[Snyk] Upgrade: cross-env, dotenv, express, express-mongo-sanitize, express-rate-limit, helmet, http-status, joi, moment, mongoose, nodemailer, passport, passport-jwt, pm2, swagger-ui-express, validator, winston, xss-clean

[MRdevX]

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

cross-env
from 7.0.2 to 7.0.3 | 1 version ahead of your current version | 4 years ago
on 2020-12-01
dotenv
from 8.2.0 to 8.6.0 | 5 versions ahead of your current version | 3 years ago
on 2021-05-05
express
from 4.17.1 to 4.19.2 | 9 versions ahead of your current version | 5 months ago
on 2024-03-25
express-mongo-sanitize
from 2.0.0 to 2.2.0 | 4 versions ahead of your current version | 3 years ago
on 2022-01-14
express-rate-limit
from 5.1.3 to 5.5.1 | 10 versions ahead of your current version | 3 years ago
on 2021-11-06
helmet
from 4.1.1 to 4.6.0 | 8 versions ahead of your current version | 3 years ago
on 2021-05-02
http-status
from 1.4.2 to 1.7.4 | 12 versions ahead of your current version | 7 months ago
on 2024-02-23
joi
from 17.3.0 to 17.13.3 | 33 versions ahead of your current version | 3 months ago
on 2024-06-19
moment
from 2.29.1 to 2.30.1 | 5 versions ahead of your current version | 8 months ago
on 2023-12-27
mongoose
from 5.10.11 to 5.13.22 | 68 versions ahead of your current version | 8 months ago
on 2024-01-02
nodemailer
from 6.4.14 to 6.9.14 | 36 versions ahead of your current version | 3 months ago
on 2024-06-19
passport
from 0.4.1 to 0.7.0 | 6 versions ahead of your current version | 9 months ago
on 2023-11-27
passport-jwt
from 4.0.0 to 4.0.1 | 1 version ahead of your current version | 2 years ago
on 2022-12-24
pm2
from 4.5.0 to 4.5.6 | 6 versions ahead of your current version | 3 years ago
on 2021-04-01
swagger-ui-express
from 4.1.4 to 4.6.3 | 10 versions ahead of your current version | a year ago
on 2023-05-05
validator
from 13.1.17 to 13.12.0 | 8 versions ahead of your current version | 4 months ago
on 2024-05-09
winston
from 3.3.3 to 3.14.2 | 20 versions ahead of your current version | 24 days ago
on 2024-08-14
xss-clean
from 0.1.1 to 0.1.4 | 3 versions ahead of your current version | a year ago
on 2023-06-02

