vaibhavb / carepack

CarePack is a Direct HISP and user interface client with packs which can be used by HISPs out of the box. Check out the current options available at http://carepack.lib13.com
GNU General Public License v3.0
8 stars 0 forks source link

[Snyk] Security upgrade express from 3.4.8 to 4.16.0 #27

Open snyk-bot opened 2 years ago

snyk-bot commented 2 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

merge advice

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 529/1000
Why? Has a fix available, CVSS 6.3
Non-Constant Time String Comparison
npm:cookie-signature:20160804
No No Known Exploit
medium severity 484/1000
Why? Has a fix available, CVSS 5.4
Cross-site Scripting (XSS)
npm:express:20140912
No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
npm:fresh:20170908
Yes No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7
Regular Expression Denial of Service (ReDoS)
npm:mime:20170907
Yes No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Regular Expression Denial of Service (ReDoS)
npm:negotiator:20160616
Yes No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Denial of Service (DoS)
npm:qs:20140806
No No Known Exploit
medium severity 539/1000
Why? Has a fix available, CVSS 6.5
Denial of Service (DoS)
npm:qs:20140806-1
No No Known Exploit
high severity 589/1000
Why? Has a fix available, CVSS 7.5
Prototype Override Protection Bypass
npm:qs:20170213
Yes No Known Exploit
medium severity 429/1000
Why? Has a fix available, CVSS 4.3
Directory Traversal
npm:send:20140912
Yes No Known Exploit
medium severity 479/1000
Why? Has a fix available, CVSS 5.3
Root Path Disclosure
npm:send:20151103
Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

With a Snyk patch:
Severity Priority Score (*) Issue Exploit Maturity
medium severity 479/1000
Why? Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
npm:uglify-js:20151024
No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

πŸ›  Adjust project settings

πŸ“š Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

πŸ¦‰ Directory Traversal πŸ¦‰ Denial of Service (DoS) πŸ¦‰ Denial of Service (DoS) πŸ¦‰ More lessons are available in Snyk Learn