[Snyk] Upgrade: dotenv, farmhash, fs-extra, fuse.js, js2xmlparser, rate-limiter-flexible, request-ip, svcorelib, url-parse, xss #39

Status: Open. Wants to merge 1 commit into base branch master.
Conversation

usernamerandom11 (Owner)

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name | Versions | Released on
dotenv | from 8.2.0 to 8.6.0 (5 versions ahead of your current version) | 2021-05-05 (3 years ago)
farmhash | from 3.1.0 to 3.3.1 (6 versions ahead of your current version) | 2024-04-17 (5 months ago)
fs-extra | from 9.0.1 to 9.1.0 (1 version ahead of your current version) | 2021-01-19 (4 years ago)
fuse.js | from 6.4.1 to 6.6.2 (12 versions ahead of your current version) | 2022-05-11 (2 years ago)
js2xmlparser | from 4.0.1 to 4.0.2 (1 version ahead of your current version) | 2021-10-31 (3 years ago)
rate-limiter-flexible | from 2.2.1 to 2.4.2 (19 versions ahead of your current version) | 2023-07-27 (a year ago)
request-ip | from 2.1.3 to 2.2.0 (1 version ahead of your current version) | 2022-06-01 (2 years ago)
svcorelib | from 1.11.1 to 1.18.2 (12 versions ahead of your current version) | 2023-02-20 (2 years ago)
url-parse | from 1.4.7 to 1.5.10 (11 versions ahead of your current version) | 2022-02-22 (3 years ago)
xss | from 1.0.8 to 1.0.15 (7 versions ahead of your current version) | 2024-03-03 (7 months ago)

Issues fixed by the recommended upgrade:

Issue | Severity | Score | Exploit Maturity
Regular Expression Denial of Service (ReDoS), SNYK-JS-ANSIREGEX-1583908 | high | 696 | Proof of Concept
Improper Input Validation, SNYK-JS-URLPARSE-2407770 | high | 696 | Proof of Concept
Regular Expression Denial of Service (ReDoS), SNYK-JS-XSS-1584355 | high | 696 | No Known Exploit
Regular Expression Denial of Service (ReDoS), SNYK-JS-ANSIREGEX-1583908 | high | 696 | Proof of Concept
Information Exposure, SNYK-JS-SIMPLEGET-2361683 | high | 696 | Proof of Concept
Authorization Bypass, SNYK-JS-URLPARSE-2407759 | medium | 696 | Proof of Concept
Authorization Bypass Through User-Controlled Key, SNYK-JS-URLPARSE-2412697 | medium | 696 | Proof of Concept
Regular Expression Denial of Service (ReDoS), SNYK-JS-MINIMATCH-3050818 | medium | 696 | No Known Exploit
Improper Input Validation, SNYK-JS-URLPARSE-1078283 | medium | 696 | No Known Exploit
Open Redirect, SNYK-JS-URLPARSE-1533425 | medium | 696 | Proof of Concept
Access Restriction Bypass, SNYK-JS-URLPARSE-2401205 | medium | 696 | Proof of Concept
Release notes
Package name: dotenv from dotenv GitHub release notes
Package name: farmhash from farmhash GitHub release notes
Package name: fs-extra from fs-extra GitHub release notes
Package name: fuse.js
  • 6.6.2 - 2022-05-11

    Bug Fixes

    • value fetched at the end must be a string (1de1dff), closes #661
  • 6.6.1 - 2022-05-06

    Bug Fixes

    • typescript: Change fieldNormWeight to be optional, fixes [#658]
    • typescript: type definition for FuseOptionKeyObject, fixes [#655] and [#656]
  • 6.6.0 - 2022-05-03

    Features

    • allow passing getFn for a specific key (1d445b9), closes #627

    Bug Fixes

    • excessive splitting in parseQuery (2c78022)
    • type mismatch on toJSON (f5425ea)
  • 6.5.3 - 2021-12-23

    Bug Fixes

    • logical: scoring for logical OR (6f6af51), closes #593
  • 6.5.2 - 2021-12-23

    Purely created this version as minification failed in the prior one.

  • 6.5.1 - 2021-12-23

    Bug Fixes

    • rollback min node version (9918f67)
  • 6.5.0 - 2021-12-22

    chore(release): 6.5.0

  • 6.4.6 - 2021-01-05

    Bug Fixes

    • typescript: fix search typings (94766b2), closes #527
  • 6.4.5 - 2021-01-01

    Bug Fixes

    • typescript: export FuseIndex type (2e60bee), closes #519
  • 6.4.4 - 2020-12-29

    Bug Fixes

    • extended: correctly score include-match results (443c863), closes #522
  • 6.4.3 - 2020-10-30
  • 6.4.2 - 2020-10-20
  • 6.4.1 - 2020-07-26
from fuse.js GitHub release notes
Package name: js2xmlparser
  • 4.0.2 - 2021-10-31
    • Update dependencies
    • Export options interfaces in main module
    • Update example to include root attribute
  • 4.0.1 - 2020-02-02
    • Update dependencies
    • Use ESLint instead of TSLint
    • Use npm instead of gulp
from js2xmlparser GitHub release notes
Package name: rate-limiter-flexible
  • 2.4.2 - 2023-07-27
  • 2.4.1 - 2022-10-24

    Thank you @ dmozgovoi for the quick improvement.

  • 2.4.0 - 2022-10-21

    In some cases especially with insuranceLimiter set it is important to reject requests quickly based on Redis client status being not ready. Thanks @ dmozgovoi

  • 2.3.12 - 2022-10-13

    Thank you @ svsool

  • 2.3.11 - 2022-09-25
    • RateLimiterQueue getTokensRemaining with RateLimiterPostgres fixed. #125
    • clear timeout on key delete from memory storage. #146 Thank you @ jiddmeye
    • clearExpiredByTimeout is added to TS types for MySQL and Postgres limiters. #156
    • fix negative remaining points in memory limiter. #172 Thank you @ MiniKraken-Team
    • added browser package.json settings to allow bundling. 6ce34b3 Thank you @ achingbrain
    • use nodejs.util.inspect.custom for Symbol flexibility. 2c8bedb Thank you @ shlavik
    • inmemoryBlockOnConsumed and inmemoryBlockDuration options are renamed to inMemoryBlockOnConsumed and inMemoryBlockDuration. Old options are still supported, but deprecated and will be removed in v3 major release. #106
  • 2.3.10 - 2022-09-12
  • 2.3.9 - 2022-09-06
  • 2.3.8 - 2022-07-29
  • 2.3.7 - 2022-05-01
  • 2.3.6 - 2021-12-01
  • 2.3.5 - 2021-11-21
  • 2.3.4 - 2021-11-09
    • MongoDB version detection is fixed for mongoose client. Thank you @ adrianvlupu
    • MongoDB version detection is fixed for 3.6.7+. Thank you @ pavittarx
    • Internal fix of get method. It incorrectly processed undefined result from a store. Thank you @ animir
    • .editorconfig added. Thank you @ vinibeloni
    • TypeScript type for RateLimiterQueueError added. Thank you @ adilhafeez
    • TypeScript type for deleteInMemoryBlockedAll method is added. Thank you @ animir
  • 2.3.3 - 2021-11-01
  • 2.3.2 - 2021-10-26
  • 2.3.1 - 2021-10-02
  • 2.3.0 - 2021-09-28
    • replace replaceOne with findOneAndUpdate to fix a bug related to absent ops attribute in MongoDB client v4+. Thank you @ vdiez
    • delete method on any store limiter deletes inMemoryBlocked key if it is there. Thank you @ evan361425
    • new deleteInMemoryBlockedAll method added to clean up all blocked keys at once. Thank you @ evan361425 again :-)
    • @ evan361425 also added tests to cover new lines 🥇
  • 2.2.4 - 2021-07-24
  • 2.2.3 - 2021-07-10
    • Missing get/set Typescript types added and documentation improved. Thanks @ rijkvanzanten
    • mongodb client v4 support. Thank you @ backflip
  • 2.2.2 - 2021-05-04
  • 2.2.1 - 2021-01-10
    • TypeORM Support for RateLimitPostgres, thank you @ seromenho
    • Readme links fixed, thanks @ mriedem
    • RateLimiterQueue TS types fixed
    • Fix postgres consumed points increment on block, issue #95
from rate-limiter-flexible GitHub release notes
Package name: request-ip from request-ip GitHub release notes
Package name: svcorelib
  • 1.18.2 - 2023-02-20

    Fixes:

    • Made system.inDebugger() no longer dependent on V8's inspector module which errored in environments like pkg
    • Corrected wrong color code for colors.fat
    • Fixed docs in a few places
  • 1.18.1 - 2022-10-11

    Fixes:

    • Fix some TS typings
  • 1.18.0 - 2022-10-11
    • Additions
      • splitIntoParts() function to split an array into n parts
      • splitIntoPartsOfLength() function to split an array into parts of n length
    • Fixes
      • Reverted dynamic imports issue #51
      • Support Error options issue #52
  • 1.17.0 - 2022-08-13
    • Additions
      • Added function allInstanceOf() to check if all items in an array are an instance of a class
      • Added function isClass() to check if a value is a reference to a class
      • Added function randomItemIndex() to get a random item and its index from an array
      • Added function takeRandomItem() to delete a random item from an array and return it
      • colors
        • Added colors.fgb and colors.bgb for bright colors
        • Added dim, underscore, reverse and hidden
    • Breaking changes
      • Changed state fulfilled to resolved in StatePromise
      • colors
        • Removed brightness modifier from colors.fg and colors.bg
        • Renamed colors.fat to colors.bright
    • Fixes
      • Added missing documentation for allOfType()
      • Fixed docs in various places
  • 1.16.0 - 2022-06-29
    • Additions
      • Added clamp() to ensure a number is between a min and max limit
    • Fixes
      • randRange() now doesn't depend on the performance module anymore
      • Updated deps
  • 1.15.0 - 2022-06-15
    • Breaking changes
      • Shortened namespace names:
        • generateUUID -> uuid
        • filesystem -> files
      • Renamed functions:
        • seededRNG.generateRandomSeed() -> seededRNG.randomSeed()
        • seededRNG.generateRandomNumbers() -> seededRNG.generateNumbers()
        • pause() -> system.pause()
    • Additions
      • Added function halves() to get the two halves of an array
      • Added function parseDuration() to parse out time units from a passed duration in milliseconds
      • Added function formatDuration() to convert a duration in milliseconds to a string with custom format
      • Added function files.existsSync() as a synchronous counterpart to files.exists()
      • SelectionMenu now supports EventEmitter's .on("submit") method
    • Fixes
      • reserialize() now keeps the type of the passed object (#38)
      • seededRNG.validateSeed() now returns false when a seed starts with 0 (#34)
      • Fixed missing argument in system.inDebugger() (#37)
      • Updated dependencies
  • 1.14.2 - 2021-08-08
    • Fixes
      • Fixed .d.ts type declarations (#27)
      • Fixed system.inDebugger() not detecting debugger (#30)
      • Set mysql as a peer dependency (#29)
      • Improved documentation a little bit
    • Internal stuff
      • Added CodeQL analysis workflow
  • 1.14.1 - 2021-06-07

    Fixed bug where filesystem.exists() wasn't exported (see #25)

  • 1.14.0 - 2021-05-11
    • Additions
      • Added class StatePromise that keeps track of the state of a promise
      • Added single-parameter overload to randRange()
      • Added string array overload to generateUUID.custom(), deprecated older overload
      • softShutdown() now accepts a Promise for async code execution before shutdown
    • Changes
      • Moved repository to @ Sv443-Network
      • Improved type declaration file (.d.ts) by a lot
    • Security
      • Audited dependencies
  • 1.13.1 - 2021-03-30
  • 1.13.0 - 2021-03-17

    Migration warnings:

    • You will need to modify all occurrences of FolderDaemon with the new syntax shown in the docs
    • The namespace of a few functions has changed (see changes)



    Added functions:

    • filesystem.exists() to provide a reimplementation to fs' deprecated exists() function (#14)
    • filesystem.ensureDirs() to ensure a set of directories exists (#18)
    • filesystem.ensureDirsSync() as a synchronous counterpart to ensureDirs() (#18)
    • system.usedHeap() to get the current heap usage in percent (#19)

    Changes:

    • Replaced FolderDaemon's configuration parameters with a single settings object (#13)
    • Added base class SCLError to all errors to implement the date property (#17)
    • Moved a few functions to the new system namespace:
      • noShutdown() - moved to system
      • yesShutdown() - moved to system
      • softShutdown() - moved to system
      • inDebugger() - moved to system
      • setWindowTitle() - moved to system

    Fixed bugs:

    • isEmpty() with value null threw a TypeError (#15)
    • Package mysql isn't included in the dependencies (#21)
    • Definition of system.softShutdown()'s callback function was wrong (#20)
  • 1.12.0 - 2021-01-26
  • 1.11.1 - 2020-08-31
from svcorelib GitHub release notes
Package name: url-parse from url-parse GitHub release notes
Package name: xss from xss GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

Snyk has created this PR to upgrade:
  - dotenv from 8.2.0 to 8.6.0.
    See this package in npm: https://www.npmjs.com/package/dotenv
  - farmhash from 3.1.0 to 3.3.1.
    See this package in npm: https://www.npmjs.com/package/farmhash
  - fs-extra from 9.0.1 to 9.1.0.
    See this package in npm: https://www.npmjs.com/package/fs-extra
  - fuse.js from 6.4.1 to 6.6.2.
    See this package in npm: https://www.npmjs.com/package/fuse.js
  - js2xmlparser from 4.0.1 to 4.0.2.
    See this package in npm: https://www.npmjs.com/package/js2xmlparser
  - rate-limiter-flexible from 2.2.1 to 2.4.2.
    See this package in npm: https://www.npmjs.com/package/rate-limiter-flexible
  - request-ip from 2.1.3 to 2.2.0.
    See this package in npm: https://www.npmjs.com/package/request-ip
  - svcorelib from 1.11.1 to 1.18.2.
    See this package in npm: https://www.npmjs.com/package/svcorelib
  - url-parse from 1.4.7 to 1.5.10.
    See this package in npm: https://www.npmjs.com/package/url-parse
  - xss from 1.0.8 to 1.0.15.
    See this package in npm: https://www.npmjs.com/package/xss

See this project in Snyk:
https://app.snyk.io/org/mail-in4/project/98814f29-04d4-4b2c-ae9b-87ecf84a61a2?utm_source=github&utm_medium=referral&page=upgrade-pr
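Merging an upgrade PR like this one only moves the direct dependency ranges; whether the fixed versions actually land in the tree is decided by the lockfile, and a second copy of a package can stay pinned at the old version under another dependency's node_modules. The script below is an added example, not code from the Snyk PR or from this repository: it takes the ten direct upgrades listed in the PR body as targets and checks a lockfileVersion 2/3 package-lock.json for every resolved copy of each one. The lockfile it runs against is constructed for the demo (the dependency "some-lib" is hypothetical), and the version comparison assumes plain x.y.z versions with no prerelease suffix, which is true of every target on this page.

```javascript
// Added example, not code from the Snyk PR or from this repository.
// After merging a dependency-upgrade PR, confirm that package-lock.json
// really resolves each upgraded package to at least the target version,
// including nested copies that another dependency pins under its own
// node_modules. The lockfile below is constructed for the demo.

// Direct upgrades listed in the PR body (package -> target version).
const TARGETS = {
  "dotenv": "8.6.0",
  "farmhash": "3.3.1",
  "fs-extra": "9.1.0",
  "fuse.js": "6.6.2",
  "js2xmlparser": "4.0.2",
  "rate-limiter-flexible": "2.4.2",
  "request-ip": "2.2.0",
  "svcorelib": "1.18.2",
  "url-parse": "1.5.10",
  "xss": "1.0.15",
};

// Compare two plain x.y.z versions; returns -1, 0 or 1.
// Assumption: no prerelease/build suffixes (true for every target above).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the lockfileVersion 2/3 "packages" map. Keys are install paths such as
// "node_modules/url-parse" or "node_modules/foo/node_modules/url-parse";
// the last path segment (with an optional @scope/) is the package name.
function resolvedCopies(lock) {
  const copies = {};
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const m = path.match(/node_modules\/((?:@[^/]+\/)?[^/]+)$/);
    if (!m || !meta || !meta.version) continue;
    const name = m[1];
    if (!copies[name]) copies[name] = [];
    copies[name].push({ path, version: meta.version });
  }
  return copies;
}

// Returns one entry per target that is missing or still below the target
// version anywhere in the tree. An empty array means the upgrade landed.
function auditLock(lock, targets = TARGETS) {
  const copies = resolvedCopies(lock);
  const problems = [];
  for (const [name, want] of Object.entries(targets)) {
    const found = copies[name] || [];
    if (found.length === 0) {
      problems.push({ name, reason: "missing", want });
      continue;
    }
    for (const c of found) {
      if (compareVersions(c.version, want) < 0) {
        problems.push({ name, reason: "below target", path: c.path, version: c.version, want });
      }
    }
  }
  return problems;
}

// Constructed lockfile excerpt: direct deps at the PR's targets, but one
// dependency ("some-lib", hypothetical) still pins an old url-parse, and
// farmhash is absent altogether.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app" },
    "node_modules/dotenv": { version: "8.6.0" },
    "node_modules/fs-extra": { version: "9.1.0" },
    "node_modules/fuse.js": { version: "6.6.2" },
    "node_modules/js2xmlparser": { version: "4.0.2" },
    "node_modules/rate-limiter-flexible": { version: "2.4.2" },
    "node_modules/request-ip": { version: "2.2.0" },
    "node_modules/svcorelib": { version: "1.18.2" },
    "node_modules/url-parse": { version: "1.5.10" },
    "node_modules/xss": { version: "1.0.15" },
    "node_modules/some-lib": { version: "0.1.0" },
    "node_modules/some-lib/node_modules/url-parse": { version: "1.4.7" },
  },
};

const REPORT = auditLock(SAMPLE_LOCK);
for (const p of REPORT) {
  console.log(`${p.name}: ${p.reason}` + (p.path ? ` (${p.path} is ${p.version}, want >= ${p.want})` : ""));
}
```

For a real check, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")). Note that five of the issues in the table above (ansi-regex, simple-get, minimatch) are in transitive dependencies whose fixed versions this page does not list, so they are deliberately not in TARGETS; resolvedCopies() still reports every installed copy of those packages, which is what you compare against the advisory's fixed version. A nested old copy of url-parse, as in the constructed sample, is exactly the case where the PR's diff looks complete but the open-redirect and authorization-bypass issues remain reachable through the dependency that pins it.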