[Snyk] Fix for 12 vulnerabilities

[afeish]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-URLREGEX-569472	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Prototype Pollution SNYK-JS-XML2JS-5414874	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:parsejson:20170908	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: html-to-text

The new version differs by 49 commits.

• cc4d026 Version bumped 5.1.0
• 30c5556 Remove hardcoded CLI options (Image drag/drop abort causes dropzone to stay visible NodeBB/NodeBB#173)
• 14c7475 README updated
• fc487c9 Dependency on fs module removed (password reset doesn't work NodeBB/NodeBB#171)
• b642ec7 Added tests for the cli arguments (<code> blocks need better CSS NodeBB/NodeBB#153)
• 4e6127d prepublish script added
• d1e3077 Changelog updated
• ac0e63b Potential security vulnerability fixed
• 8f8a5c8 Merge branch 'jstewmon-fix-href-anchors'
• 5781f8a Closed Multiple ownership for posts/topics NodeBB/NodeBB#148
• 3540426 Merge branch 'master' of github.com:werk85/node-html-to-text
• d561095 Version bumped to 4.0.0. package-lock.json added. README updated.
• 655a754 Supports format blockquote (Search NodeBB/NodeBB#142)
• 1a3d878 Drop support for Node.js < 4; switch from underscore to lodash (Application event logging & auditing NodeBB/NodeBB#150)
• b5d0ea1 customizable ul li item prefix (mark all threads read NodeBB/NodeBB#140)
• fc503dc take a stance on semicolons
• 912536a fix: html entities in hrefs should not trigger noAnchorUrl
• 1dbebe1 Fix docs typo (Embedding iFrames would raise potential security risk NodeBB/NodeBB#146)
• 019f45e chore(package): update chai to version 4.0.1 (Replies don't match main post width  NodeBB/NodeBB#133)
• 76b1a89 Version bumped to 3.3.0. Readme updated.
• 5419826 Implement ol type="i" and "I" as fallbacks to "1", add option to not render anchor links. ([Templates] {object.property} should expect an object with a property, not a property called "object.property" NodeBB/NodeBB#123)
• 2ac2830 Ability to pass custom formatting via the `format` option (Favoriting posts as guest disconnects server NodeBB/NodeBB#128)
• 8782c3d Changelog fixed. Version bumped to 3.2.0
• 00f63b1 Changelog updated for Version 3.2.0

See the full diff

Package name: less

The new version differs by 250 commits.

• e4f7551 v3.12.0
• 371185c v3.12.0-RC.2 (ACP: Delete site logo  NodeBB/NodeBB#3540)
• d5aa9d1 Fixes Update index.js, fix outgoing XSS NodeBB/NodeBB#3371 Allow conditional evaluation of function args (clear message after send to websocket NodeBB/NodeBB#3532)
• a722237 Remove lib folder from git (Hook request filter:email.send NodeBB/NodeBB#3531)
• e0f5c1a Move changelog to root (img-responsive within chat NodeBB/NodeBB#3530)
• f7bdce7 Duplicate dist files in root for older links (Moderators can not write in a closed topics NodeBB/NodeBB#3529)
• 0925cf1 Test-data module (Custom themes must use Bootstrap NodeBB/NodeBB#3525)
• 51fb02b Fixes err with upload photo NodeBB/NodeBB#3504 / organizes tests (SSO plugins are no longer working in 0.8.0 NodeBB/NodeBB#3523)
• efb76ec Restore nuked scripts (?), replace dependencies (Form action attribute must have a non-empty value NodeBB/NodeBB#3501) (Settings are not properly displayed in 0.8.0 NodeBB/NodeBB#3522)
• 2c5e4dd Lerna refactor / TS compiling w/o bundling (iOS bug? NodeBB/NodeBB#3521)
• a3641e4 Resolve 유성오피≒〖강남오피〗자이언트〗 ▷ Opmania 23 . Com◁˘역삼오피ஸை대전오피˘  NodeBB/NodeBB#3398 Add flag to disable sourcemap url annotation (Plugin incompatibility message shows up multiple times if you use more than 1 port NodeBB/NodeBB#3517)
• e018ba8 fix(Category links on Mobile are broken NodeBB/NodeBB#3294): use loadFileSync when loading plugins with syncImport: true (Updating the nodebb-plugin-composer-default crashes NodeBB v0.7.3 NodeBB/NodeBB#3506)
• 95b9007 Update changelog
• 6238bbc Fixes remove helpers.notFound NodeBB/NodeBB#3508 (ACP: setting for maximum images in one post NodeBB/NodeBB#3509)
• 8338366 Update README.md
• 6313bc5 Update changelog
• 53bf877 Remove tree caching in import manager (Translated missing variables NodeBB/NodeBB#3498)
• 0f271f3 issue#3481 ignore missing debugInfo (Group header image slightly too wide NodeBB/NodeBB#3482)
• 3bd995b Additional check to avoid evaluating an expression if it is a comment (Add language files for ACP NodeBB/NodeBB#3494)
• 0715d90 fix: Use make-dir instead of mkdirp (translator topic title bug NodeBB/NodeBB#3490)
• 2634494 Properly exit calc mode after use (meta.depencies.check problem NodeBB/NodeBB#3493)
• 096dd22 Convert to auto-changelog (Groups page Bootstrap markup wrong NodeBB/NodeBB#3477)
• 842386b Fixes Admin is unable to become Group owner of (System) Admin group. NodeBB/NodeBB#3469 - Include tslib dependency (Breadcrumbs missing from various pages NodeBB/NodeBB#3475)
• 1adaadb 3.11.0 (Call the active composer plugin for performing reply actions NodeBB/NodeBB#3468)

See the full diff

Package name: nodemailer

The new version differs by 19 commits.

• eaef3b5 Merge pull request Categories.getRecentReplies doesn't check for access control NodeBB/NodeBB#719 from nodemailer/v3.0.0
• de5b6f6 updated license
• 652ad8e Do not use PRO in name
• 6218b8d Setup files for EUPL licensed v3.0.0
• a108bc1 bumped mailcomposer
• e1da543 v2.7.1
• 3663c79 updated readme
• 9314fcd Merge branch 'master' of github.com:nodemailer/nodemailer
• 17c7702 v2.7.0
• 5e22dad Merge pull request can i haz header-icons pls, merry xmas NodeBB/NodeBB#685 from vijay22sai/fix-readme-typo
• adb8bd0 Fix a typo in README
• ee795f7 Merge pull request /unread shows double of last topic NodeBB/NodeBB#676 from sadika9/patch-1
• 9eddf01 Fix typo
• dadeb9f Merge pull request Ability to disable signatures outright in ACP. NodeBB/NodeBB#675 from killmenot/patch-1
• 88a5cc2 added a link to nodemailer trap plugin
• 0ca29c4 Merge pull request Signature needs padding away from list elements NodeBB/NodeBB#674 from ekryski/patch-1
• f1cb087 Adding mailgun transport link
• 9b55bbe Merge pull request Vanilla needs to get rid of predefined font colors NodeBB/NodeBB#672 from niftylettuce/master
• d9e4e43 Added reference to newly published nodemailer-base64-to-s3

See the full diff

Package name: socket.io

The new version differs by 42 commits.

• 3367eaa [chore] Release 2.0.0
• 6c0705f [docs] Add an example of custom parser (the /chats route on mobile isn't usable NodeBB/NodeBB#2929)
• 1980fb4 [chore] Merge history of 1.7.x and 0.9.x branches (topic move doesnt update page NodeBB/NodeBB#2930)
• 0d07c47 [chore] Added backers and sponsors on the README (Missing topics in category view after pressing back NodeBB/NodeBB#2933)
• a086588 [chore] Bump dependencies (Fix pagination errors on categories and topics pages. NodeBB/NodeBB#2926)
• 87b06ad [feat] Move binary detection to the parser (Don't update pagination # when scrolling, update position when stopped NodeBB/NodeBB#2923)
• 199eec6 [docs] Replace non-breaking space with proper whitespace (Install NodeBB via one single command or via package NodeBB/NodeBB#2913)
• f1b39a6 [docs] Update emit cheatsheet (No footer on the home page after redirect NodeBB/NodeBB#2906)
• 240b154 [docs] Explicitly document that Server extends EventEmitter (Text in curly brackets in topic or post not shown NodeBB/NodeBB#2874)
• c5b7738 [docs] Add server.engine.generateId attribute (Implement new topic creation globally NodeBB/NodeBB#2880)
• 03f3bc9 [docs] Fix wrong space character in README ([[global:guest]] doesnt work inside another language string NodeBB/NodeBB#2900)
• e40accf [docs] Fix documentation for 'connect' event (Registration error on latest master NodeBB/NodeBB#2898)
• 01a4623 [feat] Allow to join several rooms at once (reply button does nothing on locked topics for admins NodeBB/NodeBB#2879)
• 2d5b002 [docs] Add webpack build example (nbbpm not documented NodeBB/NodeBB#2828)
• 5ae06e6 [chore] Bump socket.io-adapter to version 1.0.0 (filter:parse.post hook bug by cache fixed NodeBB/NodeBB#2867)
• 4d8f68c [chore] Bump engine.io to version 2.0.2 (clicking chat popup doesnt work NodeBB/NodeBB#2864)
• 5b79ab1 [docs] Update the wording to match the code example ([composer] Replying to "Surround the title with quotes" NodeBB/NodeBB#2853)
• 54ff591 [feature] Merge Engine.IO and Socket.IO handshake packets (Hovering over avatar doesn't display username properly on categories page NodeBB/NodeBB#2833)
• e1facd5 [docs] Small addition to the Express Readme Part (SEO and friendly urls NodeBB/NodeBB#2846)
• 3b92cc2 [feature] Allow the use of custom parsers (nbbpm.compatibility not read by core NodeBB/NodeBB#2829)
• 3d695c6 [chore] Bump engine.io to version 2.0.0 (Proposal: Keep posts and topics after user deletion NodeBB/NodeBB#2832)
• 3b5f433 [fix] Use path.resolve by default and require.resolve as a fallback ([UI] Plugin "Install" button text wraps when clicked to install the plugin NodeBB/NodeBB#2797)
• 23c9dd3 [docs] Add a 'Features' section in the README ([advanced search] highlighting matches NodeBB/NodeBB#2824)
• e28b475 [docs] Add httpd cluster example (Themes should not have "activate" buttons in plugins ACP page NodeBB/NodeBB#2819)

See the full diff

Package name: socket.io-client

The new version differs by 24 commits.

• d30914d [chore] Release 2.0.0
• 9e7b543 [chore] Bump engine.io to version 3.1.0 (Error editing admin profile  NodeBB/NodeBB#1109)
• 442587e [chore] Bump dev dependencies (deleted posts have the delete button NodeBB/NodeBB#1108)
• ff4cb3e [feat] Move binary detection to the parser (I set up latest NodeBB(have removed old NodeBB) , skip some plugins(But there is no 'MOTD' button on the Admin page) NodeBB/NodeBB#1103)
• b4c7e49 [chore] Bump debug to version 2.6.4 (Return me to my position in category view NodeBB/NodeBB#1101)
• 3f19445 Merge pull request Autoscroll to post not always working in firefox NodeBB/NodeBB#1096 from satya164/patch-1
• 628eb3b Fix dependencies
• d32bc5b [docs] Fix messed events documentation (notifications crash NodeBB/NodeBB#1089)
• 2135ed8 [docs] Fix Manager constructor documentation (Thread description is not searchable NodeBB/NodeBB#1093)
• 25321d1 [docs] Fix format in API.md (Mark all as Read exclude non-shown NodeBB/NodeBB#1090)
• 9064608 [docs] Add note regarding the Emitter class ([Widgets] Double-click on a widget in ACP should expand/collapse it NodeBB/NodeBB#1079)
• 49fb3e0 [fix] Run tests on the minified files (Fix configFile option handling NodeBB/NodeBB#1042)
• 4af8fd3 [docs] Add missing path option in the documentation ( Cannot call method 'substr' of null NodeBB/NodeBB#1078)
• 2dcc794 [feature] Allow the use of a custom parser (Fix crash when there would be no widgets NodeBB/NodeBB#1075)
• 4322cf2 [docs] Fix typo (Make themes tab the default active tab again NodeBB/NodeBB#1076)
• 1ac8374 [chore] Bump engine.io-client to version 2.0.2 (Latest pull generates an error NodeBB/NodeBB#1074)
• 3d63875 [chore] Bump socket.io-parser to version 2.3.2 (Using FormData in composer.js breaks IE8-9 support NodeBB/NodeBB#1071)
• 8fc4b44 [docs] Fix typo (templates helpers? NodeBB/NodeBB#1066)
• a98f94d [chore] Bump engine.io-client to version 2.0.0 (mention notification should take user to the post NodeBB/NodeBB#1062)
• fcb5c43 [fix] Add nsp prefix to socket.id (check if exec_body_scripts is really necessary NodeBB/NodeBB#1058)
• ba5dca3 [test] Update browsers matrix (Allow admins to reset a user password NodeBB/NodeBB#1059)
• 7a533cd [chore] Update issue template with fiddle (Highlighted text to link -> focus on (text url) NodeBB/NodeBB#1057)
• 55411df [docs] Add `connect_error` and `connect_timeout` events (Update user.json NodeBB/NodeBB#1051)
• 558163d [docs] API documentation (Setup script : infinite loop NodeBB/NodeBB#1049)

See the full diff

Package name: socket.io-redis

The new version differs by 11 commits.

• 5f475fb [chore] Release 5.0.0
• f42e26d [perf] Use notepack instead of msgpack-lite (XML Sitemap includes entries for deleted topics NodeBB/NodeBB#218)
• 05f926e [perf] Use pattern matching at the namespace level (Do not allow a user to remove themselves as admin NodeBB/NodeBB#217)
• d3d000b [chore] Release 4.0.1
• a33499d [docs] Add link to Go implementation of socket.io-emitter (Posts inside deleted topics still show up in Recent Replies block NodeBB/NodeBB#199)
• bceab01 [fix] Fix duplicate identifier declaration (Chat messages sent by uid are not shown in chat windows opened by the same uid NodeBB/NodeBB#213)
• 2354068 [chore] Release 4.0.0 (Post creation socket data not calling "markdownToHTML" NodeBB/NodeBB#202)
• 7ae896a [fix] Fix remoteJoin/remoteLeave methods (Express session has no maxAge set NodeBB/NodeBB#201)
• 1dc1a9b [docs] Update code examples in the Readme (Socket Data construction on Post.reply needs refactoring NodeBB/NodeBB#194)
• 38b8a2b [docs] Update History.md regarding the `return_buffers` option (Instant everything is nice but not really for UX NodeBB/NodeBB#189)
• 01028d0 [feature] Make customHook async (add /users/:username/favourites NodeBB/NodeBB#181)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Server-side Request Forgery (SSRF)
🦉 Denial of Service (DoS)
🦉 More lessons are available in Snyk Learn