[Snyk] Fix for 25 vulnerabilities

[smarkussen19]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • goof/package.json
  • goof/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	584/1000 Why? Has a fix available, CVSS 7.4	Directory Traversal SNYK-JS-ADMZIP-1065796	No	No Known Exploit
	741/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.4	DLL Injection SNYK-JS-KERBEROS-568900	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-174116	No	No Known Exploit
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Information Exposure SNYK-JS-MONGOOSE-472486	No	No Known Exploit
	661/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.8	Arbitrary Code Injection SNYK-JS-MORGAN-72579	No	Proof of Concept
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept
	899/1000 Why? Mature exploit, Has a fix available, CVSS 9.4	Arbitrary File Write via Archive Extraction (Zip Slip) npm:adm-zip:20180415	No	Mature
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	No Known Exploit
	644/1000 Why? Has a fix available, CVSS 8.6	Code Injection npm:dustjs-linkedin:20160819	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No	No Known Exploit
	654/1000 Why? Has a fix available, CVSS 8.8	Cross-site Scripting (XSS) npm:marked:20150520	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Cross-site Scripting (XSS) npm:marked:20170112	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Cross-site Scripting (XSS) npm:marked:20170815	No	No Known Exploit
	454/1000 Why? Has a fix available, CVSS 4.8	Cross-site Scripting (XSS) npm:marked:20170815-1	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:marked:20170907	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:marked:20180225	No	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) npm:moment:20161019	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	No	No Known Exploit
	641/1000 Why? Mature exploit, Has a fix available, CVSS 5.1	Remote Memory Exposure npm:mongoose:20160116	No	Mature
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Directory Traversal npm:st:20140206	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: adm-zip

The new version differs by 134 commits.

• c5aeed4 Incremented version number
• 119dcad Fixed path traversal issue GHSL-2020-198
• 1d22ff6 Merge pull request [Snyk(Unlimited)] Upgrade debug from 2.0.0 to 2.6.9 snyk-fixtures/npm-lockfiles#341 from 5saviahv/history
• 492d148 added changelog
• dd415ae Incremented version
• 0f011a3 Fixed outFileName
• bc19fee Added extra parameter to extractEntryTo so target filename can be renamed
• 92e9836 Updated dev dependency
• 2b8d9ab Merge pull request [Snyk(Unlimited)] Upgrade node-uuid from 1.4.0 to 1.4.8 snyk-fixtures/npm-lockfiles#315 from enecciari/work_in_browser
• 4fe58d1 Merge pull request [Snyk(Unlimited)] Upgrade from thebespokepixel/es-tinycolor to thebespokepixel/es-tinycolor snyk-fixtures/npm-lockfiles#322 from cthackers/dependabot/npm_and_yarn/lodash-4.17.19
• 49218a4 Merge pull request [Snyk(Unlimited)] Upgrade node-uuid from 1.4.0 to 1.4.8 snyk-fixtures/npm-lockfiles#327 from kosuke-suzuki/multibyte-comment
• a7e8932 Merge pull request [Snyk-local(Unlimited)] Upgrade sgr-composer from 0.5.0 to 0.5.3 snyk-fixtures/npm-lockfiles#331 from 5saviahv/master
• 7db0eda modified addLocalFolder method
• e114929 typo
• dc81063 modified addLocalFile method
• bc0f594 Deflate needs min V2.0
• dde4f51 Node v6
• 003d4cf Added ZipCrypto decrypting ability
• 63ed6e2 Detect and throw error with encrypted files
• c64ac14 LICENSE filename in package.json
• 1a334b2 add multibyte-encoded comment with byte length instead of character length
• 96d492a Bump lodash from 4.17.15 to 4.17.19
• b77f380 now it works in browser
• 218feee Merge remote-tracking branch 'upstream/master'

See the full diff

Package name: cfenv

The new version differs by 12 commits.

• fb0a2aa update dependencies, now at version 1.2.4
• 63e072a version 1.2.3
• 02bb92d Issue 45 Remove '.cfignore'
• 4103a3e version 1.2.2
• b07a59e handle ports race condition by returning 3000
• 6927628 version 1.2.1
• 3f19f12 Upgrade js-yaml to avoid Denial of Service
• a5dbceb version 1.2.0
• 1a730e3 Stop using outdated manifest stanza; use random-route instead
• f8b0392 Upgrade underscore version 1.9.x
• b60ef7c add test for local vcapFile port usage
• c6262a6 Locally use the options to read the port

See the full diff

Package name: errorhandler

The new version differs by 85 commits.

• c41e9aa 1.4.3
• ffce329 build: istanbul@0.4.2
• 90a8777 build: Node.js@4.2
• 38b745b deps: accepts@~1.3.0
• 80aea51 deps: escape-html@~1.0.3
• b0be93a docs: fix typo in readme
• 2f688d0 build: support Node.js 5.x
• 1238ed4 build: istanbul@0.4.1
• fdeb13c build: mocha@2.3.4
• cc6fd1f build: support Node.js 4.x
• 3a2117a build: support io.js 3.x
• 75b9ee1 build: reduce runtime versions to one per major
• 6797752 tests: add test for util.inspect in HTML response
• b6e53d7 docs: add more documentation regarding util.inspect
• 88b9a58 deps: accepts@~1.2.13
• ac75d3f build: istanbul@0.3.19
• 5ee62b7 deps: escape-html@1.0.3
• 1e89ae7 build: istanbul@0.3.18
• ef1e8f1 build: supertest@1.1.0
• a7a6dce 1.4.2
• 692e2e7 deps: accepts@~1.2.12
• 6f2e8d2 build: io.js@2.5
• 564c117 build: fix running Node.js 0.8 tests on Travis CI
• 2dfd872 1.4.1

See the full diff

Package name: express

The new version differs by 250 commits.

• f974d22 4.16.0
• 8d4ceb6 docs: add more information to installation
• c0136d8 Add express.json and express.urlencoded to parse bodies
• 86f5df0 deps: serve-static@1.13.0
• 4196458 deps: send@0.16.0
• ddeb713 tests: add maxAge option tests for res.sendFile
• 7154014 Add "escape json" setting for res.json and res.jsonp
• 628438d deps: update example dependencies
• a24fd0c Add options to res.download
• 95fb5cc perf: remove dead .charset set in res.jsonp
• 44591fe deps: vary@~1.1.2
• 2df1ad2 Improve error messages when non-function provided as middleware
• 12c3712 Use safe-buffer for improved Buffer API
• fa272ed docs: fix typo in jsdoc comment
• d9d09b8 perf: re-use options object when generating ETags
• 02a9d5f deps: proxy-addr@~2.0.2
• c2f4fb5 deps: finalhandler@1.1.0
• 673d51f deps: utils-merge@1.0.1
• 5cc761c deps: parseurl@~1.3.2
• ad7d96d deps: qs@6.5.1
• e62bb8b deps: etag@~1.8.1
• 70589c3 deps: content-type@~1.0.4
• 9a99c15 deps: accepts@~1.3.4
• 550043c deps: setprototypeof@1.1.0

See the full diff

Package name: humanize-ms

The new version differs by 3 commits.

• e8bc10a Release 1.1.0
• e584c58 add benchmark
• 4cf945f deps: upgrade ms to 0.7.0

See the full diff

Package name: marked

The new version differs by 250 commits.

• 529a8d4 Merge pull request [Snyk(Unlimited)] Upgrade @thebespokepixel/string from 0.5.2 to 0.5.10 snyk-fixtures/npm-lockfiles#1441 from styfle/release-0.6.2
• fc5dbf1 🗜️ minify [skip ci]
• b1ddd3c Merge pull request [Snyk(Unlimited)] Upgrade truwrap from 0.8.1 to 0.8.4 snyk-fixtures/npm-lockfiles#1460 from andersk/inline-text-quadratic
• be27472 Improve worst-case performance of inline.text regex
• 6b88601 0.6.2
• ba1de1e 🗜️ minify [skip ci]
• d94253c Merge pull request [Snyk(Unlimited)] Upgrade adm-zip from 0.4.7 to 0.4.13 snyk-fixtures/npm-lockfiles#1438 from UziTech/html-new-line-fix
• 6eec528 Merge pull request [Snyk(Unlimited)] Upgrade color-convert from 1.9.2 to 1.9.3 snyk-fixtures/npm-lockfiles#1449 from UziTech/use-htmldiffer
• 0cd0333 remove redundant comments
• ff127c5 use template literals
• a16251d fix test spacing
• da57301 use htmldiffer in file tests & update to node 4
• 621f649 abstract htmldiffer
• 42e816c fix again
• 246dd3d fix whitespace after tag
• f1089fe add test
• 0f0b763 allow html without \n after
• d069d0d Merge pull request [Snyk(Unlimited)] Upgrade @thebespokepixel/es-tinycolor from 0.3.1 to 0.3.2 snyk-fixtures/npm-lockfiles#1448 from UziTech/version
• 5d6bde0 Merge pull request [Snyk(Unlimited)] Upgrade sgr-composer from 0.5.0 to 0.5.3 snyk-fixtures/npm-lockfiles#1444 from UziTech/normalize-tests
• 4760772 fix tests
• df310a8 remove header ids from original tests
• 775d08d move redos tests to /redos folder
• b169e7b add excerpt length constant
• fd9dc21 update deps

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• f88eb25 fix(query): delete top-level `_bsontype` property in queries to prevent silent empty queries
• 1db031c test(schema): clean up messy tests re: #8459
• 8fa8012 test: test cleanup re: #8459
• 4a55040 chore: remove problematic mongoose-long dep and use mongodb 3.4 in tests
• 91f95da chore: run consistent mongod version in tests
• 0e65e6e chore: release 4.13.20
• 803090d fix(schema): make aliases handle mongoose-lean-virtuals
• 6a8b381 chore: add .config.js to gitignore and npmignore
• f51c4aa chore: release 4.13.19
• 2aeeaa8 Merge pull request #7950 from cdimitroulas/backport-aggregate-options-bugfix
• b10cc98 rename aggregation option test
• d9a2027 fix bug: Using options in aggregates doesn't set anything
• 75daf18 chore: release 4.13.18
• 8c75e9b chore: dont run nsp
• c8b8720 style: fix lint
• edf70e4 fix(cast): backport fix from #7290 to 4.x
• 29f6709 fix(model): handle setting populated path set via `Document#populate()`
• 0e1772f test(document): repro #7302
• 2370f97 chore: now working on 4.13.18
• 4545d44 chore: release 4.13.17
• fb8b644 fix(document): disallow setting constructor and prototype if strict mode false
• b33d8c2 style: fix lint
• df93f5b chore: release 4.13.16
• a3b98f6 fix(document): disallow setting __proto__ if strict mode false

See the full diff

Package name: morgan

The new version differs by 27 commits.

• 572dd93 1.9.1
• e02de38 lint: apply standard 12 style
• e329663 Fix using special characters in format
• eb1968a tests: use strict equality checks
• 310b206 build: use yaml eslint configuration
• 5810937 build: Node.js@9.11
• f60afd5 build: Node.js@8.11
• 5295b0c build: eslint-plugin-standard@3.1.0
• 178daaf build: eslint-plugin-promise@3.8.0
• 7b08641 build: eslint-plugin-import@2.12.0
• 73cb666 build: eslint@4.19.1
• edc95aa build: Node.js@6.14
• ace86c3 build: Node.js@4.9
• 4dd1180 lint: apply standard 11 style
• 60c31e8 build: Node.js@9.8
• 05e382f build: Node.js@8.10
• 1a5be20 build: Node.js@6.13
• cf9565f docs: remove gratipay badge
• b66251d build: eslint-plugin-node@5.2.0
• 0113732 build: eslint-plugin-import@2.8.0
• 47659a9 deps: depd@~1.1.2
• 695f659 build: support Node.js 9.x
• f4c51e9 build: Node.js@8.9
• 4f15f36 build: Node.js@6.12

See the full diff

Package name: ms

The new version differs by 19 commits.

• 9b88d15 2.0.0
• 94b995c Invalidated cache for slack badge
• bcf5715 Bumped dependencies to the latest version
• b1eaab7 Ignored logs coming from npm
• caae298 Limit str to 100 to avoid ReDoS of 0.3s ([Snyk] Fix for 10 vulnerabilities #89)
• b83b36d chore(package): update eslint to version 3.19.0 ([Snyk] Fix for 1 vulnerabilities #88)
• 3f2a4d7 chore(package): update husky to version 0.13.3 ([Snyk] Fix for 1 vulnerabilities #86)
• 7daf984 1.0.0
• ee91f30 More suitable name for file containing tests
• e818c35 Removed browser testing
• c9b1fd3 Test on LTS version of Node
• 389840b Badge for XO removed
• 1fbbe97 Removed component specification
• 57b3ef8 Use `prettier` and `eslint`
• 94068ea Removed XO
• 4b7f48f chore(package): update serve to version 5.0.4 ([Snyk] Security upgrade tap from 5.8.0 to 14.6.8 #85)
• bd49cec chore(package): update xo to version 0.18.0 ([Snyk] Fix for 1 vulnerabilities #84)
• d4a94b1 chore(package): update serve to version 5.0.3 ([Snyk] Fix for 1 vulnerabilities #83)
• 923eee1 chore(package): update serve to version 5.0.2 ([Snyk] Security upgrade debug from 2.6.9 to 3.1.0 #82)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal
🦉 Code Injection
🦉 Cross-site Scripting (XSS)
🦉 More lessons are available in Snyk Learn