[Snyk-dev] Fix for 100 vulnerabilities

[schottsfired]

Snyk has created this PR to fix 100 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• package.json
• package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Prototype Pollution SNYK-JS-LODASH-567746	****
	Prototype Pollution SNYK-JS-LODASH-608086	****
	Prototype Pollution SNYK-JS-LODASH-73638	****
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	****
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-174116	****
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073	****
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082	****
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451540	****
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-584281	****
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	****
	Prototype Pollution SNYK-JS-MINIMIST-2429795	****
	Prototype Pollution SNYK-JS-MINIMIST-559764	****
	Prototype Pollution SNYK-JS-MIXINDEEP-450212	****
	Directory Traversal SNYK-JS-MOMENT-2440688	****
	Denial of Service (DoS) SNYK-JS-MONGODB-473855	****
	Prototype Pollution SNYK-JS-MONGOOSE-1086688	****
	Prototype Pollution SNYK-JS-MONGOOSE-2961688	****
	Information Exposure SNYK-JS-MONGOOSE-472486	****
	Prototype Pollution SNYK-JS-MPATH-1577289	****
	Prototype Pollution SNYK-JS-MQUERY-1050858	****
	Prototype Pollution SNYK-JS-MQUERY-1089718	****
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	****
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-13271681	****
	Prototype Pollution SNYK-JS-SETVALUE-1540541	****
	Prototype Pollution SNYK-JS-SETVALUE-450213	****
	Prototype Pollution SNYK-JS-TYPEORM-590152	****
	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	****
	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	****
	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	****
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	****
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	****
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	****
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	****
	Prototype Pollution SNYK-JS-Y18N-1021887	****
	Prototype Pollution SNYK-JS-YARGSPARSER-560381	****
	Arbitrary File Write via Archive Extraction (Zip Slip) npm:adm-zip:20180415	899
	Denial of Service (DoS) SNYK-JS-DICER-2311764	761
	Uninitialized Memory Exposure npm:npmconf:20180512	756
	Prototype Pollution SNYK-JS-DUSTJSLINKEDIN-1089257	751
	Cross-site Scripting (XSS) SNYK-JS-JQUERY-565129	744
	DLL Injection SNYK-JS-KERBEROS-568900	741
	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	726
	Cross-site Scripting (XSS) SNYK-JS-JQUERY-567880	711
	Prototype Pollution SNYK-JS-HANDLEBARS-534988	704
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	696
	Prototype Pollution SNYK-JS-EXPRESSFILEUPLOAD-595969	696
	Regular Expression Denial of Service (ReDoS) npm:marked:20180225	696
	Prototype Pollution SNYK-JS-INI-1048974	686
	Prototype Pollution SNYK-JS-LODASH-450202	686
	Command Injection SNYK-JS-LODASH-1040724	681
	Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767	671
	Prototype Pollution SNYK-JS-JQUERY-174006	666
	Cross-site Scripting (XSS) npm:marked:20150520	654
	Prototype Pollution SNYK-JS-HANDLEBARS-567742	646
	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	644
	Code Injection npm:dustjs-linkedin:20160819	644
	Open Redirect npm:st:20171013	644
	Remote Memory Exposure npm:mongoose:20160116	641
	Prototype Pollution npm:lodash:20180130	636
	Prototype Pollution SNYK-JS-AJV-584908	619
	Arbitrary Code Execution SNYK-JS-HANDLEBARS-534478	619
	Arbitrary Code Execution npm:ejs:20161128	619
	Prototype Pollution SNYK-JS-HANDLEBARS-1279029	601
	Directory Traversal SNYK-JS-ASYNC-12239908	589
	Denial of Service (DoS) SNYK-JS-EXPRESSFILEUPLOAD-473997	589
	Denial of Service (DoS) SNYK-JS-FILETYPE-2958042	589
	Denial of Service (DoS) SNYK-JS-HANDLEBARS-480388	589
	Denial of Service (DoS) SNYK-JS-LODASH-12239302	589
	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	589
	Cross-site Scripting (XSS) npm:marked:20170112	589
	Cross-site Scripting (XSS) npm:marked:20170815	589
	Regular Expression Denial of Service (ReDoS) npm:marked:20170907	589
	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	589
	Prototype Override Protection Bypass npm:qs:20170213	589
	Regular Expression Denial of Service (ReDoS) SNYK-JS-HOSTEDGITINFO-1088355	586
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	586
	Directory Traversal npm:st:20140206	586
	Directory Traversal SNYK-JS-ADMZIP-1065796	584
	Prototype Pollution SNYK-JS-HANDLEBARS-173692	579
	Prototype Pollution SNYK-JS-HANDLEBARS-174183	579
	Prototype Pollution SNYK-JS-HANDLEBARS-469063	579
	Regular Expression Denial of Service (ReDoS) SNYK-JS-DEBUG-13283909	559
	Alternate solution to CWE-1333	Inefficient Regular Expression Complexity SNYK-JS-DEBUG-14214893
	Arbitrary Code Injection SNYK-JS-EJS-1049328	526
	Cross-site Scripting (XSS) npm:ejs:20161130	509
	Denial of Service (DoS) npm:ejs:20161130-1	509
	Regular Expression Denial of Service (ReDoS) npm:moment:20161019	509
	Validation Bypass SNYK-JS-KINDOF-537849	506
	Cross-site Scripting (XSS) npm:jquery:20150627	484
	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	479
	Regular Expression Denial of Service (ReDoS) npm:semver:20150403	479
	Cross-site Scripting (XSS) SNYK-JS-COLORNAME-17614999	469
	Denial of Service (DoS) npm:mem:20180117	469
	Cross-site Scripting (XSS) npm:marked:20170815-1	454
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	436
	Reverse Tabnabbing SNYK-JS-ISTANBULREPORTS-2328088	429
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	399
	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	399
	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	399
	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	399

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal
🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn

[amazon-inspector-n-virginia]

⏳ I'm reviewing this pull request for security vulnerabilities and code quality issues. I'll provide an update when I'm done

[amazon-inspector-n-virginia]

Description: body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.

Relevant link: GHSA-qwcr-r2fm-qrc7

Severity: High

[amazon-inspector-n-virginia]

Description: moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Relevant link: GHSA-wc69-rhjr-hc9g

Severity: High

[amazon-inspector-n-virginia]

Description: An arbitrary file write vulnerability in Express-FileUpload v1.3.1 allows attackers to upload multiple files with the same name, causing an overwrite of files in the web application server.

Relevant link: GHSA-w4m6-x6c2-j5c9

Severity: High

[amazon-inspector-n-virginia]

✅ I finished the code review, and left comments with the issues I found.

[schottsfired]

⛔ Snyk checks have failed. 5 issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (5)
⛔	Open Source Security	0	1	3	1	5 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.