[Snyk] Fix for 29 vulnerabilities

[hajjiTarik]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	584/1000 Why? Has a fix available, CVSS 7.4	Authorization Bypass SNYK-JS-EXPRESSJWT-575022	Yes	No Known Exploit
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	Yes	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	454/1000 Why? Has a fix available, CVSS 4.8	Session Fixation SNYK-JS-PASSPORT-2840631	No	No Known Exploit
	791/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.4	SQL Injection SNYK-JS-SEQUELIZE-2932027	Yes	Proof of Concept
	564/1000 Why? Has a fix available, CVSS 7	SQL Injection SNYK-JS-SEQUELIZE-2959225	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	SQL Injection SNYK-JS-SEQUELIZE-450221	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	SQL Injection SNYK-JS-SEQUELIZE-459751	No	Proof of Concept
	550/1000 Why? Has a fix available, CVSS 6.5	Denial of Service (DoS) SNYK-JS-SEQUELIZE-543029	No	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-536840	Yes	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Arbitrary Code Injection SNYK-JS-SERIALIZEJAVASCRIPT-570062	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SQLITE3-2388645	Yes	Proof of Concept
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) npm:react-dom:20180802	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: express-jwt

The new version differs by 13 commits.

• 678f3b0 6.0.0
• 7ecab5f Merge pull request from GHSA-6g6m-m6h5-w9gf
• 304a1c5 Made algorithms mandatory
• e9ed6d2 5.3.3
• 8662579 Make clearer sections in the Readme
• d3e86bf Update README.md
• c5d8419 Add a note about OAuth2 bearer tokens
• 888f0e9 Update Readme and use a consistent JS style for code examples
• 6591014 5.3.2
• f4f4d1d fix license field
• 1789282 fix dependencies vulnerabilities and test against 8, 10 and 12 from now on
• 5766a24 Merge pull request only render a component on client-side kriasoft/react-starter-kit#186 from auth0/jwt_update
• 11f3ac4 Update jsonwebtoken dependency to 8.1.0

See the full diff

Package name: node-fetch

The new version differs by 240 commits.

• 1ef4b56 backport of Transfer of cookies between the client and the server. kriasoft/react-starter-kit#1449 (Not working from safari 8.3 kriasoft/react-starter-kit#1453)
• 8fe5c4e 2.x: Specify encoding as an optional peer dependency in package.json (Add stylelint-order; remove stylefmt in favor of stylelint --fix kriasoft/react-starter-kit#1310)
• f56b0c6 fix(URL): prefer built in URL version when available and fallback to whatwg (Made an ESLint service using the React Starter Kit kriasoft/react-starter-kit#1352)
• b5417ae fix: import whatwg-url in a way compatible with ESM Node (Adding Dataloader, PersonType, and some data to test it. kriasoft/react-starter-kit#1303)
• 18193c5 fix v2.6.3 that did not sending query params (Include correct userAgent in server for react server-side rendering kriasoft/react-starter-kit#1301)
• ace7536 fix: properly encode url with unicode characters (Invariant Violation: Could not find "store" in either the context or props of "Connect(App)". Either wrap the root component in a <Provider>, or explicitly pass "store" as a prop to "Connect(App)". kriasoft/react-starter-kit#1291)
• 152214c Fix(package.json): Corrected main file path in package.json (Flexboxgrid media rules doesn't import globally from react-starter-kit kriasoft/react-starter-kit#1274)
• b5e2e41 update version number
• 2358a6c Honor the `size` option after following a redirect and revert data uri support
• 8c197f8 docs: Fix typos and grammatical errors in README.md (Add static content intl(locale) support kriasoft/react-starter-kit#686)
• 1e99050 fix: Change error message thrown with redirect mode set to error ([feature/react-intl] Extract description into messages files kriasoft/react-starter-kit#653)
• 244e6f6 docs: Show backers in README
• 6a5d192 fix: Properly parse meta tag when parameters are reversed (How can I add a class of active to the Link component? kriasoft/react-starter-kit#682)
• 47a24a0 chore: Add opencollective badge
• 7b13662 chore: Add funding link
• 5535c2e fix: Check for global.fetch before binding it (Update Starter kit to Relay 0.9? kriasoft/react-starter-kit#674)
• 1d5778a docs: Add Discord badge
• eb3a572 feat: Data URI support (Feature/docker kriasoft/react-starter-kit#659)
• 086be6f Remove --save option as it isn't required anymore (npm ERR! peer dep missing when install the latest version kriasoft/react-starter-kit#581)
• 95286f5 v2.6.0 ([feature/react-intl] Store current language in cookie kriasoft/react-starter-kit#638)
• bf8b4e8 Allow agent option to be a function ([fix] Linter Error fixed kriasoft/react-starter-kit#632)
• 0c2294e 2.5.0 release (Styles are not applied after. kriasoft/react-starter-kit#630)
• 0fc414c Allow third party blob implementation (how do i use browsersync with a reverse proxy kriasoft/react-starter-kit#629)
• d8f5ba0 build: disable generation of package-lock since it is not used (Create how-to-add-new-language.md kriasoft/react-starter-kit#623)

See the full diff

Package name: passport

The new version differs by 126 commits.

• c33067b 0.6.0
• 3052bb4 Update changelog.
• 42630cb Merge pull request Use location.reload() when client-side routing error occur kriasoft/react-starter-kit#900 from jaredhanson/fix-fixation
• 8dd79fe Use utils-merge rather than Object.assign for compatibility.
• 4f6bd5b Change keepSessionData to keepSessionData.
• 46756e5 Silence verbose logging.
• 987b191 Add tests.
• f8a175f Add tests.
• 29a90d6 No need to guard callback existence.
• bfba8a1 Add tests.
• 17111d7 Add option to keep session data on logout.
• a349c2b Add option to keep session data.
• e69834e Add optional options to login and logout.
• 8825a9a Add tests.
• c1991cf Add tests.
• 294f22c Better session detection and exceptions.
• 80cc4e3 Add tests.
• 3001654 Add tests.
• b395106 Clean up tests.
• cfa8259 Add tests.
• ee0bf81 Add tests.
• cc7606c Add tests.
• 71c54f6 Add test.
• 88c1f1b Handle logout without session manager.

See the full diff

Package name: prop-types

The new version differs by 23 commits.

• fa6fbb7 15.6.2
• 5115f5c Merge pull request Jade implementation kriasoft/react-starter-kit#180 from jaller94/master
• 2ac742c Merge pull request Fix errors in README.md kriasoft/react-starter-kit#171 from barrymichaeldoyle/master
• a7a5a64 Merge pull request update docs caused by React Library => separate fbjs. kriasoft/react-starter-kit#194 from facebook/no-fbjs
• d6c9c5c Preserve "Invariant Violation" name
• 07d1b47 Remove fbjs dependency
• 3c99d57 Remove trailing spaces
• a36cda8 Move explanation of `isRequired` and show it in `PropTypes.shape`
• ba3da12 Show that shapes can have required properties
• 2bde8eb Add example for `PropTypes.exact`
• d65f80e Updated vars to consts and lets in PropTypesProductionStandalone-test.js
• c10c93f Updated vars to consts and lets in PropTypesDevelopmentStandalone-test.js
• 8e2b34e Updated vars to consts and lets in PropTypesDevelopmentReact15.js
• c5527c8 Updated vars with consts and lets in PropTypesProductionReact15-test.js
• 7cc8c81 Add 15.6.1 to CHANGELOG
• 5df7296 15.6.1
• b7d03ce Point readme to correct docs for production builds (is it possible to run with forever kriasoft/react-starter-kit#153)
• a94243f Update the repository location (Remove Protractor dependency kriasoft/react-starter-kit#148)
• 77c62a7 Fix failing tests (error "WithContext" is not defined no-undef kriasoft/react-starter-kit#129)
• 644844c Merge pull request Removed unnecessary page load at client boot kriasoft/react-starter-kit#140 from flarnie/master
• 0b5db12 Add `CODE_OF_CONDUCT`
• a6900f0 Add CONTRIBUTING.md
• 492e230 Update README.md with improved importing for CDNs (Cannot find module? kriasoft/react-starter-kit#104)

See the full diff

Package name: sequelize

The new version differs by 250 commits.

• 7bb60e3 fix: properly escaoe multiple `$` in `fn` args (#14678)
• 86d35b1 docs: added nest option inside findAll query (#14683)
• 2f3b924 fix(postgres): use schema set in sequelize config by default (#14665)
• cbdf73e feat: exports types to support typescript >= 4.5 nodenext module (#14620)
• a333862 docs(readme): update README to be more like main (#14626)
• e1a9c28 fix: kill connection on commit/rollback error (#14535)
• b37df96 feat: support cyclic foreign keys (#14499)
• e37c572 fix: accept replacements in `ARRAY[]` & followed by `;` (#14518)
• 6c5f8ec test: disable mysql/mariadb deadlock test (#14514)
• 87655eb build: fix esdoc (#14513)
• ccaa399 fix: do not replace `:replacements` inside of strings (#14472)
• 5954d2c feat(types): make `Model.init` aware of pre-configured foreign keys (#14370)
• 0d0aade fix(types): make `WhereOptions` more accurate (#14368)
• 7e8b707 docs: restore Model api reference & make fail on error (#14323)
• ca0e017 test: disable deadlock test for mariadb 10.5.15 (#14314)
• 62564f7 docs: fix dead link in API reference (#14313)
• cdc8881 build: remove v6 docs from repository (#14234)
• 730af27 docs: document scope whereMergeStrategy option (#14201)
• 8349c02 feat: add whereScopeStrategy to merge where scopes with Op.and (#14152)
• e974e20 feat(types): make `Model.getAttributes` stricter (#14017)
• 2d339d0 fix: fix typo in query-generator.js error message (#14151)
• b80aeed fix(types): update return type of `Model.update` (#14155)
• f5c06bd feat(types): infer nullable creation attributes as optional (#14147)
• af6cbe6 build(deps): move @ types/validator to prod deps (#14159)

See the full diff

Package name: serialize-javascript

The new version differs by 49 commits.

• b54341e v3.1.0
• 7cee7e4 Revert "support for bigint (Fix output.publicPath in wepback.config.js kriasoft/react-starter-kit#80)"
• 026a445 Bump mocha from 7.1.2 to 7.2.0 (Cannot seem to get socket.io integrated... kriasoft/react-starter-kit#83)
• 5130a71 support for bigint (Fix output.publicPath in wepback.config.js kriasoft/react-starter-kit#80)
• ea76b23 Bump mocha from 7.1.1 to 7.1.2 (Update package.json kriasoft/react-starter-kit#82)
• 073c8d8 Bump nyc from 15.0.0 to 15.0.1 (Question: ESLint with imports kriasoft/react-starter-kit#81)
• f21a6fb Don't replace regex / function placeholders within string literals (Going to Privacy link and then hitting the Back Button does not work kriasoft/react-starter-kit#79)
• 1ac487e [Security] Bump minimist from 1.2.0 to 1.2.5 (Replace Jest with Mocha and JSDom; replace Node.js with io.js kriasoft/react-starter-kit#78)
• c795cef Bump mocha from 7.1.0 to 7.1.1 (webpack dev does not work whereas release works kriasoft/react-starter-kit#77)
• 3064431 Bump mocha from 7.0.1 to 7.1.0 (Use ESLint Loader kriasoft/react-starter-kit#74)
• 9dbe8f6 Update example in README (Gulp Deploy to GitHub Pages - No static files kriasoft/react-starter-kit#73)
• f5957ee v3.0.0
• eed510c Introduce support for Infinity (Styles from modules not loading to page kriasoft/react-starter-kit#72)
• 82bb2d2 Bump mocha from 7.0.0 to 7.0.1 (Use eslint instead of jshint kriasoft/react-starter-kit#71)
• fdfb10a Test on Node.js v12 (implement auth with the Flux based router kriasoft/react-starter-kit#70)
• 2f5f126 Bump mocha from 6.2.2 to 7.0.0 (fix .jade templates not reloading upon change kriasoft/react-starter-kit#69)
• 35062c0 Bump nyc from 14.1.1 to 15.0.0 (Old content is served kriasoft/react-starter-kit#68)
• 6c43b02 v2.1.2
• 3e05a3f Ignore .nyc_output (Removes requiring of images kriasoft/react-starter-kit#64)
• 3c46e8e Bump mocha from 6.2.0 to 6.2.2 (Stops browsersync from opening kriasoft/react-starter-kit#62)
• 433fc9c 2.1.1
• 16a68ab Merge pull request from GHSA-h9rv-jmmf-4pgx
• 3bab6de Bump mocha from 6.2.1 to 6.2.2 (Use 6to5 rather than jstransform kriasoft/react-starter-kit#60)
• 7a6b13d Bump mocha from 6.2.0 to 6.2.1 (assets versioning kriasoft/react-starter-kit#59)

See the full diff

Package name: sqlite3

The new version differs by 250 commits.

• 573784b v5.0.3
• e5a24fd Deleted `examples/` folder
• b05f459 Added note about GitHub Releases to CHANGELOG.md
• 33d0656 Modernised Usage example in README
• 9d05c55 Fixed up more README nits
• 08d6319 Fixed link to API docs
• 0e2235a Altered wording in README
• 76b6c56 Altered README header
• e3df365 Updated README
• 426930f Enabled CI to run when pushing tags
• a21d41f Fixed uploading binaries to commit artifacts
• bc978c7 Fixed CI step wording
• 7f744a1 Added prebuilt binaries via GitHub Releases
• b4b3c3a Deleted `scripts/` directory
• 71bbdea Pinned dev dependencies ([Opinion] Is SSR still necessary? kriasoft/react-starter-kit#1558)
• a597383 Updated badges in README
• 0eb4a0f Deleted Travis and Appveyor configs
• b58d341 Downgraded `mocha` and `eslint`
• f39b10d Added missing Node versions to CI
• 8db96d4 Replaced Python extraction script with JS (https://reactstarter.com/ is down kriasoft/react-starter-kit#1570)
• 11c988c Fixed Windows build architecture in CI
• 8e63848 Updated Windows CI runner to `windows-latest`
• d9e7d8b Fixed building on MacOS Monterey 12.3
• 859b95b Updated `node-gyp` to v8.x

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution npm:extend:20180424	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Proof of Concept
	646/1000 Why? Mature exploit, Has a fix available, CVSS 5.2	Uninitialized Memory Exposure npm:stringstream:20180511	Mature

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)
🦉 Prototype Pollution
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn