[Snyk] Fix for 50 vulnerabilities

[wmurphysnyk]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	No	Proof of Concept
	/1000 Why?	Use of Weak Hash SNYK-JS-CRYPTOJS-6028119	No	No Known Exploit
	/1000 Why?	Prototype Pollution SNYK-JS-DOTTIE-3332763	No	Proof of Concept
	/1000 Why?	Denial of Service (DoS) SNYK-JS-ENGINEIO-3136336	No	No Known Exploit
	/1000 Why?	Directory Traversal SNYK-JS-GRUNT-2635969	No	Proof of Concept
	/1000 Why?	Race Condition SNYK-JS-GRUNT-2813632	No	Proof of Concept
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	/1000 Why?	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	/1000 Why?	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	/1000 Why?	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	/1000 Why?	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	No	No Known Exploit
	/1000 Why?	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
	/1000 Why?	Prototype Poisoning SNYK-JS-QS-3153490	No	Proof of Concept
	/1000 Why?	Validation Bypass SNYK-JS-SANITIZEHTML-1070780	Yes	Proof of Concept
	/1000 Why?	Access Restriction Bypass SNYK-JS-SANITIZEHTML-1070786	Yes	No Known Exploit
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-SANITIZEHTML-2957526	Yes	No Known Exploit
	/1000 Why?	Arbitrary Code Execution SNYK-JS-SANITIZEHTML-585892	Yes	No Known Exploit
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	No	Proof of Concept
	/1000 Why?	SQL Injection SNYK-JS-SEQUELIZE-2932027	Yes	Proof of Concept
	/1000 Why?	SQL Injection SNYK-JS-SEQUELIZE-2959225	Yes	No Known Exploit
	/1000 Why?	Improper Filtering of Special Elements SNYK-JS-SEQUELIZE-3324088	Yes	No Known Exploit
	/1000 Why?	Information Exposure SNYK-JS-SEQUELIZE-3324089	Yes	No Known Exploit
	/1000 Why?	Access of Resource Using Incompatible Type ('Type Confusion') SNYK-JS-SEQUELIZE-3324090	Yes	No Known Exploit
	/1000 Why?	Denial of Service (DoS) SNYK-JS-SQLITE3-2388645	No	Proof of Concept
	/1000 Why?	Arbitrary Code Execution SNYK-JS-SQLITE3-3358947	No	No Known Exploit
	/1000 Why?	Arbitrary File Overwrite SNYK-JS-TAR-1536528	No	No Known Exploit
	/1000 Why?	Arbitrary File Overwrite SNYK-JS-TAR-1536531	No	No Known Exploit
	/1000 Why?	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	No	No Known Exploit
	/1000 Why?	Arbitrary File Write SNYK-JS-TAR-1579147	No	No Known Exploit
	/1000 Why?	Arbitrary File Write SNYK-JS-TAR-1579152	No	No Known Exploit
	/1000 Why?	Arbitrary File Write SNYK-JS-TAR-1579155	No	No Known Exploit
	/1000 Why?	Sandbox Bypass SNYK-JS-VM2-1585918	No	Proof of Concept
	/1000 Why?	Sandbox Bypass SNYK-JS-VM2-2309905	No	Proof of Concept
	/1000 Why?	Arbitrary Code Execution SNYK-JS-VM2-2990237	No	Proof of Concept
	/1000 Why?	Sandbox Bypass SNYK-JS-VM2-3018201	No	Proof of Concept
	/1000 Why?	Sandbox Escape SNYK-JS-VM2-5415299	No	Proof of Concept
	/1000 Why?	Sandbox Escape SNYK-JS-VM2-5422057	No	Proof of Concept
	/1000 Why?	Improper Handling of Exceptional Conditions SNYK-JS-VM2-5426093	No	No Known Exploit
	/1000 Why?	Uninitialized Memory Exposure npm:base64url:20180511	Yes	Mature
	/1000 Why?	Authentication Bypass npm:jsonwebtoken:20150331	Yes	Proof of Concept
	/1000 Why?	Forgeable Public/Private Tokens npm:jws:20160726	Yes	No Known Exploit
	/1000 Why?	Prototype Pollution npm:lodash:20180130	No	Proof of Concept
	/1000 Why?	Regular Expression Denial of Service (ReDoS) npm:moment:20160126	No	No Known Exploit
	/1000 Why?	Regular Expression Denial of Service (ReDoS) npm:moment:20161019	No	No Known Exploit
	/1000 Why?	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	No	No Known Exploit
	/1000 Why?	Cross-site Scripting (XSS) npm:sanitize-html:20141024	No	No Known Exploit
	/1000 Why?	Cross-site Scripting (XSS) npm:sanitize-html:20160801	No	No Known Exploit
	/1000 Why?	Cross-site Scripting (XSS) npm:sanitize-html:20161026	No	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: body-parser

