[Snyk-dev] Fix for 35 vulnerabilities

[pmlyng]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

#### Changes included in this PR - Changes to the following files to upgrade the vulnerable dependencies to a fixed version: - test/fixtures/severity-control/package.json - test/fixtures/severity-control/.snyk #### Vulnerabilities that will be fixed ##### With an upgrade: Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------  | **619/1000**
**Why?** Has a fix available, CVSS 8.1 | Prototype Pollution
[SNYK-JS-AJV-584908](https://dev.snyk.io/vuln/SNYK-JS-AJV-584908) | Yes | No Known Exploit  | **696/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS)
[SNYK-JS-ANSIREGEX-1583908](https://dev.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908) | Yes | Proof of Concept  | **696/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 7.5 | Prototype Pollution
[SNYK-JS-ASYNC-2441827](https://dev.snyk.io/vuln/SNYK-JS-ASYNC-2441827) | Yes | Proof of Concept  | **706/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 7.7 | Remote Memory Exposure
[SNYK-JS-BL-608877](https://dev.snyk.io/vuln/SNYK-JS-BL-608877) | Yes | Proof of Concept  | **630/1000**
**Why?** Has a fix available, CVSS 8.1 | Internal Property Tampering
[SNYK-JS-BSON-561052](https://dev.snyk.io/vuln/SNYK-JS-BSON-561052) | Yes | No Known Exploit  | **584/1000**
**Why?** Has a fix available, CVSS 7.4 | Regular Expression Denial of Service (ReDoS)
[SNYK-JS-HAWK-2808852](https://dev.snyk.io/vuln/SNYK-JS-HAWK-2808852) | Yes | No Known Exploit  | **586/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS)
[SNYK-JS-HOSTEDGITINFO-1088355](https://dev.snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355) | Yes | Proof of Concept  | **589/1000**
**Why?** Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS)
[SNYK-JS-MINIMATCH-1019388](https://dev.snyk.io/vuln/SNYK-JS-MINIMATCH-1019388) | No | No Known Exploit  | **589/1000**
**Why?** Has a fix available, CVSS 7.5 | Denial of Service (DoS)
[SNYK-JS-MONGODB-473855](https://dev.snyk.io/vuln/SNYK-JS-MONGODB-473855) | Yes | No Known Exploit  | **601/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 5.6 | Prototype Pollution
[SNYK-JS-MONGOOSE-1086688](https://dev.snyk.io/vuln/SNYK-JS-MONGOOSE-1086688) | Yes | Proof of Concept  | **671/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 7 | Prototype Pollution
[SNYK-JS-MONGOOSE-2961688](https://dev.snyk.io/vuln/SNYK-JS-MONGOOSE-2961688) | Yes | Proof of Concept  | **601/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 5.6 | Prototype Pollution
[SNYK-JS-MPATH-1577289](https://dev.snyk.io/vuln/SNYK-JS-MPATH-1577289) | Yes | Proof of Concept  | **686/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution
[SNYK-JS-MQUERY-1050858](https://dev.snyk.io/vuln/SNYK-JS-MQUERY-1050858) | Yes | Proof of Concept  | **696/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 7.5 | Prototype Pollution
[SNYK-JS-MQUERY-1089718](https://dev.snyk.io/vuln/SNYK-JS-MQUERY-1089718) | Yes | Proof of Concept  | **726/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 8.1 | Arbitrary File Overwrite
[SNYK-JS-NPM-537603](https://dev.snyk.io/vuln/SNYK-JS-NPM-537603) | Yes | Proof of Concept  | **451/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 2.6 | Unauthorized File Access
[SNYK-JS-NPM-537604](https://dev.snyk.io/vuln/SNYK-JS-NPM-537604) | Yes | Proof of Concept  | **726/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 8.1 | Arbitrary File Write
[SNYK-JS-NPM-537606](https://dev.snyk.io/vuln/SNYK-JS-NPM-537606) | Yes | Proof of Concept  | **479/1000**
**Why?** Has a fix available, CVSS 5.3 | Insertion of Sensitive Information into Log File
[SNYK-JS-NPM-575435](https://dev.snyk.io/vuln/SNYK-JS-NPM-575435) | Yes | No Known Exploit  | **589/1000**
**Why?** Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS)
[SNYK-JS-NPMUSERVALIDATE-1019352](https://dev.snyk.io/vuln/SNYK-JS-NPMUSERVALIDATE-1019352) | Yes | No Known Exploit  | **624/1000**
**Why?** Has a fix available, CVSS 8.2 | Arbitrary File Overwrite
[SNYK-JS-TAR-1536528](https://dev.snyk.io/vuln/SNYK-JS-TAR-1536528) | Yes | No Known Exploit  | **624/1000**
**Why?** Has a fix available, CVSS 8.2 | Arbitrary File Overwrite
[SNYK-JS-TAR-1536531](https://dev.snyk.io/vuln/SNYK-JS-TAR-1536531) | Yes | No Known Exploit  | **410/1000**
**Why?** Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS)
[SNYK-JS-TAR-1536758](https://dev.snyk.io/vuln/SNYK-JS-TAR-1536758) | Yes | No Known Exploit  | **639/1000**
**Why?** Has a fix available, CVSS 8.5 | Arbitrary File Write
[SNYK-JS-TAR-1579147](https://dev.snyk.io/vuln/SNYK-JS-TAR-1579147) | Yes | No Known Exploit  | **639/1000**
**Why?** Has a fix available, CVSS 8.5 | Arbitrary File Write
[SNYK-JS-TAR-1579152](https://dev.snyk.io/vuln/SNYK-JS-TAR-1579152) | Yes | No Known Exploit  | **639/1000**
**Why?** Has a fix available, CVSS 8.5 | Arbitrary File Write
[SNYK-JS-TAR-1579155](https://dev.snyk.io/vuln/SNYK-JS-TAR-1579155) | Yes | No Known Exploit  | **434/1000**
**Why?** Has a fix available, CVSS 4.4 | Time of Check Time of Use (TOCTOU)
[npm:chownr:20180731](https://dev.snyk.io/vuln/npm:chownr:20180731) | Yes | No Known Exploit  | **636/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 6.3 | Prototype Pollution
[npm:hoek:20180212](https://dev.snyk.io/vuln/npm:hoek:20180212) | Yes | Proof of Concept  | **589/1000**
**Why?** Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS)
[npm:minimatch:20160620](https://dev.snyk.io/vuln/npm:minimatch:20160620) | No | No Known Exploit  | **479/1000**
**Why?** Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS)
[npm:ms:20151024](https://dev.snyk.io/vuln/npm:ms:20151024) | No | No Known Exploit  | **479/1000**
**Why?** Has a fix available, CVSS 5.3 | Access Restriction Bypass
[npm:npm:20180222](https://dev.snyk.io/vuln/npm:npm:20180222) | Yes | No Known Exploit  | **576/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 5.1 | Uninitialized Memory Exposure
[npm:tunnel-agent:20170305](https://dev.snyk.io/vuln/npm:tunnel-agent:20170305) | Yes | Proof of Concept (*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: meanio

The new version differs by 47 commits.

• 36bd4db bumped version
• 64a4945 Merge pull request #111 from linnovate/snyk-fix-86f5d575
• 76dd175 fix: package.json & .snyk to reduce vulnerabilities
• 61e7da3 bumping version deploying new npm
• d1f252f Wilcard events and sticky sockets (#109)
• cd5820f pushing 0.9.0
• d2b2409 Merge pull request #106 from clowenhg/fixes-0.9.0/config-module
• eebd431 newline
• 0f1ba09 Including `loadConfig` for backward compatibility
• 2ea4199 updated module/index to use getConfig()
• 8710ae4 Updated db to use getConfig()
• 6a3295c Creating a 'static' getConfig
• c52d9bf Fixed some missed conflicts
• 874ab45 Merge branch '0.9.0' into fixes-0.9.0/config-module
• 76e76e7 Merge pull request #108 from pashist/0.9.0
• b929780 fix mod static routes
• 2d81916 fix
• dfd0e86 Addressing some houndci style issues
• b5e8b97 Merge pull request #107 from clowenhg/0.9.0
• 6d88b06 Setting to node "5" to use latest stable
• 3fa11f0 Updating travis config
• a483d7a removed aggregation
• f34d1e8 changing aggregation to getConfig()
• fc5a13c Updated libraries to call getConfig()

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• ca7996b chore: release 5.13.15
• e75732a Merge pull request #12307 from Automattic/vkarpov15/fix-5x-build
• a1144dc test: run node 7 tests with upgraded npm re: #12297
• dfc4ad7 test: try upgrading npm for node v4 tests re: #12297
• b9e985c test: more strict @ types/node version
• 4d813fa test: fix @ types/node version in tests re: #12297
• 99b4189 Merge pull request #12297 from shubanker/issue/prototype-pollution-5.x-patch
• 5eb11dd made function non async
• 6a19731 fix(schema): disallow setting __proto__ when creating schema with dotted properties
• a2ec28d Merge pull request #11366 from laissonsilveira/5.x
• 05ce577 Fix broken link from findandmodify method deprecation
• d2b846f chore: release 5.13.14
• 69c1f6c docs(models): fix up nModified example for 5.x
• 4cfc4d6 fix(timestamps): avoid setting `createdAt` on documents that already exist but dont have createdAt
• a738440 chore: release 5.13.13
• 4d12a62 Merge pull request #10942 from jneal-afs/fix-query-set-ts-type
• c3463c4 Merge pull request #10916 from iovanom/gh-10902-v5
• ff5ddb5 fix: hardcode base 10 for nodeMajorVersion parseInt() call
• d205c4d make value optional
• c6fd7f7 Fix ts types for query set
• 22e9b3b [gh-10902 v5] Add node major version to utils
• 5468642 [gh-10902 v5] Emit end event in before close
• 271bc60 Merge pull request #10910 from lorand-horvath/patch-2
• b7ebeec Update mongodb driver to 3.7.3

See the full diff

Package name: npm

The new version differs by 250 commits.

• 30a9844 7.21.0
• 0b2cd9d update AUTHORS
• 06461ec docs: changelog for v7.21.0
• 771a1cb chore(tests): fix snapshots
• 71cdfd8 spdx-license-ids@3.0.10
• 94f92de make-fetch-happen@9.0.5
• 7ac621c smart-buffer@4.2.0
• 218caca is-core-module@2.6.0
• ff6626a fix(docs): update npm-publish access flag info
• b6f40b5 tar@6.1.10
• e9e5ee5 @ npmcli/arborist@2.8.2
• 991a3bd read-package-json@4.0.0
• f077724 init-package-json@2.0.4
• 68a19bb fix(error-message): look for er.path not er.file
• ff34d6c feat(cache): initial implementation of ls and rm
• 8183976 normalize-package-data@3.0.3
• df57f0d @ npmcli/run-script@1.8.6
• 487731c fix(logging): sanitize logged argv
• 7a58264 chore(ci): check that docs are up to date in ci
• 22f3bbb chore(docs): add more 'autogenerated' comments
• 4314490 fix(docs): revert auto-generated portion of docs
• 32e88c9 fix(did-you-mean): switch levenshtein libraries
• 59b9851 7.20.6
• 2591e67 update AUTHORS

See the full diff

##### With a [Snyk patch](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities#patches): Severity | Priority Score (*) | Issue | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------  | **399/1000**
**Why?** Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS)
[npm:debug:20170905](https://dev.snyk.io/vuln/npm:debug:20170905) | No Known Exploit  | **636/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 6.3 | Prototype Pollution
[npm:hoek:20180212](https://dev.snyk.io/vuln/npm:hoek:20180212) | Proof of Concept  | **469/1000**
**Why?** Has a fix available, CVSS 5.1 | Remote Memory Exposure
[npm:request:20160119](https://dev.snyk.io/vuln/npm:request:20160119) | No Known Exploit  | **509/1000**
**Why?** Has a fix available, CVSS 5.9 | Regular Expression Denial of Service (ReDoS)
[npm:tough-cookie:20170905](https://dev.snyk.io/vuln/npm:tough-cookie:20170905) | No Known Exploit  | **576/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 5.1 | Uninitialized Memory Exposure
[npm:tunnel-agent:20170305](https://dev.snyk.io/vuln/npm:tunnel-agent:20170305) | Proof of Concept  | **479/1000**
**Why?** Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS)
[npm:uglify-js:20151024](https://dev.snyk.io/vuln/npm:uglify-js:20151024) | No Known Exploit (*) Note that the real score may have changed since the PR was raised. Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded. Check the changes in this PR to ensure they won't cause issues with your project. ------------ **Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.* For more information: 🧐 [View latest project report](https://app.dev.snyk.io/org/pmlyng/project/4e5f8d72-3d05-43cf-8390-a3ca79380fb1?utm_source=github&utm_medium=referral&page=fix-pr) 🛠 [Adjust project settings](https://app.dev.snyk.io/org/pmlyng/project/4e5f8d72-3d05-43cf-8390-a3ca79380fb1?utm_source=github&utm_medium=referral&page=fix-pr/settings) 📚 [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities) [//]: # (snyk:metadata:{"prId":"c7ba17c9-84e1-47e8-b4c5-a121115fc596","prPublicId":"c7ba17c9-84e1-47e8-b4c5-a121115fc596","dependencies":[{"name":"meanio","from":"0.8.85","to":"0.9.2"},{"name":"mongoose","from":"4.13.21","to":"5.13.15"},{"name":"npm","from":"2.15.12","to":"7.21.0"}],"packageManager":"npm","projectPublicId":"4e5f8d72-3d05-43cf-8390-a3ca79380fb1","projectUrl":"https://app.dev.snyk.io/org/pmlyng/project/4e5f8d72-3d05-43cf-8390-a3ca79380fb1?utm_source=github&utm_medium=referral&page=fix-pr","type":"auto","patch":["npm:debug:20170905","npm:hoek:20180212","npm:request:20160119","npm:tough-cookie:20170905","npm:tunnel-agent:20170305","npm:uglify-js:20151024"],"vulns":["npm:chownr:20180731","SNYK-JS-NPM-537604","SNYK-JS-NPM-537606","SNYK-JS-NPM-575435","npm:npm:20180222","SNYK-JS-NPM-537603","npm:debug:20170905","npm:hoek:20180212","SNYK-JS-NPMUSERVALIDATE-1019352","SNYK-JS-TAR-1536528","SNYK-JS-TAR-1536531","SNYK-JS-TAR-1536758","SNYK-JS-TAR-1579147","SNYK-JS-TAR-1579152","SNYK-JS-TAR-1579155","npm:uglify-js:20151024","npm:minimatch:20160620","SNYK-JS-MINIMATCH-1019388","npm:ms:20151024","npm:request:20160119","npm:tough-cookie:20160722","npm:tough-cookie:20170905","npm:tunnel-agent:20170305","SNYK-JS-AJV-584908","SNYK-JS-ANSIREGEX-1583908","SNYK-JS-ASYNC-2441827","SNYK-JS-BL-608877","SNYK-JS-BSON-561052","SNYK-JS-HAWK-2808852","SNYK-JS-HOSTEDGITINFO-1088355","SNYK-JS-MONGODB-473855","SNYK-JS-MONGOOSE-1086688","SNYK-JS-MONGOOSE-2961688","SNYK-JS-MPATH-1577289","SNYK-JS-MQUERY-1050858","SNYK-JS-MQUERY-1089718"],"upgrade":["SNYK-JS-AJV-584908","SNYK-JS-ANSIREGEX-1583908","SNYK-JS-ASYNC-2441827","SNYK-JS-BL-608877","SNYK-JS-BSON-561052","SNYK-JS-HAWK-2808852","SNYK-JS-HOSTEDGITINFO-1088355","SNYK-JS-MINIMATCH-1019388","SNYK-JS-MONGODB-473855","SNYK-JS-MONGOOSE-1086688","SNYK-JS-MONGOOSE-2961688","SNYK-JS-MPATH-1577289","SNYK-JS-MQUERY-1050858","SNYK-JS-MQUERY-1089718","SNYK-JS-NPM-537603","SNYK-JS-NPM-537604","SNYK-JS-NPM-537606","SNYK-JS-NPM-575435","SNYK-JS-NPMUSERVALIDATE-1019352","SNYK-JS-TAR-1536528","SNYK-JS-TAR-1536531","SNYK-JS-TAR-1536758","SNYK-JS-TAR-1579147","SNYK-JS-TAR-1579152","SNYK-JS-TAR-1579155","npm:chownr:20180731","npm:hoek:20180212","npm:minimatch:20160620","npm:ms:20151024","npm:npm:20180222","npm:tunnel-agent:20170305"],"isBreakingChange":true,"env":"dev","prType":"fix","templateVariants":["priorityScore"],"priorityScoreList":[434,451,726,479,479,726,399,636,589,624,624,410,639,639,639,479,589,589,479,469,589,509,576,619,696,696,706,630,584,586,589,601,671,601,686,696]}) --- **Learn how to fix vulnerabilities with free interactive lessons:** 🦉 [Arbitrary File Write](https://learn.dev.snyk.io/lessons/directory-traversal/javascript/?loc=fix-pr) 🦉 [Access Restriction Bypass](https://learn.dev.snyk.io/lessons/broken-access-control/javascript/?loc=fix-pr) 🦉 [Arbitrary File Overwrite](https://learn.dev.snyk.io/lessons/directory-traversal/javascript/?loc=fix-pr) 🦉 [More lessons are available in Snyk Learn](https://learn.dev.snyk.io?loc=fix-pr)