[Snyk] Fix for 29 vulnerabilities

[rasputtintin]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	630/1000 Why? Has a fix available, CVSS 8.1	Internal Property Tampering SNYK-JS-BSON-561052	Yes	No Known Exploit
	630/1000 Why? Has a fix available, CVSS 8.1	Internal Property Tampering SNYK-JS-BSON-6056525	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-HAPIACCEPT-548917	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-HAPIAMMO-548918	Yes	No Known Exploit
	475/1000 Why? Has a fix available, CVSS 5	Prototype Pollution SNYK-JS-HAPIHOEK-548452	Yes	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-HAPISUBTEXT-548912	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-HAPISUBTEXT-548916	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-INI-1048974	Yes	Proof of Concept
	644/1000 Why? Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-Y18N-1021887	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @hapi/hapi

The new version differs by 102 commits.

• d5c665a v20.0.0
• b3f2eb5 remove route timeout assertions (#4123)
• 501a264 update to teamwork@5.x.x (#4130)
• 783aa8a add isInjected property to request object (#4117)
• c31bd6d update to travis templates
• 815c854 update most out of date dependencies
• f46f864 Replace joi with validate
• f7e9193 headers: avoid sending null content-type
• 5c08509 Merge pull request #4132 from lloydbenson/master
• 3f25515 README needs this change to parse the slogan for site
• dc48d06 19.2.0
• 23abbfe Update README.md
• b2aa822 Merge pull request #4101 from dkozma/patch-1
• 5360d6d H3->H4 heading for `server.options.info.remote`
• 8f24209 Merge pull request #4094 from jonathansamines/feature/server-validator-docs
• efc9afe Update API.md
• 05109d7 Merge pull request #4087 from jonathansamines/feature/update-routes-config
• faab7a2 Closes #4079
• 6f3e08d Support node v14
• a8f5688 [server-validator-docs] Update server.validator() documentation to detail child plugins usage
• 07c95da [server-validator-docs] Improve server.validator() documentation to clarify it's usage inside plugins
• fa76016 Merge pull request #4090 from Yahkob/patch-2
• 3c3fc29 Update LICENSE.md
• cb96e07 [update-routes-config] Update API reference to use route.options instead of route.config

See the full diff

Package name: @hapi/inert

The new version differs by 14 commits.

• b3e4e44 6.0.1
• 48e3bd0 Update hapi version. Closes [Snyk] Fix for 2 vulnerabilities #139. Closes [Snyk] Fix for 2 vulnerabilities #140
• 5bc7ca4 Merge pull request [Snyk] Fix for 2 vulnerabilities #138 from mattboutet/master
• ca5b6a3 Update for hapi v19
• ca6eb11 6.0.0
• 08125b4 Node version. Closes [Snyk] Fix for 2 vulnerabilities #137
• 609e416 Merge pull request [Snyk] Fix for 2 vulnerabilities #136 from nwhitmont/master
• 986596c add link to changelog
• 546d56f rm changelog
• 9322023 Merge pull request [Snyk] Fix for 3 vulnerabilities #133 from jarrodyellets/master
• ff278b8 Update README to new template
• f70b849 Merge pull request [Snyk] Fix for 2 vulnerabilities #132 from jarrodyellets/master
• 60bb2e8 Move Readme to API
• e1de8fe Update README.md

See the full diff

Package name: @mojaloop/central-ledger

The new version differs by 213 commits.

• 04e2a8d chore(release): 15.1.3 [skip ci]
• 140ebdf chore: fixed typo
• c8b69b3 chore: updates to readme for header badges [skip ci] (#910)
• f0ac068 chore: add ci to publish npm package (#909)
• a2b1e17 chore(release): 15.1.2 [skip ci]
• 4e3a969 chore: fix audit-resolve
• e77de0a fix(mojaloop/#2810): timeout evts are being prod for transfers with an int-state of ABORTED_ERROR (#907)
• 319a470 chore(release): 15.1.1 [skip ci]
• a146431 fix: set ttk func tests as dependency (#906)
• 35969ef chore(release): 15.1.0 [skip ci]
• 2dd0dae feat: added functonal test pipline to circle-cicd (#905)
• 84c0329 chore(release): 15.0.2 [skip ci]
• b01f079 fix: docker file using ci instead of install (#904)
• 9d68223 chore(release): 15.0.1 [skip ci]
• 83a197c fix: error codes for liquidity and ndc limit check (#901)
• 82b7f05 chore(release): 15.0.0 [skip ci]
• 49b3f06 fix: ci publish issue (#903)
• defff30 feat(mojaloop/#2092): upgrade nodeJS version for core services (#902)
• c283a70 chore(release): 14.0.0 [skip ci]
• 2e33a5a feat: update liquidity check (#899)
• d30c0b1 chore(release): 13.16.3 [skip ci]
• 4b036a4 fix: package.json & package-lock.json to reduce vulnerabilities (#893)
• 519c329 chore(release): 13.16.2 [skip ci]
• df2495b chore: updated populateTestData.sh script (#892)

See the full diff

Package name: @mojaloop/central-services-error-handling

The new version differs by 7 commits.

• 3e636fd Feature/openapi backend changes ([Snyk] Fix for 2 vulnerabilities #140)
• 7242737 Added error handlers to factory for bug 1314 ([Snyk] Fix for 2 vulnerabilities #139)
• b1270b6 #1339: Fixes for 'cause' and '_cause' extension exclusion in error responses ([Snyk] Fix for 2 vulnerabilities #137)
• 143c7a2 [Security] Bump acorn from 7.1.0 to 7.1.1 ([Snyk] Fix for 1 vulnerabilities #124)
• 68dfbe7 Added updated Mojaloop license ([Snyk] Fix for 1 vulnerabilities #118)
• 3321654 updated to latest node lts version 12.16.0 ([Snyk] Fix for 1 vulnerabilities #112)
• 01324f6 Issue893-ValidateIncomingErrorCodesForErrorEnd-pointCallbackRequestsPerMojaloopSpec ([Snyk] Fix for 1 vulnerabilities #96)

See the full diff

Package name: @mojaloop/central-services-shared

The new version differs by 92 commits.

• 14f0b3e feat(2151)!: helm-release-v12.1.0 (Bump npm-check-updates from 4.0.4 to 5.0.0 mojaloop/central-settlement#297)
• a5d9141 chore: fix service type typescript enum (Bump tape from 4.13.2 to 5.0.0 mojaloop/central-settlement#296)
• 5aaf087 fix(#2182)!: regex validations against swagger interface spec no longer working (Release/v9.5.0 mojaloop/central-settlement#295)
• 0e538d8 chore: bump package version (release v9.5.0 mojaloop/central-settlement#294)
• fc4fe7e chore: add 'example' as whitelisted keyword (Bump @mojaloop/central-services-shared from 9.3.0 to 9.5.5 mojaloop/central-settlement#293)
• 6f9496d chore: address vulnerabilities (Bump @mojaloop/central-services-shared from 9.3.0 to 9.5.3 mojaloop/central-settlement#291)
• 6275eb0 chore: add services endpoints (Bump npm-check-updates from 4.0.4 to 4.1.2 mojaloop/central-settlement#290)
• 5860510 feat(#2119): fixes for updated for AJV error objects change (Bump @mojaloop/central-services-shared from 9.3.0 to 9.5.2 mojaloop/central-settlement#289)
• b83a8bd fixed typo (Bump nyc from 15.0.0 to 15.0.1 mojaloop/central-settlement#288)
• aee59ed Feature/#2057 refactoring for cs ([Snyk] Fix for 1 vulnerabilities #3) (Bump npm-check-updates from 4.0.4 to 4.1.0 mojaloop/central-settlement#284)
• 082d373 chore: add PATCH consentRequests endpoint (Bump mustache from 4.0.0 to 4.0.1 mojaloop/central-settlement#279)
• 7702879 chore: add enums to interface (Bump standard from 14.3.1 to 14.3.3 mojaloop/central-settlement#278)
• 5dcbe73 chore: add consent and consent request events and patch action (Bump @hapi/joi from 16.1.8 to 17.1.1 mojaloop/central-settlement#277)
• 9f8713f chore: add accounts callback endpoints (Bump @hapi/boom from 9.0.0 to 9.1.0 mojaloop/central-settlement#275)
• 5e49222 chore: add enums and bump package (Fixed Dockerfile to have the correct run command for the new module s… mojaloop/central-settlement#274)
• f6009d7 chore: 1975 update deps (Bump sinon from 9.0.0 to 9.0.1 mojaloop/central-settlement#273)
• f678b43 [Security] Bump axios from 0.21.0 to 0.21.1 (Bump npm-check-updates from 4.0.2 to 4.0.4 mojaloop/central-settlement#269)
• a8bfb9c Bump urijs from 1.19.2 to 1.19.5 (Settlement v2 mojaloop/central-settlement#270)
• 7b00ed8 [Security] Bump urijs from 1.19.2 to 1.19.5 (Feature/1241 get settlements by params to include currency mojaloop/central-settlement#268)
• 46d88e6 #1885: Fix for "multiple servers per repo" use case (Bump @hapi/hapi and hapi-swagger mojaloop/central-settlement#267)
• cbd0434 Hotfix: Fix dependencies for API documentation (Settlement v2 mojaloop/central-settlement#264)
• 327a51c chore: update license file (Bump tape from 4.13.0 to 4.13.2 mojaloop/central-settlement#265)
• df81389 #1885: Add API documentation utility, plugin, and endpoints (Enhance central-settlement : Return settlement window content for every settlement window when getting settlements by id. mojaloop/central-settlement#263)
• 9c88000 Add FSPIOP headers validation for bulk transfers (Bump npm-check-updates from 4.0.2 to 4.0.3 mojaloop/central-settlement#262)

See the full diff

Package name: @mojaloop/central-services-stream

The new version differs by 11 commits.

• 65913b6 Updated dependencies ([Snyk] Fix for 1 vulnerabilities #106)
• d64d4b2 make audit resolver run on production only by default, bump package to 10.2.0 ([Snyk] Fix for 1 vulnerabilities #100)
• b1c5d75 #1289 Log optimisation ([Snyk] Fix for 1 vulnerabilities #91)
• 398c429 Update version to v9.2.0 ([Snyk] Fix for 1 vulnerabilities #81)
• be4acac Added updated Mojaloop license ([Snyk] Fix for 1 vulnerabilities #78)
• 1c70e43 Added updated Mojaloop license ([Snyk] Fix for 1 vulnerabilities #77)
• 0f2dfc1 updated dependencies and node version to latest LTS version ([Snyk] Fix for 1 vulnerabilities #75)
• 7b2f9f1 reduced log verbosity ([Snyk] Fix for 1 vulnerabilities #59)
• bcd2456 removed unnecessary logger ([Snyk] Fix for 1 vulnerabilities #58)
• 623d5c1 Bug/1114 kafka queue full ([Snyk] Fix for 1 vulnerabilities #57)
• 90bd4b8 Remove unused code and dependencies ([Snyk] Fix for 1 vulnerabilities #56)

See the full diff

Package name: blipp

The new version differs by 3 commits.

• eea0f6c 4.0.2
• f9f94ce Update dependencies (including the Joi package rename) ([Snyk] Fix for 1 vulnerabilities #56)
• 86280cf Bump handlebars from 4.1.0 to 4.5.3 ([Snyk] Fix for 1 vulnerabilities #46)

See the full diff

Package name: hapi-openapi

The new version differs by 3 commits.

• a4dd048 updated changelog and version to new major (breaking changes upgrading hapi)
• d18bbb5 Upgrade dependencies to support hapi 19 ([Snyk] Fix for 2 vulnerabilities #173)
• 429bfbf fix(validation): respect `allowUnknown` route property ([Snyk] Fix for 3 vulnerabilities #169)

See the full diff

Package name: hapi-pagination

The new version differs by 9 commits.

• ade4c6e Option to always include headers, address range-not-satisfiable ([Snyk] Fix for 1 vulnerabilities #87)
• 3e18216 Make hapi v19 a peer rather than a direct dependency ([Snyk] Fix for 1 vulnerabilities #86)
• 6addedd Hapi 19 support ([Snyk] Fix for 1 vulnerabilities #85)
• 449eb04 Update .travis.yml
• e93a55b Bump eslint-utils from 1.4.0 to 1.4.3 ([Snyk] Fix for 1 vulnerabilities #78)
• 58df4ae Bump handlebars from 4.1.2 to 4.7.6 ([Snyk] Fix for 1 vulnerabilities #84)
• f690eac Bump acorn from 6.2.1 to 6.4.1 ([Snyk] Fix for 1 vulnerabilities #82)
• fb1ae3d Optionally allow for a starting page index of 0 instead of 1 ([Snyk] Fix for 1 vulnerabilities #83)
• e055886 fix remove global enabled option from README.md

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Command Injection
🦉 More lessons are available in Snyk Learn