[Snyk] Fix for 14 vulnerabilities

[Seanland]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • SCA/JS/package.json
  • SCA/JS/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	584/1000 Why? Has a fix available, CVSS 7.4	Directory Traversal SNYK-JS-ADMZIP-1065796	No	No Known Exploit
	819/1000 Why? Mature exploit, Has a fix available, CVSS 7.8	Arbitrary Code Execution SNYK-JS-EXIFTOOLVENDOREDPL-1279041	No	Mature
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MQUERY-1050858	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MQUERY-1089718	Yes	Proof of Concept
	811/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.8	Arbitrary Code Execution SNYK-JS-TOTAL4-1130527	No	Proof of Concept
	811/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 9.8	Arbitrary Code Execution SNYK-JS-TOTALJS-1088607	No	Proof of Concept
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary Code Injection SNYK-JS-XMLHTTPREQUESTSSL-1082936	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Access Restriction Bypass SNYK-JS-XMLHTTPREQUESTSSL-1255647	Yes	Proof of Concept
	899/1000 Why? Mature exploit, Has a fix available, CVSS 9.4	Arbitrary File Write via Archive Extraction (Zip Slip) npm:adm-zip:20180415	No	Mature
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20171108	Yes	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: adm-zip

The new version differs by 134 commits.

• c5aeed4 Incremented version number
• 119dcad Fixed path traversal issue GHSL-2020-198
• 1d22ff6 Merge pull request [Snyk(Unlimited)] Upgrade body-parser from 1.9.0 to 1.19.0 snyk-matt/goof-platform#341 from 5saviahv/history
• 492d148 added changelog
• dd415ae Incremented version
• 0f011a3 Fixed outFileName
• bc19fee Added extra parameter to extractEntryTo so target filename can be renamed
• 92e9836 Updated dev dependency
• 2b8d9ab Merge pull request [Snyk(Unlimited)] Upgrade moment from 2.15.1 to 2.29.1 snyk-matt/goof-platform#315 from enecciari/work_in_browser
• 4fe58d1 Merge pull request [Snyk(Unlimited)] Upgrade express-fileupload from 0.0.5 to 0.4.0 snyk-matt/goof-platform#322 from cthackers/dependabot/npm_and_yarn/lodash-4.17.19
• 49218a4 Merge pull request [Snyk(Unlimited)] Upgrade body-parser from 1.9.0 to 1.19.0 snyk-matt/goof-platform#327 from kosuke-suzuki/multibyte-comment
• a7e8932 Merge pull request [Snyk(Unlimited)] Upgrade npmconf from 0.0.24 to 0.2.0 snyk-matt/goof-platform#331 from 5saviahv/master
• 7db0eda modified addLocalFolder method
• e114929 typo
• dc81063 modified addLocalFile method
• bc0f594 Deflate needs min V2.0
• dde4f51 Node v6
• 003d4cf Added ZipCrypto decrypting ability
• 63ed6e2 Detect and throw error with encrypted files
• c64ac14 LICENSE filename in package.json
• 1a334b2 add multibyte-encoded comment with byte length instead of character length
• 96d492a Bump lodash from 4.17.15 to 4.17.19
• b77f380 now it works in browser
• 218feee Merge remote-tracking branch 'upstream/master'

See the full diff

Package name: cfenv

The new version differs by 1 commits.

• fb0a2aa update dependencies, now at version 1.2.4

See the full diff

Package name: exiftool-vendored.pl

The new version differs by 9 commits.

• d66f29b 12.25.0
• c51aba6 v12.25
• 1a38890 v12.25.0-pre
• 85a87b3 12.23.0
• 2e8f0b4 v12.23
• 0e946b6 v12.23.0-pre
• 7d535c6 12.21.0
• c03ce10 v12.21
• 76f0d44 v12.21.0-pre

See the full diff

Package name: karma

The new version differs by 250 commits.

• 16010eb chore(release): 5.0.8 [skip ci]
• a409696 chore: remove unused `grunt lint` command ([Snyk(Unlimited)] Upgrade typeorm from 0.2.30 to 0.2.32 snyk-matt/goof-platform#3515)
• 47f1cb2 fix(dependencies): update to latest log4js major ([Snyk(Unlimited)] Upgrade consolidate from 0.14.5 to 0.16.0 snyk-matt/goof-platform#3514)
• b60391f fix(dependencies): update and unlock socket.io dependency ([Snyk(Unlimited)] Upgrade humanize-ms from 1.0.1 to 1.2.1 snyk-matt/goof-platform#3513)
• 4d49948 chore(release): 5.0.7 [skip ci]
• f399063 fix: detect type for URLs with query parameter or fragment identifier ([Snyk(Unlimited)] Upgrade express-fileupload from 0.0.5 to 0.4.0 snyk-matt/goof-platform#3509)
• 17b50bc chore(release): 5.0.6 [skip ci]
• 0cd696f fix(dependencies): update production dependencies ([Snyk(Unlimited)] Upgrade mongodb from 3.6.3 to 3.6.9 snyk-matt/goof-platform#3512)
• 7c24a03 chore: fix broken HTML markup in the changelog file ([Snyk(Unlimited)] Upgrade adm-zip from 0.4.7 to 0.5.5 snyk-matt/goof-platform#3507)
• fdc4f9d refactor(test): remove no debug matching option ([Snyk(Unlimited)] Upgrade npmconf from 0.0.24 to 0.2.0 snyk-matt/goof-platform#3504)
• 35d57e9 chore(release): 5.0.5 [skip ci]
• e99da31 fix(cli): restore command line help contents ([Snyk(Unlimited)] Upgrade marked from 0.3.5 to 0.8.2 snyk-matt/goof-platform#3502)
• 4f2fe56 chore: add Node 14 to the build matrix ([Snyk(Unlimited)] Upgrade moment from 2.15.1 to 2.29.1 snyk-matt/goof-platform#3501)
• 100b227 refactor(test): move execKarma into the World ([Snyk(Unlimited)] Upgrade body-parser from 1.9.0 to 1.19.0 snyk-matt/goof-platform#3500)
• f375884 refactor(test): reduce execKarma to a reasonable size ([Snyk(Unlimited)] Upgrade humanize-ms from 1.0.1 to 1.2.1 snyk-matt/goof-platform#3496)
• a3d1f11 refactor(test): add common method to start server in background ([Snyk(Unlimited)] Upgrade consolidate from 0.14.5 to 0.16.0 snyk-matt/goof-platform#3495)
• e4a5126 refactor(test): write config file in its own steps ([Snyk(Unlimited)] Upgrade mongodb from 3.6.3 to 3.6.9 snyk-matt/goof-platform#3494)
• 0bd5c2b refactor(test): adjust sandbox folder location and simplify config logic ([Snyk(Unlimited)] Upgrade cookie-parser from 1.3.3 to 1.4.5 snyk-matt/goof-platform#3493)
• b788f94 refactor(test): extract proxy into a separate Given claim ([Snyk(Unlimited)] Upgrade dustjs-helpers from 1.5.0 to 1.7.4 snyk-matt/goof-platform#3492)
• 633f833 chore(release): 5.0.4 [skip ci]
• 810489d refactor(test): migrate Proxy to ES2015 ([Snyk(Unlimited)] Upgrade dustjs-linkedin from 2.5.0 to 2.7.5 snyk-matt/goof-platform#3490)
• fa95fa3 fix(browser): make sure that empty results array is still recognized ([Snyk(Unlimited)] Upgrade errorhandler from 1.2.0 to 1.5.1 snyk-matt/goof-platform#3486)
• 255bf67 refactor(test): migrate World to ES2015 ([Snyk(Unlimited)] Upgrade express-fileupload from 0.0.5 to 0.4.0 snyk-matt/goof-platform#3489)
• be5db67 chore(test): remove usage of deprecated defineSupportCode ([Snyk(Unlimited)] Upgrade adm-zip from 0.4.7 to 0.5.5 snyk-matt/goof-platform#3488)

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• f8d2721 chore: release 5.12.3
• 58cad73 fix(connection): use queueing instead of event emitter for `createCollection()` and other helpers to avoid event emitter warning
• 5382408 fix(index.d.ts): add `transform` to PopulateOptions interface
• dca1d70 Merge branch 'master' of github.com:Automattic/mongoose
• 2648088 fix(index.d.ts): add DocumentQuery type for backwards compatibility
• 966770f Merge pull request [Snyk(Unlimited)] Upgrade body-parser from 1.9.0 to 1.19.2 snyk-matt/goof-platform#10063 from Automattic/[Snyk(Unlimited)] Upgrade marked from 0.3.18 to 0.8.2 snyk-matt/goof-platform#10044
• 9e4a083 style: fix lint
• f3cd3a8 chore: use variable instead of function
• f24953c fix(query): add `writeConcern()` method to avoid writeConcern deprecation warning
• 7d2e9c9 chore: upgrade mquery -> 3.2.5 re: Security Fix for Prototype Pollution - huntr.dev mongoosejs/mquery#121
• d1a9a1e made requested changes
• cf1b666 Merge pull request [Snyk(Unlimited)] Upgrade consolidate from 0.14.5 to 0.16.0 snyk-matt/goof-platform#10078 from pezzu/master
• 2aef528 Merge pull request [Snyk(Unlimited)] Upgrade total4 from 0.0.42 to 0.0.59 snyk-matt/goof-platform#10062 from Automattic/[Snyk(Unlimited)] Upgrade exiftool-vendored.pl from 12.19.0 to 12.40.0 snyk-matt/goof-platform#10025
• 452c77c Fixes [Snyk(Unlimited)] Upgrade exiftool-vendored.pl from 12.19.0 to 12.40.0 snyk-matt/goof-platform#10072
• c9bfb30 Update model.indexes.test.js
• 6f0133a removed comments
• 9e98cd8 Merge pull request [Snyk] Security upgrade org.apache.struts:struts2-spring-plugin from 2.3.20 to 2.3.20.1 snyk-matt/goof-platform#10055 from emrebass/patch-1
• 1c20044 Merge pull request [Snyk(Unlimited)] Upgrade cfenv from 1.2.3 to 1.2.4 snyk-matt/goof-platform#10054 from coro101/add-discriminator-type
• 4e74ea7 TIL that includes() is also not supported in all browsers
• f231d7b should work and is designed to handle multiple text fields
• c4897f9 TIL Object.values in not supported on all browsers
• 391ecec collation not added to text indexes
• 7a93c16 linter fix
• 6deb668 fix: connection ids are now scoped

See the full diff

Package name: total.js

The new version differs by 5 commits.

• 887b0fa Fixed security issue in `U.set()` and `U.get()`.
• 2fe92a6 Updated changelog.
• 84e6d02 Fixed security issue when parsing query arguments.
• 7004957 Added `insecure` flags to the `U.request()` method.
• 398b691 Added HTML escaping for meta tags.

See the full diff

Package name: total4

The new version differs by 15 commits.

• 4e01001 Updated version.
• 853f482 Updated `LOADCONFIG()` by adding support for encoding.
• a2cb2a3 Improved code.
• b3eacd6 Added additional variables.
• 1dd8472 Added missing variable.
• 3c594b6 Improved code.
• 3c24772 Improved error handling.
• 545fbd4 Updated `flowstream.trigger()` for sync. functionality.
• 7577212 Improved `flowmessage.variables()`.
• 20ddfe8 Added `flowstream.variables()` method.
• 508648f Added missing method.
• 8a72d8c Removed useless methods.
• 9163b92 Updated `flowinstance.newmessage()` by adding support for existing Message instance.
• 2c24ce5 Updated changelog.
• 99330c8 Updated code.

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal
🦉 Arbitrary Code Execution
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn