[Snyk] Fix for 11 vulnerabilities

[suvajit]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	661/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.8	Arbitrary Code Injection SNYK-JS-MORGAN-72579	No	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	No	No Known Exploit
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	No	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Root Path Disclosure npm:send:20151103	No	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: body-parser

The new version differs by 225 commits.

• 0f1bed0 1.17.1
• 0532096 lint: remove unreachable code branches
• b34aab5 build: [email protected]
• 77b1ca1 build: [email protected]
• e51dbc5 deps: [email protected]
• 79bc939 1.17.0
• e6140e1 build: [email protected]
• 42f467d deps: [email protected]
• 4954aec build: test against Node.js 8.x nightly
• e2050df build: [email protected]
• 2f941c4 build: [email protected]
• 6549617 build: [email protected]
• d1c2c7f deps: http-errors@~1.6.1
• e7b86ba build: [email protected]
• 7b630f7 1.16.1
• de574bf build: [email protected]
• 889bcc9 build: [email protected]
• dba8ac4 deps: [email protected]
• 95a3ebb docs: fix history file with incorrect qs version
• c5a73d5 1.16.0
• 9744dda deps: [email protected]
• 7807757 deps: [email protected]
• 0e44768 lint: use standard style in the README
• 14952be build: [email protected]

See the full diff

Package name: debug

The new version differs by 205 commits.

• 13abeae Release 2.6.9
• f53962e remove ReDoS regexp in %o formatter (#504)
• 52e1f21 Release 2.6.8
• 2482e08 Check for undefined on browser globals (#462)
• 6bb07f7 release 2.6.7
• 15850cb Fix Regular Expression Denial of Service (ReDoS)
• 4a6c85c update "debug" to v1.0.0 (#454)
• b68dbf8 Fix typo (#455)
• 1351d2f Inline extend function in node implementation (#452)
• c211947 update version for component
• 14df14c release 2.6.5
• cae07b7 cleanup browser tests and fix null reference check on window.documentElement.style.WebkitAppearance (#447)
• f311b10 release 2.6.4
• 1f01b70 Fix bug that would occure if process.env.DEBUG is a non-string value. (#444)
• 2f3ebf4 Update CHANGELOG.md
• f5ae332 Update CHANGELOG.md
• 9742c5f chore(): ignore bower.json in npm installations. (#437)
• 27d93a3 update "debug" to v0.7.3
• 9dc30f8 release 2.6.3
• 0fb8ea4 LocalStorage returns undefined for any key not present (#431)
• ce4d93e changelog fix
• 017a9d6 release 2.6.2
• 23bc780 fix DEBUG_MAX_ARRAY_LENGTH
• 065cbfb Add backers and sponsors from Open Collective (#422)

See the full diff

Package name: express

The new version differs by 250 commits.

• f974d22 4.16.0
• 8d4ceb6 docs: add more information to installation
• c0136d8 Add express.json and express.urlencoded to parse bodies
• 86f5df0 deps: [email protected]
• 4196458 deps: [email protected]
• ddeb713 tests: add maxAge option tests for res.sendFile
• 7154014 Add "escape json" setting for res.json and res.jsonp
• 628438d deps: update example dependencies
• a24fd0c Add options to res.download
• 95fb5cc perf: remove dead .charset set in res.jsonp
• 44591fe deps: vary@~1.1.2
• 2df1ad2 Improve error messages when non-function provided as middleware
• 12c3712 Use safe-buffer for improved Buffer API
• fa272ed docs: fix typo in jsdoc comment
• d9d09b8 perf: re-use options object when generating ETags
• 02a9d5f deps: proxy-addr@~2.0.2
• c2f4fb5 deps: [email protected]
• 673d51f deps: [email protected]
• 5cc761c deps: parseurl@~1.3.2
• ad7d96d deps: [email protected]
• e62bb8b deps: etag@~1.8.1
• 70589c3 deps: content-type@~1.0.4
• 9a99c15 deps: accepts@~1.3.4
• 550043c deps: [email protected]

See the full diff

Package name: jade

The new version differs by 71 commits.

• 53cec74 Merge pull request #1746 from rlidwka/text-block-stuff
• d451082 Fix empty text-only block case
• 1870f47 Merge pull request #1734 from jadejs/date-warn-all
• a5dbbb1 Warn about future change to ISO 8601 style dates
• 87554b3 Merge pull request #1736 from skylerzhang/master
• 28cf735 Merge pull request #1735 from jadejs/ampersand-warn
• f4cf1e3 Add warning if a data attribute value contains ampersand(s)
• 5598487 Merge pull request #1725 from TimothyGu/contrib
• ce563fd Merge pull request #1726 from TimothyGu/pretty
• 28007f1 Merge pull request #1729 from TimothyGu/less
• acada93 Pin to less <2.0.0
• 8fb4272 Better `pretty` documentation
• a85c86f layout: Add "contributed by many others"
• d8dd7ee layout: Remove commented out cruft
• 6181f5d Update Readme_zh-cn.md
• 77b2caa Merge pull request #1716 from TimothyGu/globals-doc
• abca356 Document `globals` option
• 2314090 Merge pull request #1703 from chharvey/master
• 0d87396 Merge pull request #1663 from bfred-it/master
• f2d9266 Merge pull request #1708 from TimothyGu/master
• 45f8f6f Fix link to Travis CI and GitHub repo
• e236e1a Merge pull request #1704 from jadejs/object-classes
• 138e255 Document the object form of `class` and `style` attributes
• 8e85b96 Add support for an object in the style attribute

See the full diff

Package name: morgan

The new version differs by 202 commits.

• 572dd93 1.9.1
• e02de38 lint: apply standard 12 style
• e329663 Fix using special characters in format
• eb1968a tests: use strict equality checks
• 310b206 build: use yaml eslint configuration
• 5810937 build: [email protected]
• f60afd5 build: [email protected]
• 5295b0c build: [email protected]
• 178daaf build: [email protected]
• 7b08641 build: [email protected]
• 73cb666 build: [email protected]
• edc95aa build: [email protected]
• ace86c3 build: [email protected]
• 4dd1180 lint: apply standard 11 style
• 60c31e8 build: [email protected]
• 05e382f build: [email protected]
• 1a5be20 build: [email protected]
• cf9565f docs: remove gratipay badge
• b66251d build: [email protected]
• 0113732 build: [email protected]
• 47659a9 deps: depd@~1.1.2
• 695f659 build: support Node.js 9.x
• f4c51e9 build: [email protected]
• 4f15f36 build: [email protected]

See the full diff

Package name: serve-favicon

The new version differs by 110 commits.

• 68b34f5 2.4.5
• 930b0a0 deps: [email protected]
• 8105b88 deps: etag@~1.8.1
• c050d26 2.4.4
• d36c44e deps: [email protected]
• c33f25e deps: parseurl@~1.3.2
• 878c248 tests: use mocha context for server
• e24fa4b deps: [email protected]
• 998dcb5 build: [email protected]
• a5cff5d build: [email protected]
• c2e05e8 build: support Node.js 8.x
• 52cb604 build: [email protected]
• 44c4c6e build: [email protected]
• 9293f89 2.4.3
• 53a3778 deps: [email protected]
• b5b9412 build: [email protected]
• df97c51 build: [email protected]
• dcf75b3 build: [email protected]
• 11108e1 Use safe-buffer for improved Buffer API
• 08135aa tests: use temp-path for paths
• ca3ce4e build: [email protected]
• b450452 2.4.2
• 0b0bf0a build: [email protected]
• 4e083b7 build: [email protected]

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn