[Snyk-dev] Fix for 10 vulnerabilities

[KobyDamari]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Recently disclosed, Has a fix available, CVSS 8.2	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Code Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-LODASH-6139239	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: body-parser

The new version differs by 209 commits.

• 1752951 1.20.3
• 39744cf chore: linter (#534)
• b2695c4 Merge commit from fork
• ade0f3f add scorecard to readme (#531)
• 99a1bd6 deps: [email protected] (#521)
• 9478591 fix: pin to [email protected]
• 83db46a ci: fix errors in ci github action for node 8 and 9 (#523)
• 9d4e212 chore: add support for OSSF scorecard reporting (#522)
• ee91374 1.20.2
• 368a93a Fix strict json error message on Node.js 19+
• 0385872 deps: [email protected]
• 2c35b41 build: [email protected]
• f0646c2 build: [email protected]
• f345fb1 build: [email protected]
• 6842efc deps: content-type@~1.0.5
• 5af7315 build: [email protected]
• 8e605b3 build: [email protected]
• cba6e77 build: [email protected]
• 6a464ab build: [email protected]
• 7ebf276 build: [email protected]
• 69bb649 build: [email protected]
• 8ff995f docs: switch badges to badgen
• 850832f build: [email protected]
• dad8f34 build: actions/download-artifact@v3

See the full diff

Package name: mongodb

The new version differs by 250 commits.

• 8b3c3b0 chore(release): 3.3.0
• 0d2018c docs(AutoEncryption): adds documentation for extraOptions
• 3ecda98 docs(autoEncryption): document that autoEncryption is in beta
• 814a4cc chore(useUnifiedTopology): add deprecation warning for useUnifiedTopology
• b7308db test: disable some failing tests for later investigation
• b23e606 test(transactions): disable invalid pinning test
• 82a7a6e chore(travis): add 4.2 testing to travis
• 392f5a6 fix(topology): add new error for retryWrites on MMAPv1
• 2ef8f2c chore(ci): update evergreen config to test Ubuntu 18.04 on mongodb >= 4.2
• ae729f8 refactor(change-stream): use `AggregateOperation` for stream cursor
• 831968d refactor(cursor): return operation readPreference with priority
• 1ffe9b7 refactor(client): provide default namespace and read preference
• 778928f refactor(command): support full response as command op option
• 6acef6d refactor(find): use `FindOperation` for finds
• 0f88582 refactor(cursor): modernize and deduplicate cursor classes
• feec4ba refactor(cursor): deduplicate properties shared by base cursors
• b3948aa feat(transaction): allow applications to set maxTimeMS for commitTransaction
• b0a4a0c test(ChangeStream): attempt to stabilize changeStream tests
• af3243d test(UnifiedTopology): fix a variety of issues with unified topology tests
• eb5dfc9 fix(transactions): fix error message for attempting sharded
• eb5cc6b fix(serverSelection): make sure to pass session to serverSelection
• 083e18a fix(transactions): fix sharded transaction error logic
• bcf6358 chore(ci): update evergreen config
• ce2c9af fix(connections_stepdown_tests): use correct version of mongo for tests

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• 43b63ae chore: release 5.7.3
• 06112b0 docs(validation): remove deprecated `isAsync` from validation docs in favor of emphasizing promises
• 7fee719 docs(documents): add overwriting section
• 98b5a73 fix: make CoreMongooseArray#includes() handle `fromIndex` parameter
• 6c91dea style: fix lint
• 9bb4b03 refactor: remove async as a prod dependency
• 3647292 refactor(cursor): remove async.queue() from eachAsync() re: #8073 #5502
• e60db1b refactor(cursor): remove dependency on async.times()
• c5b2355 docs(promises): add note about queries being thenable
• da77b8d Merge pull request #8192 from birdofpreyru/fix-8093-1
• c371500 fix(update): cast right hand side of `$pull` as a query instead of an update for document arrays
• 9d455ad test(update): repro #8166
• 8c98a3a chore: now working on 5.7.3
• 0a33412 fix(populate): handle virtual populate of an embedded discriminator nested path
• b42d0f5 test(populate): repro #8173 #6488
• 1db5982 docs: link to map blog post
• c76e062 Fixes the previous commit
• 1a01713 [#8093] Fixes performance of update validator, and flatten function logic
• dea0b95 chore: release 5.7.2
• fb0bd0d fix(populate): avoid converting mixed paths into arrays if populating an object path under `Mixed`
• bdfce8f docs: add mongoosejs-cli to readme
• e2d191a fix(discriminator): support `tiedValue` parameter for embedded discriminators analagous to top-level discriminators
• d8cc819 test: fix tests
• 952120a fix(query): handle `toConstructor()` with entries-style sort syntax

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Code Injection
🦉 Prototype Pollution