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Command Injection SNYK-JS-VIZION-565230	586	Proof of Concept
	Prototype Pollution SNYK-JS-MQUERY-1050858	586	Proof of Concept
	Prototype Pollution SNYK-JS-MQUERY-1089718	586	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-NETMASK-1089716	586	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-NETMASK-6056519	586	Proof of Concept
	Command Injection SNYK-JS-NODEMAILER-1038834	586	Proof of Concept
	Code Injection SNYK-JS-LODASH-1040724	586	Proof of Concept
	Directory Traversal SNYK-JS-MOMENT-2440688	586	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	586	Proof of Concept
	Prototype Pollution SNYK-JS-MONGOOSE-2961688	586	Proof of Concept
	Prototype Pollution SNYK-JS-ASYNC-2441827	586	Proof of Concept
	Prototype Pollution SNYK-JS-ASYNC-2441827	586	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	586	Proof of Concept
	Improper Input Validation SNYK-JS-FOLLOWREDIRECTS-6141137	586	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	586	Proof of Concept
	Command Injection SNYK-JS-SYSTEMINFORMATION-1050436	586	Proof of Concept
	Command Injection SNYK-JS-SYSTEMINFORMATION-1074913	586	Mature
	Prototype Pollution SNYK-JS-MONGOOSE-5777721	586	Proof of Concept
	Uncontrolled resource consumption SNYK-JS-BRACES-6838727	586	Proof of Concept
	Prototype Poisoning SNYK-JS-QS-3153490	586	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	586	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	586	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	586	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	586	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	586	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	586	Proof of Concept
	HTTP Header Injection SNYK-JS-NODEMAILER-1296415	586	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-NODEMAILER-6219989	586	Proof of Concept
	Session Fixation SNYK-JS-PASSPORT-2840631	586	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	586	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	586	No Known Exploit
	Prototype Pollution SNYK-JS-MONGOOSE-1086688	586	Proof of Concept
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	586	Proof of Concept
	Denial of Service (DoS) SNYK-JS-SYSTEMINFORMATION-1073627	586	No Known Exploit
	Server-side Request Forgery (SSRF) SNYK-JS-SYSTEMINFORMATION-1078290	586	Proof of Concept
	Arbitrary Command Injection SNYK-JS-SYSTEMINFORMATION-1243748	586	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	586	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	586	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WORDWRAP-3149973	586	Proof of Concept
	Prototype Pollution SNYK-JS-SYSTEMINFORMATION-1043753	586	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	586	Proof of Concept
	Information Exposure SNYK-JS-MONGODB-5871303	586	No Known Exploit
	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	586	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	586	Proof of Concept
	Prototype Pollution SNYK-JS-MPATH-1577289	586	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-COLORSTRING-1082939	586	Proof of Concept
	Open Redirect SNYK-JS-EXPRESS-6474509	586	No Known Exploit
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	586	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SIDEWAYFORMULA-3317169	586	No Known Exploit
	Server-side Request Forgery (SSRF) SNYK-JS-SWAGGERUIDIST-6056393	586	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-SWAGGERUIEXPRESS-6815423	586	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-SWAGGERUIEXPRESS-6815424	586	Mature
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	586	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	586	Proof of Concept
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2396346	586	No Known Exploit
	Prototype Pollution SNYK-JS-SYSTEMINFORMATION-1047312	586	No Known Exploit
	Server-side Request Forgery (SSRF) SNYK-JS-SWAGGERUIDIST-2314884	586	Mature
	Improper Input Validation SNYK-JS-SYSTEMINFORMATION-1244526	586	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	586	Proof of Concept

Release notes

Package name: cross-env

• 7.0.3 - 2020-12-01
  

  7.0.3 (2020-12-01)

  Bug Fixes

  • add maintenance mode notice (fe80c84)
• 7.0.2 - 2020-03-05
  

  7.0.2 (2020-03-05)

  Reverts

  • Revert "fix: signal handling (#227)" (2a1f44c), closes #227

from cross-env GitHub release notes

Package name: dotenv

• 8.6.0 - 2021-05-05
  

  Show as 'added' in changelog

• 8.5.1 - 2021-05-05
  

  Bump version 8.5.1

• 8.5.0 - 2021-05-05
  

  Bump version 8.5.0

• 8.4.0 - 2021-05-05
  

  Point to types file for VS Code. Bump 8.4.0

• 8.3.0 - 2021-05-05
  

  Drop node 8 support

• 8.2.0 - 2019-10-16
  

  chore(release): 8.2.0

from dotenv GitHub release notes

Package name: express

• 4.19.2 - 2024-03-25
• 4.19.1 - 2024-03-20
  

  What's Changed

  • Fix ci after location patch by @ wesleytodd in #5552
  • fixed un-edited version in history.md for 4.19.0 by @ wesleytodd in #5556

  Full Changelog: 4.19.0...4.19.1

• 4.19.0 - 2024-03-20
  

  What's Changed

  • fix typo in release date by @ UlisesGascon in #5527
  • docs: nominating @ wesleytodd to be project captian by @ wesleytodd in #5511
  • docs: loosen TC activity rules by @ wesleytodd in #5510
  • Add note on how to update docs for new release by @ crandmck in #5541
  • Prevent open redirect allow list bypass due to encodeurl
  • Release 4.19.0 by @ wesleytodd in #5551

  New Contributors

  • @ crandmck made their first contribution in #5541

  Full Changelog: 4.18.3...4.19.0

• 4.18.3 - 2024-02-29
  

  Main Changes

  • Fix routing requests without method
  • deps: [email protected]
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: [email protected]

