[Snyk] Fix for 28 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	630/1000 Why? Has a fix available, CVSS 8.1	Internal Property Tampering SNYK-JS-BSON-561052	Yes	No Known Exploit
	554/1000 Why? Has a fix available, CVSS 6.8	Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Timing Attack SNYK-JS-ELLIPTIC-511941	Yes	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Cryptographic Issues SNYK-JS-ELLIPTIC-571484	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	Yes	Proof of Concept
	584/1000 Why? Has a fix available, CVSS 7.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	Yes	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-JSYAML-173999	Yes	No Known Exploit
	619/1000 Why? Has a fix available, CVSS 8.1	Arbitrary Code Execution SNYK-JS-JSYAML-174129	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	Yes	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-MONGODB-473855	Yes	No Known Exploit
	751/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.6	Command Injection SNYK-JS-NODEMAILER-1038834	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	HTTP Header Injection SNYK-JS-NODEMAILER-1296415	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Insecure Defaults SNYK-JS-SOCKETIO-1024859	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	576/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.1	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: coveralls

The new version differs by 3 commits.

• 2ed4d09 major version bump for node > 4.x
• 5ebe57f bump version
• 428780c Expand allowed dependency versions to all API compatible versions (by dflt multiserver listen only to localhost bitpay/bitcore-wallet-service#172)

See the full diff

Package name: mongodb

The new version differs by 250 commits.

• c6f417e chore(release): 3.1.13
• 210c71d fix(db_ops): ensure we async resolve errors in createCollection
• 5ad9fa9 fix(changeStream): properly handle changeStream event mid-close (#1902)
• e806be4 fix(bulk): honor ignoreUndefined in initializeUnorderedBulkOp
• 050267d fix(*): restore ability to webpack by removing `makeLazyLoader`
• 6e896f4 docs: adding aggregation, createIndex, and runCommand examples
• cb3cd12 chore(release): 3.1.12
• 508d685 Revert "chore(release): 3.2.0"
• e7619aa chore(release): 3.2.0
• d0dc228 chore(travis): include forgotten stage info for sharded builds
• ffbe90b chore(travis): run sharded tests in travis as well
• 9bef6e7 feat(core): update to mongodb-core v3.1.11
• e4bb39e chore(release): 3.1.11
• 76c0130 chore(core): bump version of mongodb-core
• a3adb3f fix(bulk): fix error propagation in empty bulk.execute
• ec0e30e doc(change-streams): correct typo, add missing example
• 10ea992 chore(package): update lock file
• fcb3ec1 test(sharded): reduce some sharded errors
• d4eae97 test(sessions): undo hack for apm events in sessions tests
• 0eaca21 test(sessions): fixing broken session test
• 6790a74 test(sharding): fixing old sharding tests
• 98f0c68 test(sharded): fixing sharded operation test
• c6a9baa test(sessions): fixing session tests in sharded env
• 985f0e9 test(drop): fixing drop assertions for sharded tests

See the full diff

Package name: nodemailer

The new version differs by 250 commits.

• 7e02648 v6.6.1
• 1750c0f v6.6.0
• 0636d58 Merge branch 'master' of github.com:nodemailer/nodemailer
• 058d414 v6.6.0
• fcb0d1f test: 💍 aws ses SDK v3 support
• 2ef39e3 test: 💍 aws ses connection verification
• 6107585 fix: 🐛 ses verify, add support for v3 API
• bf57cf5 Fixes resolveContent with streams overriding data
• 91108d7 v6.5.0
• 87d9b25 Pass through textEncoding to subnodes.
• 271f91b Update index.js
• 9b5fb94 v6.4.18
• 625a9ed Update README.md
• 1d24d8b docs: added rudimentary sponsor quote block
• a455716 Added OhMySMTP to services
• 6e045d1 v6.4.17
• ba31c64 v6.4.16
• 7e7b2b2 v6.4.15
• fca2041 Update CHANGELOG.md
• b4ccfa3 Oups
• 24b93bf Add ethereal.email to well-known/services.json
• 0f132fa doc: make the code a little more accessible with some code comments.
• 1815bad v6.4.14
• dd26ddd v6.4.13

See the full diff

Package name: socket.io

The new version differs by 154 commits.

• 1af3267 chore(release): 3.0.0
• 02951c4 chore(release): 3.0.0-rc4
• 54bf4a4 feat: emit an Error object upon middleware error
• aa7574f feat: serve msgpack bundle
• 64056d6 docs(examples): update TypeScript example
• cacad70 chore(release): 3.0.0-rc3
• d16c035 refactor: rename ERROR to CONNECT_ERROR
• 5c73733 feat: add support for catch-all listeners
• 129c641 feat: make Socket#join() and Socket#leave() synchronous
• 0d74f29 refactor(typings): export Socket class
• 7603da7 feat: remove prod dependency to socket.io-client
• a81b9f3 docs(examples): add example with TypeScript
• 20ea6bd docs(examples): add example with ES modules
• 0ce5b4c chore(release): 3.0.0-rc2
• 8a5db7f refactor: remove duplicate _sockets map
• 2a05042 refactor: add additional typings
• 91cd255 fix: close clients with no namespace
• 58b66f8 refactor: hide internal methods and properties
• 669592d feat: move binary detection back to the parser
• 2d2a31e chore: publish the wrapper.mjs file
• ebb0575 chore(release): 3.0.0-rc1
• c0d171f test: use the reconnect event of the Manager
• 9c7a48d test: use the complete export name
• 4bd5b23 feat: throw upon reserved event names

See the full diff

Package name: socket.io-client

The new version differs by 72 commits.

• de2ccff chore(release): 2.4.0
• e9dd12a chore: bump engine.io-client version
• 7248c1e ci: migrate to GitHub Actions
• 4631ed6 chore(release): 2.3.1
• 7f73a28 test: fix tests in IE
• 67c54b8 chore: bump engine.io-parser and socket.io-parser
• 15a52ab test: remove arrow function (for now)
• 050108b fix: fix reconnection after opening socket asynchronously (#1253)
• b570025 chore: bump engine.io-client and downgrade debug
• 1fb1b78 chore: remove unused dependencies
• 0c39f14 docs: add section about Debug / logging on the client side (#1278)
• 6ce02ee docs: add server port in the example (#1359)
• f4a4d89 chore: update package-lock.json file
• 3c1d860 chore: bump component-emitter dependency (#1376)
• b7dbbd2 test: fix race condition in the tests
• 661f1e7 [chore] Release 2.3.0
• 71d7b79 [chore] Bump engine.io-client to version 3.4.0
• 8b4a539 [docs] Add CDN link (#1318)
• 40cf185 [ci] use Node.js 10 for compatibility with Gulp v3
• 3020e45 [chore] Release 2.2.0
• 06e9a4c [chore] Bump dependencies
• 4a93871 [chore] Update the Makefile
• eeafa44 [fix] Remove any reference to the `global` variable
• dfc34e4 [chore] Pin zuul version

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn