[Snyk] Fix for 29 vulnerabilities

[abdullahceylan]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	630/1000 Why? Has a fix available, CVSS 8.1	Internal Property Tampering SNYK-JS-BSON-561052	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-CONVICT-1062508	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-CONVICT-2340604	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-CONVICT-2774757	Yes	No Known Exploit
	741/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.4	DLL Injection SNYK-JS-KERBEROS-568900	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-MONGODB-473855	Yes	No Known Exploit
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	Yes	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	Yes	Proof of Concept
	816/1000 Why? Mature exploit, Has a fix available, CVSS 8.6	Uninitialized Memory Exposure npm:base64-url:20180512	Yes	Mature
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:moment:20161019	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	Yes	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Buffer Overflow npm:validator:20160218	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: base64-url

The new version differs by 6 commits.

• 34d3397 Merge pull request [Snyk] Security upgrade graphiql from 0.7.8 to 0.11.11 #12 from joaquimserafim/v2
• 371deb5 v2
• 5c6f57d Merge pull request [Snyk] Fix for 1 vulnerabilities #11 from imyelo/patch-1
• f531219 add encoding option
• fce4efa Merge pull request [Snyk] Security upgrade kerberos from 0.0.17 to 1.0.0 #10 from graingert/patch-1
• 978ba0a Add base64url as an alternative

See the full diff

Package name: bassmaster

The new version differs by 4 commits.

• b800167 2.0.0
• a5c5702 Merge pull request Unify naming of interfaces  reindexio/reindex-api#64 from cadecairos/node-6
• 32fabe8 Fix test file style
• c459788 1. Update dependencies

See the full diff

Package name: bell

The new version differs by 58 commits.

• 2b8b528 7.7.0
• 1c65521 Merge pull request Remove unused function getOrCreateUser reindexio/reindex-api#216 from hapijs/wreck
• dfdbab0 Add Pinterest provider (Protect Social Login credentials reindexio/reindex-api#213)
• fa93f3f Consistently return node req object in oauth v1 client. Closes Set node references to null and remove from m2m on delete reindexio/reindex-api#215
• f9d8d84 7.6.1
• 951ccec Merge pull request Remove default permissions from the admin app reindexio/reindex-api#208 from ldesplat/master
• 9765831 Fix refresh implementation and closes Add validation of field names in schema reindexio/reindex-api#191 and Make migration execution replace types as is reindexio/reindex-api#206
• 4047201 eslint configuration, extends: Hapi
• 933608b Fix weird error happening when logging in through Facebook on safari browsers, fixes Add validation of field names in schema reindexio/reindex-api#191
• 9477828 7.6.0
• 3ae0283 Merge pull request Update Social Login to create User throught GraphQL reindexio/reindex-api#207 from zitsen/gitlab-provider
• 6366a85 Add GitLab provider
• cd305e9 7.5.1
• fc4886c Merge pull request Fix librato stat name reindexio/reindex-api#205 from pankajpatel/wordpress
• 7e2d682 Added appsecret_proof to wordpress provider
• e116dd7 7.5.0
• 642d4be Merge pull request Add Librato measurements for all critical performance characteristics reindexio/reindex-api#204 from pankajpatel/master
• c05e97a Merge remote-tracking branch 'upstream/master'
• fcafabf WordPress provider documentation
• a95d294 Added the wordpress provider
• 0e3979b 7.4.0
• 7ec11a2 Merge pull request Remove newrelic and add raven (sentry) reindexio/reindex-api#202 from mattboutet/office365_provider
• 5c7e39e Fix test for 100% coverage, and fix linting errors
• 6e2fa88 Update package.json, providers/index.js (critical) and API docs

See the full diff

Package name: convict

The new version differs by 250 commits.

• deef5d7 v6.2.3
• 5e64b53 More recent Ubuntu dist for Travis CI build
• 1ea0ab1 More more complete fix for prototype pollution
• c7acb02 Update info regarding publishing on NPM
• 4da12f8 v6.2.2
• 8ad66b5 Update CHANGELOG
• 3b86be0 More complete fix against prototype pollution
• e3173b1 Clearer variable name
• 5eb1314 v6.2.1
• 5ad62d6 Update CHANGELOG
• c682086 fix misspelling of the word optional in the error message (#397)
• bdd8a4e v6.2.0
• f693077 Provide working links in the CHANGELOG
• d90f2f8 Update CHANGELOG
• 11ef47e chore: update dependencies (#390)
• 41e8c4a v6.1.0
• 8d198ef Update CHANGELOG for next 6.1.0 release
• b31d451 Update CHANGELOG for previous release
• 342fab6 Allow null additionally to any format (#386)
• 7e068d8 v6.0.1
• 81771b3 ran npm audit fix
• dc17a2e Merge pull request #384 from 418sec/1-npm-convict
• 180d692 Merge pull request [Snyk] Fix for 9 vulnerable dependencies #1 from arjunshibu/master
• 688c46a Security fix for prototype pollution

See the full diff

Package name: good

The new version differs by 83 commits.

• f0b562e version 7.1.0
• 45606c7 Restored wreck logging. Closes #469. (#514)
• 6584880 Upgrade async. Fixes #515. (#538)
• 265a5ca Update deps. Closes #515
• f957062 Don't create a reporter if no streams were provided. Addresses #534 (#535)
• 9d198f8 update stream example in docs and other minors (#536)
• dfe7912 non breaking change adds responseSentTime. Closes #530 (#533)
• 3bd61be current version shield links to good @ npmjs (#521)
• ae1778b Support functions as modules (#517)
• b8f923e Add request route tags to response event (#516)
• 7a78ec8 Fix previous hapi versions
• 77bae30 Fix hapi v15.0.2 timing errors in tests
• 4a22673 hapi 15. Closes #509
• 2d510b1 handle missing coverage on hapi < 15
• 3f9a36a hapi 15 tests
• 51e8ec5 hapi 15
• 502b961 hapi 15
• 673af3e Changed keys used to identify reporters in example (#508)
• cf9f3fb Update CONTRIBUTING.md
• 65730b1 correct and improve documentation (#505)
• a55e808 Not enough feedback when error. Closes #498 (#499)
• 8561ecc Added .npmignore file. Closes #485 (#496)
• 0c93720 Update LICENSE
• 0434d88 Closes #491. Update tests to code3.

See the full diff

Package name: good-console

The new version differs by 33 commits.

• 7c9a73d Update README.md
• 9de8c84 8.0.0
• dc7295d Update node requirements. Closes Add files created at CI to ignore reindexio/reindex-api#114
• b22bbf3 Update moment (Fix social login in prod reindexio/reindex-api#112)
• 9aca297 Add changelog.md (Require https in production reindexio/reindex-api#111)
• a69df28 Update README.md
• c996499 v7.1.0
• da92807 format as error when data.error is populated (Add changedXEdge to payload reindexio/reindex-api#104)
• 388b0fa Use SafeStringify when serializing the query
• fd44bf5 v7.0.1
• c8823c0 Revert addition of responseSentTime
• 3f07b60 v7.0.0
• 0ab557d pass event.id for every format
• eb54cd1 Add responseSentTime to response format (Make create-app script insert User type reindexio/reindex-api#95)
• 26b1fc2 v6.4.1
• f1b1a5b Upgrade Moment to 2.19.x (Add wildcard permission (permission for all types) reindexio/reindex-api#98)
• c4fb48f version 6.4.0
• 729155b separated message and stack with a comma (Add description and fix deprecation reindexio/reindex-api#85)
• e32cec6 leveraged the error formatter when data is an Error (Add permission validation reindexio/reindex-api#86)
• f0f83c9 version 6.2.0
• c8d0de9 log event.id when available (Refactor then to async functions reindexio/reindex-api#80)
• e91d381 version 6.3.1
• 95f4762 Bump moment to 2.15.x branch to resolve Regex DOS (Rewrite eslintrc reindexio/reindex-api#78)
• 9f1d35e version 6.1.2

See the full diff

Package name: hapi

The new version differs by 107 commits.

• faacf02 deps and passthrough validation error. Closes #3136. Closes #3137. Closes #3138. Closes #3139. Closes #3140. Closes #3141. Closes #3142. Closes #3143. Closes #3144. Closes #3145. Closes #3146. Closes #3147
• 40dbdc1 Merge pull request #3128 from mikefrey/patch-1
• e169ee3 Spelling/grammar fix
• af95913 Merge pull request #3111 from hapijs/johnbrett-patch-1
• 2752e23 add test for multipart payload exceeding byte limit
• d870e6a Merge pull request #3113 from danielb2/master
• 5d1b437 test for strictHeader false
• f8e897d Update hapijs/subtext to 4.0.1 from 4.0.0
• 8aef93a typo
• 526d5ea Cleanup
• fb83094 Merge branch 'master' of github.com:hapijs/hapi
• a739abe Allow validating any input. Closes #3107
• 6f20a78 Merge pull request #3105 from devinivy/api-deps-on-init
• d3ca463 Clarify that plugin deps are enforced during initialize
• 0cd1b62 Merge pull request #3068 from kanongil/fast-shutdown
• ea04005 version
• 9e5c889 Fix incorrect entity error message. Closes #3101
• 7a47a85 Actively end idle persistent connections on server.stop()
• 2435a08 Test that server.stop() completes active requests before denying new requests
• a123307 Add server.stop() destroy test for in-progress connections
• 6e80746 Revise server.stop() self close test
• ed195fa 13.2.1
• 23e333e Cleanup for #3044
• 687a378 Merge pull request #3044 from csabapalfi/disable-cache-control

See the full diff

Package name: inert

The new version differs by 23 commits.

• c4f6b07 4.0.0
• d53a0ec Merge pull request Change style and update eslint reindexio/reindex-api#47 from kanongil/confine-file-path
• 7251728 Remove '..' param check which is no longer required. Closes [Snyk] Fix for 1 vulnerable dependencies #5
• 0a6b551 Add confine option that confines file responses
• fef2232 Update license date
• ac741b5 Update hoek to 4.x.x
• d751e8d Update travis config to match hapi
• c439c5b Update joi to 8.x.x
• d2998d8 Update devDependencies
• 11ce9bf Merge pull request Remove test timeout to remove flakiness on Circle CI reindexio/reindex-api#56 from prashaantt/clarify
• 9607ea4 Merge pull request Add a tool that prints the schema reindexio/reindex-api#59 from simon-p-r/absolutePath
• 4e3ec4d Merge pull request Implement lists and nested objects reindexio/reindex-api#61 from kanongil/gzip-range-fix
• bd6a007 Restrict when range request logic is applied. Closes Add missing fields to GitHub and Twitter credentials reindexio/reindex-api#60
• 3c4cd57 remove hoek.isAbsolutePath for path.isAbsolute
• 5540383 Clarify bad path for directory handler message
• 0b33f1e Update lru-cache to 4.0.x. Closes Add CRUD mutations reindexio/reindex-api#53
• 86a12b8 Fix license according to Copyright and license outmoded/hapi-contrib#66
• f5f704d Don't test using the hapi-lts branch
• ef243e1 Additional ES6 style fixes
• cbab9fc Merge branch 'escalant3-es6-and-node4'
• 6614b93 Use ES6 endsWith for better readability
• 90c860a Remove unnecessary memoizing
• b7210a2 Update dependencies. Update codebase to ES6/Node4

See the full diff

Package name: jsonwebtoken

The new version differs by 120 commits.

• 5e6dc77 update changelog
• e9c6ddd 7.4.1
• adcfd6a bump ms to v2 due a ReDoS vuln (#352)
• 6755049 Update changelog
• b0e443c 7.4.0
• 07a47a3 Merge pull request #328 from ziluvatar/npb-exp-iat-docs-numeric-date
• 659f731 Add docs about numeric date fields
• 2ec4960 Merge pull request #320 from ziluvatar/make-options-optional-on-async-call
• e202c4f Make Options object optional for callback-ish sign
• 636fbd0 Update changelog
• 94007b3 7.3.0
• 1b0592e Add more information to `maxAge` option in README
• 8fdc150 Allow user to specify now. (Fix “cannot sort with keys that are parallel arrays” reindexio/reindex-api#274)
• 7f68fe0 Raise jws.decode error to avoid confusion with "invalid token" error (#294)
• a542403 Fixed a simple typo (#287)
• 1b6ec8d Fix handling non string tokens (#305)
• 35d8415 rauchg/ms.js changed to zeit/ms (#303)
• 05d9978 update changelog
• 8da893a 7.2.1
• 4219c34 add nsp check to find vulnerabilities on npm test
• 51d4796 revert to joi@^6 to keep ES5 compatibility
• 445cab7 update changelog
• e35bcdc Merge pull request Fix many-to-many permission checking false negative reindexio/reindex-api#243 from rmharrison/patch-1
• 3a8b2b6 7.2.0

See the full diff

Package name: mongodb

The new version differs by 250 commits.

• c6f417e chore(release): 3.1.13
• 210c71d fix(db_ops): ensure we async resolve errors in createCollection
• 5ad9fa9 fix(changeStream): properly handle changeStream event mid-close (#1902)
• e806be4 fix(bulk): honor ignoreUndefined in initializeUnorderedBulkOp
• 050267d fix(*): restore ability to webpack by removing `makeLazyLoader`
• 6e896f4 docs: adding aggregation, createIndex, and runCommand examples
• cb3cd12 chore(release): 3.1.12
• 508d685 Revert "chore(release): 3.2.0"
• e7619aa chore(release): 3.2.0
• d0dc228 chore(travis): include forgotten stage info for sharded builds
• ffbe90b chore(travis): run sharded tests in travis as well
• 9bef6e7 feat(core): update to mongodb-core v3.1.11
• e4bb39e chore(release): 3.1.11
• 76c0130 chore(core): bump version of mongodb-core
• a3adb3f fix(bulk): fix error propagation in empty bulk.execute
• ec0e30e doc(change-streams): correct typo, add missing example
• 10ea992 chore(package): update lock file
• fcb3ec1 test(sharded): reduce some sharded errors
• d4eae97 test(sessions): undo hack for apm events in sessions tests
• 0eaca21 test(sessions): fixing broken session test
• 6790a74 test(sharding): fixing old sharding tests
• 98f0c68 test(sharded): fixing sharded operation test
• c6a9baa test(sessions): fixing session tests in sharded env
• 985f0e9 test(drop): fixing drop assertions for sharded tests

See the full diff

Package name: node-fetch

The new version differs by 240 commits.

• 1ef4b56 backport of #1449 (#1453)
• 8fe5c4e 2.x: Specify encoding as an optional peer dependency in package.json (#1310)
• f56b0c6 fix(URL): prefer built in URL version when available and fallback to whatwg (#1352)
• b5417ae fix: import whatwg-url in a way compatible with ESM Node (#1303)
• 18193c5 fix v2.6.3 that did not sending query params (#1301)
• ace7536 fix: properly encode url with unicode characters (#1291)
• 152214c Fix(package.json): Corrected main file path in package.json (#1274)
• b5e2e41 update version number
• 2358a6c Honor the `size` option after following a redirect and revert data uri support
• 8c197f8 docs: Fix typos and grammatical errors in README.md (#686)
• 1e99050 fix: Change error message thrown with redirect mode set to error (#653)
• 244e6f6 docs: Show backers in README
• 6a5d192 fix: Properly parse meta tag when parameters are reversed (#682)
• 47a24a0 chore: Add opencollective badge
• 7b13662 chore: Add funding link
• 5535c2e fix: Check for global.fetch before binding it (#674)
• 1d5778a docs: Add Discord badge
• eb3a572 feat: Data URI support (#659)
• 086be6f Remove --save option as it isn't required anymore (#581)
• 95286f5 v2.6.0 (#638)
• bf8b4e8 Allow agent option to be a function (#632)
• 0c2294e 2.5.0 release (#630)
• 0fc414c Allow third party blob implementation (#629)
• d8f5ba0 build: disable generation of package-lock since it is not used (#623)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Buffer Overflow
🦉 More lessons are available in Snyk Learn