of
      cheerio/lib/slim. #3970

    • The deprecated default Cheerio instance and static methods were removed. #3974

      Before, it was possible to write code like this:

      import cheerio, { html } from 'cheerio';

      html(cheerio('<test></test>')); // ~ '<test></test>' -- NO LONGER WORKS

      Make sure to always load documents first:

      import * as cheerio from 'cheerio';

      cheerio.load('<test></test>').html();

    • Node types previously re-exported by Cheerio must now be imported directly
      from (domhandler)(https://github.com/fb55/domhandler). #3969

    • htmlparser2 options now reside exclusively under the xml key (#2916):

      const $ = cheerio.load('<html>', {
        xml: {
          withStartIndices: true,
        },
      });

    New Features

    • Add functions to load buffers, streams & URLs in NodeJS by @ fb55 in #2857
    • Add extract method by @ fb55 in #2750

    Fixes

    Other

    Full Changelog: v1.0.0-rc.12...v1.0.0

  • 1.0.0-rc.12 - 2022-06-26

    Bugfix release. Fixed issues:

    • Align prop undefined handling with jQuery by @ fb55 in #2557
    • Allow deep imports of cheerio/lib/utils by @ blixt in #2601

    New Contributors

    Full Changelog: v1.0.0-rc.11...v1.0.0-rc.12

  • 1.0.0-rc.11 - 2022-05-20

    cheerio@1.0.0-rc.11 is hopefully the last RC before the 1.0.0 release of Cheerio. There are two APIs that will be added for the next major release: An exract method (#2523) and NodeJS specific loader methods (#2051). These are still in flux and I'd appreciate feedback on the proposals.

    A big thank you to everyone that contributed to this release! This includes code contributors, as well as the amazing financial support on GitHub Sponsors!

    Under the hood, a lot of work for this release went into updating parse5, cheerio's default HTML parser. Have a look at parse5's release notes to see what has changed there.

    Breaking

    • Cheerio is now a dual CommonJS and ESM module. That means that deep imports will now fail in newer versions of Node. #2508
    • script and style contents are added again in .text() #2509
      • To keep the old behavior, switch .text() to .prop('innerText')
    • The TypeScript types inherited from upstream dependencies have changed. #2503
      • Node types are now using tagged unions, which will make consumption a bit easier.

    Features

    • Relevant options are now forwarded to cheerio-select #2511
    • For the .prop() method:
      • Add textContent and innerText props #2214
      • Users can now specify a baseURI option, which will lead to href and src props to be resolved as URLs. #2510
    • Added a slim export, which will always use htmlparser2 #1960

    Fixes

    • Have text turn passed values to strings #2047
    • Include undefined in the return type of get by @ glen-84 in #2392
    • Recognise comments as HTML #2504
    • Add missing undefined return value #2505
    • Export missing static methods #2506
    • Have style parsing add malformed fields to previous field #2521

    Refactor

    • Use domutils module directly #1928
    • Hand-roll isHTML #1935
    • Move initialization logic to load #1951
    • Only return elements in closest #2057
    • Remove unnecessary code, be more explicit #2279
    • Use stricter TS, ESLint configs #2507
    • Update exported values #2512

    Development Experience

    Docs

    New Contributors

    Full Changelog: v1.0.0-rc.10...v1.0.0-rc.11

  • 1.0.0-rc.10 - 2021-06-08

    Fixes:

    Documentation:

    Refactors:

    v1.0.0-rc.9...v1.0.0-rc.10

  • 1.0.0-rc.9 - 2021-05-06

    Port to TypeScript

    Cheerio has been ported entirely to TypeScript (in #1816)! This eliminates a lot of edge-cases within Cheerio and will allow you to use Cheerio with confidence. This release also features a new documentation website based on TypeDoc, allowing you to quickly navigate all available methods: https://cheerio.js.org


    Breaking change: If you were using the function exported by Cheerio directly instead of first load()ing a document, you will now have to update the require to use the default export.

    - const cheerio = require("cheerio");
    + const cheerio = require("cheerio").default;

    cheerio('div', dom)

    Please note that this way of using Cheerio is deprecated and might be removed in a future version. Please consider updating your code to:

    const cheerio = require("cheerio");

    const $ = cheerio.load(dom)
    $('div')


    Note: Cheerio uses template literal types to determine return types. These are available starting with TypeScript 4.1, so you might have to bump your TypeScript version.

    For TypeScript types, Cheerio now implements the ArrayLike<T> interface. That means that Cheerio instances can contain objects of arbitrary types, but not all methods can be called on them.

    The TypeScript compiler will figure out what structures you are operating on:

    • When calling a loaded Cheerio instance with an HTML string like $('<div>'), it will product a Cheerio<Node> type.
      • Node is the base class for DOM elements and includes eg. comment and text nodes.
    • When calling Cheerio with a selector like $('.foo'), it will produce a Cheerio<Element>, as only Elements can be part of the result set.
      • Element is the class representing tags.
    • You can still use $('...').map() to map to arbitrary values, and will get a compiler error when trying to call method that are not supported.
      • Eg. $('.foo').map((i, el) => $(el).text()).attr('test') will no longer be possible, as .attr is not allowed to be called on a Cheerio<string>.

    This release does not contain other changes to functionality. Feedback is greatly appreciated; if you encounter a problem, please file an issue!

    v1.0.0-rc.6...v1.0.0-rc.9

  • 1.0.0-rc.8 - 2021-05-06

    Second botched release. Please use v1.0.0-rc.9 instead.

  • 1.0.0-rc.7 - 2021-05-06

    Published without a lib directory — please ignore.

  • 1.0.0-rc.6 - 2021-04-08

    Breaking:

    • Fixed the ordering of the output of several methods, including prevAll, prevUntil and parentsUntil. The new order matches jQuery.

    This release contains three breaking changes inherited from dependencies.

    • Selectors (see css-select@4.0.0):
      • Several pseudo selectors are now stricter, in line with the HTML spec.
      • Some attributes are now case-insensitive based on the HTML spec.
    • DOM:
      • In XML mode, all elements will have type: 'tag'.

    New features:

    Types:

Snyk has created this PR to upgrade:
  - async from 3.2.0 to 3.2.6.
    See this package in npm: https://www.npmjs.com/package/async
  - body-parser from 1.19.0 to 1.20.2.
    See this package in npm: https://www.npmjs.com/package/body-parser
  - cheerio from 1.0.0-rc.3 to 1.0.0.
    See this package in npm: https://www.npmjs.com/package/cheerio
  - exceljs from 4.1.1 to 4.4.0.
    See this package in npm: https://www.npmjs.com/package/exceljs
  - express from 4.17.1 to 4.19.2.
    See this package in npm: https://www.npmjs.com/package/express
  - faker from 5.1.0 to 5.5.3.
    See this package in npm: https://www.npmjs.com/package/faker
  - mongoose from 5.10.5 to 5.13.22.
    See this package in npm: https://www.npmjs.com/package/mongoose
  - multer from 1.4.2 to 1.4.4.
    See this package in npm: https://www.npmjs.com/package/multer
  - multer-s3 from 2.9.0 to 2.10.0.
    See this package in npm: https://www.npmjs.com/package/multer-s3
  - nodemailer from 6.4.11 to 6.9.14.
    See this package in npm: https://www.npmjs.com/package/nodemailer
  - public-ip from 4.0.2 to 4.0.4.
    See this package in npm: https://www.npmjs.com/package/public-ip
  - socket.io from 2.3.0 to 2.5.1.
    See this package in npm: https://www.npmjs.com/package/socket.io
  - xlsx from 0.16.8 to 0.18.5.
    See this package in npm: https://www.npmjs.com/package/xlsx

See this project in Snyk:
https://app.snyk.io/org/mercedes06/project/5bee026b-8b0b-465e-aa92-631d12cc3133?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
2 participants