[Snyk] Fix for 1 vulnerabilities

[Omrisnyk]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	44/1000 Why? Confidentiality impact: None, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 2, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 1.86, Score Version: V5	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: express

• 4.21.1 - 2024-10-08
  

  What's Changed

  • Backport a fix for CVE-2024-47764 to the 4.x branch by @ joshbuker in #6029
  • Release: 4.21.1 by @ UlisesGascon in #6031

  Full Changelog: 4.21.0...4.21.1

• 4.21.0 - 2024-09-11
  

  What's Changed

  • Deprecate "back" magic string in redirects by @ blakeembrey in #5935
  • finalhandler@1.3.1 by @ wesleytodd in #5954
  • fix(deps): serve-static@1.16.2 by @ wesleytodd in #5951
  • Upgraded dependency qs to 6.13.0 to match qs in body-parser by @ agadzinski93 in #5946

  New Contributors

  • @ agadzinski93 made their first contribution in #5946

  Full Changelog: 4.20.0...4.21.0

• 4.20.0 - 2024-09-10
  

  What's Changed

  Important

  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect

  Other Changes

  • 4.19.2 Staging by @ wesleytodd in #5561
  • remove duplicate location test for data uri by @ wesleytodd in #5562
  • feat: document beta releases expectations by @ marco-ippolito in #5565
  • Cut down on duplicated CI runs by @ jonchurch in #5564
  • Add a Threat Model by @ UlisesGascon in #5526
  • Assign captain of encodeurl by @ blakeembrey in #5579
  • Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @ jonchurch in #5587
  • docs: update Security.md by @ inigomarquinez in #5590
  • docs: update triage nomination policy by @ UlisesGascon in #5600
  • Add CodeQL (SAST) by @ UlisesGascon in #5433
  • docs: add UlisesGascon as triage initiative captain by @ UlisesGascon in #5605
  • deps: encodeurl@~2.0.0 by @ blakeembrey in #5569
  • skip QUERY method test by @ jonchurch in #5628
  • ignore ETAG query test on 21 and 22, reuse skip util by @ jonchurch in #5639
  • add support Node.js@22 in the CI by @ mertcanaltin in #5627
  • doc: add table of contents, tc/triager lists to readme by @ mertcanaltin in #5619
  • List and sort all projects, add captains by @ blakeembrey in #5653
  • docs: add @ UlisesGascon as captain for cookie-parser by @ UlisesGascon in #5666
  • ✨ bring back query tests for node 21 by @ ctcpip in #5690
  • [v4] Deprecate res.clearCookie accepting options.maxAge and options.expires by @ jonchurch in #5672
  • skip QUERY tests for Node 21 only, still not supported by @ jonchurch in #5695
  • 📝 update people, add ctcpip to TC by @ ctcpip in #5683
  • remove minor version pinning from ci by @ jonchurch in #5722
  • Fix link variable use in attribution section of CODE OF CONDUCT by @ IamLizu in #5762
  • Replace Appveyor windows testing with GHA by @ jonchurch in #5599
  • Add OSSF Scorecard badge by @ UlisesGascon in #5436
  • update scorecard link by @ bjohansebas in #5814
  • Nominate @ IamLizu to the triage team by @ UlisesGascon in #5836
  • deps: path-to-regexp@0.1.8 by @ blakeembrey in #5603
  • docs: specify new instructions for question and discuss by @ IamLizu in #5835
  • 4.x: Upgrade merge-descriptors dependency by @ RobinTail in #5781
  • path-to-regexp@0.1.10 by @ blakeembrey in #5902

  New Contributors

  • @ marco-ippolito made their first contribution in #5565
  • @ inigomarquinez made their first contribution in #5590
  • @ mertcanaltin made their first contribution in #5627
  • @ ctcpip made their first contribution in #5690
  • @ bjohansebas made their first contribution in #5814

  Full Changelog: 4.19.1...4.20.0

• 4.19.2 - 2024-03-25
  

  What's Changed

  • Improved fix for open redirect allow list bypass

  Full Changelog: 4.19.1...4.19.2

• 4.19.1 - 2024-03-20
  

  What's Changed

  • Fix ci after location patch by @ wesleytodd in #5552
  • fixed un-edited version in history.md for 4.19.0 by @ wesleytodd in #5556

  Full Changelog: 4.19.0...4.19.1

• 4.19.0 - 2024-03-20
  

  What's Changed

  • fix typo in release date by @ UlisesGascon in #5527
  • docs: nominating @ wesleytodd to be project captian by @ wesleytodd in #5511
  • docs: loosen TC activity rules by @ wesleytodd in #5510
  • Add note on how to update docs for new release by @ crandmck in #5541
  • Prevent open redirect allow list bypass due to encodeurl
  • Release 4.19.0 by @ wesleytodd in #5551

  New Contributors

  • @ crandmck made their first contribution in #5541

  Full Changelog: 4.18.3...4.19.0

• 4.18.3 - 2024-02-29
• 4.18.2 - 2022-10-08
• 4.18.1 - 2022-04-29
• 4.18.0 - 2022-04-25
• 4.17.3 - 2022-02-17
• 4.17.2 - 2021-12-17
• 4.17.1 - 2019-05-26
• 4.17.0 - 2019-05-17
• 4.16.4 - 2018-10-11
• 4.16.3 - 2018-03-12
• 4.16.2 - 2017-10-10
• 4.16.1 - 2017-09-29
• 4.16.0 - 2017-09-28
• 4.15.5 - 2017-09-25
• 4.15.4 - 2017-08-07
• 4.15.3 - 2017-05-17
• 4.15.2 - 2017-03-06
• 4.15.1 - 2017-03-06
• 4.15.0 - 2017-03-01
• 4.14.1 - 2017-01-28
• 4.14.0 - 2016-06-16
• 4.13.4 - 2016-01-22
• 4.13.3 - 2015-08-03
• 4.13.2 - 2015-07-31
• 4.13.1 - 2015-07-06
• 4.13.0 - 2015-06-21
• 4.12.4 - 2015-05-18

from express GitHub release notes

Package name: express-session

• 1.18.1 - 2024-10-08
  

  What's Changed

  • chore: add support for OSSF scorecard reporting by @ inigomarquinez in #984
  • dep: cookie@0.7.2 by @ knolleary in #997
  • Release: 1.18.1 by @ UlisesGascon in #998

  New Contributors

  • @ inigomarquinez made their first contribution in #984
  • @ knolleary made their first contribution in #997
  • @ UlisesGascon made their first contribution in #998

  Full Changelog: v1.18.0...v1.18.1

• 1.18.0 - 2024-01-28
  
  • Add debug log for pathname mismatch
  • Add partitioned to cookie options
  • Add priority to cookie options
  • Fix handling errors from setting cookie
  • Support any type in secret that crypto.createHmac supports
  • deps: cookie@0.6.0
    • Fix expires option to reject invalid dates
    • perf: improve default decode speed
    • perf: remove slow string split in parse
  • deps: cookie-signature@1.0.7
• 1.17.3 - 2022-05-11
  
  • Fix resaving already-saved new session at end of request
  • deps: cookie@0.4.2
• 1.17.2 - 2021-05-19
  
  • Fix res.end patch to always commit headers
  • deps: cookie@0.4.1
  • deps: safe-buffer@5.2.1

from express-session GitHub release notes

Commit messages

Package name: express

The new version differs by 250 commits.

• 8e229f9 4.21.1
• a024c8a fix(deps): cookie@0.7.1
• 7e562c6 4.21.0
• 1bcde96 fix(deps): qs@6.13.0 (#5946)
• 7d36477 fix(deps): serve-static@1.16.2 (#5951)
• 40d2d8f fix(deps): finalhandler@1.3.1
• 77ada90 Deprecate `"back"` magic string in redirects (#5935)
• 21df421 4.20.0
• 4c9ddc1 feat: upgrade to serve-static@0.16.0
• 9ebe5d5 feat: upgrade to send@0.19.0 (#5928)
• ec4a01b feat: upgrade to body-parser@1.20.3 (#5926)
• 54271f6 fix: don't render redirect values in anchor href
• 125bb74 path-to-regexp@0.1.10 (#5902)
• 2a980ad merge-descriptors@1.0.3 (#5781)
• a3e7e05 docs: specify new instructions for `question` and `discuss`
• c5addb9 deps: path-to-regexp@0.1.8 (#5603)
• e35380a docs: add @ IamLizu to the triage team (#5836)
• f5b6e67 docs: update scorecard link (#5814)
• 2177f67 docs: add OSSF Scorecard badge (#5436)
• f4bd86e Replace Appveyor windows testing with GHA (#5599)
• 2ec589c Fix Contributor Covenant link definition reference in attribution section (#5762)
• 4cf7eed remove minor version pinning from ci (#5722)
• 6d08471 📝 update people, add ctcpip to TC (#5683)
• 61421a8 skip QUERY tests for Node 21 only, still not supported (#5695)

See the full diff

Package name: express-session

The new version differs by 80 commits.

• bbeca94 1.18.1
• 341b179 dep: cookie@0.7.2 ([Snyk] Security upgrade node from 14.1.0 to 14.17.5 snyk-labs/nodejs-goof#997)
• 8f0a1c4 ci: add support for OSSF scorecard reporting ([Snyk-dev] Security upgrade node from 14.1.0 to 14.17.2 snyk-labs/nodejs-goof#984)
• 24d4972 1.18.0
• 855f21a docs: add connect-ottoman to the list of session stores
• 991b7ee Add debug log for pathname mismatch
• 408229e Add "partitioned" to cookie options
• 50e1429 build: Node.js@20.11
• 6153b3f build: Node.js@21.6
• 88e0f2e build: actions/checkout@v4
• d9354ef Fix handling errors from setting cookie
• f9f2318 docs: remove session-rethinkdb to the list of session stores
• 3ee08c4 Add "priority" to cookie options
• 71c3f74 docs: add connect-cosmosdb to the list of session stores
• 9d377c5 docs: add dynamodb-store-v3 to the list of session stores
• a1f884f docs: add @ cyclic.sh/session-store to the list of session stores
• e5f19ce docs: add note on length of secret
• 2a7a50b eslint@8.56.0
• a46e857 supertest@6.3.4
• 7dec651 build: Node.js@18.19
• 8e9f7a4 build: Node.js@20.10
• 6b7c9a0 build: Node.js@21.5
• 825e6c0 build: fix code coverage aggregate upload
• c1611ad build: actions/checkout@v3

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)