
[Snyk] Fix for 5 vulnerabilities #351

Open
wants to merge 1 commit into base: master


@snyk-bot snyk-bot commented May 9, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

    • package.json
  • Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.

Vulnerabilities that will be fixed

With an upgrade:

Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity
low severity | 506/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 3.7) | Regular Expression Denial of Service (ReDoS), npm:debug:20170905 | Yes | Proof of Concept
low severity | 506/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 3.7) | Regular Expression Denial of Service (ReDoS), npm:eslint:20180222 | Yes | Proof of Concept
high severity | 579/1000 (Why? Has a fix available, CVSS 7.3) | Prototype Pollution, npm:extend:20180424 | Yes | No Known Exploit
high severity | 589/1000 (Why? Has a fix available, CVSS 7.5) | Regular Expression Denial of Service (ReDoS), npm:fresh:20170908 | No | No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: body-parser. The new version differs by 92 commits.

Package name: compression. The new version differs by 46 commits.

Package name: debug. The new version differs by 154 commits.
  • 13abeae Release 2.6.9
  • f53962e remove ReDoS regexp in %o formatter (#504)
  • 52e1f21 Release 2.6.8
  • 2482e08 Check for undefined on browser globals (#462)
  • 6bb07f7 release 2.6.7
  • 15850cb Fix Regular Expression Denial of Service (ReDoS)
  • 4a6c85c update "debug" to v1.0.0 (#454)
  • b68dbf8 Fix typo (#455)
  • 1351d2f Inline extend function in node implementation (#452)
  • c211947 update version for component
  • 14df14c release 2.6.5
  • cae07b7 cleanup browser tests and fix null reference check on window.documentElement.style.WebkitAppearance (#447)
  • f311b10 release 2.6.4
  • 1f01b70 Fix bug that would occur if process.env.DEBUG is a non-string value. (#444)
  • 2f3ebf4 Update CHANGELOG.md
  • f5ae332 Update CHANGELOG.md
  • 9742c5f chore(): ignore bower.json in npm installations. (#437)
  • 27d93a3 update "debug" to v0.7.3
  • 9dc30f8 release 2.6.3
  • 0fb8ea4 LocalStorage returns undefined for any key not present (#431)
  • ce4d93e changelog fix
  • 017a9d6 release 2.6.2
  • 23bc780 fix DEBUG_MAX_ARRAY_LENGTH
  • 065cbfb Add backers and sponsors from Open Collective (#422)


Package name: eslint. The new version differs by 250 commits.
  • 22ff6f3 4.18.2
  • 817b84b Build: changelog update for 4.18.2
  • 6b71fd0 Fix: [email protected], because 4.0.3 needs "ajv": "^6.0.1" (#10022)
  • 3c697de Chore: fix incorrect comment about linter.verify return value (#10030)
  • 9df8653 Chore: refactor parser-loading out of linter.verify (#10028)
  • f6901d0 Fix: remove catastrophic backtracking vulnerability (fixes #10002) (#10019)
  • e4f52ce Chore: Simplify dataflow in linter.verify (#10020)
  • 33177cd Chore: make library files non-executable (#10021)
  • 558ccba Chore: refactor directive comment processing (#10007)
  • 18e15d9 Chore: avoid useless catch clauses that just rethrow errors (#10010)
  • a1c3759 Chore: refactor populating configs with defaults in linter (#10006)
  • aea07dc Fix: Make max-len ignoreStrings ignore JSXText (fixes #9954) (#9985)
  • 8c237d8 4.18.1
  • 537b5c3 Build: changelog update for 4.18.1
  • f417506 Fix: ensure no-await-in-loop reports the correct node (fixes #9992) (#9993)
  • 3e99363 Docs: Fixed typo in key-spacing rule doc (#9987)
  • 7c2cd70 Docs: deprecate experimentalObjectRestSpread (#9986)
  • 883a2a2 4.18.0
  • 89d55ca Build: changelog update for 4.18.0
  • 70f22f3 Chore: Apply memoization to config creation within glob utils (#9944)
  • 0e4ae22 Update: fix indent bug with binary operators/ignoredNodes (fixes #9882) (#9951)
  • 47ac478 Update: add named imports and exports for object-curly-newline (#9876)
  • e8efdd0 Fix: support Rest/Spread Properties (fixes #9885) (#9943)
  • f012b8c Fix: support Async iteration (fixes #9891) (#9957)


Package name: express. The new version differs by 147 commits.

Package name: express-session. The new version differs by 80 commits.

Package name: helmet. The new version differs by 67 commits.
  • c2d0810 3.8.2
  • 3da2f55 Update changelog for 3.8.2 release
  • 35e7d97 Update connect to 3.6.5
  • 5587ecc 3.8.1
  • 3b95345 Prepare for 3.8.1 release
  • 3ca8991 3.8.0
  • 33fff29 Update to [email protected]
  • 146594f 3.7.0
  • 39b7f11 Update changelog for 3.7.0 release
  • d46443a Update helmet-csp to 2.5.0
  • fb407df Update security reporting instructions
  • f6270e3 Minor: fix typo in test description
  • 0624fea Update changelog for incorrect usage change
  • 35a247f Update error message when doing `app.use(helmet)`
  • 4ecf148 Add a test when called directly
  • e213d87 warn if a helmet constructor is used directly as handler
  • 7255042 Travis: test on Node 8
  • d09b414 Add some useless Markdown files to npmignore
  • d5dce64 Minor: move default middleware definition into index.js
  • 267ac75 Use `--fix` flag with Standard to auto-fix errors
  • 64e815b Minor: clean up main function for clarity
  • f034913 Update Sinon and Standard
  • 60db9c5 3.6.1
  • 621ff8f Update changelog for 3.6.1 release


