[Snyk] Fix for 4 vulnerabilities

[Omrisnyk]

Snyk has created this PR to fix 4 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• package.json

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	149
	Cross-site Scripting SNYK-JS-EXPRESS-7926867	107
	Cross-site Scripting SNYK-JS-SEND-7926862	80
	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	80

Release notes

Package name: body-parser

• 1.20.3 - 2024-09-09
  

  What's Changed

  Important

  • deps: qs@6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

  Other changes

  • chore: add support for OSSF scorecard reporting by @ inigomarquinez in #522
  • ci: fix errors in ci github action for node 8 and 9 by @ inigomarquinez in #523
  • fix: pin to node@22.4.1 by @ wesleytodd in #527
  • deps: qs@6.12.3 by @ melikhov-dev in #521
  • Add OSSF Scorecard badge by @ bjohansebas in #531
  • Linter by @ UlisesGascon in #534
  • Release: 1.20.3 by @ UlisesGascon in #535

  New Contributors

  • @ inigomarquinez made their first contribution in #522
  • @ melikhov-dev made their first contribution in #521
  • @ bjohansebas made their first contribution in #531
  • @ UlisesGascon made their first contribution in #534

  Full Changelog: 1.20.2...1.20.3

• 1.20.2 - 2023-02-22
  
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
    • perf: skip value escaping when unnecessary
  • deps: raw-body@2.5.2
• 1.20.1 - 2022-10-06
  
  • deps: qs@6.11.0
  • perf: remove unnecessary object clone
• 1.20.0 - 2022-04-03
  
  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: http-errors@2.0.0
    • deps: depd@2.0.0
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
  • deps: qs@6.10.3
  • deps: raw-body@2.5.1
    • deps: http-errors@2.0.0
• 1.19.2 - 2022-02-16
  
  • deps: bytes@3.1.2
  • deps: qs@6.9.7
    • Fix handling of __proto__ keys
  • deps: raw-body@2.4.3
    • deps: bytes@3.1.2
• 1.19.1 - 2021-12-10
  
  • deps: bytes@3.1.1
  • deps: http-errors@1.8.1
    • deps: inherits@2.0.4
    • deps: toidentifier@1.0.1
    • deps: setprototypeof@1.2.0
  • deps: qs@6.9.6
  • deps: raw-body@2.4.2
    • deps: bytes@3.1.1
    • deps: http-errors@1.8.1
  • deps: safe-buffer@5.2.1
  • deps: type-is@~1.6.18
• 1.19.0 - 2019-04-26
• 1.18.3 - 2018-05-14
• 1.18.2 - 2017-09-22
• 1.18.1 - 2017-09-12
• 1.18.0 - 2017-09-09
• 1.17.2 - 2017-05-18
• 1.17.1 - 2017-03-06
• 1.17.0 - 2017-03-01
• 1.16.1 - 2017-02-11
• 1.16.0 - 2017-01-18
• 1.15.2 - 2016-06-20
• 1.15.1 - 2016-05-06
• 1.15.0 - 2016-02-11
• 1.14.2 - 2015-12-16
• 1.14.1 - 2015-09-28
• 1.14.0 - 2015-09-16
• 1.13.3 - 2015-07-31
• 1.13.2 - 2015-07-06
• 1.13.1 - 2015-06-16
• 1.13.0 - 2015-06-15
• 1.12.4 - 2015-05-11
• 1.12.3 - 2015-04-16
• 1.12.2 - 2015-03-17
• 1.12.1 - 2015-03-16
• 1.12.0 - 2015-02-14
• 1.11.0 - 2015-01-31
• 1.10.2 - 2015-01-21
• 1.10.1 - 2015-01-02
• 1.10.0 - 2014-12-03
• 1.9.3 - 2014-11-22
• 1.9.2 - 2014-10-28
• 1.9.1 - 2014-10-23
• 1.9.0 - 2014-09-24

from body-parser GitHub release notes

Package name: express

• 4.21.0 - 2024-09-11
  

  What's Changed

  • Deprecate "back" magic string in redirects by @ blakeembrey in #5935
  • finalhandler@1.3.1 by @ wesleytodd in #5954
  • fix(deps): serve-static@1.16.2 by @ wesleytodd in #5951
  • Upgraded dependency qs to 6.13.0 to match qs in body-parser by @ agadzinski93 in #5946

  New Contributors

  • @ agadzinski93 made their first contribution in #5946

  Full Changelog: 4.20.0...4.21.0

• 4.20.0 - 2024-09-10
  

  What's Changed

  Important

  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect

  Other Changes

  • 4.19.2 Staging by @ wesleytodd in #5561
  • remove duplicate location test for data uri by @ wesleytodd in #5562
  • feat: document beta releases expectations by @ marco-ippolito in #5565
  • Cut down on duplicated CI runs by @ jonchurch in #5564
  • Add a Threat Model by @ UlisesGascon in #5526
  • Assign captain of encodeurl by @ blakeembrey in #5579
  • Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @ jonchurch in #5587
  • docs: update Security.md by @ inigomarquinez in #5590
  • docs: update triage nomination policy by @ UlisesGascon in #5600
  • Add CodeQL (SAST) by @ UlisesGascon in #5433
  • docs: add UlisesGascon as triage initiative captain by @ UlisesGascon in #5605
  • deps: encodeurl@~2.0.0 by @ blakeembrey in #5569
  • skip QUERY method test by @ jonchurch in #5628
  • ignore ETAG query test on 21 and 22, reuse skip util by @ jonchurch in #5639
  • add support Node.js@22 in the CI by @ mertcanaltin in #5627
  • doc: add table of contents, tc/triager lists to readme by @ mertcanaltin in #5619
  • List and sort all projects, add captains by @ blakeembrey in #5653
  • docs: add @ UlisesGascon as captain for cookie-parser by @ UlisesGascon in #5666
  • ✨ bring back query tests for node 21 by @ ctcpip in #5690
  • [v4] Deprecate res.clearCookie accepting options.maxAge and options.expires by @ jonchurch in #5672
  • skip QUERY tests for Node 21 only, still not supported by @ jonchurch in #5695
  • 📝 update people, add ctcpip to TC by @ ctcpip in #5683
  • remove minor version pinning from ci by @ jonchurch in #5722
  • Fix link variable use in attribution section of CODE OF CONDUCT by @ IamLizu in #5762
  • Replace Appveyor windows testing with GHA by @ jonchurch in #5599
  • Add OSSF Scorecard badge by @ UlisesGascon in #5436
  • update scorecard link by @ bjohansebas in #5814
  • Nominate @ IamLizu to the triage team by @ UlisesGascon in #5836
  • deps: path-to-regexp@0.1.8 by @ blakeembrey in #5603
  • docs: specify new instructions for question and discuss by @ IamLizu in #5835
  • 4.x: Upgrade merge-descriptors dependency by @ RobinTail in #5781
  • path-to-regexp@0.1.10 by @ blakeembrey in #5902

  New Contributors

  • @ marco-ippolito made their first contribution in #5565
  • @ inigomarquinez made their first contribution in #5590
  • @ mertcanaltin made their first contribution in #5627
  • @ ctcpip made their first contribution in #5690
  • @ bjohansebas made their first contribution in #5814

  Full Changelog: 4.19.1...4.20.0

• 4.19.2 - 2024-03-25
  

  What's Changed

  • Improved fix for open redirect allow list bypass

  Full Changelog: 4.19.1...4.19.2

• 4.19.1 - 2024-03-20
  

  What's Changed

  • Fix ci after location patch by @ wesleytodd in #5552
  • fixed un-edited version in history.md for 4.19.0 by @ wesleytodd in #5556

  Full Changelog: 4.19.0...4.19.1

• 4.19.0 - 2024-03-20
  

  What's Changed

  • fix typo in release date by @ UlisesGascon in #5527
  • docs: nominating @ wesleytodd to be project captian by @ wesleytodd in #5511
  • docs: loosen TC activity rules by @ wesleytodd in #5510
  • Add note on how to update docs for new release by @ crandmck in #5541
  • Prevent open redirect allow list bypass due to encodeurl
  • Release 4.19.0 by @ wesleytodd in #5551

  New Contributors

  • @ crandmck made their first contribution in #5541

  Full Changelog: 4.18.3...4.19.0

• 4.18.3 - 2024-02-29
  

  Main Changes

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2

  Other Changes

  • Use https: protocol instead of deprecated git: protocol by @ vcsjones in #5032
  • build: Node.js@16.18 and Node.js@18.12 by @ abenhamdine in #5034
  • ci: update actions/checkout to v3 by @ armujahid in #5027
  • test: remove unused function arguments in params by @ raksbisht in #5124
  • Remove unused originalIndex from acceptParams by @ raksbisht in #5119
  • Fixed typos by @ raksbisht in #5117
  • examples: remove unused params by @ raksbisht in #5113
  • fix: parameter str is not described in JSDoc by @ raksbisht in #5130
  • fix: typos in History.md by @ raksbisht in #5131
  • build : add Node.js@19.7 by @ abenhamdine in #5028
  • test: remove unused function arguments in params by @ raksbisht in #5137
  • use random port in test so it won't fail on already listening by @ rluvaton in #5162
  • tests: use cb() instead of done() by @ kristof-low in #5233
  • examples: remove multipart example by @ riddlew in #5195
  • Update support Node.js@18 in the CI by @ UlisesGascon in #5490
  • Fix favicon-related bug in cookie-sessions example by @ DmytroKondrashov in #5414
  • Release 4.18.3 by @ UlisesGascon in #5505

  New Contributors

  • @ vcsjones made their first contribution in #5032
  • @ abenhamdine made their first contribution in #5034
  • @ armujahid made their first contribution in #5027
  • @ raksbisht made their first contribution in #5124
  • @ rluvaton made their first contribution in #5162
  • @ kristof-low made their first contribution in #5233
  • @ riddlew made their first contribution in

[Omrisnyk]

🎉 Snyk hasn't found any issues so far.

✅ code/snyk check is completed. No issues were found. (View Details)