[Snyk-local] Fix for 42 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Denial of Service (DoS) SNYK-JS-EXPRESSFILEUPLOAD-473997	Yes	No Known Exploit
	Prototype Pollution SNYK-JS-EXPRESSFILEUPLOAD-595969	Yes	Proof of Concept
	Prototype Pollution SNYK-JS-JQUERY-174006	Yes	No Known Exploit
	Cross-site Scripting (XSS) SNYK-JS-JQUERY-565129	Yes	No Known Exploit
	Cross-site Scripting (XSS) SNYK-JS-JQUERY-567880	Yes	No Known Exploit
	Denial of Service (DoS) SNYK-JS-JSYAML-173999	Yes	No Known Exploit
	Arbitrary Code Execution SNYK-JS-JSYAML-174129	Yes	No Known Exploit
	DLL Injection SNYK-JS-KERBEROS-568900	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-174116	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451540	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS ) SNYK-JS-MARKED-584281	Yes	No Known Exploit
	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	Denial of Service (DoS) SNYK-JS-MONGODB-473855	Yes	No Known Exploit
	Information Exposure SNYK-JS-MONGOOSE-472486	No	No Known Exploit
	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No	No Known Exploit
	Prototype Pollution npm:hoek:20180212	Yes	No Known Exploit
	Cross-site Scripting (XSS) npm:jquery:20150627	Yes	No Known Exploit
	Cross-site Scripting (XSS) npm:marked:20150520	No	No Known Exploit
	Cross-site Scripting (XSS) npm:marked:20170112	No	No Known Exploit
	Cross-site Scripting (XSS) npm:marked:20170815	No	No Known Exploit
	Cross-site Scripting (XSS) npm:marked:20170815-1	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:marked:20170907	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:marked:20180225	No	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:moment:20161019	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:moment:20170905	No	No Known Exploit
	Remote Memory Exposure npm:mongoose:20160116	No	Mature
	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	Yes	No Known Exploit
	Uninitialized Memory Exposure npm:npmconf:20180512	Yes	Mature
	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:semver:20150403	Yes	No Known Exploit
	Directory Traversal npm:st:20140206	No	Proof of Concept
	Open Redirect npm:st:20171013	Yes	Mature
	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Yes	Proof of Concept

Commit messages

Package name: body-parser

The new version differs by 221 commits.

• 0f1bed0 1.17.1
• 0532096 lint: remove unreachable code branches
• b34aab5 build: eslint-config-standard@7.0.0
• 77b1ca1 build: eslint-plugin-markdown@1.0.0-beta.4
• e51dbc5 deps: qs@6.4.0
• 79bc939 1.17.0
• e6140e1 build: Node.js@7.7
• 42f467d deps: qs@6.3.1
• 4954aec build: test against Node.js 8.x nightly
• e2050df build: Node.js@7.6
• 2f941c4 build: Node.js@6.10
• 6549617 build: Node.js@4.8
• d1c2c7f deps: http-errors@~1.6.1
• e7b86ba build: eslint@3.16.1
• 7b630f7 1.16.1
• de574bf build: eslint@3.15.0
• 889bcc9 build: Node.js@7.5
• dba8ac4 deps: debug@2.6.1
• 95a3ebb docs: fix history file with incorrect qs version
• c5a73d5 1.16.0
• 9744dda deps: qs@6.3.0
• 7807757 deps: debug@2.6.0
• 0e44768 lint: use standard style in the README
• 14952be build: eslint-config-standard@6.2.1

See the full diff

Package name: errorhandler

The new version differs by 85 commits.

• c41e9aa 1.4.3
• ffce329 build: istanbul@0.4.2
• 90a8777 build: Node.js@4.2
• 38b745b deps: accepts@~1.3.0
• 80aea51 deps: escape-html@~1.0.3
• b0be93a docs: fix typo in readme
• 2f688d0 build: support Node.js 5.x
• 1238ed4 build: istanbul@0.4.1
• fdeb13c build: mocha@2.3.4
• cc6fd1f build: support Node.js 4.x
• 3a2117a build: support io.js 3.x
• 75b9ee1 build: reduce runtime versions to one per major
• 6797752 tests: add test for util.inspect in HTML response
• b6e53d7 docs: add more documentation regarding util.inspect
• 88b9a58 deps: accepts@~1.2.13
• ac75d3f build: istanbul@0.3.19
• 5ee62b7 deps: escape-html@1.0.3
• 1e89ae7 build: istanbul@0.3.18
• ef1e8f1 build: supertest@1.1.0
• a7a6dce 1.4.2
• 692e2e7 deps: accepts@~1.2.12
• 6f2e8d2 build: io.js@2.5
• 564c117 build: fix running Node.js 0.8 tests on Travis CI
• 2dfd872 1.4.1

See the full diff

Package name: express

The new version differs by 250 commits.

• f974d22 4.16.0
• 8d4ceb6 docs: add more information to installation
• c0136d8 Add express.json and express.urlencoded to parse bodies
• 86f5df0 deps: serve-static@1.13.0
• 4196458 deps: send@0.16.0
• ddeb713 tests: add maxAge option tests for res.sendFile
• 7154014 Add "escape json" setting for res.json and res.jsonp
• 628438d deps: update example dependencies
• a24fd0c Add options to res.download
• 95fb5cc perf: remove dead .charset set in res.jsonp
• 44591fe deps: vary@~1.1.2
• 2df1ad2 Improve error messages when non-function provided as middleware
• 12c3712 Use safe-buffer for improved Buffer API
• fa272ed docs: fix typo in jsdoc comment
• d9d09b8 perf: re-use options object when generating ETags
• 02a9d5f deps: proxy-addr@~2.0.2
• c2f4fb5 deps: finalhandler@1.1.0
• 673d51f deps: utils-merge@1.0.1
• 5cc761c deps: parseurl@~1.3.2
• ad7d96d deps: qs@6.5.1
• e62bb8b deps: etag@~1.8.1
• 70589c3 deps: content-type@~1.0.4
• 9a99c15 deps: accepts@~1.3.4
• 550043c deps: setprototypeof@1.1.0

See the full diff

Package name: express-fileupload

The new version differs by 250 commits.

• fd40389 version bump
• 94c9cf9 prototype pollution fix Bump package.json version #2
• 829f395 version bump
• db49535 Merge pull request [Snyk-dev] Security upgrade npmconf from 0.0.24 to 2.1.3 #237 from richardgirges/fix-236-proto-pollution
• d81bee9 Upgrade latest packages; run npm audit fix; add logic to prevent prototype pollution in parseNested
• e9848fc Update package-lock.json
• d536cfb Update package.json
• c7a6b9c Merge pull request [Snyk-dev] Security upgrade tap from 5.8.0 to 11.1.3 #233 from RomanBurunkov/master
• a53b93f Update tests to support empty files
• d8c00c5 Add empty files support for tempFileHandler
• b24233d Comment extra condition in fileFactory(issue Bump package.json version #1), add more logging
• d57ee02 Formatting utilities
• b6097df Merge pull request [Snyk] Security upgrade mongoose from 4.2.4 to 5.13.20 #232 from RomanBurunkov/master
• 05004b7 Merge pull request [Snyk] Fix for 1 vulnerabilities #230 from Code42Cate/readme-timeout
• 1afa527 Update dependencies
• 880c2b7 Improve timeout option documentation
• 3f130b0 Add timeout option to README.MD
• d55fa83 Merge pull request [Snyk-dev] Fix for 5 vulnerabilities #222 from wbt/patch-1
• d61f02f Fix some small typos
• f20389a Merge pull request [Snyk] Security upgrade tap from 5.8.0 to 11.1.3 #219 from wbt/patch-1
• b95d3c7 Small typo fix usefull => useful
• 0f1ff52 Merge pull request [Snyk-dev] Security upgrade tap from 5.8.0 to 12.6.2 #214 from RomanBurunkov/master
• 2257106 Update package.json
• 62e3419 Merge pull request [Snyk] Security upgrade tap from 5.8.0 to 9.0.0 #213 from RomanBurunkov/master

See the full diff

Package name: humanize-ms

The new version differs by 3 commits.

• e8bc10a Release 1.1.0
• e584c58 add benchmark
• 4cf945f deps: upgrade ms to 0.7.0

See the full diff

Package name: marked

The new version differs by 250 commits.

• 1ad8e69 Merge pull request #1731 from UziTech/release-1.1.1
• 7e17526 1.1.1
• 7fbee6e Merge pull request #1730 from UziTech/update-deps
• 6f7522f Merge pull request #1729 from UziTech/quick-ref
• f8024eb remove ending slash
• 524ae66 remove ending slash
• 0d6e056 build
• 04ac593 update dev deps
• f36f676 🗜️ build [skip ci]
• dddf9ae Merge pull request #1686 from calculuschild/EmphasisFixes
• 6b729ed Merge branch 'EmphasisFixes' of https://github.com/calculuschild/marked into EmphasisFixes
• e27e6f9 Sorted strong and em into sub-objects
• a761316 Merge pull request #1726 from UziTech/show-rules
• f8193ed add npm run rules
• ad720c1 Make emEnd const
• 1fb141d Make strEnd const
• 226bbe7 Lint
• cc778ad Removed redundancy in "startEM" check
• 211b9f9 Removed Lookbehinds
• 982b57e Merge pull request #1720 from vassudanagunta/docs-patch-1
• 2a847e6 clarify level of support for Markdown flavors
• bd4f8c4 Fix unrestricted "any character" for REDOS
• 4e7902e Gaaaah lint
• 4db32dc Links are masked only once per inline string

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• 87f691e chore: release 5.4.10
• 09dd3cf docs(jest): improve docs about fake timers
• e778e0b chore: upgrade to mongodb driver 3.1.13
• 42aa401 refactor: be slightly more defensive about setting document arrays
• e5948b8 fix(document): copy atomics when setting document array to an existing document array
• a4e33dd test(document): repro #7472
• 704a5a4 docs: remove confusing references to executing a query immediately
• bc95a22 docs(guides+schematypes): link to custom schematypes docs
• ad71535 style: fix lint
• bc5d96a Merge branch 'gh6706'
• ab208b1 docs: hook up navbar search
• 3fc3e2b docs: add basic search page re: #6706
• a7ccba7 chore: add domainwheel.com as a sponsor
• 91755fa Merge branch 'master' into gh6706
• 3150958 docs(api): dont display type if method or function
• bfb3a9a style: fix lint
• 899ccdd Merge pull request #7478 from chrischen/master
• ef2ab11 chore(Makefile): remove unused rule
• bb1e8b4 chore: now working on 5.4.10
• 6032685 Added dot sytnax support for alias queries.
• 316936f chore: release 5.4.9
• 1bfdafd Merge pull request #7474 from arniu/fix-doc
• f67e30c docs: add Marcus Hiles and monovm as sponsors
• f08a4bd docs(documents): improve explanation of documents and use more modern syntax

See the full diff

Package name: ms

The new version differs by 19 commits.

• 9b88d15 2.0.0
• 94b995c Invalidated cache for slack badge
• bcf5715 Bumped dependencies to the latest version
• b1eaab7 Ignored logs coming from npm
• caae298 Limit str to 100 to avoid ReDoS of 0.3s (chore(deps): bump tap from 5.8.0 to 14.10.8 #89)
• b83b36d chore(package): update eslint to version 3.19.0 (chore(deps): [security] bump mongoose from 4.2.4 to 5.9.25 #88)
• 3f2a4d7 chore(package): update husky to version 0.13.3 (chore(deps): [security] bump marked from 0.3.5 to 1.1.1 #86)
• 7daf984 1.0.0
• ee91f30 More suitable name for file containing tests
• e818c35 Removed browser testing
• c9b1fd3 Test on LTS version of Node
• 389840b Badge for XO removed
• 1fbbe97 Removed component specification
• 57b3ef8 Use `prettier` and `eslint`
• 94068ea Removed XO
• 4b7f48f chore(package): update serve to version 5.0.4 (chore(deps): [security] bump mongoose from 4.2.4 to 5.9.23 #85)
• bd49cec chore(package): update xo to version 0.18.0 (chore(deps): [security] bump mongoose from 4.2.4 to 5.9.22 #84)
• d4a94b1 chore(package): update serve to version 5.0.3 (chore(deps): [security] bump mongoose from 4.2.4 to 5.9.21 #83)
• 923eee1 chore(package): update serve to version 5.0.2 (chore(deps): [security] bump mongoose from 4.2.4 to 5.9.20 #82)

See the full diff

Package name: tap

The new version differs by 250 commits.

• fa3f6e2 12.6.2
• b8be134 new computer, phantom png changes
• 3833522 update js-yaml and nyc for vuln advisories
• 1871736 12.6.1
• 066f159 updates for npm audit --fix
• ad3bed4 Passes `-r ts-node/register` argument to node
• 4645ecf Fix font-family typo
• 63ff608 12.6.0
• 040f61f Add --no-esm flag to disable '-r esm' behavior
• e2c0c1d update tap-mocha-reporter
• a73e95b update esm, and audit fix
• 2233376 12.5.3
• b45105f nyc@13.3.0
• 611ced8 12.5.2
• 99a989c update write-file-atomic
• e255dd9 update ts-node and typescript
• b674382 esm@3.2.3
• 555ecd4 including esm.js in stack traces is almost never helpful
• ccf2b44 Don't emit end while waiting for pipes to clear
• d3bf1f7 less impact
• 7fbf13f try something else
• b97f460 fix: allow for pipes to drain
• 740e695 nyc@13.2
• d03f383 12.5.1

See the full diff

With a Snyk patch:

Severity	Issue	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) npm:hawk:20160119	No Known Exploit
	Timing Attack npm:http-signature:20150122	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No Known Exploit
	Remote Memory Exposure npm:request:20160119	No Known Exploit
	Uninitialized Memory Exposure npm:tunnel-agent:20170305	Proof of Concept

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic