[Snyk-dev] Fix for 22 vulnerabilities

[Arvi3d]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	No	Proof of Concept
	624/1000 Why? Has a fix available, CVSS 8.2	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	No	No Known Exploit
	601/1000 Why? Recently disclosed, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	No	No Known Exploit
	469/1000 Why? Has a fix available, CVSS 5.1	Cross-site Scripting SNYK-JS-EXPRESS-7926867	No	No Known Exploit
	751/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.6	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-Side Request Forgery (SSRF) SNYK-JS-IP-7148531	No	Proof of Concept
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MOUT-2342654	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	No	No Known Exploit
	666/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Improper Control of Generation of Code ('Code Injection') SNYK-JS-PUGCODEGEN-7086056	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	319/1000 Why? Has a fix available, CVSS 2.1	Cross-site Scripting SNYK-JS-SEND-7926862	No	No Known Exploit
	319/1000 Why? Has a fix available, CVSS 2.1	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	No	No Known Exploit
	761/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.8	Information Exposure SNYK-JS-SIMPLEGET-2361683	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-TAR-6476909	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-WS-7266574	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: body-parser

The new version differs by 80 commits.

• 1752951 1.20.3
• 39744cf chore: linter (Update swagger-ui-express to the latest version 🚀 juice-shop/juice-shop#534)
• b2695c4 Merge commit from fork
• ade0f3f add scorecard to readme (Update mocha to the latest version 🚀 juice-shop/juice-shop#531)
• 99a1bd6 deps: qs@6.12.3 (Add reflected XSS challenge juice-shop/juice-shop#521)
• 9478591 fix: pin to node@22.4.1
• 83db46a ci: fix errors in ci github action for node 8 and 9 (Persist language selection in cookie juice-shop/juice-shop#523)
• 9d4e212 chore: add support for OSSF scorecard reporting (New Crowdin translations juice-shop/juice-shop#522)
• ee91374 1.20.2
• 368a93a Fix strict json error message on Node.js 19+
• 0385872 deps: raw-body@2.5.2
• 2c35b41 build: eslint@8.34.0
• f0646c2 build: Node.js@18.14
• f345fb1 build: Node.js@14.21
• 6842efc deps: content-type@~1.0.5
• 5af7315 build: eslint-plugin-promise@6.1.1
• 8e605b3 build: supertest@6.3.3
• cba6e77 build: mocha@10.2.0
• 6a464ab build: eslint-plugin-import@2.27.5
• 7ebf276 build: eslint@8.32.0
• 69bb649 build: Node.js@16.19
• 8ff995f docs: switch badges to badgen
• 850832f build: Node.js@18.13
• dad8f34 build: actions/download-artifact@v3

See the full diff

Package name: check-dependencies

The new version differs by 61 commits.

• 03c8847 Tag 2.0.0
• 65d9ef5 Set Node.js requirement in package.json engines to >=18.3
• 4917ab0 Simplify the spawn logic
• fc04cc8 Drop support for the callback interface
• 28257dd Tweak ESLint settings
• dc16e8a Drop the bluebird devDependency
• 412337a Drop fs-extra & graceful-fs devDependencies
• 091279a Drop the findup-sync dependency
• 10ac9c5 Drop lodash.camelcase & minimist dependencies
• 35dce52 Update dependencies
• 2929ba7 Update tested Node.js versions
• 1f514eb Don't invoke `npm prune`, `npm install` is already enough
• 65107d2 Drop support for Bower & the `checkCustomPackageNames` option
• f28ba1b Avoid `git://` URLs, they're no longer supported
• 8fdc6ad Limit allowed `packageManager` values
• 9809f13 Bump word-wrap from 1.2.3 to 1.2.4 ([Snyk] Fix for 18 vulnerabilities #58)
• e522471 Bump semver from 7.3.8 to 7.5.2 ([Snyk] Fix for 18 vulnerabilities #57)
• 031416d Bump yaml from 2.2.1 to 2.2.2 ([Snyk] Security upgrade @angular-devkit/build-angular from 0.1000.8 to 16.2.15 #56)
• dff3ab9 Build: Fix running tests on Windows
• 062005f Build: Update the GitHub Actions config
• ecf138f Build: Update dependencies
• 15c13b3 Build: Remove AppVeyor
• 89b9df0 Build: Update .gitattributes to files always use LF line endings
• db8c172 Build: Tweak GitHub Actions workflow code style

See the full diff

Package name: cookie-parser

The new version differs by 12 commits.

• 5d61e1e 1.4.7
• ccf1f54 deps: cookie@0.7.2 ([Snyk] Security upgrade @angular-devkit/build-angular from 0.1000.8 to 13.3.6 alexeisnyk/juice-shop#116)
• 429cfd4 ci: Use GITHUB_OUTPUT envvar instead of set-output command ([Snyk] Security upgrade @angular-devkit/build-angular from 0.1000.8 to 13.3.2 alexeisnyk/juice-shop#100)
• ca4c97e ci: fix errors in ci pipeline for node 8 and 9 (Test branch alexeisnyk/juice-shop#104)
• 97bdf39 ci: add support for OSSF scorecard reporting ([Snyk] Security upgrade socket.io-client from 2.4.0 to 3.0.0 alexeisnyk/juice-shop#103)
• e5862bd build: Node.js@17.6
• f0688d2 build: Node.js@14.19
• 44ec541 build: Node.js@16.14
• 695435a deps: cookie@0.4.2
• f66e7e1 build: mocha@9.2.1
• 05e40b1 build: Node.js@17.3
• bc1d501 build: use supertest@3.4.2 for Node.js 6.x

See the full diff

Package name: express

The new version differs by 219 commits.

• 8e229f9 4.21.1
• a024c8a fix(deps): cookie@0.7.1
• 7e562c6 4.21.0
• 1bcde96 fix(deps): qs@6.13.0 (#5946)
• 7d36477 fix(deps): serve-static@1.16.2 (#5951)
• 40d2d8f fix(deps): finalhandler@1.3.1
• 77ada90 Deprecate `"back"` magic string in redirects (#5935)
• 21df421 4.20.0
• 4c9ddc1 feat: upgrade to serve-static@0.16.0
• 9ebe5d5 feat: upgrade to send@0.19.0 (#5928)
• ec4a01b feat: upgrade to body-parser@1.20.3 (#5926)
• 54271f6 fix: don't render redirect values in anchor href
• 125bb74 path-to-regexp@0.1.10 (#5902)
• 2a980ad merge-descriptors@1.0.3 (#5781)
• a3e7e05 docs: specify new instructions for `question` and `discuss`
• c5addb9 deps: path-to-regexp@0.1.8 (#5603)
• e35380a docs: add @ IamLizu to the triage team (#5836)
• f5b6e67 docs: update scorecard link (#5814)
• 2177f67 docs: add OSSF Scorecard badge (#5436)
• f4bd86e Replace Appveyor windows testing with GHA (#5599)
• 2ec589c Fix Contributor Covenant link definition reference in attribution section (#5762)
• 4cf7eed remove minor version pinning from ci (#5722)
• 6d08471 📝 update people, add ctcpip to TC (#5683)
• 61421a8 skip QUERY tests for Node 21 only, still not supported (#5695)

See the full diff

Package name: file-stream-rotator

The new version differs by 13 commits.

• 321241d v1.0.0
• 6daf865 improved readme
• 375dc2e force manual stream rotation
• 7e595e4 rewrite using TS.
• 2b41e6a fix for PR [Snyk-dev] Fix for 6 vulnerabilities #87. no check before setting hashType.
• 0030fb1 fix rotation without date.
• 0a8faeb Merge pull request [Snyk] Fix for 4 vulnerabilities #83 from chneil/master
• 9c487ca Merge pull request [Snyk] Fix for 1 vulnerabilities #81 from afrobros/fix_mkdirSync
• 325ccfa version 0.6.0. Includes fix to [Snyk-dev] Security upgrade @angular-devkit/build-angular from 0.1000.8 to 12.0.0 #85, [Snyk] Security upgrade @angular-devkit/build-angular from 0.1000.8 to 12.0.0 #82
• 7764aac allow to specify hashing algorithm to use for the audit log
• 48d3e61 updated moment to 2.29.1
• 7fd96fe Emitting new event when the logfile is re-created after deletion so that the watcher is readded
• 35b36a8 fix Throw exist error on mkdirSync

See the full diff

Package name: finale-rest

The new version differs by 5 commits.

• d94ee1f 1.2.0
• 5834732 Fix search with substring ([Snyk-dev] Security upgrade @angular-devkit/build-angular from 0.1000.8 to 13.1.0 #90)
• 5d1de6b Add deletedInstance property to context on delete ([Snyk-dev] Fix for 6 vulnerabilities #87)
• b005710 README Update
• 2514b90 Bump lodash from 4.17.15 to 4.17.19 ([Snyk-dev] Fix for 21 vulnerabilities #68)

See the full diff

Package name: grunt-contrib-compress

The new version differs by 5 commits.

• bd9fc8e v2.0.0
• b8565a9 Update Archiver ([Snyk] Security upgrade express from 4.17.2 to 4.21.0 alexeisnyk/juice-shop#232)
• f6815bf Update deps and remove nodeunit loading ([Snyk] Fix for 4 vulnerabilities alexeisnyk/juice-shop#231)
• b70c1d9 Update tests and dependencies ([Snyk] Fix for 4 vulnerabilities alexeisnyk/juice-shop#230)
• 5759edd Bump ini from 1.3.5 to 1.3.7 ([Snyk] Fix for 18 vulnerabilities alexeisnyk/juice-shop#228)

See the full diff

Package name: i18n

The new version differs by 93 commits.

• 02dd49d tests: use arrow function
• fa50268 eslint refactor var -> const,let
• abb05ec refactor to arrow functions
• 5855724 drop node support < 10
• 9e6559a Merge branch 'gajus-master'
• 234b94b (re-)added tests fast-printf Update jasmine to the latest version 🚀 juice-shop/juice-shop#453
• ef5675c Merge branch 'master' of git://github.com/gajus/i18n-node into gajus-master
• 2461a97 typo
• 737b67d refactored test to cover mf plurals
• 42f12d3 Merge branch 'calmonr-fix-messageformat'
• 0faeee0 Merge branch 'fix-messageformat' of https://github.com/calmonr/i18n-node into calmonr-fix-messageformat
• 6018b9f Merge tag '0.13.4'
• 9683cc6 Merge branch 'release/0.13.4' into npm
• bdce606 v0.13.4
• 4e6963f upgrade tested
• 3139881 save update
• aa60ac7 upgraded devDeps
• b6e672d Merge pull request New Crowdin translations juice-shop/juice-shop#482 from Justman10000/patch-1
• ed5c03f should fix coverage report
• 10daf65 publish coverage
• 84008b8 sad to see travis go paid only
• d433ebe Update node.js.yml
• 7b4a0a2 Create node.js.yml
• 5a08ecc Update sinon to the latest version 🚀 juice-shop/juice-shop#486 - test path traversal vulnerability

See the full diff

Package name: juicy-chat-bot

The new version differs by 15 commits.

• 705832f Bump version
• 147fb16 Only load english ([Snyk] Security upgrade sqlite3 from 5.1.6 to 5.1.7 #15)
• 11bbd8b Bump CI/CD to Node.js 18
• 3b677b5 Bump to v0.7.1
• 4a90dc5 Merge remote-tracking branch 'origin/develop' into develop
• 7b32e43 Pin version of VM2 to 3.9.17 without vulnerability ([Snyk] Security upgrade @angular/cli from 10.2.4 to 12.0.0 #14)
• 8e63414 Pin version of VM2 to 3.9.17 without vulnerability ([Snyk] Security upgrade @angular/cli from 10.2.4 to 12.0.0 #14)
• 61a1f1a Bump version
• 5ef0011 Add typescript definition for juicy-chat-bot
• d816d29 Bump copyright notes to include 2023
• 53fdc22 Update contributor statistics
• d5bc807 Bump to recent supported Node.js versions
• 956f6df Merge pull request [Snyk] Security upgrade node-pre-gyp from 0.15.0 to 0.17.0 #13 from pattyjogal/pattyjogal-patch-1
• 24c7cbd Pin version of VM2 to version w/o vulnerability
• 93e1fab Add contributors chart

See the full diff

Package name: socket.io

The new version differs by 57 commits.

• 1af3267 chore(release): 3.0.0
• 02951c4 chore(release): 3.0.0-rc4
• 54bf4a4 feat: emit an Error object upon middleware error
• aa7574f feat: serve msgpack bundle
• 64056d6 docs(examples): update TypeScript example
• cacad70 chore(release): 3.0.0-rc3
• d16c035 refactor: rename ERROR to CONNECT_ERROR
• 5c73733 feat: add support for catch-all listeners
• 129c641 feat: make Socket#join() and Socket#leave() synchronous
• 0d74f29 refactor(typings): export Socket class
• 7603da7 feat: remove prod dependency to socket.io-client
• a81b9f3 docs(examples): add example with TypeScript
• 20ea6bd docs(examples): add example with ES modules
• 0ce5b4c chore(release): 3.0.0-rc2
• 8a5db7f refactor: remove duplicate _sockets map
• 2a05042 refactor: add additional typings
• 91cd255 fix: close clients with no namespace
• 58b66f8 refactor: hide internal methods and properties
• 669592d feat: move binary detection back to the parser
• 2d2a31e chore: publish the wrapper.mjs file
• ebb0575 chore(release): 3.0.0-rc1
• c0d171f test: use the reconnect event of the Manager
• 9c7a48d test: use the complete export name
• 4bd5b23 feat: throw upon reserved event names

See the full diff

Package name: sqlite3

The new version differs by 36 commits.

• ba4ba07 v5.1.7
• d04c1fb Removed Node version from matrix title
• 03d6e75 v5.1.7-rc.0
• 8398daa Fixed uploading assets from Docker
• 8b86e41 Fixed uploading release assets on Windows
• 83c8c0a Configured releases to be created as prereleases
• f792f69 Update dependency node-addon-api to v7
• 4ef11bf Removed extraneous parameter to event emit function
• e99160a Inlined `init()` functions into class header files
• 3372130 Improved `RowToJS` performance by removing `Napi::String::New` instantiation
• 77b327c Increased number of rows inserted into benchmark database
• 603e468 Fixed minor linting warning
• 8bda876 Refactored Database to use macros for method definitions
• 5809f62 Fixed uploading prebuilt binaries from Docker
• aabd297 Update actions/setup-node action to v4
• c775b81 Extracted common Node-API queuing code into macro
• 2595304 Updated list of supported targets
• 605c7f9 Replaced `@ mapbox/node-pre-gyp` in favor of `prebuild` + `prebuild-install`
• a2cee71 Update dependency mocha to v10
• 7674271 Update dependency eslint to v8
• 83e282d Update actions/checkout digest to b4ffde6
• 8482aaf Update docker/setup-buildx-action action to v3
• c74f267 Update docker/setup-qemu-action action to v3
• 9e8b2ee Reworked CI versions

See the full diff

Package name: unzipper

The new version differs by 118 commits.

• ea87bf3 Update package.json
• ba8416b Merge pull request pull from with master juice-shop/juice-shop#321 from ZJONSSON/fix-deploy
• 2357a71 Fix deploy script
• 2608bc2 Merge pull request rebase with v3.2.0 juice-shop/juice-shop#320 from ZJONSSON/update-docs
• 23cc3b8 Merge pull request Travis-CI build stages juice-shop/juice-shop#319 from ZJONSSON/deploy.yml
• 1b4b210 Update docs
• 760f100 Merge pull request Integration Awareness-Training Examples juice-shop/juice-shop#316 from lechuhuuha/master
• 360b0f2 Merge branch 'master' into master
• cbf8db9 add deploy action
• 343956a Merge pull request unknown error deploying to heroku juice-shop/juice-shop#318 from ZJONSSON/ayush-refactor
• 341aa44 Make empty directories
• b1abffa Replace fstream with fs-extra
• 088319e remove new lines and big-integer
• 36585e5 replace bigint with node-int64
• 1149855 eslint (Continue code autosave juice-shop/juice-shop#314)
• a6e0392 Increase buffer to 1k - add tests (Added Scoreboard Autoupdate as suggested in #307. juice-shop/juice-shop#313)
• 637df97 Open methods - only stream up to length (Different behavior of Login with Google juice-shop/juice-shop#310)
• 6a165e5 bump patch (Feature: Add refresh button to score-board. juice-shop/juice-shop#307)
• d161755 Fix spelling
• 46df524 expand test versions (v3.0.0 juice-shop/juice-shop#304)
• 2416da8 fix .npmignore (Corrected contribution links juice-shop/juice-shop#303)
• 3095797 bump minor (After docker crashed there's no way to restore challenges. juice-shop/juice-shop#302)
• d7f01ee fix: use pipeline to propagate errors across all piped streams (Develop customization #277  juice-shop/juice-shop#288)
• 7c4604e Fix: Unix OS's should properly ignore the windows zip slipped files ([Snyk] Security upgrade @angular-devkit/build-angular from 0.1000.8 to 12.2.0 alexeisnyk/juice-shop#179)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Cross-site Scripting (XSS)
🦉 More lessons are available in Snyk Learn