
[Snyk] Upgrade: apollo-server-express, graphql, express, bcrypt, module-alias, mongodb, nodemon, swagger-ui-express, validator #126

Open
wants to merge 1 commit into base: master

Conversation

danilocatapan (Owner)

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name | Versions | Released on
--- | --- | ---
apollo-server-express | from 2.19.1 to 2.26.2 (40 versions ahead of your current version) | a year ago, on 2023-08-30
graphql | from 15.5.1 to 15.9.0 (9 versions ahead of your current version) | 3 months ago, on 2024-06-21
express | from 4.17.1 to 4.19.2 (9 versions ahead of your current version) | 6 months ago, on 2024-03-25
bcrypt | from 5.0.1 to 5.1.1 (2 versions ahead of your current version) | a year ago, on 2023-08-16
module-alias | from 2.2.2 to 2.2.3 (1 version ahead of your current version) | a year ago, on 2023-06-03
mongodb | from 3.6.6 to 3.7.4 (11 versions ahead of your current version) | a year ago, on 2023-06-21
nodemon | from 2.0.7 to 2.0.22 (25 versions ahead of your current version) | a year ago, on 2023-03-22
swagger-ui-express | from 4.1.6 to 4.6.3 (8 versions ahead of your current version) | a year ago, on 2023-05-05
validator | from 13.6.0 to 13.12.0 (4 versions ahead of your current version) | 4 months ago, on 2024-05-09

Issues fixed by the recommended upgrade:

Severity | Issue | Snyk ID | Score | Exploit Maturity
--- | --- | --- | --- | ---
high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-ANSIREGEX-1583908 | 482 | Proof of Concept
high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-ANSIREGEX-1583908 | 482 | Proof of Concept
high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-ANSIREGEX-1583908 | 482 | Proof of Concept
high | Denial of Service (DoS) | SNYK-JS-WS-7266574 | 482 | Proof of Concept
high | Prototype Poisoning | SNYK-JS-QS-3153490 | 482 | Proof of Concept
high | Denial of Service (DoS) | SNYK-JS-WS-7266574 | 482 | Proof of Concept
medium | Server-side Request Forgery (SSRF) | SNYK-JS-SWAGGERUIEXPRESS-6815423 | 482 | Proof of Concept
medium | Server-side Request Forgery (SSRF) | SNYK-JS-SWAGGERUIEXPRESS-6815424 | 482 | Mature
medium | Uncontrolled Resource Consumption ('Resource Exhaustion') | SNYK-JS-TAR-6476909 | 482 | Proof of Concept
medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-VALIDATOR-1090600 | 482 | Proof of Concept
medium | Open Redirect | SNYK-JS-GOT-2932019 | 482 | No Known Exploit
medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-HTTPCACHESEMANTICS-3248783 | 482 | Proof of Concept
medium | Information Exposure | SNYK-JS-NODEFETCH-2342118 | 482 | No Known Exploit
medium | Open Redirect | SNYK-JS-EXPRESS-6474509 | 482 | No Known Exploit
medium | Server-side Request Forgery (SSRF) | SNYK-JS-SWAGGERUIDIST-2314884 | 482 | Mature
medium | Server-side Request Forgery (SSRF) | SNYK-JS-SWAGGERUIDIST-6056393 | 482 | Proof of Concept
medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-MINIMATCH-3050818 | 482 | No Known Exploit
medium | Information Exposure | SNYK-JS-MONGODB-5871303 | 482 | No Known Exploit
medium | Information Exposure | SNYK-JS-NODEFETCH-2342118 | 482 | No Known Exploit
low | Information Exposure | SNYK-JS-APOLLOSERVERCORE-5876618 | 482 | No Known Exploit
low | Regular Expression Denial of Service (ReDoS) | npm:debug:20170905 | 482 | Proof of Concept
low | Prototype Pollution | SNYK-JS-MINIMIST-2429795 | 482 | Proof of Concept
Release notes
Package name: apollo-server-express
  • 2.26.2 - 2023-08-30
  • 2.26.1 - 2022-10-20
  • 2.26.0 - 2022-08-18
  • 2.25.4 - 2022-05-25
  • 2.25.3 - 2021-11-04
  • 2.25.2 - 2021-06-22
  • 2.25.1 - 2021-06-08
  • 2.25.0 - 2021-05-27
  • 2.25.0-alpha.1 - 2021-05-27
  • 2.25.0-alpha.0 - 2021-05-26
  • 2.24.1 - 2021-05-18
  • 2.24.0 - 2021-04-30
  • 2.24.0-alpha.2 - 2021-04-30
  • 2.24.0-alpha.1 - 2021-04-29
  • 2.24.0-alpha.0 - 2021-04-28
  • 2.23.1-unified2.3 - 2021-04-27
  • 2.23.1-unified2.2 - 2021-04-27
  • 2.23.1-unified2.1 - 2021-04-23
  • 2.23.1-unified2.0 - 2021-04-22
  • 2.23.1-unified.2 - 2021-04-22
  • 2.23.1-unified.0 - 2021-04-22
  • 2.23.0 - 2021-04-14
  • 2.23.0-alpha.1 - 2021-04-09
  • 2.23.0-alpha.0 - 2021-04-09
  • 2.22.2 - 2021-03-29
  • 2.22.2-alpha.0 - 2021-03-29
  • 2.22.1 - 2021-03-26
  • 2.22.0 - 2021-03-26
  • 2.22.0-alpha.0 - 2021-03-22
  • 2.21.2 - 2021-03-18
  • 2.21.2-alpha.0 - 2021-03-16
  • 2.21.1 - 2021-03-08
  • 2.21.1-alpha.0 - 2021-03-06
  • 2.21.0 - 2021-02-12
  • 2.21.0-alpha.2 - 2021-02-11
  • 2.21.0-alpha.1 - 2021-02-11
  • 2.21.0-alpha.0 - 2021-02-11
  • 2.20.0 - 2021-02-09
  • 2.20.0-alpha.0 - 2021-02-09
  • 2.19.2 - 2021-01-14
  • 2.19.1 - 2020-12-22
from apollo-server-express GitHub release notes
Package name: graphql
  • 15.9.0 - 2024-06-21

    v15.9.0 (2024-06-21)

    New Feature 🚀

    • #4120 backport[v15]: Introduce "recommended" validation rules (@ benjie)

    Bug Fix 🐞

    • #3708 Fix crash in node when mixing sync/async resolvers (backport of #3706) (@ chrskrchr)
    • #4000 Backport "Prevent Infinite Loop in OverlappingFieldsCanBeMergedRule" to v15 (@ benjie)

    Internal 🏠

    Committers: 2

  • 15.8.0 - 2021-12-07
  • 15.7.2 - 2021-10-28
  • 15.7.1 - 2021-10-27
  • 15.7.0 - 2021-10-26
  • 15.6.1 - 2021-10-05
  • 15.6.0 - 2021-09-20
  • 15.5.3 - 2021-09-06
  • 15.5.2 - 2021-08-30
  • 15.5.1 - 2021-06-20
from graphql GitHub release notes
Package name: express
  • 4.19.2 - 2024-03-25
  • 4.19.1 - 2024-03-20

    Full Changelog: 4.19.0...4.19.1

  • 4.19.0 - 2024-03-20

    Full Changelog: 4.18.3...4.19.0

  • 4.18.3 - 2024-02-29

    Main Changes

    • Fix routing requests without method
    • deps: body-parser@1.20.2
      • Fix strict json error message on Node.js 19+
      • deps: content-type@~1.0.5
      • deps: raw-body@2.5.2

    Full Changelog: 4.18.2...4.18.3

  • 4.18.2 - 2022-10-08
    • Fix regression routing a large stack in a single route
    • deps: body-parser@1.20.1
      • deps: qs@6.11.0
      • perf: remove unnecessary object clone
    • deps: qs@6.11.0
  • 4.18.1 - 2022-04-29
    • Fix hanging on large stack of sync routes
  • 4.18.0 - 2022-04-25
    • Add "root" option to res.download
    • Allow options without filename in res.download
    • Deprecate string and non-integer arguments to res.status
    • Fix behavior of null/undefined as maxAge in res.cookie
    • Fix handling very large stacks of sync middleware
    • Ignore Object.prototype values in settings through app.set/app.get
    • Invoke default with same arguments as types in res.format
    • Support proper 205 responses using res.send
    • Use http-errors for res.format error
    • deps: body-parser@1.20.0
      • Fix error message for json parse whitespace in strict
      • Fix internal error when inflated body exceeds limit
      • Prevent loss of async hooks context
      • Prevent hanging when request already read
      • deps: depd@2.0.0
      • deps: http-errors@2.0.0
      • deps: on-finished@2.4.1
      • deps: qs@6.10.3
      • deps: raw-body@2.5.1
    • deps: cookie@0.5.0
      • Add priority option
      • Fix expires option to reject invalid dates
    • deps: depd@2.0.0
      • Replace internal eval usage with Function constructor
      • Use instance methods on process to check for listeners
    • deps: finalhandler@1.2.0
      • Remove set content headers that break response
      • deps: on-finished@2.4.1
      • deps: statuses@2.0.1
    • deps: on-finished@2.4.1
      • Prevent loss of async hooks context
    • deps: qs@6.10.3
    • deps: send@0.18.0
      • Fix emitted 416 error missing headers property
      • Limit the headers removed for 304 response
      • deps: depd@2.0.0
      • deps: destroy@1.2.0
      • deps: http-errors@2.0.0
      • deps: on-finished@2.4.1
      • deps: statuses@2.0.1
    • deps: serve-static@1.15.0
      • deps: send@0.18.0
    • deps: statuses@2.0.1
      • Remove code 306
      • Rename 425 Unordered Collection to standard 425 Too Early
  • 4.17.3 - 2022-02-17
    • deps: accepts@~1.3.8
      • deps: mime-types@~2.1.34
      • deps: negotiator@0.6.3
    • deps: body-parser@1.19.2
      • deps: bytes@3.1.2
      • deps: qs@6.9.7
      • deps: raw-body@2.4.3
    • deps: cookie@0.4.2
    • deps: qs@6.9.7
      • Fix handling of __proto__ keys
    • perf: remove unnecessary regexp for trust proxy
  • 4.17.2 - 2021-12-17
    • Fix handling of undefined in res.jsonp
    • Fix handling of undefined when "json escape" is enabled
    • Fix incorrect middleware execution with unanchored RegExps
    • Fix res.jsonp(obj, status) deprecation message
    • Fix typo in res.is JSDoc
    • deps: body-parser@1.19.1
      • deps: bytes@3.1.1
      • deps: http-errors@1.8.1
      • deps: qs@6.9.6
      • deps: raw-body@2.4.2
      • deps: safe-buffer@5.2.1
      • deps: type-is@~1.6.18
    • deps: content-disposition@0.5.4
      • deps: safe-buffer@5.2.1
    • deps: cookie@0.4.1
      • Fix maxAge option to reject invalid values
    • deps: proxy-addr@~2.0.7
      • Use req.socket over deprecated req.connection
      • deps: forwarded@0.2.0
      • deps: ipaddr.js@1.9.1
    • deps: qs@6.9.6
    • deps: safe-buffer@5.2.1
    • deps: send@0.17.2
      • deps: http-errors@1.8.1
      • deps: ms@2.1.3
      • perf: ignore empty http tokens
    • deps: serve-static@1.14.2
      • deps: send@0.17.2
    • deps: setprototypeof@1.2.0
  • 4.17.1 - 2019-05-26
from express GitHub release notes
Package name: bcrypt
from bcrypt GitHub release notes
Package name: module-alias
  • 2.2.3 - 2023-06-03
  • 2.2.2 - 2019-10-01

    Make module-alias work in cli mode #76

from module-alias GitHub release notes
Package name: mongodb
  • 3.7.4 - 2023-06-21

    The MongoDB Node.js team is pleased to announce version 3.7.4 of the mongodb package!

    Release Highlights

    This release fixes a bug that throws a type error when SCRAM-SHA-256 is used with saslprep in a webpacked environment.

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 3.7.3 - 2021-10-20
  • 3.7.2 - 2021-10-05
  • 3.7.1 - 2021-09-14
  • 3.7.0 - 2021-08-31
  • 3.6.12 - 2021-08-30
  • 3.6.11 - 2021-08-05
  • 3.6.10 - 2021-07-06
  • 3.6.9 - 2021-05-26
  • 3.6.8 - 2021-05-21
  • 3.6.7 - 2021-05-18
  • 3.6.6 - 2021-04-06
from mongodb GitHub release notes
Package name: nodemon

Snyk has created this PR to upgrade:
  - apollo-server-express from 2.19.1 to 2.26.2.
    See this package in npm: https://www.npmjs.com/package/apollo-server-express
  - graphql from 15.5.1 to 15.9.0.
    See this package in npm: https://www.npmjs.com/package/graphql
  - express from 4.17.1 to 4.19.2.
    See this package in npm: https://www.npmjs.com/package/express
  - bcrypt from 5.0.1 to 5.1.1.
    See this package in npm: https://www.npmjs.com/package/bcrypt
  - module-alias from 2.2.2 to 2.2.3.
    See this package in npm: https://www.npmjs.com/package/module-alias
  - mongodb from 3.6.6 to 3.7.4.
    See this package in npm: https://www.npmjs.com/package/mongodb
  - nodemon from 2.0.7 to 2.0.22.
    See this package in npm: https://www.npmjs.com/package/nodemon
  - swagger-ui-express from 4.1.6 to 4.6.3.
    See this package in npm: https://www.npmjs.com/package/swagger-ui-express
  - validator from 13.6.0 to 13.12.0.
    See this package in npm: https://www.npmjs.com/package/validator

See this project in Snyk:
https://app.snyk.io/org/catapandanilo/project/d0682a5e-259a-4bd5-9439-edcd3c983659?utm_source=github&utm_medium=referral&page=upgrade-pr
Successfully merging this pull request may close these issues:
  • Defaulting to ts-node is confusing when using ESM loaders
  • Consider removing/replacing update-notifier

2 participants