[Snyk] Upgrade: , argon2, config, dayjs, dotenv, express-fileupload, express-rate-limit, mongoose, nanoid, nodemailer, pino, zod #508

JonasLang-dev · 2024-09-16T10:23:35Z

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

@typegoose/typegoose
from 9.10.1 to 9.13.2 | 12 versions ahead of your current version | 2 years ago
on 2022-12-01
argon2
from 0.28.7 to 0.41.0 | 15 versions ahead of your current version | 22 days ago
on 2024-08-25
config
from 3.3.7 to 3.3.12 | 5 versions ahead of your current version | 3 months ago
on 2024-06-25
dayjs
from 1.11.4 to 1.11.13 | 9 versions ahead of your current version | a month ago
on 2024-08-20
dotenv
from 16.0.1 to 16.4.5 | 19 versions ahead of your current version | 7 months ago
on 2024-02-20
express-fileupload
from 1.4.0 to 1.5.1 | 5 versions ahead of your current version | 2 months ago
on 2024-07-13
express-rate-limit
from 6.5.1 to 6.11.2 | 12 versions ahead of your current version | a year ago
on 2023-09-12
mongoose
from 6.4.6 to 6.13.0 | 54 versions ahead of your current version | 3 months ago
on 2024-06-06
nanoid
from 3.3.4 to 3.3.7 | 3 versions ahead of your current version | 10 months ago
on 2023-11-06
nodemailer
from 6.7.7 to 6.9.14 | 17 versions ahead of your current version | 3 months ago
on 2024-06-19
pino
from 8.3.0 to 8.21.0 | 35 versions ahead of your current version | 5 months ago
on 2024-04-24
zod
from 3.17.10 to 3.23.8 | 111 versions ahead of your current version | 4 months ago
on 2024-05-08

Issues fixed by the recommended upgrade:

Issue	Score	Exploit Maturity
Regular Expression Denial of Service (ReDoS) SNYK-JS-ZOD-5925617	305	Proof of Concept
Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	305	Proof of Concept
Prototype Pollution SNYK-JS-MONGOOSE-5777721	305	Proof of Concept
Prototype Poisoning SNYK-JS-QS-3153490	305	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	305	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	305	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	305	Proof of Concept
Open Redirect SNYK-JS-EXPRESS-6474509	305	No Known Exploit
Cross-site Scripting SNYK-JS-EXPRESS-7926867	305	No Known Exploit
Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	305	Proof of Concept
Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-TAR-6476909	305	Proof of Concept
Server-Side Request Forgery (SSRF) SNYK-JS-IP-7148531	305	Proof of Concept
Prototype Pollution SNYK-JS-JSON5-3182856	305	Proof of Concept
Information Exposure SNYK-JS-MONGODB-5871303	305	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-NODEMAILER-6219989	305	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	305	Proof of Concept
Cross-site Scripting SNYK-JS-SEND-7926862	305	No Known Exploit

Release notes

Package name: @typegoose/typegoose

9.13.2 - 2022-12-01
9.13.2 (2022-12-01)

Fixes
- deprecate option "runSyncIndexes" (40f6d30)
9.13.1 - 2022-11-24
9.13.1 (2022-11-24)

Fixes
- typeguards: quick fix for typescript 4.9 (df36c34), closes #772
9.13.0 - 2022-11-22
9.13.0 (2022-11-22)

Features
- fix non-nested discriminator hooks & plugins (8cc7301), closes Automattic/mongoose#12472 Automattic/mongoose#12604 Automattic/mongoose#12613 Automattic/mongoose#12696 typegoose/typegoose#768
Dependencies
- @ types/lodash: upgrade to 4.14.186 (8367452)
- @ types/lodash: upgrade to 4.14.189 (6257223)
- @ types/semver: upgrade to 7.3.13 (9c7a151)
- @ typescript-eslint/*: upgrade to 5.41.0 (e10e53a)
- @ typescript-eslint/*: upgrade to 5.43.0 (851163f)
- eslint: upgrade to 8.26.0 (187c843)
- eslint: upgrade to 8.27.0 (436036a)
- loglevel: upgrade to 1.8.1 (b017f76)
- mongodb-memory-server: upgrade to 8.10.0 (79242e6)
- mongodb-memory-server: upgrade to 8.9.3 (1725f65)
- mongoose: upgrade to 6.7.0 (d5fa0e0)
- mongoose: upgrade to 6.7.2 (d1e83f7)
- semver: upgrade to 7.3.8 (7dc8138)
- tslib: upgrade to 2.4.1 (9da2600)
- typescript: upgrade to 4.8.4 (6590961), closes #644
Style
- dbIndex.test: remove unused imports (7c1c7be)
9.13.0-beta.2 - 2022-11-17
9.13.0-beta.2 (2022-11-17)

Features
- fix non-nested discriminator hooks & plugins (8cc7301), closes #12472 #12604 #12613 #12696 typegoose/typegoose#768
Dependencies
- @ types/lodash: upgrade to 4.14.189 (6257223)
- @ typescript-eslint/*: upgrade to 5.43.0 (851163f)
- eslint: upgrade to 8.27.0 (436036a)
- loglevel: upgrade to 1.8.1 (b017f76)
- mongodb-memory-server: upgrade to 8.10.0 (79242e6)
- mongoose: upgrade to 6.7.2 (d1e83f7)
- tslib: upgrade to 2.4.1 (9da2600)
9.13.0-beta.1 - 2022-10-27
9.13.0-beta.1 (2022-10-27)

Dependencies
- @ types/lodash: upgrade to 4.14.186 (8367452)
- @ types/semver: upgrade to 7.3.13 (9c7a151)
- @ typescript-eslint/*: upgrade to 5.41.0 (e10e53a)
- eslint: upgrade to 8.26.0 (187c843)
- mongodb-memory-server: upgrade to 8.9.3 (1725f65)
- mongoose: upgrade to 6.7.0 (d5fa0e0)
- semver: upgrade to 7.3.8 (7dc8138)
- typescript: upgrade to 4.8.4 (6590961), closes #644
9.12.1 - 2022-09-26
9.12.1 (2022-09-26)

Fixes
- add option to skip applying plugins on discriminators (f9cbc90)
9.12.0 - 2022-09-13
9.12.0 (2022-09-13)

Dependencies
- @ types/jest: upgrade to 28.1.8 (cc0377f)
- @ types/lodash: upgrade to 4.14.185 (58bde50)
- @ types/semver: upgrade to 7.3.12 (570d6d2)
- @ typescript-eslint/*: upgrade to 5.37.0 (0eb4fa6)
- eslint: upgrade to 8.23.1 (fe69e01)
- jest-runner-tsd: upgrade to 3.1.1 (28dfd2a)
- mongodb-memory-server: upgrade to 8.9.1 (76b8ba9)
- mongoose: upgrade to 6.6.0 (44fce67)
- ts-jest: upgrade to 28.0.8 (7bfba67)
9.11.2 - 2022-08-25
9.11.2 (2022-08-25)

Style
- fix some typos (#754) (12b7007)
9.11.1 - 2022-08-25
9.11.1 (2022-08-25)

Fixes
- scripts: use double quotes in lint file glob (#755) (e383d32)
9.11.0 - 2022-07-28
9.11.0 (2022-07-28)

Dependencies
- @ types/jest: upgrade to 28.1.6 (3d93a26)
- @ typescript-eslint/*: upgrade to 5.31.0 (8a10681)
- eslint: upgrade to 8.20.0 (eaf2af4)
- jest: upgrade to 28.1.3 (436eda7)
- lint-staged: upgrade to 12.5.0 (f447011)
- mongodb-memory-server: upgrade to 8.8.0 (f7b95d5)
- mongoose: upgrade to 6.5.0 (5535fa8)
- ts-jest: upgrade to 28.0.7 (7dc67be)
9.11.0-beta.2 - 2022-07-28
9.11.0-beta.1 - 2022-07-27
9.10.1 - 2022-07-03

from @typegoose/typegoose GitHub release notes

Package name: argon2

0.41.0 - 2024-08-25
What's Changed
- Disable LTO to avoid missing symbols in some envs by @ amarshall in #415
New Contributors
- @ amarshall made their first contribution in #415
Full Changelog: v0.40.2...v0.41.0
0.40.3 - 2024-05-25
0.40.2 - 2024-05-25
Fix issue with publishing tags starting with v
0.40.1 - 2024-02-22
0.40.0-alpha.3 - 2024-01-10
0.40.0-alpha.2 - 2023-12-30
0.40.0-alpha.1 - 2023-12-20
0.31.2 - 2023-11-04
Note: this is the last version that will support Node 16 since it's support has ended on 2023-09-11. Please upgrade to 18 or preferably 20 as soon as possible.

What's Changed
- Fix macos m1 build/release by @ CarsonF in #387
- Change workflow bridge routes by @ RavelloH in #388
New Contributors
- @ CarsonF made their first contribution in #387
- @ RavelloH made their first contribution in #388
Full Changelog: v0.31.1...v0.31.2
0.31.1 - 2023-09-01
Maintenance release intended to fix missing prebuilts due to failure when building v0.31.0

Note: v0.31.x will be the last version supporting Node v16. Please update to Node v18 or newer.

Full Changelog: v0.31.0...v0.31.1
0.31.0 - 2023-08-02
What's Changed
- Security update: bump @ mapbox/node-pre-gyp by @ jdforsythe in #383
Please update to v0.31.0 as soon as possible.

New Contributors
- @ abcfy2 made their first contribution in #371
- @ jdforsythe made their first contribution in #383
Full Changelog: v0.30.3...v0.31.0
0.30.3 - 2023-01-05
What's Changed
- Change binding resolution to mitigate "Module parse failed" errors by @ Voltra in #366
New Contributors
- @ Voltra made their first contribution in #366
Full Changelog: v0.30.2...v0.30.3
0.30.2 - 2022-11-08
Fixes #362
0.30.1 - 2022-10-13
Defaults have been updated to use RFC recommended values, see #360
0.29.1 - 2022-08-23
Added builds for FreeBSD, closes #320 and hopefully fixes coder/code-server#4669 coder/code-server#4670
0.29.0 - 2022-08-22
0.28.7 - 2022-07-03

from argon2 GitHub release notes

Package name: config

3.3.12 - 2024-06-25
What's Changed
- Remove usage of deprecated utils to fix warnings in Node 22 by @ KidkArolis in #764
New Contributors
- @ KidkArolis made their first contribution in #764
Full Changelog: v3.3.11...v3.3.12
3.3.11 - 2024-02-01
What's Changed
- fix: webpack bundling compatibility by @ cbazureau in #757
New Contributors
- @ cbazureau made their first contribution in #757
Full Changelog: v3.3.10...v3.3.11
3.3.10 - 2024-01-09
What's Changed
- replace var to let and const by @ jamashita in #720
- refactor: 💡 xxx === undefined => typeof xxx === 'undefined' by @ jamashita in #729
- Fix source maps when using ts config files, improve performance loading ts config files by @ andrzej-woof in #721
- fix: lack of comments removal, invalid regexp by @ DeutscherDude in #745
New Contributors
- @ jamashita made their first contribution in #720
- @ andrzej-woof made their first contribution in #721
- @ DeutscherDude made their first contribution in #745
Full Changelog: v3.3.9...v3.3.10
3.3.9 - 2023-01-17
What's Changed
- Support loading transpiled JS config files by @ Tomas2D in #692
- fix(vulnerability): upgrade json5 version from 2.2.1 to 2.2.2 by @ veekays in #713
New Contributors
- @ Tomas2D made their first contribution in #692
- @ veekays made their first contribution in #713
Full Changelog: v3.3.8...v3.3.9
3.3.8 - 2022-09-09
What's Changed
- bump json5 dep to 2.2.1
- Cleanup of file scoped environment variables by @ jdmarshall in #667
- Allow multiple relative directory paths separated by path.delimiter to work by @ inside in #661
- Reentrancy bugs by @ jdmarshall in #668
- Fixed property mutation. Throw an exception on such an attempt. Updat… by @ fgheorghe in #516
- docs: update copyright & fix misspelling by @ DigitalGreyHat in #677
New Contributors
- @ jdmarshall made their first contribution in #667
- @ inside made their first contribution in #661
- @ DigitalGreyHat made their first contribution in #677
Full Changelog: v3.3.7...v3.3.8
3.3.7 - 2022-01-11
- No code changes. Resolving versioning / release mix-up

from config GitHub release notes

Package name: dayjs

1.11.13 - 2024-08-20
1.11.13 (2024-08-20)

Bug Fixes
- customParseFormat supports Q quter / w ww weekOfYear (#2705) (8ca74f1)
1.11.12 - 2024-07-18
1.11.12 (2024-07-18)

Bug Fixes
- Add NegativeYear Plugin support (#2640) (6a42e0d)
- add UTC support to negativeYear plugin (#2692) (f3ef705)
- Fix zero offset issue when use tz with locale (#2532) (d0e6738)
- Improve typing for min/max plugin (#2573) (4fbe94a)
- timezone plugin currect parse UTC tz (#2693) (b575c81)
1.11.11 - 2024-04-28
1.11.11 (2024-04-28)

Bug Fixes
- day of week type literal (#2630) (f68d73e)
- improve locale "zh-hk" format and meridiem (#2419) (a947a51)
- Update 'da' locale to match correct first week of year (#2592) (44b0936)
- update locale Bulgarian monthsShort Jan (#2538) (f0c9a41)
1.11.10 - 2023-09-19
1.11.10 (2023-09-19)

Bug Fixes
- Add Korean Day of Month with ordinal (#2395) (dd55ee2)
- change back fa locale to the Gregorian calendar equivalent (#2411) (95e9458)
- duration plugin - MILLISECONDS_A_MONTH const calculation (#2362) (f0a0b54)
- duration plugin getter get result 0 instead of undefined (#2369) (061aa7e)
- fix isDayjs check logic (#2383) (5f3f878)
- fix timezone plugin to get correct locale setting (#2420) (4f45012)
- locale: add meridiem in ar locale (#2418) (361be5c)
- round durations to millisecond precision for ISO string (#2367) (890a17a)
- sub-second precisions need to be rounded at the seconds field to avoid adding floats (#2377) (a9d7d03)
- update $x logic to avoid plugin error (#2429) (2254635)
- Update Slovenian locale for relative time (#2396) (5470a15)
- update uzbek language translation (#2327) (0a91056)
1.11.9 - 2023-07-01
1.11.9 (2023-07-01)

Bug Fixes
- Add null to min and max plugin return type (#2355) (62d9042)
- check if null passed to objectSupport parser (#2175) (013968f)
- dayjs.diff improve performance (#2244) (33c80e1)
- dayjs(null) throws error, not return dayjs object as invalid date (#2334) (c79e2f5)
- objectSupport plugin causes an error when null is passed to dayjs function (closes #2277) (#2342) (89bf31c)
- Optimize format method (#2313) (1fe1b1d)
- update Duration plugin add/subtract take into account days in month (#2337) (3b1060f)
- update MinMax plugin 1. ignore the 'null' in args 2. return the only one arg (#2330) (3c2c6ee)
1.11.8 - 2023-06-02
1.11.8 (2023-06-02)

Bug Fixes
- .format add padding to 'YYYY' (#2231) (00c223b)
- Added .valueOf method to Duration class (#2226) (9b4fcfd)
- timezone type mark date parameter as optional (#2222) (b87aa0e)
- type file first parameter date is optional in isSame(), isBefore(), isAfter() (#2272) (4d56f3e)
1.11.7 - 2022-12-06
1.11.7 (2022-12-06)

Bug Fixes
- Add locale (zh-tw) meridiem (#2149) (1e9ba76)
- update fa locale (#2151) (1c26732)
1.11.6 - 2022-10-21
1.11.6 (2022-10-21)

Bug Fixes
- add BigIntSupport plugin (

Snyk has created this PR to upgrade: - @typegoose/typegoose from 9.10.1 to 9.13.2. See this package in npm: https://www.npmjs.com/package/@typegoose/typegoose - argon2 from 0.28.7 to 0.41.0. See this package in npm: https://www.npmjs.com/package/argon2 - config from 3.3.7 to 3.3.12. See this package in npm: https://www.npmjs.com/package/config - dayjs from 1.11.4 to 1.11.13. See this package in npm: https://www.npmjs.com/package/dayjs - dotenv from 16.0.1 to 16.4.5. See this package in npm: https://www.npmjs.com/package/dotenv - express-fileupload from 1.4.0 to 1.5.1. See this package in npm: https://www.npmjs.com/package/express-fileupload - express-rate-limit from 6.5.1 to 6.11.2. See this package in npm: https://www.npmjs.com/package/express-rate-limit - mongoose from 6.4.6 to 6.13.0. See this package in npm: https://www.npmjs.com/package/mongoose - nanoid from 3.3.4 to 3.3.7. See this package in npm: https://www.npmjs.com/package/nanoid - nodemailer from 6.7.7 to 6.9.14. See this package in npm: https://www.npmjs.com/package/nodemailer - pino from 8.3.0 to 8.21.0. See this package in npm: https://www.npmjs.com/package/pino - zod from 3.17.10 to 3.23.8. See this package in npm: https://www.npmjs.com/package/zod See this project in Snyk: https://app.snyk.io/org/supercutcat/project/08ca081a-fcbb-4842-9424-5da4c249c304?utm_source=github&utm_medium=referral&page=upgrade-pr

[Snyk] Upgrade: , argon2, config, dayjs, dotenv, express-fileupload, express-rate-limit, mongoose, nanoid, nodemailer, pino, zod #508

Are you sure you want to change the base?

[Snyk] Upgrade: , argon2, config, dayjs, dotenv, express-fileupload, express-rate-limit, mongoose, nanoid, nodemailer, pino, zod #508

Conversation

JonasLang-dev commented Sep 16, 2024

Snyk has created this PR to upgrade multiple dependencies.

Issues fixed by the recommended upgrade:

9.13.2 (2022-12-01)

Fixes

9.13.1 (2022-11-24)

Fixes

9.13.0 (2022-11-22)

Features

Dependencies

Style

9.13.0-beta.2 (2022-11-17)

Features

Dependencies

9.13.0-beta.1 (2022-10-27)

Dependencies

9.12.1 (2022-09-26)

Fixes

9.12.0 (2022-09-13)

Dependencies

9.11.2 (2022-08-25)

Style

9.11.1 (2022-08-25)

Fixes

9.11.0 (2022-07-28)

Dependencies

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

1.11.13 (2024-08-20)

Bug Fixes

1.11.12 (2024-07-18)

Bug Fixes

1.11.11 (2024-04-28)

Bug Fixes

1.11.10 (2023-09-19)

Bug Fixes

1.11.9 (2023-07-01)

Bug Fixes

1.11.8 (2023-06-02)

Bug Fixes

1.11.7 (2022-12-06)

Bug Fixes

1.11.6 (2022-10-21)

Bug Fixes