[Snyk] Fix for 1 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • install/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	768/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: archiver

The new version differs by 20 commits.

• f646f86 Update package-lock.json
• dc3a5c3 Create release-drafter.yml
• bb2abd8 Update release-drafter.yml
• b5c41f9 Create release-drafter.yml
• 8e6aa5c bump version for release
• a5645b9 Update CHANGELOG.md
• 4094c44 Resolve vulnerability by updating async to 3.2.0 version (relax username validation (#413) NodeBB/NodeBB#420)
• a9ca639 bump version for release.
• 78f47f2 update to zip-stream@^3.0.1
• 6509b33 Update nodejs.yml
• 63f574a updates for release.
• 72484d3 remove support for node v6/7
• 0312160 update various deps.
• 52702bb update mkdirp to 1.0.4
• 4b3ad11 Update npmpublish.yml
• 4346329 fix for a hang with _statQueue (Crash w/ stack trace NodeBB/NodeBB#388)
• 227b785 allow testing of pull requests.
• 9121aa3 Update npmpublish.yml
• e23f3d6 Create npmpublish.yml
• 8084212 Create nodejs.yml

See the full diff

Package name: grunt

The new version differs by 45 commits.

• 6f49017 1.3.0
• faab6be Merge pull request Refactor Notifications system to hold more than "text" NodeBB/NodeBB#1720 from gruntjs/update-changelog-deps
• 520fedb Update Changelog and legacy-util dependency
• 7e669ac Merge pull request [Composer] Remove "Write" tab, move "Help" to toolbar NodeBB/NodeBB#1719 from gruntjs/yaml-refactor
• e350cea Switch to use `safeLoad` for loading YML files via `file.readYAML`.
• 7125f49 Merge pull request Watch and Unwatch alerts should have same alert_id NodeBB/NodeBB#1718 from gruntjs/legacy-log-bumo
• 00d5907 Bump legacy-log
• 3b75085 1.2.1
• ae11839 Changelog update
• 9d23cb6 Merge pull request Invalid LESS in Custom CSS bricks NodeBB NodeBB/NodeBB#1715 from sibiraj-s/remove-path-is-absolute
• e789b1f Remove path-is-absolute dependency
• 27bc5d9 Merge pull request Heroku Installation Document Corrections are Required. NodeBB/NodeBB#1714 from gruntjs/release-1.2.0
• 64a3cf4 Release v1.2.0
• 0d23eff Merge pull request Smart preloading NodeBB/NodeBB#1570 from bhldev/feature-options-keys
• ee70306 Merge pull request All Forum Permissiosn creating a new group. NodeBB/NodeBB#1697 from philz/1696
• 05c0634 Merge pull request Update global counters when deleting/restoring topic NodeBB/NodeBB#1712 from gruntjs/fix-lint
• cdd1c19 fix lint in file.js
• bc168e3 Merge pull request Fresh page load on topic causes composer to not appear on reply click NodeBB/NodeBB#1283 from greglittlefield-wf/recognize-relative-links
• 5f16b5a Merge pull request Allow ACP/Plugins to install specific versions of a plugin NodeBB/NodeBB#1675 from STRML/remove-coffeescript
• 58f80ae Merge pull request group badges NodeBB/NodeBB#1677 from micellius/monorepo-support
• 1f61427 Add CODE_OF_CONDUCT.md
• 4c6fcd9 Merge pull request Deleting topic doesn't reduce the category post_count NodeBB/NodeBB#1709 from NotMoni/patch-1
• 169d496 add link to license
• 288ea76 add license link

See the full diff

Package name: nodebb-plugin-dbsearch

The new version differs by 36 commits.

• d2d3b4a 5.0.0
• b28ea35 feat: update to use redisearch 1.0.0
• 5af4a20 4.2.0
• 045789f Merge pull request [Snyk] Fix for 3 vulnerabilities #57 from julianlam/master
• a625633 fix: compatibility string
• 050e22e 4.1.3
• 7d3b994 refactor: update fireHook
• f2681e5 4.1.2
• d136ea6 Merge pull request [Snyk] Security upgrade @commitlint/cli from 7.5.2 to 8.3.6 #55 from barisusakli/dependabot/npm_and_yarn/lodash-4.17.19
• 89d791d Bump lodash from 4.17.15 to 4.17.19
• 2ce2052 4.1.1
• b014486 fix: isPrimary is boolean
• feaed9c 4.1.0
• 0183d70 fix: https://github.com/changing post owner doesn't update search index NodeBB/NodeBB#8469
• ed6e05c 4.0.7
• 90689fc use _id sort if sorting by topic timestamp
• 5f0b976 4.0.6
• 0e22520 update for latest nbb
• 9be4878 4.0.5
• 96da306 up compat
• 436d1dd Merge branch 'master' of https://github.com/barisusakli/nodebb-plugin-dbsearch
• b21669b use core method
• df3a2b5 4.0.4
• d96621d fix: checkProgress

See the full diff

Package name: nodebb-plugin-emoji

The new version differs by 10 commits.

• fc18ef7 3.0.0
• ffbb22b Fix ACP textcomplete error, bump dependencies
• 3eed576 Fix [Snyk] Fix for 1 vulnerabilities #22: sort emojis alphabetically
• 2ef992d Fix [Snyk] Security upgrade sharp from 0.22.0 to 0.29.3 #24 - hide emoji dialog when composer hidden
• a914516 Bump dependencies
• 695583f Add fontawesome pack to readme
• 95d74d4 closes [Snyk] Security upgrade grunt from 1.0.3 to 1.5.3 #21
• 5014a93 use winston.error instead
• ce75ad9 2.2.7
• 4a264e8 closes https://github.com/emoji prevents pages from loading NodeBB/NodeBB#6818

See the full diff

Package name: nodebb-plugin-mentions

The new version differs by 110 commits.

• 2a95fb3 3.0.0
• cf5bc19 Merge branch 'master' of https://github.com/julianlam/nodebb-plugin-mentions
• d2c2543 refactor: add missing awaits
• d56fbf5 chore(deps): update dependency eslint to v8
• e40a894 refactor: rewrite async/await
• 00c6855 2.15.2
• 8b74dfd fix: html-entities
• b3f9f02 2.15.1
• df78854 fix: on post purge delete sets
• 06de593 2.15.0
• c796b43 fix: excessive db entries
• a86c9e6 chore(deps): update dependency mocha to v9.1.3
• d71ca42 fix(deps): update dependency html-entities to v2
• 635d907 fix(deps): update dependency validator to v13
• 3469c1d Merge remote-tracking branch 'origin/master'
• ecfb30a 2.14.0
• cae7345 fix(deps): xregexp@^5
• f792193 chore(deps): update dependency mocha to v9.1.2
• 04dbe4a chore(deps): update dependency mocha to v9
• af701a5 chore(deps): update dependency mocha to v8.4.0
• 82e173b chore(deps): pin dependency mocha to v8.3.2
• 4ba8d9e Add renovate.json
• 73be51b chore(deps): bump glob-parent from 5.1.1 to 5.1.2
• b01a4dc 2.13.11

See the full diff

Package name: winston

The new version differs by 48 commits.

• b47d5d5 3.3.0
• b6bc918 Prepare for v3.3.0
• 9354721 doc: fix whitespace and trailing comma. (Server restarts when editing posts NodeBB/NodeBB#1778)
• 3d07a80 docs: add example of uncaughtRejections logging (fixed missing redis-dependency NodeBB/NodeBB#1780)
• df25fa2 fix: change property of handleRejections (Can't start NodeBB NodeBB/NodeBB#1779)
• 950cbcd Add options to request (Real-time search NodeBB/NodeBB#1777)
• 1c75292 Update package-lock.json (Insert image in wrong position NodeBB/NodeBB#1772)
• e7d13d5 Exclude unnecessary files from npm package (setup not working NodeBB/NodeBB#1768)
• 75f7edf Fix removes a logger when pass undefined transport (Patch 1 NodeBB/NodeBB#1785)
• 4b571ba This adds Node.js 14 and removes Node.js 8 as: (Cannot read property 'value' of undefined css.js:57:20 - CleanCSS NodeBB/NodeBB#1793)
• 73ae01f Update Sentry transport `require` change (Fix typo debian install doc NodeBB/NodeBB#1754)
• 7b67eb0 Fix typo ("Forum Updated" alert should have an alert_id NodeBB/NodeBB#1750)
• 1679c49 Fix Issue where winston removes transport on error (Running very slow NodeBB/NodeBB#1364) (Heroku Installation Document Corrections are Required. NodeBB/NodeBB#1714)
• 0e0cf14 Fix Not add password-confirm on register + Improved french translation  NodeBB/NodeBB#1690 (What's the easiest way to change all requests for static files from local to my CDN? NodeBB/NodeBB#1691)
• 85a250a Node 12 is LTS now
• bea9c34 Update README.md (notification template not getting data or not getting parsed. NodeBB/NodeBB#1743)
• 319abf1 Add defaultMeta to Logger index.d.ts (Ctrl-Enter no longer submits a post NodeBB/NodeBB#1736)
• c719706 (typo) Missing label import in example (if there is an error on upload maybeParse might crash NodeBB/NodeBB#1733)
• 8944598 Update index.d.ts (Allow the path in the scripts array in plugin.json to be a directory NodeBB/NodeBB#1729)
• 7bb258c Fix `npm` logging levels on README.md (Persona support NodeBB/NodeBB#1737)
• 64744d7 Forking topics no longer work NodeBB/NodeBB#1567: document common transport options (These worlds need language support NodeBB/NodeBB#1723)
• ae2335b Add Humio transport link to docs (Changing bootstrap skin causes existing widgets to be moved to drafts NodeBB/NodeBB#1705)
• 785bd9e UPDATE levels on readme (http added) (Remove relative_path when creating relPath NodeBB/NodeBB#1650)
• 4f44acb Add PostgresQL transport to list of community transports (All Forum Permissiosn creating a new group. NodeBB/NodeBB#1697)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution