[Snyk] Fix for 4 vulnerabilities

[timsnyk]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	107/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Local, EPSS: 0.0044, Social Trends: No, Days since published: 1442, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: Low, Provider Urgency: High, Package Popularity Score: 98, Impact: 4.89, Likelihood: 2.17, Score Version: V5	DLL Injection SNYK-JS-KERBEROS-568900	No	Proof of Concept
	125/1000 Why? Confidentiality impact: None, Integrity impact: Low, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01036, Social Trends: No, Days since published: 1456, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: Low, Provider Urgency: High, Package Popularity Score: 99, Impact: 3.51, Likelihood: 3.55, Score Version: V5	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	211/1000 Why? Confidentiality impact: High, Integrity impact: Low, Availability impact: High, Scope: Unchanged, Exploit Maturity: Functional, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00301, Social Trends: No, Days since published: 1367, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: Low, Provider Urgency: High, Package Popularity Score: 99, Impact: 4.54, Likelihood: 4.64, Score Version: V5	Prototype Pollution SNYK-JS-TYPEORM-590152	No	Mature
	95/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00087, Social Trends: No, Days since published: 2925, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: Low, Provider Urgency: High, Package Popularity Score: 99, Impact: 4.89, Likelihood: 1.93, Score Version: V5	Cross-site Scripting (XSS) npm:marked:20150520	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: marked

The new version differs by 5 commits.

• eddec20 v0.3.6
• fd0d1a2 Merge pull request [Snyk] Fix for 3 vulnerable dependencies snyk-labs/nodejs-goof#592 from matt-/xss_html_entities
• 0fa05b6 Merge pull request [Snyk] Upgrade body-parser from 1.9.0 to 1.19.0 #1 from rsp/fix/xss_html_entities_semicolon
• 31c7799 add optional semicolon in html entities regex
• 2cff859 added explicit matching for HTML entities to prevent XSS

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• 66d559b chore: release 4.7.7
• 0504ec6 fix(populate): handle nested virtuals in virtual populate
• b412210 test(populate): repro #4581
• 4efecd5 fix(utils): don't crash if to[key] is null
• 066f128 chore: upgrade mongodb -> 2.2.21
• 370ac04 chore: upgrade bson dep to match mongodb-core
• dd8003b fix: add a toBSON to documents for easier querying
• ab680e4 test: repro #4866
• 075213f chore: upgrade mongodb -> 2.2.20
• e4fb16c chore: actually bump to 2.2.19
• f47260b chore: upgrade mongodb -> 2.2.18
• 344a2b7 chore: remove vestigial log
• 625e5cd Merge branch 'master' of github.com:Automattic/mongoose
• 2c020d1 chore: improve spelling re: #4858
• f921d15 Merge pull request #4854 from davidwu226/master
• 32208ba chore: now working on 4.7.7
• faf2c6a chore: release 4.7.6
• 5a1129a Fix warning from Bluebird:
• 175ad20 fix(query): don't call error handler if passRawResult is true and no error occurred
• d1492ce test(query): repro #4836
• 22552c5 docs(populate): remove implicit Model.populate() example
• 62c8b08 fix(populate): use base model name if no discriminator for backwards compat
• f0aa82d test(populate): repro #4843
• 8f39e1b fix: handle refs correctly even if using browser driver

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	125/1000 Why? Confidentiality impact: None, Integrity impact: Low, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01036, Social Trends: No, Days since published: 1456, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: Low, Provider Urgency: High, Package Popularity Score: 99, Impact: 3.51, Likelihood: 3.55, Score Version: V5	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Cross-site Scripting (XSS)