[Snyk] Upgrade: , , , , , , socket.io, bcrypt, class-validator, dotenv, express, nodemon, reflect-metadata, ts-node, type, typeorm, typescript

[charley04310]

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

@types/node
from 18.11.11 to 18.19.45 | 132 versions ahead of your current version | a month ago
on 2024-08-19
@types/express
from 4.17.14 to 4.17.21 | 7 versions ahead of your current version | 10 months ago
on 2023-11-07
@types/cookie-parser
from 1.4.3 to 1.4.7 | 4 versions ahead of your current version | 7 months ago
on 2024-02-29
@types/multer
from 1.4.7 to 1.4.12 | 5 versions ahead of your current version | 22 days ago
on 2024-08-23
@types/nodemon
from 1.19.2 to 1.19.6 | 4 versions ahead of your current version | 10 months ago
on 2023-11-21
@types/request-promise
from 4.1.48 to 4.1.51 | 3 versions ahead of your current version | 10 months ago
on 2023-11-07
socket.io
from 4.5.4 to 4.7.5 | 10 versions ahead of your current version | 6 months ago
on 2024-03-14
bcrypt
from 5.1.0 to 5.1.1 | 1 version ahead of your current version | a year ago
on 2023-08-16
class-validator
from 0.14.0 to 0.14.1 | 1 version ahead of your current version | 8 months ago
on 2024-01-12
dotenv
from 16.0.3 to 16.4.5 | 17 versions ahead of your current version | 7 months ago
on 2024-02-20
express
from 4.18.2 to 4.19.2 | 4 versions ahead of your current version | 6 months ago
on 2024-03-25
nodemon
from 2.0.20 to 2.0.22 | 2 versions ahead of your current version | a year ago
on 2023-03-22
reflect-metadata
from 0.1.13 to 0.2.2 | 5 versions ahead of your current version | 6 months ago
on 2024-03-29
ts-node
from 10.9.1 to 10.9.2 | 1 version ahead of your current version | 9 months ago
on 2023-12-08
type
from 2.7.2 to 2.7.3 | 1 version ahead of your current version | 4 months ago
on 2024-05-30
typeorm
from 0.3.11 to 0.3.20 | 135 versions ahead of your current version | 8 months ago
on 2024-01-26
typescript
from 4.9.3 to 4.9.5 | 2 versions ahead of your current version | 2 years ago
on 2023-01-30

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Denial of Service (DoS) SNYK-JS-WS-7266574	482	Proof of Concept
	Uncaught Exception SNYK-JS-SOCKETIO-7278048	482	No Known Exploit
	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-5596892	482	No Known Exploit
	Uncaught Exception SNYK-JS-ENGINEIO-5496331	482	No Known Exploit
	Prototype Pollution SNYK-JS-XML2JS-5414874	482	Proof of Concept
	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-TAR-6476909	482	Proof of Concept
	Open Redirect SNYK-JS-EXPRESS-6474509	482	No Known Exploit

Release notes

Package name: @types/node

• 18.19.45 - 2024-08-19
• 18.19.44 - 2024-08-09
• 18.19.43 - 2024-08-02
• 18.19.42 - 2024-07-23
• 18.19.41 - 2024-07-18
• 18.19.40 - 2024-07-16
• 18.19.39 - 2024-06-22
• 18.19.38 - 2024-06-20
• 18.19.37 - 2024-06-19
• 18.19.36 - 2024-06-17
• 18.19.35 - 2024-06-17
• 18.19.34 - 2024-06-03
• 18.19.33 - 2024-05-08
• 18.19.32 - 2024-05-06
• 18.19.31 - 2024-04-09
• 18.19.30 - 2024-04-05
• 18.19.29 - 2024-04-02
• 18.19.28 - 2024-03-30
• 18.19.27 - 2024-03-30
• 18.19.26 - 2024-03-19
• 18.19.25 - 2024-03-18
• 18.19.24 - 2024-03-13
• 18.19.23 - 2024-03-11
• 18.19.22 - 2024-03-06
• 18.19.21 - 2024-02-29
• 18.19.20 - 2024-02-28
• 18.19.19 - 2024-02-27
• 18.19.18 - 2024-02-22
• 18.19.17 - 2024-02-15
• 18.19.16 - 2024-02-15
• 18.19.15 - 2024-02-08
• 18.19.14 - 2024-02-01
• 18.19.13 - 2024-02-01
• 18.19.12 - 2024-01-31
• 18.19.11 - 2024-01-30
• 18.19.10 - 2024-01-26
• 18.19.9 - 2024-01-24
• 18.19.8 - 2024-01-17
• 18.19.7 - 2024-01-15
• 18.19.6 - 2024-01-09
• 18.19.5 - 2024-01-07
• 18.19.4 - 2023-12-30
• 18.19.3 - 2023-12-07
• 18.19.2 - 2023-12-03
• 18.19.1 - 2023-12-01
• 18.19.0 - 2023-11-30
• 18.18.14 - 2023-11-29
• 18.18.13 - 2023-11-23
• 18.18.12 - 2023-11-22
• 18.18.11 - 2023-11-21
• 18.18.10 - 2023-11-18
• 18.18.9 - 2023-11-07
• 18.18.8 - 2023-10-31
• 18.18.7 - 2023-10-25
• 18.18.6 - 2023-10-18
• 18.18.5 - 2023-10-12
• 18.18.4 - 2023-10-06
• 18.18.3 - 2023-10-02
• 18.18.2 - 2023-10-02
• 18.18.1 - 2023-09-29
• 18.18.0 - 2023-09-25
• 18.17.19 - 2023-09-23
• 18.17.18 - 2023-09-20
• 18.17.17 - 2023-09-16
• 18.17.16 - 2023-09-15
• 18.17.15 - 2023-09-08
• 18.17.14 - 2023-09-02
• 18.17.13 - 2023-09-01
• 18.17.12 - 2023-08-28
• 18.17.11 - 2023-08-24
• 18.17.10 - 2023-08-24
• 18.17.9 - 2023-08-23
• 18.17.8 - 2023-08-22
• 18.17.7 - 2023-08-22
• 18.17.6 - 2023-08-18
• 18.17.5 - 2023-08-11
• 18.17.4 - 2023-08-08
• 18.17.3 - 2023-08-05
• 18.17.2 - 2023-08-04
• 18.17.1 - 2023-07-25
• 18.17.0 - 2023-07-22
• 18.16.20 - 2023-07-21
• 18.16.19 - 2023-06-30
• 18.16.18 - 2023-06-13
• 18.16.17 - 2023-06-10
• 18.16.16 - 2023-05-26
• 18.16.15 - 2023-05-25
• 18.16.14 - 2023-05-21
• 18.16.13 - 2023-05-18
• 18.16.12 - 2023-05-16
• 18.16.11 - 2023-05-16
• 18.16.10 - 2023-05-16
• 18.16.9 - 2023-05-13
• 18.16.8 - 2023-05-11
• 18.16.7 - 2023-05-10
• 18.16.6 - 2023-05-08
• 18.16.5 - 2023-05-05
• 18.16.4 - 2023-05-05
• 18.16.3 - 2023-04-29
• 18.16.2 - 2023-04-27
• 18.16.1 - 2023-04-25
• 18.16.0 - 2023-04-23
• 18.15.13 - 2023-04-21
• 18.15.12 - 2023-04-19
• 18.15.11 - 2023-03-28
• 18.15.10 - 2023-03-25
• 18.15.9 - 2023-03-25
• 18.15.8 - 2023-03-24
• 18.15.7 - 2023-03-24
• 18.15.6 - 2023-03-23
• 18.15.5 - 2023-03-20
• 18.15.4 - 2023-03-20
• 18.15.3 - 2023-03-14
• 18.15.2 - 2023-03-13
• 18.15.1 - 2023-03-13
• 18.15.0 - 2023-03-09
• 18.14.6 - 2023-03-03
• 18.14.5 - 2023-03-03
• 18.14.4 - 2023-03-02
• 18.14.3 - 2023-03-02
• 18.14.2 - 2023-02-26
• 18.14.1 - 2023-02-23
• 18.14.0 - 2023-02-17
• 18.13.0 - 2023-02-07
• 18.11.19 - 2023-02-04
• 18.11.18 - 2022-12-26
• 18.11.17 - 2022-12-17
• 18.11.16 - 2022-12-16
• 18.11.15 - 2022-12-13
• 18.11.14 - 2022-12-13
• 18.11.13 - 2022-12-10
• 18.11.12 - 2022-12-08
• 18.11.11 - 2022-12-05

from @types/node GitHub release notes

Package name: @types/express

• 4.17.21 - 2023-11-07
• 4.17.20 - 2023-10-18
• 4.17.19 - 2023-10-10
• 4.17.18 - 2023-09-23
• 4.17.17 - 2023-02-03
• 4.17.16 - 2023-01-23
• 4.17.15 - 2022-12-13
• 4.17.14 - 2022-09-13

from @types/express GitHub release notes

Package name: @types/cookie-parser

• 1.4.7 - 2024-02-29
• 1.4.6 - 2023-11-07
• 1.4.5 - 2023-10-18
• 1.4.4 - 2023-09-04
• 1.4.3 - 2022-04-27

from @types/cookie-parser GitHub release notes

Package name: @types/multer

• 1.4.12 - 2024-08-23
• 1.4.11 - 2023-11-21
• 1.4.10 - 2023-11-07
• 1.4.9 - 2023-10-18
• 1.4.8 - 2023-09-27
• 1.4.7 - 2021-07-07

from @types/multer GitHub release notes

Package name: @types/nodemon

• 1.19.6 - 2023-11-21
• 1.19.5 - 2023-11-07
• 1.19.4 - 2023-10-18
• 1.19.3 - 2023-09-23
• 1.19.2 - 2022-07-20

from @types/nodemon GitHub release notes

Package name: @types/request-promise

• 4.1.51 - 2023-11-07
• 4.1.50 - 2023-10-18
• 4.1.49 - 2023-09-27
• 4.1.48 - 2021-07-07

from @types/request-promise GitHub release notes

Package name: socket.io

• 4.7.5 - 2024-03-14
  

  Bug Fixes

  • close the adapters when the server is closed (bf64870)
  • remove duplicate pipeline when serving bundle (e426f3e)

  Links

  • Diff: 4.7.4...4.7.5
  • Client release: 4.7.5
  • engine.io@~6.5.2 (no change)
  • ws@~8.11.0 (no change)
• 4.7.4 - 2024-01-12
  

  Bug Fixes

  • typings: calling io.emit with no arguments incorrectly errored (cb6d2e0), closes #4914

  Links

  • Diff: 4.7.3...4.7.4
  • Client release: 4.7.4
  • engine.io@~6.5.2 (no change)
  • ws@~8.11.0 (no change)
• 4.7.3 - 2024-01-03
  

  Bug Fixes

  • return the first response when broadcasting to a single socket (#4878) (df8e70f)
  • typings: allow to bind to a non-secure Http2Server (#4853) (8c9ebc3)

  Links

  • Diff: 4.7.2...4.7.3
  • Client release: 4.7.3
  • engine.io@~6.5.2 (no change)
  • ws@~8.11.0 (no change)
• 4.7.2 - 2023-08-02
  

  Bug Fixes

  • clean up child namespace when client is rejected in middleware (#4773) (0731c0d)
  • webtransport: properly handle WebTransport-only connections (3468a19)
  • webtransport: add proper framing (a306db0)

  Links

  • Diff: 4.7.1...4.7.2
  • Client release: 4.7.2
  • engine.io@~6.5.2 (diff)
  • ws@~8.11.0 (no change)
• 4.7.1 - 2023-06-28
  

  The client bundle contains a few fixes regarding the WebTransport support.

  Links

  • Diff: 4.7.0...4.7.1
  • Client release: 4.7.1
  • engine.io@~6.5.0 (no change)
  • ws@~8.11.0 (no change)
• 4.7.0 - 2023-06-22
  

  Bug Fixes

  • remove the Partial modifier from the socket.data type (#4740) (e5c62ca)

  Features

  Support for WebTransport

  The Socket.IO server can now use WebTransport as the underlying transport.

  WebTransport is a web API that uses the HTTP/3 protocol as a bidirectional transport. It's intended for two-way communications between a web client and an HTTP/3 server.

  References:

  • https://w3c.github.io/webtransport/
  • https://developer.mozilla.org/en-US/docs/Web/API/WebTransport
  • https://developer.chrome.com/articles/webtransport/

  Until WebTransport support lands in Node.js, you can use the @ fails-components/webtransport package:

  https://w3c.github.io/webtransport/#custom-certificate-requirements)
  const cert = readFileSync("/path/to/my/cert.pem");
  const key = readFileSync("/path/to/my/key.pem");

  const httpsServer = createServer({
  key,
  cert
  });

  httpsServer.listen(3000);

  const io = new Server(httpsServer, {
  transports: ["polling", "websocket", "webtransport"] // WebTransport is not enabled by default
  });

  const h3Server = new Http3Server({
  port: 3000,
  host: "0.0.0.0",
  secret: "changeit",
  cert,
  privKey: key,
  });

  (async () => {
  const stream = await h3Server.sessionStream("/socket.io/");
  const sessionReader = stream.getReader();

  while (true) {
  const { done, value } = await sessionReader.read();
  if (done) {
  break;
  }
  io.engine.onWebTransportSession(value);
  }
  })();

  h3Server.startServer();">

  import { readFileSync } from "fs";
  
  import { createServer } from "https";
  
  import { Server } from "socket.io";
  
  import { Http3Server } from "@ fails-components/webtransport";
  
  // WARNING: the total length of the validity period MUST NOT exceed two weeks (https://w3c.github.io/webtransport/#custom-certificate-requirements)
  
  const cert = readFileSync("/path/to/my/cert.pem");
  
  const key = readFileSync("/path/to/my/key.pem");
  const httpsServer = createServer({
  
  key,
  
  cert
  
  });
  httpsServer.listen(3000);
  const io = new Server(httpsServer, {
  
  transports: ["polling", "websocket", "webtransport"] // WebTransport is not enabled by default
  
  });
  const h3Server = new Http3Server({
  
  port: 3000,
  
  host: "0.0.0.0",
  
  secret: "changeit",
  
  cert,
  
  privKey: key,
  
  });
  (async () => {
  
  const stream = await h3Server.sessionStream("/socket.io/");
  
  const sessionReader = stream.getReader();
  while (true) {
  
  const { done, value } = await sessionReader.read();
  
  if (done) {
  
  break;
  
  }
  
  io.engine.onWebTransportSession(value);
  
  }
  
  })();
  h3Server.startServer();

  Added in 123b68c.

  Client bundles with CORS headers

  The bundles will now have the right Access-Control-Allow-xxx headers.

  Added in 63f181c.

  Links

  • Diff: 4.6.2...4.7.0
  • Client release: 4.7.0
  • engine.io@~6.5.0 (diff)
  • ws@~8.11.0 (no change)
• 4.6.2 - 2023-05-31
  

  Bug Fixes

  • exports: move types condition to the top (#4698) (3d44aae)

  Links

  • Diff: 4.6.1...4.6.2
  • Client release: 4.6.2
  • engine.io@~6.4.2 (diff)
  • ws@~8.11.0 (no change)
• 4.6.1 - 2023-02-20
• 4.6.0 - 2023-02-07
• 4.6.0-alpha1 - 2023-01-25
• 4.5.4 - 2022-11-22

from socket.io GitHub release notes

Package name: bcrypt

• 5.1.1 - 2023-08-16
  

  What's Changed

  • Refactored example with async await by @ lpizzinidev in #894
  • Fixed z/OS build issue by @ laijonathan in #968
  • Update dependencies by @ recrsn in #993

  New Contributors

  • @ lpizzinidev made their first contribution in #894
  • @ laijonathan made their first contribution in #968

  Full Changelog: v5.1.0...v5.1.1

• 5.1.0 - 2022-10-06
  

  What's Changed

  • Update node-pre-gyp to 1.0.2 by @ feuxfollets1013 in #865
  • Update README for inclusion of musl by @ arbourd in #883
  • Version bump, security updates to sub dep npmlog by @ adaniels-parabol in #905
  • document ESM usage (#892) by @ mariusa in #899
  • fix: update travis CI Docker image repository by @ cokia in #930
  • Update node versions in appveyor test matrix by @ p-kuen in #936
  • chore(appveyor): not use latest npm by @ cokia in #932
  • chore: update Appveyor readme badge by @ cokia in #933
  • Use Github actions for CI by @ recrsn in #858
  • Update dependencies by @ recrsn in #953
  • Migrate tests to use Jest by @ recrsn in #958
  • Pin NAPI to v3 by @ recrsn in #959

  New Contributors

  • @ feuxfollets1013 made their first contribution in #865
  • @ arbourd made their first contribution in #883
  • @ adaniels-parabol made their first contribution in #905
  • @ mariusa made their first contribution in #899
  • @ cokia made their first contribution in #930
  • @ p-kuen made their first contribution in #936

  Full Changelog: v5.0.1...v5.1.0

from bcrypt GitHub release notes

Package name: class-validator

• 0.14.1 - 2024-01-12
  

  What's Changed

  • fix: fail for non-array constraint in @ IsIn decorator by @ NoNameProvided in #1844
  • feat: allow specifying options for @ IsBase64 decorator by @ NoNameProvided in #1845
  • feat: use official type for version in @ IsUUID decorator by @ NoNameProvided in #1846
  • build(deps-dev): bump @ types/node from 18.11.12 to 18.11.13 by @ dependabot in #1847
  • build(deps): bump libphonenumber-js from 1.10.14 to 1.10.15 by @ dependabot in #1848
  • build(deps-dev): bump @ typescript-eslint/eslint-plugin from 5.46.0 to 5.46.1 by @ dependabot in #1850
  • build(deps-dev): bump @ types/node from 18.11.13 to 18.11.14 by @ dependabot in #1851
  • build(deps-dev): bump @ typescript-eslint/parser from 5.46.0 to 5.46.1 by @ dependabot in #1852
  • build(deps-dev): bump @ types/node from 18.11.14 to 18.11.15 by @ dependabot in #1854
  • build(deps-dev): bump @ rollup/plugin-commonjs from 23.0.4 to 23.0.5 by @ dependabot in #1855
  • docs: fix typos and reformat decorators table by @ carlocorradini in #1849
  • fix: allow number and boolean values in validation message "$value" tokens by @ kffl in #1467
  • feat: update @ IsPhoneNumber decorator to use max dataset by @ NoNameProvided in #1857
  • fix: read nullable option in @ IsNotEmptyObject decorator correctly by @ arkist in #1555
  • build(deps-dev): bump eslint-plugin-jest from 27.1.6 to 27.1.7 by @ dependabot in #1859
  • build(deps-dev): bump eslint from 8.29.0 to 8.30.0 by @ dependabot in #1860
  • build(deps-dev): bump @ rollup/plugin-commonjs from 23.0.5 to 24.0.0 by @ dependabot in #1862
  • build(deps-dev): bump @ types/node from 18.11.15 to 18.11.17 by @ dependabot in #1861
  • build(deps-dev): bump @ typescript-eslint/eslint-plugin from 5.46.1 to 5.47.0 by @ dependabot in #1864
  • build(deps-dev): bump @ typescript-eslint/parser from 5.46.1 to 5.47.0 by @ dependabot in #1865
  • build(deps-dev): bump @ typescript-eslint/parser from 5.47.0 to 5.47.1 by @ dependabot in #1870
  • build(deps-dev): bump @ typescript-eslint/eslint-plugin from 5.47.0 to 5.47.1 by @ dependabot in #1872
  • build(deps-dev): bump @ types/node from 18.11.17 to 18.11.18 by @ dependabot in #1871
  • build(deps-dev): bump @ types/jest from 29.2.4 to 29.2.5 by