[Snyk] Fix for 11 vulnerabilities

[ghost]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-DICER-2311764	Yes	Mature
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-DOTPROP-543489	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	Open Redirect SNYK-JS-GOT-2932019	No	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASHSET-1320032	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	No	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: express-compile-sass

The new version differs by 17 commits.

• 6429900 4.0.0
• cf5cafa Update to chalk 2.3.1
• a4e4abb Don't test in node 7
• 91d43f4 update coveralls to 3.x
• 4fb082e Replace gaze with chokidar, update mocha and sinon
• e4eafa2 Stupid travis.yml copy/paster error
• bd5f976 Update fs-extra to 5.x
• 804b8e7 Update travis setup
• 7ceaddf Update to unexpected-express 10
• 748c39e Deprecate supertest
• e41bb60 Update to node-sass 4.x
• c564d47 Merge pull request Asi 10 04 changes Midburn/spark#268 from sonicdoe/fix-test
• e5a5df2 Fix test
• d177287 Update dependencies
• 26e4e70 Remove lodash
• c984e18 Update csserror to 2.0.2 and add custom assertions for tests
• 48fdd82 Configure jshint correctly

See the full diff

Package name: express-fileupload

The new version differs by 250 commits.

• 4f81fc8 1.4.0
• 78a66c1 Merge pull request [WIP]Adding a show-table dev tool at /dev/ Midburn/spark#315 from duterte/master
• 310a382 Merge branch 'richardgirges:master' into master
• f57198b fix linting error
• ce713c2 add workflow job filters
• e47cc7d trigger ci
• 74a0830 Refactor: upgrade to busboy 1.6.0
• d1d6c66 Refactor busboy is no longer a constructor, its a function
• 30d8535 Merge pull request Camp Membership screen display bugs Midburn/spark#310 from richardgirges/dependabot/npm_and_yarn/minimist-1.2.6
• e6948f9 Bump minimist from 1.2.5 to 1.2.6
• c9c7d83 Create SECURITY.md
• f9237aa help wanted readme update
• 651421b help wanted readme update
• 290f3cc 1.3.1
• ab3d252 node 12+ support
• 4afa5a1 1.3.0
• fe0ce3f circleci status badge
• 26f4a92 comment out console logs
• edd91ce Merge pull request ori test codeship Midburn/spark#301 from zwade/master
• 47bc50c Merge remote-tracking branch 'origin/master'
• 3ba7d94 Merge pull request [wip] Api Gate Routes Midburn/spark#302 from zwade/zw-fix-tests
• ddf5530 support node 12+. fix security vulnerabilities re: npm audit
• 3cfbc7f Have promiseCallback make callbacks and promises behave the same
• 5e83249 Refactor prototype pollution check to be more comprehensive

See the full diff

Package name: json2csv

The new version differs by 101 commits.

• 58bd0ae chore(release): 4.3.5
• 3182707 fix: audit deps
• 2d69281 fix: unwind of nested fields (Recreate Volunteers DB Midburn/spark#357)
• c910c35 chore(release): 4.3.4
• 851c02f fix: issue with fields.value function not receiving correct fields (Spark should provide a button to redirect to volunteers homepage Midburn/spark#353)
• 9b243d1 chore(release): 4.3.3
• 1ef4bcd fix: audit dep fix
• 964ca6e chore: remove unused flat link from readme
• 130ef7d fix: Remove invalid reference to flat (integrate with opbeat for easy debugging and better error reporting on production Midburn/spark#347)
• 2b6ad3a fix: Remove preferGlobal from package.json (should change to a stable NodeJS version Midburn/spark#346)
• 1d6e18d chore(release): 4.3.2
• d28955a fix: Remove lodash.clonedeep dependency ([Task] investigate error on production with v2.3.0 Midburn/spark#339)
• 9d8f917 chore(release): 4.3.1
• f45730f docs: Document how fields work in the CLI (Asi 23 04 camps add more managers Midburn/spark#336)
• a793de5 fix: Return correct exit code on error (Asi 23 04 camps add more managers Midburn/spark#337)
• e9622cb chore: update ghpages deploy
• bd9b791 chore(release): 4.3.0
• b91069e docs: Update docs, remove fields list, add fields config (cannot debug #camps module, as I run out of coffee. Midburn/spark#331)
• d9e4463 fix: Optimize performance around the usage of fields ([Task] find out what's the "spark-production" load balancer meant to be used for Midburn/spark#328)
• 8f0ae55 feat: Add support for objectMode in the stream API ([Incident] production down-time Apr. 21, 2017 Midburn/spark#325)
• 6486bb0 fix: Remove wrong submodule ([Task] review the nginx / node production configuration (focus on stability and performance) Midburn/spark#326)
• 8522d89 docs: Add documentation about CDN usage ([Task] should support basic (manual) autoscaling group with load balancer Midburn/spark#327)
• f31d114 chore(release): 4.2.1
• f0a4830 fix: bug that modifies opts after parsing an object/stream (#Camps - Phase 2 Midburn/spark#318)

See the full diff

Package name: knex

The new version differs by 73 commits.

• ca702cf Updated changelog and bumped version up
• 44ccb33 Fixes #1303 (#2458)
• 8771bd4 Use tarn as pool (#2450)
• 053736f Added info about new dialect and about minimal test cases
• 5f81e8a Add redshift support without changing cli or package.json (#2233)
• bf1fa63 Add queryContext to schema and query builders (#2314)
• 09eb126 Update dependencies and fix ESLint warnings accordingly (#2433)
• c1997e9 Fixing issue with add columns on tables failing if using both after and collate (#2432)
• 15706c0 2351 CLI sets exit-code 1 if the command supplied was not parseable (#2358)
• 9f8d2ed Update dependencies (#2422)
• 59f6cba Set toNative() to be not enumerable (#2388)
• 45f5ffb Use wrapIdentifier in columnInfo. fixes #2402 (#2405)
• 82bfdba Disable oracledb tests from non LTS nodes (#2407)
• 3f89701 Shifted returning before joins for updates (MSSQL) (#2399)
• 6ffcaed fixes #2373 (#2374)
• 5e12b23 Incorrectly set UV_THREADPOOL_SIZE (#2372)
• fbf371f Added decimal variable precision / scale support (#2353)
• aac0565 Updated change log + version for 0.14.2
• b5ba51a Fix truncate() on sqlite3 dialect (#2348)
• aeec0a2 Updated package version and changelog
• c0ac107 More pool tests and test on borrow default (#2341)
• 95e5cf8 Support multiple searchPaths while preserving case-sensitive feature … (#2340)
• e405d66 Fixed passing connection errors directly to the query (#2336)
• 211a611 Fixed typo in issue template

See the full diff

Package name: node-sass

The new version differs by 163 commits.

• 3b556c1 7.0.2
• c716359 Bump sass-graph@^4.0.1 (#3292)
• 24741b3 docs(readme): fix docpad plugin link
• 1523330 feat: Drop Node 12
• 365d357 update https://registry.npm.taobao.org to https://registry.npmmirror.com
• 1456114 build(deps): bump actions/upload-artifact from 2 to 3
• b465b69 chore: bump GitHub Actions to Windows 2019 (#3254)
• e6194b1 build(deps): bump make-fetch-happen from 9.1.0 to 10.0.4
• 4edf594 build(deps): bump node-gyp from 8.4.1 to 9.0.0
• 29e2344 build(deps): bump actions/checkout from 2 to 3
• 85b0d22 build(deps): bump actions/setup-node from 2 to 3
• 3bb51da Use make-fetch-happen instead of request (#3193)
• adc2f8b build(deps): bump true-case-path from 1.0.3 to 2.2.1 (#3000)
• 77d12f0 chore: disable Apline for Node 16/17 builds
• 308d533 ci: use Python 3 for Node 12
• c818907 ci: unpin actions/setup-node to v2
• 99242d7 7.0.1
• 77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 (#3224)
• c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 (#3209)
• 918dcb3 Lint fix
• 0a21792 Set rejectUnauthorized to true by default (#3149)
• e80d4af chore: Drop EOL Node 15 (#3122)
• d753397 feat: Add Node 17 support (#3195)
• dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0

See the full diff

Package name: nodemon

The new version differs by 98 commits.

• 9a67f36 feat: update chokidar to v3
• 6781b40 docs: add license file
• 0e6ba3c fix: wait for all subprocesses to terminate (fixes issue #1476)
• b58cf7d chore: Merge branch 'master'
• 95a4c09 docs: add to faq
• 3a2eaf7 choe: merge master
• 3d90879 chore: add logo to site
• 7d6c1a8 fix: Replace `jade` references by `pug`
• 74c8749 chore: test funding.yml change
• c1a8b75 chore: update funding
• d5b9891 test: ensure ignore relative paths
• eead311 fix: to avoid confusion like in #1528, always report used extension
• 12b66cd fix: langauge around "watching" (#1591)
• 2e6e2c4 docs: README Grammar (#1601)
• 5124ae9 Merge branch 'master' of github.com:remy/nodemon
• 95fa05a chore: git card
• d84f421 chore: adding funding file
• 13afac2 fix: ensure signal is sent to exit event
• d088cb6 chore: update stalebot
• 20ccb62 feat: add message event
• 886527f fix: disable fork only if string starts with dash
• 64b474e feat: add TypeScript to default execPath (#1552)
• 2973afb fix: Quote zero-length strings in arguments (#1551)
• aa41ab2 fix: hard bump of [email protected]

See the full diff

Package name: snyk

The new version differs by 62 commits.

• 933f3f1 feat: update snyk-resolve-deps to reduce size of dependencies
• 042c476 feat: remove update notifier
• 7e10aae feat: support yarn for protect scripts
• 6b6ce94 fix: dont suggest reinstallation for yarn projects
• 80e49fd fix: update test fixures expected version
• 38f993f fix: compatability with new pip version (10.0.0)
• db91114 feat: a seperate spinner for "Analyzing deps ..."
• 6a77349 fix: update snyk-go-plugin 1.4.5 -> 1.4.6
• 334f8b1 fix: remove vulns from analytics payload if present
• 58b5437 chore: adds security document
• b3d241a fix: bump snyk-python-plugin to better handle editable fragments
• 66d658a fix: analytics report includes duration of execution
• c2399ae feat: add severity-threshold flag
• 9da056d fix: add --json to help docs
• 46cb432 fix: bump sbt-plugin to 1.2.5 (better errors)
• 5bf0f83 fix: debug on requests
• 6847700 test: lock `nock` to 9.1.0
• 65c6ac1 test: new policy fixtures
• 54ffa86 fix: bump snyk-policy to allow unquoted dates
• e70618d docs: update readme
• a536ad5 fix: bump snyk-sbt-plugin to fix output format issue
• d7d3353 fix: standardise handling of errors on snyk test
• dd60fcc test: tests are not babelified, remove es6 syntax for 0.12 support
• 297b3ac fix: bump debug to a non-vulnerable minimum version

See the full diff

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn