[Snyk-dev] Fix for 20 vulnerabilities

[attriaayush]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	No	Proof of Concept
	696/1000 Why? Recently disclosed, Has a fix available, CVSS 8.2	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-DOTTIE-3332763	No	Proof of Concept
	541/1000 Why? Recently disclosed, Has a fix available, CVSS 5.1	Cross-site Scripting SNYK-JS-EXPRESS-7926867	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTTPCACHESEMANTICS-3248783	No	Proof of Concept
	751/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.6	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-Side Request Forgery (SSRF) SNYK-JS-IP-7148531	No	Proof of Concept
	641/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MOUT-2342654	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Improper Control of Generation of Code ('Code Injection') SNYK-JS-PUGCODEGEN-7086056	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	391/1000 Why? Recently disclosed, Has a fix available, CVSS 2.1	Cross-site Scripting SNYK-JS-SEND-7926862	No	No Known Exploit
	391/1000 Why? Recently disclosed, Has a fix available, CVSS 2.1	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	No	No Known Exploit
	761/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.8	Information Exposure SNYK-JS-SIMPLEGET-2361683	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-TAR-6476909	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-WS-7266574	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: body-parser

The new version differs by 64 commits.

• 1752951 1.20.3
• 39744cf chore: linter (Update swagger-ui-express to the latest version 🚀 juice-shop/juice-shop#534)
• b2695c4 Merge commit from fork
• ade0f3f add scorecard to readme (Update mocha to the latest version 🚀 juice-shop/juice-shop#531)
• 99a1bd6 deps: [email protected] (Add reflected XSS challenge juice-shop/juice-shop#521)
• 9478591 fix: pin to [email protected]
• 83db46a ci: fix errors in ci github action for node 8 and 9 (Persist language selection in cookie juice-shop/juice-shop#523)
• 9d4e212 chore: add support for OSSF scorecard reporting (New Crowdin translations juice-shop/juice-shop#522)
• ee91374 1.20.2
• 368a93a Fix strict json error message on Node.js 19+
• 0385872 deps: [email protected]
• 2c35b41 build: [email protected]
• f0646c2 build: [email protected]
• f345fb1 build: [email protected]
• 6842efc deps: content-type@~1.0.5
• 5af7315 build: [email protected]
• 8e605b3 build: [email protected]
• cba6e77 build: [email protected]
• 6a464ab build: [email protected]
• 7ebf276 build: [email protected]
• 69bb649 build: [email protected]
• 8ff995f docs: switch badges to badgen
• 850832f build: [email protected]
• dad8f34 build: actions/download-artifact@v3

See the full diff

Package name: check-dependencies

The new version differs by 61 commits.

• 03c8847 Tag 2.0.0
• 65d9ef5 Set Node.js requirement in package.json engines to >=18.3
• 4917ab0 Simplify the spawn logic
• fc04cc8 Drop support for the callback interface
• 28257dd Tweak ESLint settings
• dc16e8a Drop the bluebird devDependency
• 412337a Drop fs-extra & graceful-fs devDependencies
• 091279a Drop the findup-sync dependency
• 10ac9c5 Drop lodash.camelcase & minimist dependencies
• 35dce52 Update dependencies
• 2929ba7 Update tested Node.js versions
• 1f514eb Don't invoke `npm prune`, `npm install` is already enough
• 65107d2 Drop support for Bower & the `checkCustomPackageNames` option
• f28ba1b Avoid `git://` URLs, they're no longer supported
• 8fdc6ad Limit allowed `packageManager` values
• 9809f13 Bump word-wrap from 1.2.3 to 1.2.4 (Random alexeisnyk/juice-shop#58)
• e522471 Bump semver from 7.3.8 to 7.5.2 (Login page v2 alexeisnyk/juice-shop#57)
• 031416d Bump yaml from 2.2.1 to 2.2.2 (Vulnerable branch alexeisnyk/juice-shop#56)
• dff3ab9 Build: Fix running tests on Windows
• 062005f Build: Update the GitHub Actions config
• ecf138f Build: Update dependencies
• 15c13b3 Build: Remove AppVeyor
• 89b9df0 Build: Update .gitattributes to files always use LF line endings
• db8c172 Build: Tweak GitHub Actions workflow code style

See the full diff

Package name: express

The new version differs by 187 commits.