Package name: mongoose. The new version differs by 250 commits.
  • c86ef79 chore: release 4.11.14
  • 0165e5f chore: bump lockfile and add back nsp re: #5658
  • 07e62be fix(populate): automatically select() populated()-ed fields
  • cc6e489 test(populate): repro #5669
  • 4be7d79 chore: remove nsp for now
  • 5ab6726 chore: run nsp after test
  • 2b4435d Merge pull request #5679 from hairyhenderson/add-nsp-check-in-ci
  • bf6ef00 Merge pull request #5675 from jonathanprl/patch-1
  • 5332ab6 chore: use ~
  • 48ca046 Adding nsp check to the CI build
  • f9e0525 fix(connection): make force close work as expected
  • 0e5fc39 test(connection): repro #5664
  • e8f0055 Update mquery dependency
  • 4875dbe fix(model): make `init()` public and return a promise that resolves when indexes are done building
  • 3f17393 fix(document): treat $elemMatch as inclusive projection
  • a7a5621 test(document): repro #5661
  • c79d48e docs(model/query): clarify which functions fire which middleware
  • 635f07f chore: now working on 4.11.14
  • cc32e59 Merge branch 'master' of github.com:Automattic/mongoose
  • 96e06b7 chore: release 4.11.13
  • cc52ec0 Merge pull request #5665 from sime1/master
  • ab9ba7c test: add coverage for #5656
  • 52ed14f Merge pull request #5656 from zipp3r/master
  • a872591 fix(query): avoid throwing cast error for strict: throw with nested id in query


Package name: socket.io. The new version differs by 46 commits.
  • a10dc8d [chore] Release 2.0.2
  • 2b21690 [fix] Fix timing issues with middleware (#2948)
  • 832b8fc [chore] Release 2.0.1
  • a005690 [fix] Update path of client file (#2934)
  • 3367eaa [chore] Release 2.0.0
  • 6c0705f [docs] Add an example of custom parser (#2929)
  • 1980fb4 [chore] Merge history of 1.7.x and 0.9.x branches (#2930)
  • 0d07c47 [chore] Added backers and sponsors on the README (#2933)
  • a086588 [chore] Bump dependencies (#2926)
  • 87b06ad [feat] Move binary detection to the parser (#2923)
  • 199eec6 [docs] Replace non-breaking space with proper whitespace (#2913)
  • f1b39a6 [docs] Update emit cheatsheet (#2906)
  • 240b154 [docs] Explicitly document that Server extends EventEmitter (#2874)
  • c5b7738 [docs] Add server.engine.generateId attribute (#2880)
  • 03f3bc9 [docs] Fix wrong space character in README (#2900)
  • e40accf [docs] Fix documentation for 'connect' event (#2898)
  • 01a4623 [feat] Allow to join several rooms at once (#2879)
  • 2d5b002 [docs] Add webpack build example (#2828)
  • 5ae06e6 [chore] Bump socket.io-adapter to version 1.0.0 (#2867)
  • 4d8f68c [chore] Bump engine.io to version 2.0.2 (#2864)
  • 5b79ab1 [docs] Update the wording to match the code example (#2853)
  • 54ff591 [feature] Merge Engine.IO and Socket.IO handshake packets (#2833)
  • e1facd5 [docs] Small addition to the Express Readme Part (#2846)
  • 3b92cc2 [feature] Allow the use of custom parsers (#2829)


Package name: superagent. The new version differs by 106 commits.
  • fda9b5e v2.0.0
  • 2429a1e 2.0.0-alpha.3
  • 2ae9281 Catch errors thrown during end event
  • 536e9a6 Merge pull request #989 from focusaurus/doc-electron-browser
  • d0c57f1 document browser version in electron
  • b3ef32c Merge pull request #981 from visionmedia/pipeevents
  • b24ab0b Emit response event when piping
  • 8ae7380 Exclude bower.json from npm to avoid generating a confusing package
  • 6b0e527 Alpha 2
  • b47a011 Backwards compatibility with superagent-mock
  • 984fbc6 Merge remote-tracking branch 'origin/headredirects'
  • d351b1c Skip redirect test that exposes bug in IE
  • 94f6f0a Merge pull request #974 from visionmedia/formserialize
  • 6ff9350 Browsers are broken
  • 1d8dc66 Localtunnel timeouts
  • 61401a7 Fix #669
  • 93a1cef Move method
  • e302db1 Split test
  • 62a077b Reused server for redirect tests
  • b29520d Catch assertion errors to report them properly
  • d7c3daa Redundant
  • 781580f Moved tests
  • 4ecd3f0 Serialize nested objects same way as node
  • 2097cd2 Lint


With a Snyk patch:

Severity | Priority Score (*) | Issue | Exploit Maturity
low severity | 506/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 3.7) | Regular Expression Denial of Service (ReDoS), npm:debug:20170905 | Proof of Concept
high severity | 579/1000 (Why? Has a fix available, CVSS 7.3) | Prototype Pollution, npm:extend:20180424 | No Known Exploit
medium severity | 576/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.1) | Uninitialized Memory Exposure, npm:tunnel-agent:20170305 | Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
  • 🧐 View latest project report
  • 🛠 Adjust project settings
  • 📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:
  • 🦉 Regular Expression Denial of Service (ReDoS)
  • 🦉 Prototype Pollution
