[Snyk] Fix for 42 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIHTML-1296849	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	No	Proof of Concept
	616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JS-AXIOS-174505	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-ENGINEIO-1056749	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	No	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Denial of Service (DoS) SNYK-JS-HTTPPROXY-569139	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-JQUERY-174006	No	Proof of Concept
	701/1000 Why? Mature exploit, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-JQUERY-565129	No	Mature
	711/1000 Why? Mature exploit, Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JS-JQUERY-567880	No	Mature
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MONGOOSE-1086688	No	Proof of Concept
	671/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7	Prototype Pollution SNYK-JS-MONGOOSE-2961688	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-OBJECTPATH-1017036	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-OBJECTPATH-1569453	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Insecure Defaults SNYK-JS-SOCKETIO-1024859	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-1023599	No	Proof of Concept
	616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-1072471	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-610226	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-XLSX-1311137	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-XLSX-1311139	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-XLSX-1311141	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-XLSX-585898	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Arbitrary Code Injection SNYK-JS-XMLHTTPREQUESTSSL-1082936	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Access Restriction Bypass SNYK-JS-XMLHTTPREQUESTSSL-1255647	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	No	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	No	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	No Known Exploit
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:ua-parser-js:20180227	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: browser-sync

The new version differs by 111 commits.

• 8840282 v2.27.8
• 58ab4ab more version bumps + github actions (#1940)
• 6e8d2b2 Merge pull request #1936 from lachieh/socket-io-upgrade
• e909447 update browser-sync-client ts version
• daa8cd0 restore test setting
• 3c5777a Upgrade to latest version of socket.io. Fixes #1847
• a7c14c8 v2.27.7
• 40ebbd8 fixes #1916
• e557aac v2.27.6
• 6976fe9 v2.27.5
• 8ba1c17 updated lockfile format
• c99273c Merge pull request #1915 from iwt-philipzeh/fix/ua-parser-version-security
• 6648032 security-patches
• c2bc05d Merge pull request #1738 from davezuko/patch-1
• b8abf44 Merge pull request #1858 from arafalov/master
• 3084279 v2.27.4
• d0c9c4c security patches
• a4fd558 v2.27.3
• 910a9e1 v2.27.2
• ebe0962 docs: added snippet option for website generation
• a4aa8eb v2.27.1
• 3825dc6 v2.27.0
• 462c438 updated options
• 525fff9 feat: added option `snippet: boolean` - fixes #1882

See the full diff

Package name: express-session

The new version differs by 28 commits.

• 89fd715 1.15.6
• d4344fb build: express@4.15.5
• 6cf886d deps: debug@2.6.9
• d190faa deps: utils-merge@1.0.1
• f24d228 lint: run eslint against README
• 44ee046 docs: remove trailing newline in README
• 68e210d deps: parseurl@~1.3.2
• 8b4f668 lint: add editorconfig and eslint to enforce
• 917b03d docs: add memorystore to the list of session stores
• 65781dd build: Node.js@8.4
• 71c9d7c build: express@4.15.4
• 11b3e97 deps: uid-safe@~2.1.5
• 0e97d6f docs: fix formatting in history
• d63a3e9 1.15.5
• c226301 Fix TypeError when req.url is an empty string
• 62c4d15 tests: add test for mounted middleware
• 8518200 tests: move the cookie path tests
• 2b08370 docs: improve code readability
• 310d288 deps: depd@~1.1.1
• fc60bb6 build: Node.js@8.2
• 521e6bd tests: add leak checking for variables and handles
• 7b26d57 1.15.4
• fc9d474 build: Node.js@8.1
• d367b33 build: Node.js@6.11

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• 5449ab9 chore: release 6.4.6
• b8c99cf Merge pull request #11892 from Automattic/netlify-functions-example
• 2751883 fix tests
• eced2c7 Merge branch 'master' into netlify-functions-example
• 92cb6fb Merge branch 'master' into vkarpov15/gh-12085
• 422f9da test(schema): add coverage for calling `plugin()` with options
• 2262a77 fix(document): avoid mutating original object passed to $set() when applying defaults to nested properties
• 2e6b064 made requested changes
• b70a0dc Merge pull request #12123 from LokeshKanumoori/patch-1
• 086bd9f fix(query): apply lean transform option to top-level document
• 1344214 Update migrating_to_6.md
• a45cfb6 fix(schema): disallow setting __proto__ when creating schema with dotted properties
• bc302f4 chore: release 6.4.5
• 44530a6 Merge pull request #12116 from Automattic/revert-12103-upgrade-mongo-driver
• 80b7d53 Revert "chore: upgrade mongodb driver to 4.8.0"
• 0156d5e style: fix lint
• 9524f89 fix(types): make `$addToSet` fields mutable to allow programatically constructing $addToSet
• 201071b fix(types): allow any value for AddFields
• 5301deb fix: cleanup and various updates
• 118c97a Merge branch 'master' into netlify-functions-example
• 1306d00 Merge pull request #12086 from hasezoey/modelJSDOCTouchup
• f95373d Merge pull request #12110 from skrtheboss/fix/is-atlas-check
• 1445c20 Merge pull request #12112 from pathei-kosmos/master
• 250b01b fix(types): avoid treating `| undefined` types as `any` in `Require_id` to better support `_id: String` with auto-typed schemas

See the full diff

Package name: webpack-hot-middleware

The new version differs by 35 commits.

• e140693 2.25.1
• 3d5018a Merge pull request Update mongoose to the latest version 🚀 #413 from nttibbetts/replace-ansi-html
• 90551e5 use public npm registry, not private one
• adeeade fix: replace ansi-html with ansi-html-community to fix vulnerability
• f0ffa4c Resolve weird desync in package lock
• 0f5e3e9 Use old-style require syntax to keep the linter happy
• aa38d42 Bump ansi/html encoding deps
• 2c31df1 Bump example dependencies
• d156bbc Simplify CI setup
• 0635d00 Replace istanbul with nyc
• 04fa8c8 Apply prettier formatting updates
• b81cfd5 Update eslint and prettier
• c98216a Upgrade test dependencies
• cb29abb 2.25.0
• bbffbe6 Merge branch 'master' of github.com:webpack-contrib/webpack-hot-middleware
• 82dd483 Merge pull request Update mongoose to the latest version 🚀 #360 from jimblue/master
• e2b49ff improved client overlay style
• c430265 2.24.4
• fe33d59 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #355 from okcoker/ansi-color-fix
• 331ad96 Merge branch 'master' into ansi-color-fix
• f6609e4 Bump deps to sort audit out
• e605d10 Fix ansi colors
• 036bf30 Merge pull request [Snyk] Fix for 1 vulnerable dependencies #354 from Hacksign/master
• f2b477d Resolve Code under example folder do not work. webpack/webpack-hot-middleware#353

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Server-Side Request Forgery (SSRF)
🦉 Cross-site Scripting (XSS)
🦉 Cross-site Scripting (XSS)
🦉 More lessons are available in Snyk Learn