[Snyk] Fix for 10 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	584/1000 Why? Has a fix available, CVSS 7.4	Directory Traversal SNYK-JS-ADMZIP-1065796	No	No Known Exploit
	751/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-DUSTJSLINKEDIN-1089257	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	Yes	Proof of Concept
	741/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.4	DLL Injection SNYK-JS-KERBEROS-568900	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	899/1000 Why? Mature exploit, Has a fix available, CVSS 9.4	Arbitrary File Write via Archive Extraction (Zip Slip) npm:adm-zip:20180415	No	Mature
	644/1000 Why? Has a fix available, CVSS 8.6	Code Injection npm:dustjs-linkedin:20160819	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Cross-site Scripting (XSS) npm:marked:20150520	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Cross-site Scripting (XSS) npm:marked:20170112	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: adm-zip

The new version differs by 134 commits.

• c5aeed4 Incremented version number
• 119dcad Fixed path traversal issue GHSL-2020-198
• 1d22ff6 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#341 from 5saviahv/history
• 492d148 added changelog
• dd415ae Incremented version
• 0f011a3 Fixed outFileName
• bc19fee Added extra parameter to extractEntryTo so target filename can be renamed
• 92e9836 Updated dev dependency
• 2b8d9ab Merge pull request [Snyk-dev Update] New fixes for 54 vulnerable dependency paths snyk-labs/nodejs-goof#315 from enecciari/work_in_browser
• 4fe58d1 Merge pull request [Snyk-dev Update] New fixes for 14 vulnerable dependency paths snyk-labs/nodejs-goof#322 from cthackers/dependabot/npm_and_yarn/lodash-4.17.19
• 49218a4 Merge pull request [Snyk-dev Update] New fixes for 15 vulnerable dependency paths snyk-labs/nodejs-goof#327 from kosuke-suzuki/multibyte-comment
• a7e8932 Merge pull request [Snyk-dev] Fix for 65 vulnerable dependency paths snyk-labs/nodejs-goof#331 from 5saviahv/master
• 7db0eda modified addLocalFolder method
• e114929 typo
• dc81063 modified addLocalFile method
• bc0f594 Deflate needs min V2.0
• dde4f51 Node v6
• 003d4cf Added ZipCrypto decrypting ability
• 63ed6e2 Detect and throw error with encrypted files
• c64ac14 LICENSE filename in package.json
• 1a334b2 add multibyte-encoded comment with byte length instead of character length
• 96d492a Bump lodash from 4.17.15 to 4.17.19
• b77f380 now it works in browser
• 218feee Merge remote-tracking branch 'upstream/master'

See the full diff

Package name: express

The new version differs by 250 commits.

• ea3d605 4.15.5
• 40435ec deps: [email protected]
• 7137bf5 deps: [email protected]
• bd1672f deps: finalhandler@~1.0.6
• 9395db4 deps: [email protected]
• 19a2eeb tests: check render error without engine-specific message
• d7da225 build: [email protected]
• 961dbff deps: [email protected]
• 9e0fa7f deps: [email protected]
• 9e067ad deps: [email protected]
• de5fb62 deps: update example dependencies
• b208b24 build: [email protected]
• 78e5510 build: [email protected]
• 48817a7 build: remove minor pin for nightly
• a4bd437 4.15.4
• a50f109 deps: [email protected]
• e2d725e deps: [email protected]
• e006622 lint: remove all unused varaibles
• 44881fa docs: update collaborator guide for lint script
• 1dbaae5 deps: update example dependencies
• 56e90e3 lint: add eslint rules that cover editorconfig
• 713d2ae tests: fix incorrect should usage
• e0aa8bf build: [email protected]
• 85770a7 deps: finalhandler@~1.0.4

See the full diff

Package name: marked

The new version differs by 13 commits.

• 2a92083 Release 0.3.7
• 753a7bd 0.3.7
• 635e45c Merge pull request feat: add open redirect and xss vulns in code snyk-labs/nodejs-goof#960 from chjj/github-templates
• d24427e Add issue template
• 8f9d0b7 Merge pull request [Snyk-dev] Security upgrade npmconf from 0.0.24 to 1.0.1 snyk-labs/nodejs-goof#844 from chjj/data_link_fix
• cd2f6f5 added data: link fix to prevent xss
• 38f1727 Merge pull request [Snyk-local] Fix for 3 vulnerabilities snyk-labs/nodejs-goof#728 from nehero/patch-1
• eddec20 v0.3.6
• fd0d1a2 Merge pull request [Snyk] Fix for 3 vulnerable dependencies snyk-labs/nodejs-goof#592 from matt-/xss_html_entities
• 0fa05b6 Merge pull request [Snyk] Fix for 10 vulnerabilities #1 from rsp/fix/xss_html_entities_semicolon
• 31c7799 add optional semicolon in html entities regex
• 6470e8b Update readme example to reflect defaults
• 2cff859 added explicit matching for HTML entities to prevent XSS

See the full diff

Package name: mongoose

The new version differs by 35 commits.

• de88912 release 4.2.5
• fae7c94 fix; correctly handle changes in update hook (Fix #3549)
• 5e58d83 repro; #3549
• 68e394d fix; dont flatten empty arrays in updateValidators (Fix #3554)
• f0b0f61 repro; #3554
• 73de49c fix; proper support for .update(doc) (Fix #3221)
• b5329a1 repro; #3221
• 932cdbe upgrade; node driver -> 2.0.48 (re: #3544)
• 6ff39ef fix; unhandled rejection using Query.then() (Fix #3543)
• 8cccafb Merge pull request #3548 from ChristianMurphy/node-5
• 2ff09cc Merge pull request #3547 from ChristianMurphy/eslint-update
• 6d0df2f Test against Node 4 LTS and Node 5 Stable
• fc3f645 update ESLint and add a lint script to the package.json
• aac346a Update README examples to comma last style
• 352d80d fix; ability to use mongos for standalones (Fix #3537)
• 043c958 repro; #3537
• 4023f12 docs; fix bad connection string example
• a55fba7 fix; allow undefined for min/max validators (Fix #3539)
• cfc3194 repro; #3539
• a2a3b8b fix; issue with fix for #3535
• 171e694 docs; deep populate docs (Fix #3528)
• 0922d78 fix; call toObject() when setting single embedded schema to doc (Fix #3535)
• ce11be0 repro; #3535
• b3472ac fix; apply methods to single embedded schemas (Fix #3534)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal
🦉 Prototype Pollution
🦉 Code Injection
🦉 More lessons are available in Snyk Learn