  Other Changes

  • Use https: protocol instead of deprecated git: protocol by @ vcsjones in #5032
  • build: [email protected] and [email protected] by @ abenhamdine in #5034
  • ci: update actions/checkout to v3 by @ armujahid in #5027
  • test: remove unused function arguments in params by @ raksbisht in #5124
  • Remove unused originalIndex from acceptParams by @ raksbisht in #5119
  • Fixed typos by @ raksbisht in #5117
  • examples: remove unused params by @ raksbisht in #5113
  • fix: parameter str is not described in JSDoc by @ raksbisht in #5130
  • fix: typos in History.md by @ raksbisht in #5131
  • build : add [email protected] by @ abenhamdine in #5028
  • test: remove unused function arguments in params by @ raksbisht in #5137
  • use random port in test so it won't fail on already listening by @ rluvaton in #5162
  • tests: use cb() instead of done() by @ kristof-low in #5233
  • examples: remove multipart example by @ riddlew in #5195
  • Update support Node.js@18 in the CI by @ UlisesGascon in #5490
  • Fix favicon-related bug in cookie-sessions example by @ DmytroKondrashov in #5414
  • Release 4.18.3 by @ UlisesGascon in #5505

  New Contributors

  • @ vcsjones made their first contribution in #5032
  • @ abenhamdine made their first contribution in #5034
  • @ armujahid made their first contribution in #5027
  • @ raksbisht made their first contribution in #5124
  • @ rluvaton made their first contribution in #5162
  • @ kristof-low made their first contribution in #5233
  • @ riddlew made their first contribution in #5195
  • @ DmytroKondrashov made their first contribution in #5414

  Full Changelog: 4.18.2...4.18.3

• 4.18.2 - 2022-10-08
  
  • Fix regression routing a large stack in a single route
  • deps: [email protected]
    • deps: [email protected]
    • perf: remove unnecessary object clone
  • deps: [email protected]
• 4.18.1 - 2022-04-29
  
  • Fix hanging on large stack of sync routes
• 4.18.0 - 2022-04-25
  
  • Add "root" option to res.download
  • Allow options without filename in res.download
  • Deprecate string and non-integer arguments to res.status
  • Fix behavior of null/undefined as maxAge in res.cookie
  • Fix handling very large stacks of sync middleware
  • Ignore Object.prototype values in settings through app.set/app.get
  • Invoke default with same arguments as types in res.format
  • Support proper 205 responses using res.send
  • Use http-errors for res.format error
  • deps: [email protected]
    • Fix error message for json parse whitespace in strict
    • Fix internal error when inflated body exceeds limit
    • Prevent loss of async hooks context
    • Prevent hanging when request already read
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
  • deps: [email protected]
    • Add priority option
    • Fix expires option to reject invalid dates
  • deps: [email protected]
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: [email protected]
    • Remove set content headers that break response
    • deps: [email protected]
    • deps: [email protected]
  • deps: [email protected]
    • Prevent loss of async hooks context
  • deps: [email protected]
  • deps: [email protected]
    • Fix emitted 416 error missing headers property
    • Limit the headers removed for 304 response
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
  • deps: [email protected]
    • deps: [email protected]
  • deps: [email protected]
    • Remove code 306
    • Rename 425 Unordered Collection to standard 425 Too Early
• 4.17.3 - 2022-02-17
  
  • deps: accepts@~1.3.8
    • deps: mime-types@~2.1.34
    • deps: [email protected]
  • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
    • Fix handling of __proto__ keys
  • pref: remove unnecessary regexp for trust proxy
• 4.17.2 - 2021-12-17
  
  • Fix handling of undefined in res.jsonp
  • Fix handling of undefined when "json escape" is enabled
  • Fix incorrect middleware execution with unanchored RegExps
  • Fix res.jsonp(obj, status) deprecation message
  • Fix typo in res.is JSDoc
  • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • deps: type-is@~1.6.18
  • deps: [email protected]
    • deps: [email protected]
  • deps: [email protected]
    • Fix maxAge option to reject invalid values
  • deps: proxy-addr@~2.0.7
    • Use req.socket over deprecated req.connection
    • deps: [email protected]
    • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
    • deps: [email protected]
    • deps: [email protected]
    • pref: ignore empty http tokens
  • deps: [email protected]
    • deps: [email protected]
  • deps: [email protected]
• 4.17.1 - 2019-05-26

from express GitHub release notes

Package name: express-mongo-sanitize

• 2.2.0 - 2022-01-14
  

  Added

  • New config option:
    • allowDots boolean: if set, allows dots in the user-supplied data #41

  Fixed

  • Prevent null pointer exception when using dryRun option #88
• 2.1.0 - 2021-05-11
  

  Added

  • New config options:
    • onSanitize callback: this will be called after the request's value was sanitized, with two named parameters: the key that was sanitized, and the raw req object.
    • dryRun boolean: if set, sanitization will not take place. Useful when combined with onSanitize to report on the keys which would have been sanitized.
  • TypeScript types
  • Official support for node v16.
• 2.0.2 - 2021-01-07
  

  Fixed

  • Fixed a prototype pollution security vulnerability. #34

  Updated

  • Update dependencies.
• 2.0.1 - 2020-12-02
  

  Updated

  • Update dependencies and test against node 14.

  Changed

  • Use ESLint instead of JSHint for code linting.
  • Use GitHub Actions for CI instead of Travis.
• 2.0.0 - 2020-03-25
  

  Added / Breaking

  • Support sanitization of headers. #5

  Note that if you weren't previously expecting headers to be sanitized, this is considered a breaking change.

  Breaking

  • Drop support for node versions < 10.

