This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
#### Changes included in this PR
- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json
- Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
[Find out more](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities).
#### Vulnerabilities that will be fixed
##### With an upgrade:
Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity
:-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------
 | **479/1000** **Why?** Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) [SNYK-JS-NATURAL-1915418](https://snyk.io/vuln/SNYK-JS-NATURAL-1915418) | Yes | No Known Exploit
 | **454/1000** **Why?** Has a fix available, CVSS 4.8 | Session Fixation [SNYK-JS-PASSPORT-2840631](https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631) | No | No Known Exploit
(*) Note that the real score may have changed since the PR was raised.
Commit messagesPackage name: natural
The new version differs by 243 commits.
See the full diff
##### With a [Snyk patch](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities#patches):
Severity | Priority Score (*) | Issue | Exploit Maturity
:-------------------------:|-------------------------|:-------------------------|:-------------------------
 | **731/1000** **Why?** Proof of Concept exploit, Has a fix available, CVSS 8.2 | Prototype Pollution [SNYK-JS-LODASH-567746](https://snyk.io/vuln/SNYK-JS-LODASH-567746) | Proof of Concept
(*) Note that the real score may have changed since the PR was raised.
Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.
Check the changes in this PR to ensure they won't cause issues with your project.
------------
**Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.*
For more information:
🧐 [View latest project report](https://app.snyk.io/org/mynahmarie/project/08b6daf4-16af-4756-95f6-4d5feaa5536a?utm_source=github&utm_medium=referral&page=fix-pr)
🛠 [Adjust project settings](https://app.snyk.io/org/mynahmarie/project/08b6daf4-16af-4756-95f6-4d5feaa5536a?utm_source=github&utm_medium=referral&page=fix-pr/settings)
📚 [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities)
[//]: # (snyk:metadata:{"prId":"a77ac524-cf82-41c1-acb6-bf4d9b6983b0","prPublicId":"a77ac524-cf82-41c1-acb6-bf4d9b6983b0","dependencies":[{"name":"natural","from":"0.5.6","to":"5.1.11"},{"name":"passport","from":"0.4.0","to":"0.6.0"}],"packageManager":"npm","projectPublicId":"08b6daf4-16af-4756-95f6-4d5feaa5536a","projectUrl":"https://app.snyk.io/org/mynahmarie/project/08b6daf4-16af-4756-95f6-4d5feaa5536a?utm_source=github&utm_medium=referral&page=fix-pr","type":"auto","patch":["SNYK-JS-LODASH-567746"],"vulns":["SNYK-JS-PASSPORT-2840631","SNYK-JS-NATURAL-1915418","SNYK-JS-LODASH-567746","SNYK-JS-LODASH-450202"],"upgrade":["SNYK-JS-NATURAL-1915418","SNYK-JS-PASSPORT-2840631"],"isBreakingChange":true,"env":"prod","prType":"fix","templateVariants":["priorityScore"],"priorityScoreList":[454,479,731,686]})
---
**Learn how to fix vulnerabilities with free interactive lessons:**
🦉 [Regular Expression Denial of Service (ReDoS)](https://learn.snyk.io/lessons/redos/javascript/?loc=fix-pr)
🦉 [Prototype Pollution](https://learn.snyk.io/lessons/redos/javascript/?loc=fix-pr)
🦉 [Prototype Pollution](https://learn.snyk.io/lessons/redos/javascript/?loc=fix-pr)
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
#### Changes included in this PR - Changes to the following files to upgrade the vulnerable dependencies to a fixed version: - package.json - package-lock.json - Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches. [Find out more](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities). #### Vulnerabilities that will be fixed ##### With an upgrade: Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------  | **479/1000****Why?** Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS)
[SNYK-JS-NATURAL-1915418](https://snyk.io/vuln/SNYK-JS-NATURAL-1915418) | Yes | No Known Exploit  | **454/1000**
**Why?** Has a fix available, CVSS 4.8 | Session Fixation
[SNYK-JS-PASSPORT-2840631](https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631) | No | No Known Exploit (*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: natural
The new version differs by 243 commits.- bc85e32 5.1.11
- 90e85af Follow up of pull request #626 (#627)
- 7689c9a Update README.md
- 93925ec Update CONTRIBUTING.md
- a82ab35 Update SECURITY.md
- d59e757 Create SECURITY.md
- bb5f854 Create codeql-analysis.yml (#624)
- c079b23 5.1.10
- 6e49236 Security patch set value (#623)
- 6320546 5.1.9
- eb43511 Bump path-parse from 1.0.6 to 1.0.7 (#622)
- 106ab78 Bumped glob-parent dependency to 5.1.2 (#621)
- d5aa79e 5.1.8
- cdf1644 Bump hosted-git-info from 2.8.8 to 2.8.9 (#620)
- 02cbe62 5.1.7
- f17611e Bump lodash from 4.17.11 to 4.17.21 (#619)
- 9cb2761 5.1.6
- 2a4a193 Bump underscore from 1.9.1 to 1.12.1 (#618)
- 9f57acc 5.1.5
- 93d8e04 Bump ssri from 6.0.1 to 6.0.2 (#617)
- d844455 5.1.4
- 51ffa5a Bump y18n from 3.2.1 to 3.2.2 (#616)
- 336594d 5.1.3
- a55aa0a Bump elliptic from 6.4.1 to 6.5.4 (#615)
See the full diffPackage name: passport
The new version differs by 126 commits.- c33067b 0.6.0
- 3052bb4 Update changelog.
- 42630cb Merge pull request #900 from jaredhanson/fix-fixation
- 8dd79fe Use utils-merge rather than Object.assign for compatibility.
- 4f6bd5b Change keepSessionData to keepSessionData.
- 46756e5 Silence verbose logging.
- 987b191 Add tests.
- f8a175f Add tests.
- 29a90d6 No need to guard callback existence.
- bfba8a1 Add tests.
- 17111d7 Add option to keep session data on logout.
- a349c2b Add option to keep session data.
- e69834e Add optional options to login and logout.
- 8825a9a Add tests.
- c1991cf Add tests.
- 294f22c Better session detection and exceptions.
- 80cc4e3 Add tests.
- 3001654 Add tests.
- b395106 Clean up tests.
- cfa8259 Add tests.
- ee0bf81 Add tests.
- cc7606c Add tests.
- 71c54f6 Add test.
- 88c1f1b Handle logout without session manager.
See the full diff**Why?** Proof of Concept exploit, Has a fix available, CVSS 8.2 | Prototype Pollution
[SNYK-JS-LODASH-567746](https://snyk.io/vuln/SNYK-JS-LODASH-567746) | Proof of Concept (*) Note that the real score may have changed since the PR was raised. Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded. Check the changes in this PR to ensure they won't cause issues with your project. ------------ **Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.* For more information: