[Snyk] Fix for 31 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • test/fixtures/demo-os/package.json
  • test/fixtures/demo-os/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change
	Prototype Pollution SNYK-JS-HANDLEBARS-173692	Yes
	Prototype Pollution SNYK-JS-HANDLEBARS-469063	Yes
	Arbitrary Code Execution SNYK-JS-HANDLEBARS-534478	Yes
	Prototype Pollution SNYK-JS-HANDLEBARS-534988	Yes
	SQL Injection SNYK-JS-KNEX-471962	No
	Prototype Pollution SNYK-JS-LODASH-450202	Yes
	Prototype Pollution SNYK-JS-LODASH-73638	Yes
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes
	Arbitrary Code Injection SNYK-JS-MORGAN-72579	No
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No
	Prototype Pollution npm:extend:20180424	No
	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No
	Cross-site Scripting (XSS) npm:handlebars:20151207	Yes
	Regular Expression Denial of Service (DoS) npm:hawk:20160119	No
	Prototype Pollution npm:hoek:20180212	Yes
	Timing Attack npm:http-signature:20150122	No
	SQL Injection npm:knex:20150413	No
	Prototype Pollution npm:lodash:20180130	Yes
	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes
	Regular Expression Denial of Service (DoS) npm:minimatch:20160620	Yes
	Regular Expression Denial of Service (ReDoS) npm:moment:20160126	No
	Regular Expression Denial of Service (ReDoS) npm:moment:20161019	No
	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	No
	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	No
	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No
	Regular Expression Denial of Service (DoS) npm:negotiator:20160616	No
	Insecure Randomness npm:node-uuid:20160328	No
	Prototype Override Protection Bypass npm:qs:20170213	No
	Remote Memory Exposure npm:request:20160119	No
	Uninitialized Memory Exposure npm:tunnel-agent:20170305	No
	Buffer Overflow npm:validator:20160218	Yes

Commit messages

Package name: body-parser

The new version differs by 197 commits.

• b2659a7 1.18.2
• 6339bf7 perf: remove argument reassignment
• d5f9a4a deps: debug@2.6.9
• d041563 1.18.1
• 9efa9ab deps: content-type@~1.0.4
• f1ef6cc deps: qs@6.5.1
• e438db5 deps: raw-body@2.3.2
• 15c3585 deps: iconv-lite@0.4.19
• adfa01c 1.18.0
• 0632e2f Include the "type" property on all generated errors
• b8f97cd Include the "body" property on verify errors
• c659e8a tests: add test for err.body on json parse error
• 4e15325 tests: reorganize json error tests
• 5bd7ed5 tests: reorganize json strict option tests
• 3cb380b tests: store server on mocha context instead of variable shadowing
• 29c8cd0 docs: document too many parameters error
• 7b9cb14 Use http-errors to set status code on errors
• 29a27f1 docs: fix typo in jsdoc comment
• 448dc57 Fix JSON strict violation error to match native parse error
• 87df7e6 tests: add leading whitespace strict json test
• 1841248 deps: raw-body@2.3.1
• e666dbe deps: http-errors@~1.6.2
• c2a110a deps: bytes@3.0.0
• a1a2e31 build: Node.js@8.4

See the full diff

Package name: bookshelf

The new version differs by 250 commits.

• 3afecc4 Prepare for release
• a81945a Merge pull request feat: add new generic payload to process scan results from plugins snyk/cli#1305 from tgriesser/feature/gh-pages-script
• b497ce0 Remove test from `prepublish`.
• ea66c18 Try to fix tests
• 1822e74 Add postpublish script to tag and push
• 96b7668 gh-pages script
• ab426d9 Update changelog for next release
• 6a77562 Merge pull request chore(test): use shellspec for regression test snyk/cli#1287 from acburdine/lodash-4
• 4c7212f update changelog
• 12c9af8 cleanup extend function and super method calls
• 937eb59 deps: lodash@4.13.1
• 619414c Merge pull request chore: update run test exports to modules syntax snyk/cli#1294 from chamini2/registry
• bb8300f Changed registry plugin to re-implement only the _relation method
• 0124c0b Merge pull request feat: support pipfile on containerized cli snyk/cli#1288 from vellotis/fix-beolngs_to_many-jsdocs
• 4f48a7f Fix belongsToMany jsdocs
• 54c2237 Merge pull request fix: abridge call graph creation error messages in analytics snyk/cli#1279 from 1mike12/1mike12-patch-1
• e92f5f4 fix typo in docs
• adeccde Merge pull request chore: Update node version for Gradle with Java 11 standalone binary snyk/cli#1273 from vellotis/fix-linter-warnings
• 637ea90 Merge pull request feat: if matched display the project ID snyk/cli#1271 from vellotis/restore-postinstall-script
• a099e98 Remove two linter warnings
• 382f2c4 Fix Travis CI by restoring `postinstall` script in package.json
• 89b888c Merge pull request feat: add --json-file-output option for snyk test snyk/cli#1107 from gergelyke/master
• cbb8fef Merge pull request test: run yarn v2 tests for Node 10 snyk/cli#1268 from jadengore/fix/documentation-model-where
• 1182485 Add missing fetch() in Model#where

See the full diff

Package name: cheerio

The new version differs by 106 commits.

• c3ec1cd Release 0.20.0
• ef848ca Add coveralls badge, remove link to old report
• dbcbe90 Merge pull request feat: add pipfile support to docker image snyk/cli#808 from leifhanack/lodash4
• c04ead1 Merge pull request #668 from rwaldin/prop-method
• b5531bb Merge pull request fix: revert to nodejs8 on standalone binaries snyk/cli#671 from twolfson/dev/fallback.select.content.sqwished
• 9d98bd7 Merge pull request feat: Send ignorePolicyOption to the server snyk/cli#704 from Rycochet/master
• 1b9c5c9 Merge pull request test: skip test that uses previous bad version snyk/cli#797 from Delgan/641-appendTo_prependTo
• b12cbe8 Update lodash dependeny to 4.1.0
• 8c9b2e0 Merge pull request #796 from Delgan/fix_780
• b09db31 Fix PR feat: add legal instructions snyk/cli#726 adding 'appendTo()' and 'prependTo()'
• ce8829d Added appendTo and prependTo with tests docs: vulns badge in readme tests the repo snyk/cli#641
• 4779762 Fix feat: add CocoaPods support snyk/cli#780 by changing options context in '.find()'
• 8dc1cc9 Add an unit test checking the query of child
• b27bed6 fix #667: attr({foo: null}) removes attribute foo, like attr('foo', null)
• 70c5608 Include reference to dedicated "Loading" section
• fa70a84 Added load method to $
• 4e8483a update css-select to 1.2.0
• 5f2777a Merge pull request fix: reinstate --all-sub-project support for Gradle snyk/cli#732 from jugglinmike/reinstate-toarray
• 106e42a Merge pull request fix: Do not show duplicate license issues snyk/cli#776 from dYale/master
• 97149d3 Fixing Grammatical Error
• a1367ee Merge pull request fix: Ignore empty fixedIn arrays snyk/cli#739 from TrySound/npm-files
• 6c73b7a Merge pull request feat: convert nodejs plugin response to use multi format snyk/cli#773 from JaKXz/patch-1
• 48bb22d Test against node v0.12 --> v4.2
• ec2414d Correct output in example

See the full diff

Package name: compression

The new version differs by 117 commits.

• 93586e7 1.7.1
• bd3fa8a deps: bytes@3.0.0
• e1ce980 deps: vary@~1.1.2
• d0f7eab deps: debug@2.6.9
• 931c346 build: Node.js@8.4
• 8c8e36a deps: compressible@~2.0.11
• 8a5e773 deps: accepts@~1.3.4
• 7b4a7e2 build: eslint-plugin-node@5.1.1
• de30e3a build: mocha@2.5.3
• 8c3f7ea 1.7.0
• c27dc0f build: support Node.js 8.x
• d886306 build: eslint-config-standard@10.2.1
• 598d876 Use safe-buffer for improved Buffer API
• 47fca12 build: eslint-plugin-markdown@1.0.0-beta.6
• 3c78e39 build: Node.js@6.11
• 6c4c539 deps: debug@2.6.8
• 6d2de08 deps: compressible@~2.0.10
• ac13bc4 deps: bytes@2.5.0
• 527907c deps: debug@2.6.4
• 6488fc2 build: Node.js@7.10
• 55532e1 build: Node.js@6.10
• 0e4ad01 build: Node.js@4.8
• be58132 deps: compressible@~2.0.10
• 4d5238e deps: vary@~1.1.1

See the full diff

Package name: cookie-session

The new version differs by 43 commits.

• 9e9c681 1.3.2
• 62a6ec8 deps: debug@2.6.9
• 3d81629 1.3.1
• 269e5dd build: Node.js@8.4
• 84414e9 docs: fix date of 1.3.0 release
• 6d6c0b5 docs: add some comparison to express-session
• 0718b0b deps: cookies@0.7.1
• 096353e 1.3.0
• dfe1279 build: supertest@1.1.0
• ef47255 build: istanbul@0.4.5
• 3cf0b6c build: support Node.js 4.x - 8.x
• 0739b01 deps: cookies@0.7.0
• f8c02a3 build: support io.js 3.x
• a53eb76 deps: on-headers@~1.0.1
• 7eb6a41 build: reduce runtime versions to one per major
• 64de88f build: mocha@2.5.3
• f11ffdc deps: debug@2.6.8
• c8867bc build: remove unnecessary Travis CI command
• 92608fb build: io.js@2.5
• e7613aa build: fix running Node.js 0.8 tests on Travis CI
• 24334af 1.2.0
• caf462d Make req.sessionOptions a shallow clone to override per-request
• 5117478 docs: expand req.session documentation
• 5d3a73c perf: remove argument reassignments

See the full diff

Package name: express

The new version differs by 250 commits.

• f974d22 4.16.0
• 8d4ceb6 docs: add more information to installation
• c0136d8 Add express.json and express.urlencoded to parse bodies
• 86f5df0 deps: serve-static@1.13.0
• 4196458 deps: send@0.16.0
• ddeb713 tests: add maxAge option tests for res.sendFile
• 7154014 Add "escape json" setting for res.json and res.jsonp
• 628438d deps: update example dependencies
• a24fd0c Add options to res.download
• 95fb5cc perf: remove dead .charset set in res.jsonp
• 44591fe deps: vary@~1.1.2
• 2df1ad2 Improve error messages when non-function provided as middleware
• 12c3712 Use safe-buffer for improved Buffer API
• fa272ed docs: fix typo in jsdoc comment
• d9d09b8 perf: re-use options object when generating ETags
• 02a9d5f deps: proxy-addr@~2.0.2
• c2f4fb5 deps: finalhandler@1.1.0
• 673d51f deps: utils-merge@1.0.1
• 5cc761c deps: parseurl@~1.3.2
• ad7d96d deps: qs@6.5.1
• e62bb8b deps: etag@~1.8.1
• 70589c3 deps: content-type@~1.0.4
• 9a99c15 deps: accepts@~1.3.4
• 550043c deps: setprototypeof@1.1.0

See the full diff

Package name: glob

The new version differs by 76 commits.

• 3a7e71d v5.0.15
• 841fda0 use latest minimatch
• 4ba54a8 Skip some tests on Windows, make others pass
• 3936e1e Build: Add build for node v4
• c47d451 v5.0.14
• 821fac8 Handle ENOTSUP for sync glob as well as async
• 9625618 Test for when readdir raises ENOTSUP
• 0a2b519 Generate fixtures more effectively, with -O instead of eval
• f96190b Use js for benchmark cleanup
• 957fd93 Fix some 'use strict' errors
• bf3381e Treat ENOTSUP like ENOTDIR in readdir
• 507733d v5.0.13
• f5878af Do not emit 'match' events for ignored items
• 9439afd v5.0.12
• 6071f3a Revert "Use graceful-fs if available"
• 38ff16c v5.0.11
• f09292b Use graceful-fs if available
• 4f39b60 Remove duplicate option description
• e3cdccc v5.0.10
• 480da05 ignore .nyc_output, upgrade tap, use coverage, rm fixtures
• 155124b add more sync cb thrower tests
• f7302ca Test base-matching
• 7530e88 v5.0.9
• b185987 reduce cases where tests need to be regenerated

See the full diff

Package name: morgan

The new version differs by 149 commits.

• 572dd93 1.9.1
• e02de38 lint: apply standard 12 style
• e329663 Fix using special characters in format
• eb1968a tests: use strict equality checks
• 310b206 build: use yaml eslint configuration
• 5810937 build: Node.js@9.11
• f60afd5 build: Node.js@8.11
• 5295b0c build: eslint-plugin-standard@3.1.0
• 178daaf build: eslint-plugin-promise@3.8.0
• 7b08641 build: eslint-plugin-import@2.12.0
• 73cb666 build: eslint@4.19.1
• edc95aa build: Node.js@6.14
• ace86c3 build: Node.js@4.9
• 4dd1180 lint: apply standard 11 style
• 60c31e8 build: Node.js@9.8
• 05e382f build: Node.js@8.10
• 1a5be20 build: Node.js@6.13
• cf9565f docs: remove gratipay badge
• b66251d build: eslint-plugin-node@5.2.0
• 0113732 build: eslint-plugin-import@2.8.0
• 47659a9 deps: depd@~1.1.2
• 695f659 build: support Node.js 9.x
• f4c51e9 build: Node.js@8.9
• 4f15f36 build: Node.js@6.12

See the full diff

Package name: node-uuid

The new version differs by 14 commits.

• 17365b4 v1.4.6
• 3ff5482 Merge branch 'master' of github.com:broofa/node-uuid
• c206db8 v1.4.5
• 7bb3cb6 workaround for [Snyk] Security upgrade flask from 0.12.2 to 0.12.3 #126
• b18ad26 close [Snyk] Security upgrade proxy-agent from 3.1.1 to 5.0.0 #70
• 672f383 v1.4.4: close [Snyk] Security upgrade git-url-parse from 11.1.2 to 13.0.0 #122 [Snyk] Security upgrade django from 1.6.1 to 3.2.14 #118 [Snyk] Security upgrade snyk-config from 2.2.3 to 4.0.0 #108
• 8baa708 Merge pull request [Snyk] Security upgrade git-url-parse from 11.1.2 to 13.0.0 #123 from coolaj86/patch-1
• 616ad38 fix node.js security vulnerability
• 4ff82d5 Merge pull request [Snyk] Security upgrade yarn from 1.17.1 to 1.17.3 #113 from bcoe/coverage
• 2e45d22 add coverage reporting using nyc
• 49a74b4 Merge pull request [Snyk] Fix for 1 vulnerabilities #112 from pdehaan/patch-1
• 7683aa2 Update license attribute
• 95a9c54 Merge pull request [Snyk] Security upgrade snyk from 1.101.1 to 1.465.0 #107 from danorton2/master
• da999e9 Provide support of MSIE 11 msCrypto

See the full diff

Package name: request

The new version differs by 250 commits.

• 0ab5c36 2.82.0
• ffdf0d3 Updating deps.
• 4386836 Merge branch 'master' of github.com:request/request
• 1527407 Merge pull request [Snyk-dev] Security upgrade django from 1.6.1 to 2.2.27 snyk/cli#2703 from ryysud/add-nodejs-v8-to-travis
• 3afcbf8 Merge branch 'master' of github.com:request/request
• 479143d Update of hawk and qs to latest version (refactor: pull out custom rules code snyk/cli#2751)
• 169be11 Add Node.js v8 to Travis CI
• 643c43a Fixed some text in README.md ([Snyk-dev] Security upgrade openjdk from 8-jdk-slim to 8u302-slim-buster snyk/cli#2658)
• e8fca51 chore(package): update aws-sign2 to version 0.7.0 (chore: Update Readme extension to read markdown snyk/cli#2635)
• e999203 Update README to simplify & update convenience methods (fix: add support for --API to iac test command [CFG-1513] snyk/cli#2641)
• 6f286c8 lint fix, PR from pre-standard was merged with passing tests
• a765593 Add convenience method for HTTP OPTIONS (docs: update protect.md snyk/cli#2541)
• 52d6945 Add promise support section to README ([Snyk-dev] Upgrade minimatch from 3.0.2 to 3.0.4 snyk/cli#2605)
• b12a624 refactor(lint): replace eslint with standard ([Snyk-dev] Security upgrade marked from 0.3.6 to 4.0.10 snyk/cli#2579)
• 29a0b17 Merge pull request feat: Improve npm7+ error message snyk/cli#2598 from request/greenkeeper-codecov-2.0.2
• e7b4a88 Merge pull request GH Action for syncing help files snyk/cli#2590 from nicjansma/timings-tests
• dd5c02c Updated comment
• 087de94 Merge pull request [Snyk-dev] Security upgrade alpine from 3.12.0 to 3.13.7 snyk/cli#2589 from odykyi/fix-tabulation
• 3d5e50d Merge pull request [Snyk-dev] Security upgrade node from 12 to 12.22.8-stretch snyk/cli#2594 from ahmadnassri/patch-1
• 0951f47 chore(package): update codecov to version 2.0.2
• baf9c1f chore(dependencies): har-validator -> 5.0.2
• 21b1112 chore(dependencies): har-validator -> 5.0.1
• 51806f8 chore(dependencies): har-validator to 5.x [removes babel dep]
• c57fb72 2.81.1

See the full diff

Package name: sqlite3

The new version differs by 188 commits.

• d02f5c3 update changelog with nan update [skip ci]
• c18c701 [republish binary]
• a3dbf1d upgrade nan to latest
• cb34582 bump to v4.x (drops node v0.x support) [publish binary]
• c4659eb Merge pull request fix: increase cli test timeout snyk/cli#952 from SebastianSchmidt/master
• f937dea Upgrade node-pre-gyp to version 0.9.0
• a469960 Merge pull request feat: better error for setup.py when deps are not installed snyk/cli#921 from mapbox/visual-studio-fixes
• 2d7c082 [publish binary]
• a719c73 use CALL
• 60c6d28 upgrade node-gyp for node v5 as well
• f7c4627 set NODE_MAJOR variable
• 22fb3d9 attempt to fix bat logic
• 6fc2f8b Start building for node v9 on unix
• 943da93 build against msvs_toolset=14 when we can
• 72bddaf add v3.1.13 to changelog [skip ci]
• 22de94e bump to 3.1.13 [publish binary]
• 7761ce3 use released node-pre-gyp with repaired node v0.10.x support
• 95f2d24 bump to v3.1.12 [publish binary]
• e3f5002 use Nan::ForceSet to avoid v8 deprecation issue
• fa77a07 fix node-gyp version to use released version
• 354d688 remove node-gyp from package.json since it will now break node v0.10.x support
• 105861d point at diff upstream node-pre-gyp
• 6dd888e fix node-pre-gyp testing url
• 9a8a8e9 attempt to fix node v0.10.x build

See the full diff

Package name: validator

The new version differs by 250 commits.

• 76a0561 5.0.0
• 34779dc Update the README and changelog
• 396f2be Merge pull request fix: remove debug logging from the code snyk/cli#496 from forabi/modules
• a33b64b Fix README.md
• be9fb9c Rebase on 4.9.0
• bf16624 Fix ESLint config
• b1ff8bc Remove old ESLint config file
• af94fb7 Upgrade to ESLint 2, remove unnecessary deps
• f919358 Prefer template strings
• b96a953 Update the changelog
• e2ccc9f Merge pull request #503 from chriso/chriso/faster-base64-validation
• ebcca98 Condense the if blocks
• 1bd5b1f Check padding in the last block
• 38a5271 Don't use regex to validate base64
• f9c0cfb Add some more test vectors
• 4e06dc6 Merge pull request feat: allow passing color for docker cli response snyk/cli#501 from Dadidam/master
• 6204821 Merge pull request [Snyk] Fix for 1 vulnerabilities #2 from chriso/master
• 438d8da Update the README, re fix: correct remediation (after switching to dep-graph) snyk/cli#499
• 8682441 4.9.0
• d36a29d Update the changelog and min version
• 1db186a Remove the restriction on adjacent hyphens in hostnames
• 20c8bdf Update the changelog and min version
• 1ae83ef Merge pull request fix: correct remediation (after switching to dep-graph) snyk/cli#499 from Dadidam/master
• ebc7497 Merge pull request [Snyk] Fix for 32 vulnerabilities #1 from Dadidam/Dadidam-patch-ru-locale

See the full diff

With a Snyk patch:

Severity	Issue
	Prototype Pollution npm:hoek:20180212

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic