[Snyk] Fix for 20 vulnerabilities

[bumplzz69]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-ASYNC-2441827	No	Proof of Concept
	526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1	Arbitrary Code Injection SNYK-JS-EJS-1049328	Yes	Proof of Concept
	726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-JPEGJS-2859218	No	Proof of Concept
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-JPEGJS-570039	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-174116	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451540	No	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-584281	No	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-MONGODB-473855	No	No Known Exploit
	751/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.6	Command Injection SNYK-JS-NODEMAILER-1038834	Yes	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	HTTP Header Injection SNYK-JS-NODEMAILER-1296415	Yes	Proof of Concept
	869/1000 Why? Mature exploit, Has a fix available, CVSS 8.8	Use After Free SNYK-JS-PUPPETEER-174321	No	Mature
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: jimp

The new version differs by 125 commits.

• 2b3413a Bump version to: v0.12.0 [skip ci]
• 0bd02d5 Update CHANGELOG.md [skip ci]
• 651de24 Fix package.json
• a2b44a1 Add readme description
• 697f2a6 Remove compiling polyfills into published code (passing whole members info when deleting account Countly/countly-server#891)
• ec736c9 Bump version to: v0.11.0 [skip ci]
• a52b096 Update CHANGELOG.md [skip ci]
• 2f99663 Make callback optional for Jimp.rgbaToInt (bugfix. Column selector. Added "Select columns to display" to localization strings Countly/countly-server#889)
• 585c1ab Removed Core-JS as a dependency. (Add --ignore-installed flag to installation of supervisor Countly/countly-server#882)
• 3719710 Bump version to: v0.10.3 [skip ci]
• 30f04f7 Update CHANGELOG.md [skip ci]
• e93497a Simplify and fix flip (Python 2.7 issue with meld3 on CentOS 7 Countly/countly-server#879)
• dd7a6ba Bump version to: v0.10.2 [skip ci]
• baf756c Update CHANGELOG.md [skip ci]
• b038cba Rewrite handling EXIF orientation — add tests, make it plugin-independent ([Reports-manager] change table render to server side  Countly/countly-server#875)
• 44ce60b Bump version to: v0.10.1 [skip ci]
• da6bf75 Update CHANGELOG.md [skip ci]
• bd5ba89 Update package.json (Possible repeated calls to /session endpoint Countly/countly-server#870)
• 3cc4a4c Fix a `loadFont` and case inconsistency of `jimp` ( [SERVER-1247] Create a common members utility  Countly/countly-server#868)
• c23237b Bump version to: v0.10.0 [skip ci]
• 1add0ba Update CHANGELOG.md [skip ci]
• e1d05da Properly split constructor and instance types (Support more date range formats in period parameter Countly/countly-server#867)
• 3a3df33 Bump version to: v0.9.8 [skip ci]
• df1fd79 Update CHANGELOG.md [skip ci]

See the full diff

Package name: jsdoc

The new version differs by 123 commits.

• c5ea65a 3.6.8
• a024054 update dependencies
• e1f1919 3.6.7
• f7a64bd chore(deps): update selected dependencies
• 3f5c462 3.6.6
• 95e3192 fix: correctly track interface members
• ef05a69 3.6.5
• a59b5cd fix: prevent circular refs when params have the same type expression
• 8d0fce6 chore: bump version; update release notes
• 91c9aa7 chore(deps): update dependencies
• ef33f07 3.6.3
• 0e468af 3.6.2
• d5e0eb0 Add 3.6.2 changelog.
• 61ae11c Ensure that ES 2015 classes appear in the generated docs when they're supposed to. ([SERVER-1834] Countly/countly-server#1644)
• 03b8abd Add 3.6.1 changelog.
• 0645930 3.6.1
• bac40ab Parse type applications correctly in Node.js 12. (Bump json2csv from 5.0.3 to 5.0.4 Countly/countly-server#1643)
• e5919e4 Update .gitignore.
• 2099e72 3.6.0
• d45c5b8 Add 3.6.0 changelog.
• b8012f4 Update dependencies, plus the URLs for the GitHub repos and docs.
• 10c004f update docs with new template ([event-groups] improvements Countly/countly-server#1604)
• aa0b6c1 switch to new-ish ECMAScript syntax
• 1546d40 update ESLint config

See the full diff

Package name: mongodb

The new version differs by 37 commits.

• c6f417e chore(release): 3.1.13
• 210c71d fix(db_ops): ensure we async resolve errors in createCollection
• 5ad9fa9 fix(changeStream): properly handle changeStream event mid-close (Adding Github actions Countly/countly-server#1902)
• e806be4 fix(bulk): honor ignoreUndefined in initializeUnorderedBulkOp
• 050267d fix(*): restore ability to webpack by removing `makeLazyLoader`
• 6e896f4 docs: adding aggregation, createIndex, and runCommand examples
• cb3cd12 chore(release): 3.1.12
• 508d685 Revert "chore(release): 3.2.0"
• e7619aa chore(release): 3.2.0
• d0dc228 chore(travis): include forgotten stage info for sharded builds
• ffbe90b chore(travis): run sharded tests in travis as well
• 9bef6e7 feat(core): update to mongodb-core v3.1.11
• e4bb39e chore(release): 3.1.11
• 76c0130 chore(core): bump version of mongodb-core
• a3adb3f fix(bulk): fix error propagation in empty bulk.execute
• ec0e30e doc(change-streams): correct typo, add missing example
• 10ea992 chore(package): update lock file
• fcb3ec1 test(sharded): reduce some sharded errors
• d4eae97 test(sessions): undo hack for apm events in sessions tests
• 0eaca21 test(sessions): fixing broken session test
• 6790a74 test(sharding): fixing old sharding tests
• 98f0c68 test(sharded): fixing sharded operation test
• c6a9baa test(sessions): fixing session tests in sharded env
• 985f0e9 test(drop): fixing drop assertions for sharded tests

See the full diff

Package name: nodemailer

The new version differs by 99 commits.

• 7e02648 v6.6.1
• 1750c0f v6.6.0
• 0636d58 Merge branch 'master' of github.com:nodemailer/nodemailer
• 058d414 v6.6.0
• fcb0d1f test: 💍 aws ses SDK v3 support
• 2ef39e3 test: 💍 aws ses connection verification
• 6107585 fix: 🐛 ses verify, add support for v3 API
• bf57cf5 Fixes resolveContent with streams overriding data
• 91108d7 v6.5.0
• 87d9b25 Pass through textEncoding to subnodes.
• 271f91b Update index.js
• 9b5fb94 v6.4.18
• 625a9ed Update README.md
• 1d24d8b docs: added rudimentary sponsor quote block
• a455716 Added OhMySMTP to services
• 6e045d1 v6.4.17
• ba31c64 v6.4.16
• 7e7b2b2 v6.4.15
• fca2041 Update CHANGELOG.md
• b4ccfa3 Oups
• 24b93bf Add ethereal.email to well-known/services.json
• 0f132fa doc: make the code a little more accessible with some code comments.
• 1815bad v6.4.14
• dd26ddd v6.4.13

See the full diff

Package name: puppeteer

The new version differs by 173 commits.

• 77a9694 chore: mark version v1.13.0 ([SER-581] Data Manager ---> Changing the visibility of an unplanned event Countly/countly-server#4114)
• ba5f94d test: disable flaky cookies test (Next Countly/countly-server#4112)
• 02b2451 fix: check if async error has a stack (fix for multiple similar survey id's Countly/countly-server#4017)
• 9db09fe test: add test to validate redirecting in request.respond (Add max-old-space-size variable to all enviroment variables for conta… Countly/countly-server#4106)
• c68df32 test: add failing test for bad request interception (Bump countly-sdk-web from 23.2.0 to 23.2.1 Countly/countly-server#4108)
• 02859c3 feat(chromium): roll Chromium to r637110 ([SER-611] All events: sort segment values alphabetically Countly/countly-server#4099)
• bc28f3b fix(firefox): fix executablePath() on OSX ([SER-465] small fix to cohort upgrade script  Countly/countly-server#4105)
• c9f6a3d chore(firefox): bump version to v0.5.0 (Bump get-random-values from 2.0.0 to 2.1.0 Countly/countly-server#4089)
• a6d8ecc fix(firefox): keyboard tests (Bump sass from 1.59.3 to 1.60.0 Countly/countly-server#4082)
• e8a4963 test: cleanup tests ([SER-604] Fixes for views plugin Countly/countly-server#4078)
• dae998e fix(firefox): enable domains in a proper order (Update CHANGELOG.md Countly/countly-server#4077)
• 9ef23b1 feat(firefox): implement cookies api ([SER-472] Case insensitive member emails- fixes Countly/countly-server#4076)
• 03d06f5 feat(firefox): page.accessibility.snapshot() ([SER-607] crypto.getRandomValues is replaced with get-random-values package Countly/countly-server#4071)
• f21486f feat(firefox): implement Page.touchscreen (Update countly.helpers.js Countly/countly-server#4070)
• 3541b89 test: split out all chromium-specific tests into chromiumonly.spec.js ([SER-603] allow disabling range modes in date picker (custom period) Countly/countly-server#4068)
• 77a4ea5 test: split out fixture tests and make them work with FF ([SER-600] Add query linking to dbviewer Countly/countly-server#4067)
• d04a8d5 refactor(firefox): split out DOMWorld ([SER-606] Title in aggregation view shows collection name. Countly/countly-server#4066)
• 4ecbd91 refactor(firefox): migrate onto ExecutionContext events ([plugin disabling-enabling][bugfix] Make sure to call callback only after installation are done (to prevent errors regarding having no db connection) Countly/countly-server#4064)
• 56dafd7 feat: support Response.buffer(), Response.json() and Response.text() ([SER-461] hooks writes to database on every trigger Countly/countly-server#4063)
• 3bea5d6 feat(firefox): implement browserContext.overridePermissions (Bump countly-sdk-web from 22.6.5 to 23.2.0 Countly/countly-server#4060)
• f1a14fe feat(firefox): support elementHandle.uploadFile ([SER-602] Consolidate plugin not functioning Countly/countly-server#4058)
• 1315dc8 feat(firefox): support Page.emualteMedia (SER-574: All Events > format duration and add double y-axis for segments Countly/countly-server#4056)
• 5c81836 feat(firefox): implement page.exposeFunction (SER-575: Unknown country flag image Countly/countly-server#4052)
• 7d39aca test: split out test for "text" option of ElementHandle.press (SER-597: Invalid download from aggregation pipeline Countly/countly-server#4051)

See the full diff

Package name: underscore

The new version differs by 250 commits.

• bf5a0ed Merge branch 'template-variable-parameter'
• 7e3d404 Update annotated sources and minified bundles for 1.12.1
• 5343fbc Add version 1.12.1 to the documentation
• 44df929 Bump the version to 1.12.1
• 7e89b79 Un-document the fix for Feature/crashgroups formatter fix Countly/countly-server#2911 for the time being
• 4c73526 Fix Feature/crashgroups formatter fix Countly/countly-server#2911
• ef646cc Reflect real issue of Feature/crashgroups formatter fix Countly/countly-server#2911 in test from Drawer edit issue fixed for user properties Countly/countly-server#2912
• a6159ff Fix indentation in the test from Drawer edit issue fixed for user properties Countly/countly-server#2912
• 798eafa Update the link to the preview release (bugfix)
• 07cc415 Convert all RawGit links to Statically
• db7fb6a Add temporary note about preview release to index.html
• 548fa01 Merge pull request check for tabs path in sidebar Countly/countly-server#2913 from ognjenjevremovic/test/time-tampering-tests
• 3a5c878 test: Assertion comment updates; `_.throttle` and `_.debounce`.
• 4d5d198 test: 💍 Time tampering tests for _.throttle and _.deobounce
• a4cc7c0 Add a test to confirm we are not vulnerable to CVE-2021-23337 (Feature/crashgroups formatter fix Countly/countly-server#2911)
• 745e9b7 Merge pull request pages added to ratings Countly/countly-server#2896 from anderlaw/master
• af2f919 Correct "Non-numerical values in list will be ignored"
• c9b4b63 Put back test/vendor/qunit.* static files to fix live website tests
• 311b04e Merge pull request Bump puppeteer from 5.5.0 to 13.5.0 Countly/countly-server#2892 from kritollm/master
• 6568211 Make a comment render more nicely
• 0b93f06 Fixed a few more details
• 913bcf2 Resolved changes requested.
• 769a494 throttle cleanup
• 03f9781 Reimplementing timer optimization Bump argon2 from 0.26.1 to 0.26.2 Countly/countly-server#1269

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Arbitrary Code Injection
🦉 Remote Code Execution (RCE)
🦉 More lessons are available in Snyk Learn