[Snyk] Fix for 9 vulnerabilities

[rasputtintin]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-HAPIACCEPT-548917	Yes	No Known Exploit
	475/1000 Why? Has a fix available, CVSS 5	Prototype Pollution SNYK-JS-HAPIHOEK-548452	Yes	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-HAPISUBTEXT-548912	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-HAPISUBTEXT-548916	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @hapi/hapi

The new version differs by 102 commits.

• d5c665a v20.0.0
• b3f2eb5 remove route timeout assertions (#4123)
• 501a264 update to teamwork@5.x.x (#4130)
• 783aa8a add isInjected property to request object (#4117)
• c31bd6d update to travis templates
• 815c854 update most out of date dependencies
• f46f864 Replace joi with validate
• f7e9193 headers: avoid sending null content-type
• 5c08509 Merge pull request #4132 from lloydbenson/master
• 3f25515 README needs this change to parse the slogan for site
• dc48d06 19.2.0
• 23abbfe Update README.md
• b2aa822 Merge pull request #4101 from dkozma/patch-1
• 5360d6d H3->H4 heading for `server.options.info.remote`
• 8f24209 Merge pull request #4094 from jonathansamines/feature/server-validator-docs
• efc9afe Update API.md
• 05109d7 Merge pull request #4087 from jonathansamines/feature/update-routes-config
• faab7a2 Closes #4079
• 6f3e08d Support node v14
• a8f5688 [server-validator-docs] Update server.validator() documentation to detail child plugins usage
• 07c95da [server-validator-docs] Improve server.validator() documentation to clarify it's usage inside plugins
• fa76016 Merge pull request #4090 from Yahkob/patch-2
• 3c3fc29 Update LICENSE.md
• cb96e07 [update-routes-config] Update API reference to use route.options instead of route.config

See the full diff

Package name: @mojaloop/event-sdk

The new version differs by 25 commits.

• 28ce298 chore(release): 11.0.0 [skip ci]
• 6fa9f74 feat(mojaloop/#2092): upgrade nodeJS version for core services (#67)
• f5d863a chore: add tsconfig option to build declaration file (#64)
• 085a6ae feat(2151): helm release v12.1.0 (fix(mojaloop/#3615): update dependencies mojaloop/event-sidecar#56)
• 4eea6cd feat(2151): helm-release-v12.1.0 (chore(mojaloop/#3533): update dependencies mojaloop/event-sidecar#55)
• 86d4c3d feat(ci/cd): add pr title check (Bump minimist from 1.2.5 to 1.2.6 mojaloop/event-sidecar#47)
• 8eec478 chore: update license file (Bump tar from 6.1.0 to 6.1.11 mojaloop/event-sidecar#45)
• fa0d1ff Bump ini from 1.3.5 to 1.3.7 (Bump ajv from 6.12.0 to 6.12.6 mojaloop/event-sidecar#46)
• 5aef313 Bump highlight.js from 10.1.1 to 10.4.1 (Bump path-parse from 1.0.6 to 1.0.7 mojaloop/event-sidecar#44)
• e6597ac update dependencies to remove vulnerabilities (Bump lodash from 4.17.20 to 4.17.21 mojaloop/event-sidecar#42)
• 45ca858 updated link (Bump normalize-url from 4.5.0 to 4.5.1 mojaloop/event-sidecar#40)
• bd02ba9 Resolve some of the audit issues (Bump glob-parent from 5.1.1 to 5.1.2 mojaloop/event-sidecar#39)
• ea95367 Feature/#1383 doc update (Bump hosted-git-info from 2.8.8 to 2.8.9 mojaloop/event-sidecar#38)
• 726108f Fix/#1263 tracetags refresh (Bump handlebars from 4.7.6 to 4.7.7 mojaloop/event-sidecar#37)
• 678319f Fix/#1263 encode tracestate missing tracestates on new (Bump djv from 2.1.2 to 2.1.4 mojaloop/event-sidecar#36)
• 53735fe Feature/#1263 encode tracestate (Bump y18n from 3.2.1 to 3.2.2 mojaloop/event-sidecar#35)
• 1e3a873 Fix/other tracestate missing 2 (Bump ssri from 8.0.0 to 8.0.1 mojaloop/event-sidecar#34)
• 063e50d Fix/other tracestate missing (fix: refactored dockerfile to follow builder and not use root mojaloop/event-sidecar#33)
• 7f2a082 Release candidate (chore: maintenance- image scan config changes mojaloop/event-sidecar#31)
• 0cc7b60 Added updated Mojaloop license (Bump ini from 1.3.5 to 1.3.7 mojaloop/event-sidecar#29)
• 0f5e7b0 Added updated Mojaloop license (chore: update license file mojaloop/event-sidecar#28)
• 2f7d85c - Upgraded to Node 12.16.0 LTS. (fix(security): 2020 08 mojaloop/event-sidecar#27)
• 656e252 Fix/1167 not returning callback (Bump npm-registry-fetch from 8.0.0 to 8.1.1 mojaloop/event-sidecar#26)
• 936ab7a feature/1104 improve CI/CD ([Snyk] Fix for 17 vulnerabilities #22)

See the full diff

Package name: blipp

The new version differs by 3 commits.

• eea0f6c 4.0.2
• f9f94ce Update dependencies (including the Joi package rename) (fix(mojaloop/#3615): update dependencies mojaloop/event-sidecar#56)
• 86280cf Bump handlebars from 4.1.0 to 4.5.3 (Bump ajv from 6.12.0 to 6.12.6 mojaloop/event-sidecar#46)

See the full diff

Package name: hapi-openapi

The new version differs by 3 commits.

• a4dd048 updated changelog and version to new major (breaking changes upgrading hapi)
• d18bbb5 Upgrade dependencies to support hapi 19 (#173)
• 429bfbf fix(validation): respect `allowUnknown` route property (#169)

See the full diff

Package name: hapi-swagger

The new version differs by 228 commits.

• 002a3fb 14.5.4
• ea26b62 Merge pull request #768 from hapi-swagger/swagger-parser-update
• df315ac Merge pull request #767 from hapi-swagger/fix-examples
• a3d27cb fix: issue #735 no required for arrays in swagger
• c7512f8 fix: yarn.lock without good modules
• 6427bc7 Merge pull request #765 from AndriiNyzhnyk/remove_deprecated_components
• 72ad64b fix: broken example code regression issues
• 19c91af Merge pull request #766 from hapi-swagger/update-repo-urls
• 7b2e92a chore: remove deprecated 'good' module
• 4b544e8 chore: update repo urls to hapi-swagger
• ea35827 update jsDoc
• 73f8838 remove unused variables
• 88c3316 rewrite function 'appendQueryString'
• 22b74c2 14.5.3
• e9839c4 Merge pull request #763 from AndriiNyzhnyk/fix_issue_711
• 9a01c3f Merge pull request #764 from AndriiNyzhnyk/improve_test_coverage
• bc3f65e remove not needed arguments
• f225432 add test for function 'appendQueryString'
• 393a3dc move function 'appendQueryString' to 'Utilities'
• 7358d95 simplify condition
• 2dde132 improve coverage for function 'toJoiObject'
• 3106505 simplify function 'removeTrailingSlash'
• 5c170b1 add test for function 'removeTrailingSlash'
• 84cbf5a add test for function 'getJoiLabel'

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)
🦉 Prototype Pollution
🦉 Command Injection