• 7e562c6 4.21.0
• 1bcde96 fix(deps): [email protected] (#5946)
• 7d36477 fix(deps): [email protected] (#5951)
• 40d2d8f fix(deps): [email protected]
• 77ada90 Deprecate `"back"` magic string in redirects (#5935)
• 21df421 4.20.0
• 4c9ddc1 feat: upgrade to [email protected]
• 9ebe5d5 feat: upgrade to [email protected] (#5928)
• ec4a01b feat: upgrade to [email protected] (#5926)
• 54271f6 fix: don't render redirect values in anchor href
• 125bb74 [email protected] (#5902)
• 2a980ad [email protected] (#5781)
• a3e7e05 docs: specify new instructions for `question` and `discuss`
• c5addb9 deps: [email protected] (#5603)
• e35380a docs: add @ IamLizu to the triage team (#5836)
• f5b6e67 docs: update scorecard link (#5814)
• 2177f67 docs: add OSSF Scorecard badge (#5436)
• f4bd86e Replace Appveyor windows testing with GHA (#5599)
• 2ec589c Fix Contributor Covenant link definition reference in attribution section (#5762)
• 4cf7eed remove minor version pinning from ci (#5722)
• 6d08471 📝 update people, add ctcpip to TC (#5683)
• 61421a8 skip QUERY tests for Node 21 only, still not supported (#5695)
• f42b160 [v4] Deprecate `res.clearCookie` accepting `options.maxAge` and `options.expires` (#5672)
• 689073d ✨ bring back query tests for node 21 (#5690)

See the full diff

Package name: grunt-contrib-compress

The new version differs by 5 commits.

• bd9fc8e v2.0.0
• b8565a9 Update Archiver ([Snyk] Security upgrade express from 4.17.2 to 4.21.0 alexeisnyk/juice-shop#232)
• f6815bf Update deps and remove nodeunit loading ([Snyk] Fix for 4 vulnerabilities alexeisnyk/juice-shop#231)
• b70c1d9 Update tests and dependencies ([Snyk] Fix for 4 vulnerabilities alexeisnyk/juice-shop#230)
• 5759edd Bump ini from 1.3.5 to 1.3.7 ([Snyk] Fix for 18 vulnerabilities alexeisnyk/juice-shop#228)

See the full diff

Package name: juicy-chat-bot

The new version differs by 15 commits.

• 705832f Bump version
• 147fb16 Only load english ([Snyk] Fix for 1 vulnerabilities #15)
• 11bbd8b Bump CI/CD to Node.js 18
• 3b677b5 Bump to v0.7.1
• 4a90dc5 Merge remote-tracking branch 'origin/develop' into develop
• 7b32e43 Pin version of VM2 to 3.9.17 without vulnerability ([Snyk] Security upgrade socket.io from 2.4.1 to 4.8.0 #14)
• 8e63414 Pin version of VM2 to 3.9.17 without vulnerability ([Snyk] Security upgrade socket.io from 2.4.1 to 4.8.0 #14)
• 61a1f1a Bump version
• 5ef0011 Add typescript definition for juicy-chat-bot
• d816d29 Bump copyright notes to include 2023
• 53fdc22 Update contributor statistics
• d5bc807 Bump to recent supported Node.js versions
• 956f6df Merge pull request [Snyk] Security upgrade express from 4.17.3 to 4.20.0 #13 from pattyjogal/pattyjogal-patch-1
• 24c7cbd Pin version of VM2 to version w/o vulnerability
• 93e1fab Add contributors chart

See the full diff

Package name: sequelize

The new version differs by 22 commits.

• 367caf3 feat(types): add TypeScript 5.2 support (#16442)
• e4c780c meta: update lockfile (#16265)
• 2eb7a5d fix(types): remove escape from query-interface types (#15944)
• a3213f0 fix: bump dependencies (#16119)
• 99c3530 fix: move `types` condition to the front (#16085)
• af4f0ae feat(oracle): add width support for numerictype (#16073)
• e07eefb feat(oracle): add new error messages introduced in new driver version (#16075)
• 5c8250e fix(oracle): reordered check constraint for unsigned numeric type (#16074)
• fd38e79 fix(oracle): For Raw queries avoid converting the input parameters passed (#16067)
• eb71077 meta: use Node 18 in CI (#16000)
• a9fd501 fix(postgres): adds support for minifying through join aliases (#15897)
• f2a4535 feat: add beforePoolAcquire and afterPoolAcquire hooks (#15874)
• 58576dd fix(postgres): prevent crash if postgres connection emits multiple errors (#15868)
• 9d864be fix: update Slack invitation link (#15849)
• 295c297 feat(postgres, sqlite): add conflictWhere option to Model.bulkCreate (#15788)
• 338ae6a meta(db2): remove node:util (#15819)
• 2e50bd9 feat(postgres, sqlite): allow override of conflict keys for bulkCreate (#15787)
• 46d3553 fix: pass CLS transaction to model hooks (#15818)
• 1e68681 feat(postgres, sqlite): add conflictWhere option to upsert (#15786)
• 5bda2ce fix: fix unnamed dollar string detection (#15759)
• 1ad9a64 fix(postgres): escape identifier in createSchema and dropSchema (#15752)
• 1b94462 fix(postgres): make sync not fail when trying to create existing enum (#15718)

See the full diff

Package name: socket.io

The new version differs by 57 commits.

• 1af3267 chore(release): 3.0.0
• 02951c4 chore(release): 3.0.0-rc4
• 54bf4a4 feat: emit an Error object upon middleware error
• aa7574f feat: serve msgpack bundle
• 64056d6 docs(examples): update TypeScript example
• cacad70 chore(release): 3.0.0-rc3
• d16c035 refactor: rename ERROR to CONNECT_ERROR
• 5c73733 feat: add support for catch-all listeners
• 129c641 feat: make Socket#join() and Socket#leave() synchronous
• 0d74f29 refactor(typings): export Socket class
• 7603da7 feat: remove prod dependency to socket.io-client
• a81b9f3 docs(examples): add example with TypeScript
• 20ea6bd docs(examples): add example with ES modules
• 0ce5b4c chore(release): 3.0.0-rc2
• 8a5db7f refactor: remove duplicate _sockets map
• 2a05042 refactor: add additional typings
• 91cd255 fix: close clients with no namespace
• 58b66f8 refactor: hide internal methods and properties
• 669592d feat: move binary detection back to the parser
• 2d2a31e chore: publish the wrapper.mjs file
• ebb0575 chore(release): 3.0.0-rc1
• c0d171f test: use the reconnect event of the Manager
• 9c7a48d test: use the complete export name
• 4bd5b23 feat: throw upon reserved event names

See the full diff

Package name: sqlite3

The new version differs by 41 commits.

• ba4ba07 v5.1.7
• d04c1fb Removed Node version from matrix title
• 03d6e75 v5.1.7-rc.0
• 8398daa Fixed uploading assets from Docker
• 8b86e41 Fixed uploading release assets on Windows
• 83c8c0a Configured releases to be created as prereleases
• f792f69 Update dependency node-addon-api to v7
• 4ef11bf Removed extraneous parameter to event emit function
• e99160a Inlined `init()` functions into class header files
• 3372130 Improved `RowToJS` performance by removing `Napi::String::New` instantiation
• 77b327c Increased number of rows inserted into benchmark database
• 603e468 Fixed minor linting warning
• 8bda876 Refactored Database to use macros for method definitions
• 5809f62 Fixed uploading prebuilt binaries from Docker
• aabd297 Update actions/setup-node action to v4
• c775b81 Extracted common Node-API queuing code into macro
• 2595304 Updated list of supported targets
• 605c7f9 Replaced `@ mapbox/node-pre-gyp` in favor of `prebuild` + `prebuild-install`
• a2cee71 Update dependency mocha to v10
• 7674271 Update dependency eslint to v8
• 83e282d Update actions/checkout digest to b4ffde6
• 8482aaf Update docker/setup-buildx-action action to v3
• c74f267 Update docker/setup-qemu-action action to v3
• 9e8b2ee Reworked CI versions

See the full diff

Package name: unzipper

The new version differs by 60 commits.

• ea87bf3 Update package.json
• ba8416b Merge pull request pull from with master juice-shop/juice-shop#321 from ZJONSSON/fix-deploy
• 2357a71 Fix deploy script
• 2608bc2 Merge pull request rebase with v3.2.0 juice-shop/juice-shop#320 from ZJONSSON/update-docs
• 23cc3b8 Merge pull request Travis-CI build stages juice-shop/juice-shop#319 from ZJONSSON/deploy.yml
• 1b4b210 Update docs
• 760f100 Merge pull request Integration Awareness-Training Examples juice-shop/juice-shop#316 from lechuhuuha/master
• 360b0f2 Merge branch 'master' into master
• cbf8db9 add deploy action
• 343956a Merge pull request unknown error deploying to heroku juice-shop/juice-shop#318 from ZJONSSON/ayush-refactor
• 341aa44 Make empty directories
• b1abffa Replace fstream with fs-extra
• 088319e remove new lines and big-integer
• 36585e5 replace bigint with node-int64
• 1149855 eslint (Continue code autosave juice-shop/juice-shop#314)
• a6e0392 Increase buffer to 1k - add tests (Added Scoreboard Autoupdate as suggested in #307. juice-shop/juice-shop#313)
• 637df97 Open methods - only stream up to length (Different behavior of Login with Google juice-shop/juice-shop#310)
• 6a165e5 bump patch (Feature: Add refresh button to score-board. juice-shop/juice-shop#307)
• d161755 Fix spelling
• 46df524 expand test versions (v3.0.0 juice-shop/juice-shop#304)
• 2416da8 fix .npmignore (Corrected contribution links juice-shop/juice-shop#303)
• 3095797 bump minor (After docker crashed there's no way to restore challenges. juice-shop/juice-shop#302)
• d7f01ee fix: use pipeline to propagate errors across all piped streams (Develop customization #277  juice-shop/juice-shop#288)
• 7c4604e Fix: Unix OS's should properly ignore the windows zip slipped files ([Snyk] Security upgrade @angular-devkit/build-angular from 0.1000.8 to 12.2.0 alexeisnyk/juice-shop#179)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Cross-site Scripting
🦉 More lessons are available in Snyk Learn