[Snyk] Upgrade: lodash, adm-zip, body-parser, cfenv, consolidate, dustjs-helpers, dustjs-linkedin, ejs, errorhandler, express, express-fileupload, express-session, file-type, hbs, humanize-ms, jquery, marked, moment, mongodb, mongoose, ms, npmconf, st, stream-buffers, tap, typeorm, validator

[akanchhaS]

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Name	Versions	Released on

lodash
from 4.17.4 to 4.17.21 | 14 versions ahead of your current version | 4 years ago
on 2021-02-20
adm-zip
from 0.4.7 to 0.5.15 | 23 versions ahead of your current version | a month ago
on 2024-08-05
body-parser
from 1.9.0 to 1.20.2 | 37 versions ahead of your current version | 2 years ago
on 2023-02-22
cfenv
from 1.2.2 to 1.2.4 | 2 versions ahead of your current version | 3 years ago
on 2021-04-07
consolidate
from 0.14.5 to 1.0.4 | 7 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 2 months ago
on 2024-07-10
dustjs-helpers
from 1.5.0 to 1.7.4 | 9 versions ahead of your current version | 7 years ago
on 2017-12-09
dustjs-linkedin
from 2.5.0 to 3.0.1 | 13 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 3 years ago
on 2021-12-29
ejs
from 1.0.0 to 3.1.10 | 47 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 5 months ago
on 2024-04-12
errorhandler
from 1.2.0 to 1.5.1 | 17 versions ahead of your current version | 5 years ago
on 2019-05-09
express
from 4.12.4 to 4.19.2 | 29 versions ahead of your current version | 6 months ago
on 2024-03-25
express-fileupload
from 0.0.5 to 1.5.1 | 44 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 2 months ago
on 2024-07-13
express-session
from 1.17.2 to 1.18.0 | 2 versions ahead of your current version | 8 months ago
on 2024-01-28
file-type
from 8.1.0 to 19.4.1 | 86 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | a month ago
on 2024-08-14
hbs
from 4.0.4 to 4.2.0 | 6 versions ahead of your current version | 3 years ago
on 2021-11-17
humanize-ms
from 1.0.1 to 1.2.1 | 3 versions ahead of your current version | 7 years ago
on 2017-05-19
jquery
from 2.2.4 to 3.7.1 | 21 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | a year ago
on 2023-08-28
marked
from 0.3.5 to 14.0.0 | 137 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | a month ago
on 2024-08-07
moment
from 2.15.1 to 2.30.1 | 33 versions ahead of your current version | 9 months ago
on 2023-12-27
mongodb
from 3.5.9 to 6.8.0 | 195 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 3 months ago
on 2024-06-27
mongoose
from 4.2.4 to 8.5.4 | 590 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 21 days ago
on 2024-08-23
ms
from 0.7.3 to 2.1.3 | 6 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 4 years ago
on 2020-12-08
npmconf
from 0.0.24 to 2.1.3 | 49 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 6 years ago
on 2018-05-11
st
from 0.2.4 to 3.0.0 | 20 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 3 years ago
on 2021-05-20
stream-buffers
from 3.0.2 to 3.0.3 | 1 version ahead of your current version | 3 months ago
on 2024-06-17
tap
from 11.1.5 to 21.0.1 | 255 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | a month ago
on 2024-08-13
typeorm
from 0.2.24 to 0.3.20 | 526 versions ahead of your current version | 8 months ago
on 2024-01-26
validator
from 13.5.2 to 13.12.0 | 5 versions ahead of your current version | 4 months ago
on 2024-05-09

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Prototype Pollution SNYK-JS-LODASH-6139239	227	Proof of Concept
	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	227	Proof of Concept
	Prototype Pollution SNYK-JS-SETVALUE-450213	227	Proof of Concept
	Arbitrary Code Execution SNYK-JS-HANDLEBARS-534478	227	Proof of Concept
	Directory Traversal SNYK-JS-ADMZIP-1065796	227	No Known Exploit
	Arbitrary File Write via Archive Extraction (Zip Slip) npm:adm-zip:20180415	227	Mature
	Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767	227	Proof of Concept
	Denial of Service (DoS) SNYK-JS-EXPRESSFILEUPLOAD-473997	227	No Known Exploit
	Prototype Pollution SNYK-JS-EXPRESSFILEUPLOAD-595969	227	Proof of Concept
	Prototype Pollution SNYK-JS-HANDLEBARS-173692	227	No Known Exploit
	Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767	227	Proof of Concept
	Prototype Pollution SNYK-JS-HANDLEBARS-174183	227	No Known Exploit
	Prototype Pollution SNYK-JS-HANDLEBARS-469063	227	No Known Exploit
	Prototype Pollution SNYK-JS-HANDLEBARS-469063	227	No Known Exploit
	Denial of Service (DoS) SNYK-JS-HANDLEBARS-480388	227	No Known Exploit
	Denial of Service (DoS) SNYK-JS-HANDLEBARS-480388	227	No Known Exploit
	Arbitrary Code Execution SNYK-JS-HANDLEBARS-534478	227	Proof of Concept
	Denial of Service (DoS) SNYK-JS-DICER-2311764	227	Mature
	Prototype Pollution SNYK-JS-DUSTJSLINKEDIN-1089257	227	Proof of Concept
	Code Injection npm:dustjs-linkedin:20160819	227	No Known Exploit
	Prototype Pollution SNYK-JS-MIXINDEEP-450212	227	Proof of Concept
	Directory Traversal SNYK-JS-MOMENT-2440688	227	No Known Exploit
	Prototype Pollution SNYK-JS-AJV-584908	227	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	227	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	227	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	227	Proof of Concept
	Prototype Pollution SNYK-JS-INI-1048974	227	Proof of Concept
	Prototype Pollution SNYK-JS-INI-1048974	227	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	227	Proof of Concept
	Prototype Pollution SNYK-JS-ASYNC-2441827	227	Proof of Concept
	Remote Memory Exposure SNYK-JS-BL-608877	227	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-JQUERY-565129	227	Mature
	Prototype Poisoning SNYK-JS-QS-3153490	227	Proof of Concept
	Prototype Override Protection Bypass npm:qs:20170213	227	No Known Exploit
	Prototype Poisoning SNYK-JS-QS-3153490	227	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:marked:20170907	227	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:marked:20180225	227	Proof of Concept
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	227	No Known Exploit
	Prototype Pollution SNYK-JS-LODASH-73638	227	Proof of Concept
	Cross-site Scripting (XSS) npm:marked:20150520	227	No Known Exploit
	Cross-site Scripting (XSS) npm:marked:20170112	227	No Known Exploit
	Cross-site Scripting (XSS) npm:marked:20170815	227	No Known Exploit
	Prototype Pollution SNYK-JS-LODASH-73638	227	Proof of Concept
	Open Redirect SNYK-JS-EXPRESS-6474509	227	No Known Exploit
	Prototype Pollution SNYK-JS-HANDLEBARS-567742	227	Proof of Concept
	Prototype Pollution SNYK-JS-HANDLEBARS-1279029	227	Proof of Concept
	Prototype Pollution SNYK-JS-HANDLEBARS-1279029	227	Proof of Concept
	Prototype Pollution SNYK-JS-HANDLEBARS-534988	227	No Known Exploit
	Prototype Pollution SNYK-JS-HANDLEBARS-567742	227	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:moment:20161019	227	No Known Exploit
	Prototype Pollution SNYK-JS-HIGHLIGHTJS-1045326	227	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-HIGHLIGHTJS-1048676	227	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-HOSTEDGITINFO-1088355	227	Proof of Concept
	Reverse Tabnabbing SNYK-JS-ISTANBULREPORTS-2328088	227	No Known Exploit
	Prototype Pollution SNYK-JS-JQUERY-174006	227	Proof of Concept
	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962463	227	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-JQUERY-567880	227	Mature
	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	227	No Known Exploit
	DLL Injection SNYK-JS-KERBEROS-568900	227	Proof of Concept
	Code Injection SNYK-JS-LODASH-1040724	227	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-450202	227	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-567746	227	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-608086	227	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-6139239	227	Proof of Concept
	Code Injection SNYK-JS-LODASH-1040724	227	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-450202	227	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-567746	227	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-608086	227	Proof of Concept
	Prototype Override Protection Bypass npm:qs:20170213	227	No Known Exploit
	Prototype Pollution SNYK-JS-MQUERY-1089718	227	Proof of Concept
	Denial of Service (DoS) SNYK-JS-MONGODB-473855	227	No Known Exploit
	Prototype Pollution SNYK-JS-MONGOOSE-5777721	227	Proof of Concept
	Remote Memory Exposure npm:mongoose:20160116	227	Mature
	Prototype Pollution SNYK-JS-MQUERY-1050858	227	Proof of Concept
	Prototype Poisoning SNYK-JS-QS-3153490	227	Proof of Concept
	Prototype Pollution SNYK-JS-MONGOOSE-2961688	227	Proof of Concept
	Prototype Pollution SNYK-JS-SETVALUE-1540541	227	Proof of Concept
	Cross-site Scripting (XSS) npm:marked:20170815-1	227	No Known Exploit
	Prototype Pollution SNYK-JS-MINIMIST-559764	227	Proof of Concept
	Prototype Pollution SNYK-JS-MINIMIST-559764	227	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	227	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-174116	227	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073	227	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082	227	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451540	227	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-584281	227	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	227	Proof of Concept
	Prototype Pollution npm:lodash:20180130	227	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	227	Proof of Concept
	Cross-site Scripting (XSS) npm:jquery:20150627	227	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	227	Proof of Concept
	Prototype Pollution SNYK-JS-MINIMIST-559764	227	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	227	Proof of Concept
	Prototype Pollution SNYK-JS-MPATH-1577289	227	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	227	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:semver:20150403	227	No Known Exploit
	Prototype Pollution SNYK-JS-MONGOOSE-1086688	227	Proof of Concept
	Information Exposure SNYK-JS-MONGOOSE-472486	227	No Known Exploit
	Validation Bypass SNYK-JS-KINDOF-537849	227	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	227	No Known Exploit
	Prototype Pollution SNYK-JS-MINIMIST-2429795	227	Proof of Concept
	Prototype Pollution SNYK-JS-HANDLEBARS-534988	227	No Known Exploit
	Prototype Pollution SNYK-JS-SETVALUE-1540541	227	Proof of Concept
	Prototype Pollution SNYK-JS-SETVALUE-450213	227	Proof of Concept
	Prototype Pollution SNYK-JS-TYPEORM-590152	227	Mature
	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	227	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	227	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	227	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	227	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	227	No Known Exploit
	Uninitialized Memory Exposure npm:npmconf:20180512	227	Mature
	Open Redirect npm:st:20171013	227	Mature
	Prototype Pollution SNYK-JS-Y18N-1021887	227	Proof of Concept
	Prototype Pollution SNYK-JS-Y18N-1021887	227	Proof of Concept
	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	227	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	227	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	227	No Known Exploit
	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	227	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	227	Proof of Concept
	Denial of Service (DoS) npm:mem:20180117	227	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	227	No Known Exploit
	Directory Traversal npm:st:20140206	227	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	227	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	227	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	227	Proof of Concept
	Prototype Pollution SNYK-JS-XML2JS-5414874	227	Proof of Concept
	Prototype Pollution SNYK-JS-YARGSPARSER-560381	227	Proof of Concept
	Prototype Pollution SNYK-JS-YARGSPARSER-560381	227	Proof of Concept
	Prototype Pollution SNYK-JS-MINIMIST-2429795	227	Proof of Concept
	Prototype Pollution SNYK-JS-MINIMIST-2429795	227	Proof of Concept
	Prototype Pollution SNYK-JS-MINIMIST-2429795	227	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	227	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	227	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	227	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	227	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	227	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	227	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	227	Proof of Concept

Release notes

Package name: lodash

• 4.17.21 - 2021-02-20
  

  Bump to v4.17.21

• 4.17.20 - 2020-08-13
  

  Bump to v4.17.20.

• 4.17.19 - 2020-07-08
  

  Bump to v4.17.19

• 4.17.18 - 2020-07-08
• 4.17.17 - 2020-07-08
• 4.17.16 - 2020-07-08
  

  Rebuild lodash and docs

• 4.17.15 - 2019-07-19
  

  4.17.15

• 4.17.14 - 2019-07-10
• 4.17.13 - 2019-07-09
• 4.17.12 - 2019-07-09
• 4.17.11 - 2018-09-12
• 4.17.10 - 2018-04-24
• 4.17.9 - 2018-04-24
• 4.17.5 - 2018-02-04
• 4.17.4 - 2016-12-31

from lodash GitHub release notes

Package name: adm-zip

• 0.5.15 - 2024-08-05
  

  What's Changed

  • Fix utils canonical to valid posix by @ skoniks in #499
  • addFile backslash test by @ 5saviahv in #500
  • added addLocalFolderAsync2 by @ 5saviahv in #501
  • fixed windows paths by @ roosipuu in #503
  • Add Windows build by @ 5saviahv in #504
  • inital "decoder" functionality by @ 5saviahv in #505
  • Bump braces from 3.0.2 to 3.0.3 by @ dependabot in #506
  • Write out Electron original-fs auto loading by @ 5saviahv in #502
  • using writeZip() twice throws "Invalid LOC header (bad signature)" error by @ 5saviahv in #507
  • Descriptor check & Main Header locating by @ 5saviahv in #508
  • House keeping by @ 5saviahv in #509
  • typo by @ 5saviahv in #510
  • Allow interoperability files with non-UTF-8 (bit 11 = 0) name by @ yfdyh000 in #450
  • package lock update by @ 5saviahv in #511
  • small updates by @ 5saviahv in #513
  • CodeQL check by @ 5saviahv in #514
  • Keep local extra data by @ 5saviahv in #515
  • Update old test by @ 5saviahv in #516
  • make all errors a function by @ 5saviahv in #517
  • Update date time functions by @ 5saviahv in #518
  • Add a length check when extra field parsed by @ code-sunbo in #520
  • deleteFile is too eager by @ 5saviahv in #525

  New Contributors

  • @ skoniks made their first contribution in #499
  • @ roosipuu made their first contribution in #503
  • @ code-sunbo made their first contribution in #520

  Full Changelog: v0.5.14...v0.5.15

• 0.5.14 - 2024-06-04
  

  Fixed an issue introduced on version 0.5.13 requiring a new mandatory parameter on the inflater on nodejs version >= 15

• 0.5.13 - 2024-06-01
  
  • Fixed extractAllToAsync callback @ 5saviahv
  • Fixed issue with "toAsyncBuffer" where after that command all entries are gone @ 5saviahv
  • Minor fixes (tests, typos etc) @ 5saviahv
  • Added a an option to specificy the maximum expectedLength of the file to protect against zip bombs or limit memory usage @ undefined-moe
  • Add check for invalid large disk entries @ criyle
• 0.5.12 - 2024-03-14
  

  Fixed extraction error

• 0.5.11 - 2024-03-13
  
  • Add support for Info-Zip password check spec for ZipCrypto @ lukemalcolm
  • Extraction of password protected zip entries @ Santa77
  • Fixed unnecessary scanning a local file headers (except in the case of corrupted archives) @ likev
  • Added GitHub actions @ kibertoad
  • Fixed cases when extra data was lost @ yfdyh000
  • Fixed throw empty error in extractAllToAsync on operation done @ Autokaka
• 0.5.10 - 2022-12-20
• 0.5.9 - 2021-10-07
  

  v0.5.9

• 0.5.8 - 2021-10-07
  

  v0.5.8

• 0.5.7 - 2021-10-01
  

  v0.5.7

• 0.5.6 - 2021-09-12
• 0.5.5 - 2021-03-31
• 0.5.4 - 2021-03-08
• 0.5.3 - 2021-02-18
• 0.5.2 - 2021-01-27
• 0.5.1 - 2020-11-27
• 0.5.0 - 2020-11-19
• 0.4.16 - 2020-06-23
• 0.4.14 - 2020-02-06
• 0.4.13 - 2018-11-13
• 0.4.11 - 2018-05-12
• 0.4.10 - 2018-05-12
• 0.4.9 - 2018-04-25
• 0.4.8 - 2018-04-23
• 0.4.7 - 2015-02-09

from adm-zip GitHub release notes

Package name: body-parser

• 1.20.2 - 2023-02-22
  
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
    • perf: skip value escaping when unnecessary
  • deps: raw-body@2.5.2
• 1.20.1 - 2022-10-06
  
  • deps: qs@6.11.0
  • perf: remove unnecessary object clone
• 1.20.0 - 2022-04-03
  
  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: http-errors@2.0.0
    • deps: depd@2.0.0
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
  • deps: qs@6.10.3
  • deps: raw-body@2.5.1
    • deps: http-errors@2.0.0
• 1.19.2 - 2022-02-16
  
  • deps: bytes@3.1.2
  • deps: qs@6.9.7
    • Fix handling of __proto__ keys
  • deps: raw-body@2.4.3
    • deps: bytes@3.1.2
• 1.19.1 - 2021-12-10
  
  • deps: bytes@3.1.1
  • deps: http-errors@1.8.1
    • deps: inherits@2.0.4
    • deps: toidentifier@1.0.1
    • deps: setprototypeof@1.2.0
  • deps: qs@6.9.6
  • deps: raw-body@2.4.2
    • deps: bytes@3.1.1
    • deps: http-errors@1.8.1
  • deps: safe-buffer@5.2.1
  • deps: type-is@~1.6.18
• 1.19.0 - 2019-04-26
  
  • deps: bytes@3.1.0
    • Add petabyte (pb) support
  • deps: http-errors@1.7.2
    • Set constructor name when possible
    • deps: setprototypeof@1.1.1
    • deps: statuses@'>= 1.5.0 < 2'
  • deps: iconv-lite@0.4.24
    ...