[Snyk] Upgrade: connect-mongo, dotenv, ejs, ejs-mate, express, express-session, fast-csv, fs, joi, mongoose, multer, passport, passport-local-mongoose

[WontonSam]

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Name	Versions	Released on

connect-mongo
from 3.2.0 to 5.1.0 | 19 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | a year ago
on 2023-10-14
dotenv
from 10.0.0 to 16.4.5 | 39 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 7 months ago
on 2024-02-20
ejs
from 3.1.6 to 3.1.10 | 4 versions ahead of your current version | 5 months ago
on 2024-04-12
ejs-mate
from 3.0.0 to 4.0.0 | 1 version ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 2 years ago
on 2022-05-08
express
from 4.17.1 to 4.19.2 | 9 versions ahead of your current version | 6 months ago
on 2024-03-25
express-session
from 1.17.2 to 1.18.0 | 2 versions ahead of your current version | 8 months ago
on 2024-01-28
fast-csv
from 4.3.6 to 5.0.1 | 2 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 7 months ago
on 2024-02-13
fs
from 0.0.1-security to 0.0.2 | 1 version ahead of your current version | 10 years ago
on 2014-09-12
joi
from 17.4.1 to 17.13.3 | 31 versions ahead of your current version | 3 months ago
on 2024-06-19
mongoose
from 5.13.2 to 8.5.4 | 215 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 24 days ago
on 2024-08-23
multer
from 1.4.2 to 1.4.4 | 3 versions ahead of your current version | 3 years ago
on 2021-12-07
passport
from 0.4.1 to 0.7.0 | 6 versions ahead of your current version | 10 months ago
on 2023-11-27
passport-local-mongoose
from 6.1.0 to 8.0.0 | 9 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 2 years ago
on 2023-03-14

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	489	Proof of Concept
	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	489	Proof of Concept
	Prototype Pollution SNYK-JS-MONGOOSE-2961688	489	Proof of Concept
	Prototype Pollution SNYK-JS-MONGOOSE-5777721	489	Proof of Concept
	Prototype Poisoning SNYK-JS-QS-3153490	489	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	489	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SIDEWAYFORMULA-3317169	489	No Known Exploit
	Information Exposure SNYK-JS-MONGODB-5871303	489	No Known Exploit
	Information Exposure SNYK-JS-MONGODB-5871303	489	No Known Exploit
	Arbitrary Code Injection SNYK-JS-EJS-1049328	489	Proof of Concept
	Improper Control of Dynamically-Managed Code Resources SNYK-JS-EJS-6689533	489	No Known Exploit
	Improper Control of Dynamically-Managed Code Resources SNYK-JS-EJS-6689533	489	No Known Exploit
	Open Redirect SNYK-JS-EXPRESS-6474509	489	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	489	No Known Exploit
	Prototype Pollution SNYK-JS-MPATH-1577289	489	Proof of Concept
	Session Fixation SNYK-JS-PASSPORT-2840631	489	No Known Exploit

Release notes

Package name: connect-mongo

• 5.1.0 - 2023-10-14
  

  chore: release v5.1.0

• 5.0.0 - 2023-03-14
  

  fix: createIndex now do not need to supply writeConcern

• 4.6.0 - 2021-09-17
  

  chore: bump version to 4.6.0 for release

• 4.5.0 - 2021-08-17
  

  chore: bump version to 4.5.0 for release

• 4.4.1 - 2021-03-23
  

  chore: bump version to 4.4.1

• 4.4.0 - 2021-03-11
  

  Merge branch 'feat/import-export-review'

• 4.4.0-rc1 - 2021-03-11
• 4.3.1 - 2021-03-09
  

  fix: fix incorrect assertion checking after adding client option

• 4.3.0 - 2021-03-08
  

  docs: ready to release 4.3.0

• 4.2.2 - 2021-03-02
  

  chore: bump version again for mis-publish

• 4.2.1 - 2021-03-02
• 4.2.0 - 2021-02-24
  

  chore: bump version to 4.2.0

• 4.2.0-rc2 - 2021-02-23
• 4.2.0-rc1 - 2021-02-23
• 4.1.0 - 2021-02-22
• 4.1.0-rc1 - 2021-02-22
• 4.0.0 - 2021-02-21
• 4.0.0-rc2 - 2021-02-21
• 4.0.0-rc1 - 2021-02-21
• 3.2.0 - 2019-11-28

from connect-mongo GitHub release notes

Package name: dotenv

• 16.4.5 - 2024-02-20
  

  16.4.5

• 16.4.4 - 2024-02-13
  

  16.4.4

• 16.4.3 - 2024-02-12
  

  16.4.3

• 16.4.2 - 2024-02-10
  

  16.4.2

• 16.4.1 - 2024-01-24
  

  16.4.1

• 16.4.0 - 2024-01-23
  

  16.4.0

• 16.3.2 - 2024-01-19
  

  16.3.2

• 16.3.1 - 2023-06-17
  

  16.3.1

• 16.3.0 - 2023-06-16
  

  16.3.0

• 16.2.0 - 2023-06-16
  

  16.2.0

• 16.1.4 - 2023-06-04
• 16.1.3 - 2023-05-31
• 16.1.2 - 2023-05-31
• 16.1.1 - 2023-05-31
• 16.1.0 - 2023-05-30
• 16.1.0-rc2 - 2023-05-21
• 16.1.0-rc1 - 2023-04-07
• 16.0.3 - 2022-09-29
• 16.0.2 - 2022-08-30
• 16.0.1 - 2022-05-10
• 16.0.0 - 2022-02-02
• 15.0.1 - 2022-02-02
• 15.0.0 - 2022-01-31
• 14.3.2 - 2022-01-25
• 14.3.1 - 2022-01-25
• 14.3.0 - 2022-01-24
• 14.2.0 - 2022-01-17
• 14.1.1 - 2022-01-17
• 14.1.0 - 2022-01-17
• 14.0.1 - 2022-01-17
• 14.0.0 - 2022-01-17
• 13.0.1 - 2022-01-16
• 13.0.0 - 2022-01-16
• 12.0.4 - 2022-01-16
• 12.0.3 - 2022-01-15
• 12.0.2 - 2022-01-15
• 12.0.1 - 2022-01-15
• 12.0.0 - 2022-01-14
• 11.0.0 - 2022-01-11
• 10.0.0 - 2021-05-21

from dotenv GitHub release notes

Package name: ejs

• 3.1.10 - 2024-04-12
  

  Version 3.1.10

• 3.1.9 - 2023-03-12
  

  Version 3.1.9

• 3.1.8 - 2022-05-11
  

  Version 3.1.8

• 3.1.7 - 2022-04-20
  

  Version 3.1.7

• 3.1.6 - 2021-02-06
  

  Version 3.1.6

from ejs GitHub release notes

Package name: ejs-mate

• 4.0.0 - 2022-05-08
  
  • upgrade ejs to v3.
  • upgrade dev-dependencies.
• 3.0.0 - 2018-10-26

from ejs-mate GitHub release notes

Package name: express

• 4.19.2 - 2024-03-25
• 4.19.1 - 2024-03-20
  

  What's Changed

  • Fix ci after location patch by @ wesleytodd in #5552
  • fixed un-edited version in history.md for 4.19.0 by @ wesleytodd in #5556

  Full Changelog: 4.19.0...4.19.1

• 4.19.0 - 2024-03-20
  

  What's Changed

  • fix typo in release date by @ UlisesGascon in #5527
  • docs: nominating @ wesleytodd to be project captian by @ wesleytodd in #5511
  • docs: loosen TC activity rules by @ wesleytodd in #5510
  • Add note on how to update docs for new release by @ crandmck in #5541
  • Prevent open redirect allow list bypass due to encodeurl
  • Release 4.19.0 by @ wesleytodd in #5551

  New Contributors

  • @ crandmck made their first contribution in #5541

  Full Changelog: 4.18.3...4.19.0

• 4.18.3 - 2024-02-29
  

  Main Changes

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2

  Other Changes

  • Use https: protocol instead of deprecated git: protocol by @ vcsjones in #5032
  • build: Node.js@16.18 and Node.js@18.12 by @ abenhamdine in #5034
  • ci: update actions/checkout to v3 by @ armujahid in #5027
  • test: remove unused function arguments in params by @ raksbisht in #5124
  • Remove unused originalIndex from acceptParams by @ raksbisht in #5119
  • Fixed typos by @ raksbisht in #5117
  • examples: remove unused params by @ raksbisht in #5113
  • fix: parameter str is not described in JSDoc by @ raksbisht in #5130
  • fix: typos in History.md by @ raksbisht in #5131
  • build : add Node.js@19.7 by @ abenhamdine in #5028
  • test: remove unused function arguments in params by @ raksbisht in #5137
  • use random port in test so it won't fail on already listening by @ rluvaton in #5162
  • tests: use cb() instead of done() by @ kristof-low in #5233
  • examples: remove multipart example by @ riddlew in #5195
  • Update support Node.js@18 in the CI by @ UlisesGascon in #5490
  • Fix favicon-related bug in cookie-sessions example by @ DmytroKondrashov in #5414
  • Release 4.18.3 by @ UlisesGascon in #5505

  New Contributors

  • @ vcsjones made their first contribution in #5032
  • @ abenhamdine made their first contribution in #5034
  • @ armujahid made their first contribution in #5027
  • @ raksbisht made their first contribution in #5124
  • @ rluvaton made their first contribution in #5162
  • @ kristof-low made their first contribution in #5233
  • @ riddlew made their first contribution in #5195
  • @ DmytroKondrashov made their first contribution in #5414

  Full Changelog: 4.18.2...4.18.3

• 4.18.2 - 2022-10-08
  
  • Fix regression routing a large stack in a single route
  • deps: body-parser@1.20.1
    • deps: qs@6.11.0
    • perf: remove unnecessary object clone
  • deps: qs@6.11.0
• 4.18.1 - 2022-04-29
  
  • Fix hanging on large stack of sync routes
• 4.18.0 - 2022-04-25
  
  • Add "root" option to res.download
  • Allow options without filename in res.download
  • Deprecate string and non-integer arguments to res.status
  • Fix behavior of null/undefined as maxAge in res.cookie
  • Fix handling very large stacks of sync middleware
  • Ignore Object.prototype values in settings through app.set/app.get
  • Invoke default with same arguments as types in res.format
  • Support proper 205 responses using res.send
  • Use http-errors for res.format error
  • deps: body-parser@1.20.0
    • Fix error message for json parse whitespace in strict
    • Fix internal error when inflated body exceeds limit
    • Prevent loss of async hooks context
    • Prevent hanging when request already read
    • deps: depd@2.0.0
    • deps: http-errors@2.0.0
    • deps: on-finished@2.4.1
    • deps: qs@6.10.3
    • deps: raw-body@2.5.1
  • deps: cookie@0.5.0
    • Add priority option
    • Fix expires option to reject invalid dates
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: finalhandler@1.2.0
    • Remove set content headers that break response
    • deps: on-finished@2.4.1
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
    • Prevent loss of async hooks context
  • deps: qs@6.10.3
  • deps: send@0.18.0
    • Fix emitted 416 error missing headers property
    • Limit the headers removed for 304 response
    • deps: depd@2.0.0
    • deps: destroy@1.2.0
    • deps: http-errors@2.0.0
    • deps: on-finished@2.4.1
    • deps: statuses@2.0.1
  • deps: serve-static@1.15.0
    • deps: send@0.18.0
  • deps: statuses@2.0.1
    • Remove code 306
    • Rename 425 Unordered Collection to standard 425 Too Early
• 4.17.3 - 2022-02-17
  
  • deps: accepts@~1.3.8
    • deps: mime-types@~2.1.34
    • deps: negotiator@0.6.3
  • deps: body-parser@1.19.2
    • deps: bytes@3.1.2
    • deps: qs@6.9.7
    • deps: raw-body@2.4.3
  • deps: cookie@0.4.2
  • deps: qs@6.9.7
    • Fix handling of __proto__ keys
  • pref: remove unnecessary regexp for trust proxy
• 4.17.2 - 2021-12-17
  
  • Fix handling of undefined in res.jsonp
  • Fix handling of undefined when "json escape" is enabled
  • Fix incorrect middleware execution with unanchored RegExps
  • Fix res.jsonp(obj, status) deprecation message
  • Fix typo in res.is JSDoc
  • deps: body-parser@1.19.1
    • deps: bytes@3.1.1
    • deps: http-errors@1.8.1
    • deps: qs@6.9.6
    • deps: raw-body@2.4.2
    • deps: safe-buffer@5.2.1
    • deps: type-is@~1.6.18
  • deps: content-disposition@0.5.4
    • deps: safe-buffer@5.2.1
  • deps: cookie@0.4.1
    • Fix maxAge option to reject invalid values
  • deps: proxy-addr@~2.0.7
    • Use req.socket over deprecated req.connection
    • deps: forwarded@0.2.0
    • deps: ipaddr.js@1.9.1
  • deps: qs@6.9.6
  • deps: safe-buffer@5.2.1
  • deps: send@0.17.2
    • deps: http-errors@1.8.1
    • deps: ms@2.1.3
    • pref: ignore empty http tokens
  • deps: serve-static@1.14.2
    • deps: send@0.17.2
  • deps: setprototypeof@1.2.0
• 4.17.1 - 2019-05-26

from express GitHub release notes

Package name: express-session

• 1.18.0 - 2024-01-28
  
  • Add debug log for pathname mismatch
  • Add partitioned to cookie options
  • Add priority to cookie options
  • Fix handling errors from setting cookie
  • Support any type in secret that crypto.createHmac supports
  • deps: cookie@0.6.0
    • Fix expires option to reject invalid dates
    • perf: improve default decode speed
    • perf: remove slow string split in parse
  • deps: cookie-signature@1.0.7
• 1.17.3 - 2022-05-11
  
  • Fix resaving already-saved new session at end of request
  • deps: cookie@0.4.2
• 1.17.2 - 2021-05-19
  
  • Fix res.end patch to always commit headers
  • deps: cookie@0.4.1
  • deps: safe-buffer@5.2.1

from express-session GitHub release notes

Package name: fast-csv

• 5.0.1 - 2024-02-13
  

  What's Changed

  • chore(docs): update changelog and homepage URL

  Full Changelog: v5.0.0...v5.0.1

• 5.0.0 - 2024-01-13
  

  5.0.0 (2024-01-13)

  Bug Fixes

  • Added missing single quote in error message (#656) (b9dceab)
  • deps: Fix up @ types node package incorrectly involved in dependencies, closes #774 (#838) (83315a6)
  • deps: update dependency @ types/yargs to v16.0.1 (024ec2c)
  • deps: update dependency classnames to v2.4.0 (#642) (3ce8ad8)
  • deps: update dependency classnames to v2.5.0 (#847) (8a38bd2)
  • deps: update dependency classnames to v2.5.1 (#849) (4187b08)
  • deps: update dependency globby to v11.0.2 (57953cc)
  • deps: update dependency globby to v11.0.3 (e310319)
  • deps: update dependency globby to v11.1.0 (#678) (0ea420d)
  • deps: update dependency jest-diff to v29 (#672) (b962de0)
  • deps: update dependency yargs to v16.2.0 (d9420d8)
  • deps: update dependency yargs to v17 (#673) (0d33b48)
  • deps: update docusaurus monorepo to v2.4.3 (#531) (ed71ed4)
  • deps: update docusaurus monorepo to v3 (#844) (7fdb903)
  • deps: update docusaurus monorepo to v3.1.0 (#855) (4f67398)
  • deps: update react monorepo to v18 (#845) (a447d06)
• 4.3.6 - 2020-12-04
  

  4.3.6 (2020-12-04)

  Bug Fixes

  • Simplify empty row check by removing complex regex (4bbd39f)
  • deps: update dependency @ types/yargs to v15.0.10 (9af7a41)
  • deps: update dependency yargs to v16.1.1 (057a4da)

from fast-csv GitHub release notes

Package name: fs

• 0.0.2 - 2014-09-12
• 0.0.1-security - 2016-08-23

from fs GitHub release notes

Package name: joi

• 17.13.3 - 2024-06-19
  

  17.13.3

• 17.13.2 - 2024-06-19
  

  17.13.2

• 17.13.1 - 2024-05-02
  

  17.13.1

• 17.13.0 - 2024-04-23
  

  17.13.0

• 17.12.3 - 2024-04-03
  

  17.12.3

• 17.12.2 - 2024-02-21
  

  17.12.2

• 17.12.1 - 2024-01-29
  

  17.12.1

• 17.12.0 - 2024-01-17
  

  17.12.0

• 17.11.1 - 2024-01-15
  

  17.11.1

• 17.11.0 - 2023-10-04
• 17.10.2 - 2023-09-17
• 17.10.1 - 2023-08-31
• 17.10.0 - 2023-08-27
• 17.9.2 - 2023-04-24
• 17.9.1 - 2023-03-21
• 17.9.0 - 2023-03-20
• 17.8.4 - 2023-03-14
• 17.8.3 - 2023-02-21
• 17.8.2 - 2023-02-21
• 17.8.1 - 2023-02-19
• 17.8.0 - 2023-02-19
• 17.7.1 - 2023-02-10
• 17.7.0 - 2022-11-01
• 17.6.4 - 2022-10-22
• 17.6.3 - 2022-10-11
• 17.6.2 - 2022-09-29
• 17.6.1 - 2022-09-22
• 17.6.0 - 2022-01-26
• 17.5.0 - 2021-12-02
• 17.4.3 - 2021-12-01
• 17.4.2 - 2021-08-01
• 17.4.1 - 2021-07-11

from joi GitHub release notes

Package name: mongoose

• 8.5.4 - 2024-08-23
  

  8.5.4 / 2024-08-23

  • fix: add empty string check for collection name passed #14806 Shubham2552
  • docs(model): add 'throw' as valid strict value for bulkWrite() and add some more clarification on throwOnValidationError #14809
• 8.5.3 - 2024-08-13
  

  8.5.3 / 2024-08-13

  • fix(document): call required functions on subdocuments underneath nested paths with correct context #14801 #14788
  • fix(populate): avoid throwing error when no result and lean() set #14799 #14794 #14759 MohOraby
  • fix(document): apply virtuals to subdocuments if parent schema has virtuals: true for backwards compatibility #14774 #14771 #14623 #14394
  • types: make HydratedSingleSubdocument and HydratedArraySubdocument merge types instead of using & #14800 #14793
  • types: support schema type inference based on schema options timestamps as well #14773 #13215 ark23CIS
  • types(cursor): indicate that cursor.next() can return null #14798 #14787
  • types: allow mongoose.connection.db to be undefined #14797 #14789
  • docs: add schema type widening advice #14790 JstnMcBrd
• 8.5.2 - 2024-07-30
  

  8.5.2 / 2024-07-30

  • perf(clone): avoid further unnecessary checks if cloning a primitive value #14762 #14394
  • fix: allow setting document array default to null #14769 #14717 #6691
  • fix(model): support session: null option for save() to opt out of automatic session option with transactionAsyncLocalStorage #14744 #14736

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.