[Snyk] Fix for 21 vulnerabilities #76

BMondly · 2023-11-28T14:17:46Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Breaking Change	Exploit Maturity
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	Yes	Proof of Concept
696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	Yes	Proof of Concept
676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Cross-site Request Forgery (CSRF) SNYK-JS-AXIOS-6032459	Yes	Proof of Concept
761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-DICER-2311764	Yes	Mature
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	Yes	Proof of Concept
344/1000 Why? Has a fix available, CVSS 2.6	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2396346	Yes	No Known Exploit
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	No	Proof of Concept
506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-NODEFORGE-2330875	Yes	Proof of Concept
529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-NODEFORGE-2331908	Yes	No Known Exploit
494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430337	Yes	No Known Exploit
579/1000 Why? Has a fix available, CVSS 7.3	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430339	Yes	No Known Exploit
494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430341	Yes	No Known Exploit
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	No	No Known Exploit
539/1000 Why? Has a fix available, CVSS 6.5	Improper Input Validation SNYK-JS-XMLDOM-1534562	Yes	No Known Exploit
639/1000 Why? Has a fix available, CVSS 8.5	Prototype Pollution SNYK-JS-XMLDOM-3042242	Yes	No Known Exploit
811/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-XMLDOM-3092935	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @google-cloud/storage

The new version differs by 222 commits.

f1ef9c6 Release v2.4.3 (App links on login page (and...) RocketChat/Rocket.Chat#628)
b80ee22 fix(deps): update dependency @ google-cloud/pubsub to ^0.28.0
813ecca tests: fix assertion syntax (Support end to end encryption RocketChat/Rocket.Chat#629)
e24f2d1 fix(deps): update dependency @ google-cloud/paginator to ^0.2.0
72a57ab build: Add docuploader credentials to node publish jobs (Test issue for @marcel.rocket.team RocketChat/Rocket.Chat#624)
58d4ea5 fix(deps): update dependency gcs-resumable-upload to v1 (Update README.md RocketChat/Rocket.Chat#619)
23a3cf0 build: use node10 to run samples-test, system-test etc (Canonical link is hard-coded to https://demo.rocket.chat/ RocketChat/Rocket.Chat#623)
a5ea8ab fix(deps): update dependency @ google-cloud/pubsub to ^0.27.0 (Update README.md RocketChat/Rocket.Chat#620)
0a6c134 build: update release configuration
5dcb36c fix(deps): update dependency @ google-cloud/pubsub to ^0.26.0 (Initial implementation of search in channel RocketChat/Rocket.Chat#618)
c09f7c2 fix: handle errors from file#createReadStream (Admins should be able to delete (and/or) edit other users' mesages RocketChat/Rocket.Chat#615)
d10c120 fix(deps): update dependency @ google-cloud/pubsub to ^0.25.0 (Multiline code block has extra two lines RocketChat/Rocket.Chat#616)
1c3bd03 fix: getSigned(Policy|Url) throws if expiration is invalid Date (How to remove social media links in the chat sidebar? RocketChat/Rocket.Chat#614)
f6acc87 chore(deps): update dependency mocha to v6 (If social media accounts integration is disabled, there are still shown around RocketChat/Rocket.Chat#611)
c3f3a8e build: use linkinator for docs test (Configure list of channels a new user is automatically added RocketChat/Rocket.Chat#607)
86246f9 docs: update links in contrib guide (Remove need for name when registering? RocketChat/Rocket.Chat#610)
e29512f fix(deps): update dependency @ google-cloud/promisify to ^0.4.0 (Way to configure login/registration page footer RocketChat/Rocket.Chat#609)
e229d60 chore(deps): update dependency @ types/tmp to v0.0.34 (Way to configure login/registration page header RocketChat/Rocket.Chat#608)
30a2c5d fix(deps): update dependency yargs to v13 (Allow to disable notifications sounds RocketChat/Rocket.Chat#606)
7e32925 build: create docs test npm scripts (Allow post to join the channel RocketChat/Rocket.Chat#605)
4cfa23c build: test using @ grpc/grpc-js in CI (Allow anonymous use of the chat [$250] RocketChat/Rocket.Chat#604)
7526624 docs: update contributing path in README (Pressing ESC to cancel previous post editing mode doesn't work RocketChat/Rocket.Chat#603)
c3e1da2 chore: move CONTRIBUTING.md to root (Federation Protocol RocketChat/Rocket.Chat#601)
1f8bacf chore: remove console.log in system test (Starting a codeblock and pressing enter should not send a message RocketChat/Rocket.Chat#599)

See the full diff

Package name: bcrypt

The new version differs by 156 commits.

2f124bd Fix artifact upload path
10eacf5 Prepare v5.0.1
6eacfe1 Merge pull request joinRoom returns if room is already added RocketChat/Rocket.Chat#856 from kelektiv/update-deps
feb477c Update node-pre-gyp to 1.0.0
42c8b0c Merge pull request Meteor 1.2 (HELP TO TEST) RocketChat/Rocket.Chat#852 from kelektiv/update-deps
bafefc3 Update packages
7c5d8df Merge pull request Image autoloading does not work behind proxy RocketChat/Rocket.Chat#851 from recrsn/node-15-ci
1ba55f9 Add Node 15 to CI
19c06c1 Update Node version compatibility info
09cb4fc Merge pull request Create room permissions for read-only / speak RocketChat/Rocket.Chat#825 from dogon11/patch-1
2821c03 Merge pull request number of unread messages indicator misbehavior RocketChat/Rocket.Chat#811 from techhead/use_buffers
63c8403 Merge pull request Create Channel button hidden RocketChat/Rocket.Chat#838 from alete89/docs/improve-hash-info
984ef18 remove reference to $2y$ algo identifier
630c897 fixes: Create a cog or other icon for dropdown actions on message RocketChat/Rocket.Chat#828
0f93284 README.md typo fix
4125ebc Update README.md
f503e57 Create SECURITY.md
f158e6e Allow optional use of Node Buffers.
8866277 Deploy on any travis tag
61139e6 v5.0.0
1bde62c Update node-pre-gyp to 0.15.0
40770d6 Add NodeJS 14 to appveyor CI
5916a46 Merge pull request Don't Make Hashtags Which Aren't Channels Clickable RocketChat/Rocket.Chat#807 from techhead/known_length
f28e916 Reword comment

See the full diff

Package name: less-plugin-autoprefix

The new version differs by 4 commits.

bffe924 Merge pull request [Snyk] Security upgrade xmldom from 0.1.27 to 0.5.0 #34 from calvinjuarez/update-dependencies
0004d46 2.0.0
50963ba package – bump minimum node version
dea07ce autoprefixer – update to 8.6.3; postcss – update to 6.0.22

See the full diff

Package name: mailparser

The new version differs by 37 commits.

7cba5bc v2.7.0
4e367f7 fix: capture decoder end event to use on cleanup
c4b4d7d Move eslint into devDependencies
403176f fixed invalid license file
92ad01d v2.6.0
4af69d9 v2.5.0
53216af bumped deps
0dba5fc Properly propagate errors for simpleParser
7706160 Skip decoding for UTF-8
543460f Add partId attribute on attachment
b261a26 Added option for setting restrictions for how long html content to parse
f681f8d Test case for attachment as base64 encoded root node
9465685 v2.4.3
f4720aa Only decode base64 encoded root-nodes if they are flowed
7db9ed4 v2.4.2
e4974ed v2.4.1
236263e v2.4.0
7751845 formatting changes
fa936d8 Handle HTML parser RangeErrors (maximum call stack exceeded)
b7f37eb Publishing as runbox-mailparser
af397a1 Handle base64 encoded root nodes.
590f785 Added option to skip text to html conversion
141c7c5 failing test
4818665 v2.3.4

See the full diff

Package name: turndown

The new version differs by 23 commits.

4e36b45 6.0.0
9026414 5.1.0
bc23db7 Update acorn for https://npmjs.com/advisories/1488
b9898b7 Update travis node version
1559f32 Update to latest rollup (+ plugins) versions
73a7539 Target new versions of node
166a41a Update jsdom to v16 to fix potential security vulnerabilities
0b5d4d5 Merge pull request Fix minor bugs in irc plugin. RocketChat/Rocket.Chat#302 from fredck/t/domchristie/turndown/300
e5bd9f8 Use the repeat utility function for consistency.
d1ee0ac Simplified the fence character sniffing.
99b0516 Minor stylistic fixes.
8e072d2 Fixed the wrong trimming of line break at at the start of code blocks.
a24c58b Fixed multiple ticks/tildes inside code blocks.
cae7098 Merge pull request add Video Chat HD and fullscreen modes for web-rtc #115 RocketChat/Rocket.Chat#281 from kevindew/vanishing-or-duplicating-spacing
b73068c Consistently handle inline elements with spaces
80297ce 5.0.3
50d3444 Update browserify for security vulnerability
6cc551e 5.0.2
99aa4c4 Update dependencies for security vulnerability
e2c64f1 Format options example
7c5bc0e Merge pull request Error on meteor run RocketChat/Rocket.Chat#257 from dace/update-documentation-with-options-example
7783add Comply with WCAG contrast guidelines in demo.
4925169 add example

See the full diff

Package name: twilio

The new version differs by 211 commits.

07891d5 Release 3.41.0
3120c68 [Librarian] Regenerated @ b99d9f1d3667442d965805ac71bf6185ee04b82c
c76264e fix: remove the lock file since this is a library
d073d8c fix: Page JSON parsing and integration tests (Add Google Play button for app RocketChat/Rocket.Chat#546)
ef0d339 fix: add overloaded TS definitions for non-required params (Fix search not coming up RocketChat/Rocket.Chat#545)
465d158 fix: Add method overload to VoiceResponse.prototype.play (Fix image stretching RocketChat/Rocket.Chat#544)
747a091 fix: don't re-parse parsed JSON (Images Stretched RocketChat/Rocket.Chat#543)
6266910 feat: migrate from deprecated request module to axios (Support audio only calls RocketChat/Rocket.Chat#542)
5249e3b [Librarian] Regenerated @ ee964c66599ebcd125eb411ba410bde1e62b3503
ad2e98b Release 3.40.0
ec54ee2 [Librarian] Regenerated @ ee964c66599ebcd125eb411ba410bde1e62b3503
5a65128 docs: add url parameter documentation in twilio.webhook() (Document VPS deployment for non-docker users RocketChat/Rocket.Chat#541)
6d96611 fix: proper indentation (Images not shown in dev RocketChat/Rocket.Chat#534)
3b07aca docs: guide for enabling lazy loading (Is schema doc anywhere? RocketChat/Rocket.Chat#532)
25ec77d feat: Faster requiring using optional lazy loading (Pinned Messages Per Channel RocketChat/Rocket.Chat#526)
deca8ff Release 3.39.5
f8f368c [Librarian] Regenerated @ 59055a0e4517ecbe8ab584e0f9b38f2a70cd94a8
3d0e4a1 Release 3.39.4
2d7f7fa [Librarian] Regenerated @ 0d359fdcea150a7f3ec36771ffeb0bd2bf34ea1d
412b484 [Librarian] Regenerated @ d279b32f822f241b774d58939b2c4c04ca4152e9
1294266 [Librarian] Regenerated @ d279b32f822f241b774d58939b2c4c04ca4152e9
0d96c5b [Librarian] Regenerated @ d279b32f822f241b774d58939b2c4c04ca4152e9
1286866 [Librarian] Regenerated @ d279b32f822f241b774d58939b2c4c04ca4152e9
548eed3 [Librarian] Regenerated @ d279b32f822f241b774d58939b2c4c04ca4152e9

See the full diff

Package name: xml-crypto

The new version differs by 78 commits.

62fb8fa 1.5.6
69abad6 Update xmldom to 0.7.0 (Fix! RocketChat/Rocket.Chat#236)
6f63436 1.5.5
6af1bc5 1.5.4
06831c5 build(deps): update xmldom
d295ecc 1.5.3
79fc2ac Merge pull request New day and system messages RocketChat/Rocket.Chat#209 from troyfactor4/master
f982b0c return response as well even if async
4ffe0aa Async response for built in algo sign/verify
713f3d8 1.5.2
638ab6c Lock ejs to 2.6.1
2730604 1.5.1
07e2320 Merge pull request Cannot read property 't' of undefined RocketChat/Rocket.Chat#207 from troyfactor4/master
234bc0b enable more use cases by returning the xml object in callback
01d462d Test suites of other projects (mocha) that include v1.5.0 fail with error: "Error: global leak detected: existingPrefixes"
0157f26 1.5.0
e9942f3 Merge pull request Create Admin User RocketChat/Rocket.Chat#206 from troyfactor4/master
ddc17c9 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #1 from LoneRifle/master
3d14db0 Lock ejs to 2.5.5
e2609c1 Convert arrow func for backcompat
96c1fcd Adjust whitespace
c140018 bug: missing return
3e1c2f9 -convert promises to callback for backwards compatibility
17bbd13 Add callback options to sign/verify asynchronously