from express-mongo-sanitize GitHub release notes

Package name: express-rate-limit

• 5.5.1 - 2021-11-06
  

  5.5.1

• 5.5.0 - 2021-10-12
  

  5.5.0

• 5.4.1 - 2021-10-05
  

  5.4.1

• 5.4.0 - 2021-10-01
  

  5.4.0

• 5.3.0 - 2021-07-01
  

  5.3.0

• 5.2.6 - 2021-02-17
  

  5.2.6

• 5.2.5 - 2021-02-08
  

  5.2.5

• 5.2.3 - 2020-11-19
  

  5.2.3

• 5.2.2 - 2020-11-19
  

  5.2.2

• 5.2.1 - 2020-11-19
  

  5.2.1

• 5.1.3 - 2020-04-29

from express-rate-limit GitHub release notes

Package name: helmet

• 4.6.0 - 2021-05-02
  

  4.6.0

• 4.5.0 - 2021-04-17
  

  4.5.0

• 4.5.0-rc.1 - 2021-04-04
  

  v4.5.0-rc.1

• 4.4.1 - 2021-01-18
  

  4.4.1

• 4.4.0 - 2021-01-18
  

  4.4.0

• 4.3.1 - 2020-12-27
  

  4.3.1

• 4.3.0 - 2020-12-27
  

  4.3.0

• 4.2.0 - 2020-11-01
  

  4.2.0

• 4.1.1 - 2020-09-10
  

  4.1.1

from helmet GitHub release notes

Package name: http-status

• 1.7.4 - 2024-02-23
  

  chore(release): 1.7.4

• 1.7.3 - 2023-10-17
  

  chore(release): 1.7.3

• 1.7.2 - 2023-10-17
  

  chore(release): 1.7.2

• 1.7.1 - 2023-10-17
  

  chore(release): 1.7.1

• 1.7.0 - 2023-09-04
  

  chore(release): 1.7.0

• 1.6.2 - 2023-01-10
  

  chore(release): 1.6.2

• 1.6.1 - 2023-01-01
  

  chore(release): 1.6.1

• 1.6.0 - 2023-01-01
  

  chore(release): 1.6.0

• 1.5.3 - 2022-09-07
  

  chore(release): 1.5.3

• 1.5.2 - 2022-05-06
  

  chore(release): 1.5.2

• 1.5.1 - 2022-04-14
• 1.5.0 - 2020-11-16
• 1.4.2 - 2019-12-04

from http-status GitHub release notes

Package name: joi

• 17.13.3 - 2024-06-19
  

  17.13.3

• 17.13.2 - 2024-06-19
  

  17.13.2

• 17.13.1 - 2024-05-02
  

  17.13.1

• 17.13.0 - 2024-04-23
  

  17.13.0

• 17.12.3 - 2024-04-03
  

  17.12.3

• 17.12.2 - 2024-02-21
  

  17.12.2

• 17.12.1 - 2024-01-29
  

  17.12.1

• 17.12.0 - 2024-01-17
  

  17.12.0

• 17.11.1 - 2024-01-15
  

  17.11.1

• 17.11.0 - 2023-10-04
• 17.10.2 - 2023-09-17
• 17.10.1 - 2023-08-31
• 17.10.0 - 2023-08-27
• 17.9.2 - 2023-04-24
• 17.9.1 - 2023-03-21
• 17.9.0 - 2023-03-20
• 17.8.4 - 2023-03-14
• 17.8.3 - 2023-02-21
• 17.8.2 - 2023-02-21
• 17.8.1 - 2023-02-19
• 17.8.0 - 2023-02-19
• 17.7.1 - 2023-02-10
• 17.7.0 - 2022-11-01
• 17.6.4 - 2022-10-22
• 17.6.3 - 2022-10-11
• 17.6.2 - 2022-09-29
• 17.6.1 - 2022-09-22
• 17.6.0 - 2022-01-26
• 17.5.0 - 2021-12-02
• 17.4.3 - 2021-12-01
• 17.4.2 - 2021-08-01
• 17.4.1 - 2021-07-11
• 17.4.0 - 2021-02-08
• 17.3.0 - 2020-10-24

from joi GitHub release notes

Package name: moment

• 2.30.1 - 2023-12-27
  

  2.30.1

• 2.30.0 - 2023-12-26
  

  2.30.0

• 2.29.4 - 2022-07-06
  

  2.29.4

• 2.29.3 - 2022-04-17
  

  2.29.3

• 2.29.2 - 2022-04-03
  

  2.29.2

• 2.29.1 - 2020-10-06
  

  2.29.1

from moment GitHub release notes

Package name: mongoose

• 5.13.22 - 2024-01-02
• 5.13.21 - 2023-10-19
• 5.13.20 - 2023-07-12
• 5.13.19 - 2023-06-22
• 5.13.18 - 2023-06-22
• 5.13.17 - 2023-04-04
• 5.13.16 - 2023-02-20
• 5.13.15 - 2022-08-22
• 5.13.14 - 2021-12-27
• 5.13.13 - 2021-11-02
• 5.13.12 - 2021-10-19
• 5.13.11 - 2021-10-12
• 5.13.10 - 2021-10-05
• 5.13.9 - 2021-09-06
• 5.13.8 - 2021-08-23
• 5.13.7 - 2021-08-11
• 5.13.6 - 2021-08-09
• 5.13.5 - 2021-07-30
• 5.13.4 - 2021-07-28
• 5.13.3 - 2021-07-16
• 5.13.2 - 2021-07-03
• 5.13.1 - 2021-07-02
• 5.13.0 - 2021-06-28
• 5.12.15 - 2021-06-25
• 5.12.14 - 2021-06-15
• 5.12.13 - 2021-06-04
• 5.12.12 - 2021-05-28
• 5.12.11 - 2021-05-24
• 5.12.10 - 2021-05-18
• 5.12.9 - 2021-05-13
• 5.12.8 - 2021-05-10
• 5.12.7 - 2021-04-29
• 5.12.6 - 2021-04-27
• 5.12.5 - 2021-04-19
• 5.12.4 - 2021-04-15
• 5.12.3 - 2021-03-31
• 5.12.2 - 2021-03-22
• 5.12.1 - 2021-03-18
• 5.12.0 - 2021-03-11
• 5.11.20 - 2021-03-11
• 5.11.19 - 2021-03-05
• 5.11.18 - 2021-02-23
• 5.11.17 - 2021-02-17
• 5.11.16 - 2021-02-12
• 5.11.15 - 2021-02-03
• ...