[Snyk] Fix for 2 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	768/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	Yes	Proof of Concept
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: mongoose

The new version differs by 250 commits.

• 43b63ae chore: release 5.7.3
• 06112b0 docs(validation): remove deprecated `isAsync` from validation docs in favor of emphasizing promises
• 7fee719 docs(documents): add overwriting section
• 98b5a73 fix: make CoreMongooseArray#includes() handle `fromIndex` parameter
• 6c91dea style: fix lint
• 9bb4b03 refactor: remove async as a prod dependency
• 3647292 refactor(cursor): remove async.queue() from eachAsync() re: #8073 #5502
• e60db1b refactor(cursor): remove dependency on async.times()
• c5b2355 docs(promises): add note about queries being thenable
• da77b8d Merge pull request #8192 from birdofpreyru/fix-8093-1
• c371500 fix(update): cast right hand side of `$pull` as a query instead of an update for document arrays
• 9d455ad test(update): repro #8166
• 8c98a3a chore: now working on 5.7.3
• 0a33412 fix(populate): handle virtual populate of an embedded discriminator nested path
• b42d0f5 test(populate): repro #8173 #6488
• 1db5982 docs: link to map blog post
• c76e062 Fixes the previous commit
• 1a01713 [#8093] Fixes performance of update validator, and flatten function logic
• dea0b95 chore: release 5.7.2
• fb0bd0d fix(populate): avoid converting mixed paths into arrays if populating an object path under `Mixed`
• bdfce8f docs: add mongoosejs-cli to readme
• e2d191a fix(discriminator): support `tiedValue` parameter for embedded discriminators analagous to top-level discriminators
• d8cc819 test: fix tests
• 952120a fix(query): handle `toConstructor()` with entries-style sort syntax

See the full diff

Package name: npm

The new version differs by 178 commits.

• 1569304 3.0.0
• d67d437 [email protected]
• 2becdc3 [email protected]
• 3501f22 src: Fix one last standard style issue
• 0772c95 changelog: Add two more known bugs
• 283eef4 changelog: minor tweaks that didn't make it in prior to merging
• 064d62c changelog for 3.0.0
• a306446 test: more descriptive assertions + assertion label
• 6aa6754 uninstall: Support "no arguments"=global action semantics
• a526b60 gitignore: Ignore dev subdep unpipe
• 57328de test: Only run standard once regardless of how we invoke tests
• 65cc653 pack: fix infinite loop when packing w/ node_modules w/ dep cycles
• 532dfc1 [email protected]
• b50be6a src: make the npm source comply with `standard`
• 7c5ebe0 ls: Don't error on missing optional deps
• ae1f202 travis: Use the version of npm being tested
• 231a582 building npm: Yell if you try to package npm@3 with npm@2
• 2da0ce8 install: Run top level lifecycles AFTER rolling back failed optdeps
• 8a814a6 recalculate-metadata: don't compute missing dev deps for subdeps
• 1b71c55 install: save: Don't sort the top level package.json keys
• bc46ca9 install: Make shrinkwrap extraction work in 0.8
• 8fb8b4a install: Move more npm config into the installer object
• 3cdbce3 install: Refactor --link to behave better
• 9e030f7 publish: Throw an error if the bundled deps package.json entry is invalid

See the full diff

Package name: officegen

The new version differs by 181 commits.

• 87dd550 build: version 0.6.5
• ebbd47f feat: pPTX: Better fonts support in pptx
• 4bfff80 Some typos
• 903b3b1 Pull request templates
• b342c7b version 0.6.4
• ef09555 Merged the last changes.
• c672c42 build: packages update
• 0380df2 Merge pull request Revert "Sub tasks" #352 from apsavin/apple-pages-compat
• 5ffe087 Apple Pages compatibility and more options
• 3771614 Merge pull request "Restricted access" doesn't work - Important  #349 from isdh/patch-1
• b31ba84 Merge pull request search is not working #348 from apsavin/patch-1
• 7d3906d add syntax
• f8ec25d More options for tables
• 5a0f096 build(package.json): update dependencies
• 5c92281 Merge remote-tracking branch 'origin/master' into dev
• 8dbd0df docs: more documentation and examples
• 98cb58b Merge pull request Mark all template subtasks as templates #340 from peakon/fix/text_escape
• ceb44bf Merge pull request subTasks - new components #323 from benvd/master
• c4a8bb1 Add control character to text
• 960f9d4 Add comments
• 30e9e99 Extend encoding to also remove control characters
• 0be1ab5 docs: fixed addImage example
• 283806b Merge pull request Search doesn't work #329 from Karanpreettoor/master
• a8abf5b Feature request: ability to specify list level/depth for Docx

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Directory Traversal