The new version differs by 16 commits.

• 424dadd 1.19.2
• 11248a2 deps: [email protected]
• 7a088eb build: [email protected]
• ecedf31 build: [email protected]
• b6bfabd build: [email protected]
• badd6b2 build: fix code coverage aggregate upload
• 96b448a build: [email protected]
• 70560b1 build: [email protected]
• 548a06f build: [email protected]
• 3b00678 deps: [email protected]
• d5acb61 build: [email protected]
• 82c8a7c tests: add limit + inflate tests
• b356758 deps: [email protected]
• c631b58 build: [email protected]
• c81a8e2 build: [email protected]
• 3c4dcb8 build: [email protected]

See the full diff

Package name: dottie

The new version differs by 6 commits.

• e0c8bae 2.0.4
• 7d3aee1 rudimentary __proto__ guarding
• b48e227 add github action to run tests
• 001ca40 2.0.3
• dbf26a6 Setting a null value should convert it to object ([Snyk] Security upgrade @angular-devkit/build-angular from 0.1000.8 to 0.1102.11 #37)
• b581120 added power support arch ppc64le on yml file. ([Snyk] Security upgrade sequelize from 5.22.5 to 6.29.0 #35)

See the full diff

Package name: express

The new version differs by 30 commits.

• 3d7fce5 4.17.3
• f906371 build: update example dependencies
• 6381bc6 deps: [email protected]
• a007863 deps: [email protected]
• e98f584 Revert "build: use [email protected] for Node.js < 4"
• a659137 tests: use strict mode
• a39e409 tests: prevent leaking changes to NODE_ENV
• 82de4de examples: fix path traversal in downloads example
• 12310c5 build: use nyc for test coverage
• 884657d examples: remove bitwise syntax for includes check
• 7511d08 build: use [email protected] for Node.js < 4
• 2585f20 tests: fix test missing assertion
• 9d09762 build: [email protected]
• 43cc56e build: clean up gitignore
• 1c7bbcc build: [email protected]
• 9cbbc8a deps: [email protected]
• 6fbc269 pref: remove unnecessary regexp for trust proxy
• 2bc734a deps: accepts@~1.3.8
• 89bb531 docs: fix typo in res.download jsdoc
• 744564f tests: add test for multiple ips in "trust proxy"
• da6cb0e tests: add range tests to res.download
• 00ad5be tests: add more tests for app.request & app.response
• 141914e tests: fix tests that did not bubble errors
• bd4fdfe tests: remove global dependency on should

See the full diff

Package name: grunt

The new version differs by 21 commits.

• 82d79b8 1.5.3
• 572d79b Merge pull request #1745 from gruntjs/fix-copy-op
• 58016ff Patch up race condition in symlink copying.
• 0749e1d Merge pull request Bug/code injection juice-shop/juice-shop#1746 from JamieSlome/patch-1
• 69b7c50 Create SECURITY.md
• ac667b2 1.5.2
• 7f15fd5 Update Changelog
• b0ec6e1 Merge pull request Fix error rendering bug in 'Change Password' form juice-shop/juice-shop#1743 from gruntjs/cleanup-link
• 433f91b Clean up link handling
• d5969ec 1.5.1
• ad22608 Merge pull request testen juice-shop/juice-shop#1742 from gruntjs/update-symlink-test
• 0652305 Fix symlink test
• a7ab0a8 1.5.0
• b2b2c2b Updated changelog
• 3eda6ae Merge pull request Add .circleci/config.yml juice-shop/juice-shop#1740 from gruntjs/update-deps-22-10
• 47d32de Update testing matrix
• 2e9161c More updates
• 04b960e Remove console log
• aad3d45 Update dependencies, tests...
• fdc7056 Merge pull request [ImgBot] Optimize images juice-shop/juice-shop#1736 from justlep/main
• e35fe54 support .cjs extension

See the full diff

Package name: juicy-chat-bot

The new version differs by 13 commits.

• 11bbd8b Bump CI/CD to Node.js 18
• 3b677b5 Bump to v0.7.1
• 4a90dc5 Merge remote-tracking branch 'origin/develop' into develop
• 7b32e43 Pin version of VM2 to 3.9.17 without vulnerability ([Snyk] Security upgrade @angular-devkit/build-angular from 0.1000.8 to 0.1102.18 #14)
• 8e63414 Pin version of VM2 to 3.9.17 without vulnerability ([Snyk] Security upgrade @angular-devkit/build-angular from 0.1000.8 to 0.1102.18 #14)
• 61a1f1a Bump version
• 5ef0011 Add typescript definition for juicy-chat-bot
• d816d29 Bump copyright notes to include 2023
• 53fdc22 Update contributor statistics
• d5bc807 Bump to recent supported Node.js versions
• 956f6df Merge pull request [Snyk] Security upgrade @angular-devkit/build-angular from 0.1000.8 to 13.2.0 #13 from pattyjogal/pattyjogal-patch-1
• 24c7cbd Pin version of VM2 to version w/o vulnerability
• 93e1fab Add contributors chart

See the full diff

Package name: semver

The new version differs by 82 commits.

• e7b78de chore: release 7.5.2
• 58c791f fix: diff when detecting major change from prerelease (Update sinon-chai to the latest version 🚀 juice-shop/juice-shop#566)
• 5c8efbc fix: preserve build in raw after inc (Creates basic views and services in Angular. juice-shop/juice-shop#565)
• 717534e fix: better handling of whitespace (Trainer Guide juice-shop/juice-shop#564)
• 2f738e9 chore: bump @ npmcli/template-oss from 4.14.1 to 4.15.1 (Update nyc to the latest version 🚀 juice-shop/juice-shop#558)
• aa016a6 chore: release 7.5.1
• d30d25a fix: show type on invalid semver error (Create myConfig.yml juice-shop/juice-shop#559)
• 09c69e2 chore: bump @ npmcli/template-oss from 4.13.0 to 4.14.1 (UI-Error. juice-shop/juice-shop#555)
• 5b02ad7 chore: release 7.5.0
• e219bb4 fix: throw on bad version with correct error message (Packaged release unpacks in current directory juice-shop/juice-shop#552)
• 503a4e5 feat: allow identifierBase to be false (New Crowdin translations juice-shop/juice-shop#548)
• fc2f3df fix: incorrect results from diff sometimes with prerelease versions (Address #545 bad cipher text premium paywall juice-shop/juice-shop#546)
• 2781767 fix: avoid re-instantiating SemVer during diff compare (CTF deployment help. juice-shop/juice-shop#547)
• 82aa7f6 chore: release 7.4.0
• 731d896 chore: enable CD (Ciphertext for premium paywall challenge is corrupted juice-shop/juice-shop#545)
• 940723d fix: intersects with v0.0.0 and v0.0.0-0 (Editing Admin's reviews is not listed as a challenge juice-shop/juice-shop#538)
• aa516b5 fix: faster parse options (rest/user/whoami requests working with expired jwt juice-shop/juice-shop#535)
• 61e6ea1 fix: faster cache key factory for range (Add Order Dashboard tracking utility juice-shop/juice-shop#536)
• f8b8b61 fix: optimistic parse (New Crowdin translations juice-shop/juice-shop#541)
• 796cbe2 fix: semver.diff prerelease to release recognition (Add SAML authentication and challenge juice-shop/juice-shop#533)
• 3f222b1 fix: reuse comparators on subset (New Crowdin translations juice-shop/juice-shop#537)
• 113f513 feat: identifierBase parameter for .inc (Learn about the TokenSale challenge bypassed? juice-shop/juice-shop#532)
• ea689bc chore: basic type test for RELEASE_TYPES
• c5d29df docs: Add "Constants" section to README

See the full diff

Package name: sequelize

The new version differs by 250 commits.

• d3f5b5a feat: throw an error if attribute includes parentheses (fixes CVE-2023-22578) (#15710)
• 53bd9b7 meta: fix null test getWhereConditions (#15705)
• 13f2e89 fix: accept undefined in where (#15703)
• d9e0728 fix: throw if where receives an invalid value (#15699)
• 48d6193 fix: update moment-timezone version (#15685)
• fd4afa6 feat(types): use retry-as-promised types for retry options to match documentation (#15484)
• 1247c01 feat: add support for bigints (backport of #14485) (#15413)
• 94beace feat(postgres): add support for lock_timeout [#15345] (#15355)
• 7885000 fix(oracle): remove hardcoded maxRows value (#15323)
• bc39fd6 fix: fix parameters not being replaced when after $$ strings (#15307)
• a205765 fix(postgres): invalidate connection after client-side timeout (#15283)
• 67e69cd fix: remove options.model overwrite on bulkUpdate (#15252)
• 00c6da3 fix(types): add instance.dataValues property to model.d.ts (#15240)
• bf98d7c meta: swap Slack links (#15159)
• 7990095 fix: don't treat \ as escape in standard strings, support E-strings, support vars after ->> operator, treat lowercase e as valid e-string prefix (#15139)
• 851daaf fix(types): fix TS 4.9 excessive depth error on `InferAttributes` (v6) (#15135)
• 9dd93b8 fix(types): expose legacy "types" folder in export alias ( #15123)
• 06ad05d feat(oracle): add support for `dialectOptions.connectString` (#15042)
• a44772e feat(snowflake): Add support for `QueryGenerator#tableExistsQuery` (#15087)
• 55051d0 docs: add missing ssl options for sequelize instance (v6) (#15049)
• 5c88734 docs(model): Added paranoid option for Model.BelongsToMany.through (#15065)
• 7203b66 fix(postgres): add custom order direction to subQuery ordering with minified alias (#15056)
• 5f621d7 fix(oracle): add support for Oracle DB 18c CI (#15016)
• 3468378 feat(types): add typescript 4.8 compatibility (#14990)

See the full diff

Package name: socket.io

The new version differs by 6 commits.

• baa6804 chore(release): 2.5.0
• f223178 fix: prevent the socket from joining a room after disconnection
• 226cc16 fix: only set 'connected' to true after middleware execution
• 05e1278 fix: fix race condition in dynamic namespaces
• 22d4bdf fix: ignore packet received after disconnection
• dfded53 chore: update engine.io version to 3.6.0

See the full diff

Package name: sqlite3

The new version differs by 129 commits.

• 6a806f8 v5.1.5
• edb1934 Fixed code execution vulnerability due to Object coercion
• 3a48888 Updated bundled SQLite to v3.41.1
• c1440bd Fixed rpath linker option when using a custom sqlite ([🚀] Fixes for the coding challenges juice-shop/juice-shop#1654)
• 93affa4 Update microsoft/setup-msbuild action to v1.3
• 6f6318e v5.1.4
• aeafe25 Revert "Renamed `master` references to `main`"
• 57ce2d4 Fixed glib compatibility by downgrading to Ubuntu 20
• af8e567 Renamed `master` references to `main`
• 8fd18a3 Extracted function checking code into macro
• 5c94f75 v5.1.3
• aec0d31 Updated bundled SQLite to v3.40.0
• 1980f10 v5.1.2
• 7aa29fe Updated bundled SQLite to v3.39.4
• c4fca9f v5.1.1
• ea71343 Added Darwin ARM64 to prebuilt binaries list in README
• ec154ab Added Darwin ARM64 prebuilt binaries
• 9290d8c v5.1.0
• 9e9079d Updated types file
• 946a3f6 Added ability to receive updates from `sqlite3_update_hook`
• 97cc584 Added yarn.lock to gitignore
• 572f05e Fixed importing `sqlite3#verbose` using destructuring syntax ([🐛] Basket Access challenge solved by switching between two users juice-shop/juice-shop#1632)
• c366ef9 Fixed remaining method declarations (Ugh juice-shop/juice-shop#1633)
• f0090b8 Added `.configure('limit', ...` to library type file

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Use of Weak Hash
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn