[Snyk] Upgrade: concurrently, express, mongoose, passport, passport-jwt, validator

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

concurrently
from 6.2.0 to 6.5.1 | 6 versions ahead of your current version | 3 years ago
on 2021-12-19 express
from 4.17.1 to 4.19.2 | 9 versions ahead of your current version | 5 months ago
on 2024-03-25 mongoose
from 5.13.15 to 5.13.22 | 7 versions ahead of your current version | 8 months ago
on 2024-01-02 passport
from 0.4.1 to 0.7.0 | 6 versions ahead of your current version | 9 months ago
on 2023-11-27 passport-jwt
from 4.0.0 to 4.0.1 | 1 version ahead of your current version | 2 years ago
on 2022-12-24 validator
from 13.5.1 to 13.12.0 | 6 versions ahead of your current version | 4 months ago
on 2024-05-09

Issues fixed by the recommended upgrade:

Issue	Score	Exploit Maturity
Prototype Pollution SNYK-JS-MONGOOSE-5777721	586	Proof of Concept
Prototype Poisoning SNYK-JS-QS-3153490	586	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	586	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	586	Proof of Concept
Open Redirect SNYK-JS-EXPRESS-6474509	586	No Known Exploit
Session Fixation SNYK-JS-PASSPORT-2840631	586	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	586	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	586	Proof of Concept

Release notes

Package name: concurrently

6.5.1 - 2021-12-19
- Fix command names when using npm wildcard (#148, #165, #211, #212)
6.5.0 - 2021-12-17
- Add support for configuring via environment variables that start with CONCURRENTLY_ prefix (#289)
- Add --timings flag to show when each process started and stopped, and how long they ran for (#291, #295)
6.4.0 - 2021-11-13
- Add --hide flag to hide the output of specified commands (#138, #173)
6.3.0 - 2021-10-02
- Distribute prefix colors correctly when using npm/yarn/pnpm script expansion (#186, #210, #234, #286)
- Add new option to programmatic API, prefixColors, which serves as fallback for commands without a prefixColor (#286)
6.2.2 - 2021-09-27
- Remove read-pkg dependency which had a vulnerability issue (#274)
6.2.1 - 2021-08-08
- Fix hanging issue after using programmatic API to read from stdin (#252, #253)
  Big kudos to @ brandonchinn178 for finding and fixing this! 🏆 🎉
- Correctly reexport flow controllers (#278)
6.2.0 - 2021-05-24
- Include killed in the command result in programmatic API (#250)
- Make --restart-tries restart forever with negative values (#263)

from concurrently GitHub release notes

Package name: express

4.19.2 - 2024-03-25
4.19.1 - 2024-03-20
What's Changed
- Fix ci after location patch by @ wesleytodd in #5552
- fixed un-edited version in history.md for 4.19.0 by @ wesleytodd in #5556
Full Changelog: 4.19.0...4.19.1
4.19.0 - 2024-03-20
What's Changed
- fix typo in release date by @ UlisesGascon in #5527
- docs: nominating @ wesleytodd to be project captian by @ wesleytodd in #5511
- docs: loosen TC activity rules by @ wesleytodd in #5510
- Add note on how to update docs for new release by @ crandmck in #5541
- Prevent open redirect allow list bypass due to encodeurl
- Release 4.19.0 by @ wesleytodd in #5551
New Contributors
- @ crandmck made their first contribution in #5541
Full Changelog: 4.18.3...4.19.0
4.18.3 - 2024-02-29
Main Changes
- Fix routing requests without method
- deps: body-parser@1.20.2
  - Fix strict json error message on Node.js 19+
  - deps: content-type@~1.0.5
  - deps: raw-body@2.5.2
Other Changes
- Use https: protocol instead of deprecated git: protocol by @ vcsjones in #5032
- build: Node.js@16.18 and Node.js@18.12 by @ abenhamdine in #5034
- ci: update actions/checkout to v3 by @ armujahid in #5027
- test: remove unused function arguments in params by @ raksbisht in #5124
- Remove unused originalIndex from acceptParams by @ raksbisht in #5119
- Fixed typos by @ raksbisht in #5117
- examples: remove unused params by @ raksbisht in #5113
- fix: parameter str is not described in JSDoc by @ raksbisht in #5130
- fix: typos in History.md by @ raksbisht in #5131
- build : add Node.js@19.7 by @ abenhamdine in #5028
- test: remove unused function arguments in params by @ raksbisht in #5137
- use random port in test so it won't fail on already listening by @ rluvaton in #5162
- tests: use cb() instead of done() by @ kristof-low in #5233
- examples: remove multipart example by @ riddlew in #5195
- Update support Node.js@18 in the CI by @ UlisesGascon in #5490
- Fix favicon-related bug in cookie-sessions example by @ DmytroKondrashov in #5414
- Release 4.18.3 by @ UlisesGascon in #5505
New Contributors
- @ vcsjones made their first contribution in #5032
- @ abenhamdine made their first contribution in #5034
- @ armujahid made their first contribution in #5027
- @ raksbisht made their first contribution in #5124
- @ rluvaton made their first contribution in #5162
- @ kristof-low made their first contribution in #5233
- @ riddlew made their first contribution in #5195
- @ DmytroKondrashov made their first contribution in #5414
Full Changelog: 4.18.2...4.18.3
4.18.2 - 2022-10-08
- Fix regression routing a large stack in a single route
- deps: body-parser@1.20.1
  - deps: qs@6.11.0
  - perf: remove unnecessary object clone
- deps: qs@6.11.0
4.18.1 - 2022-04-29
- Fix hanging on large stack of sync routes
4.18.0 - 2022-04-25
- Add "root" option to res.download
- Allow options without filename in res.download
- Deprecate string and non-integer arguments to res.status
- Fix behavior of null/undefined as maxAge in res.cookie
- Fix handling very large stacks of sync middleware
- Ignore Object.prototype values in settings through app.set/app.get
- Invoke default with same arguments as types in res.format
- Support proper 205 responses using res.send
- Use http-errors for res.format error
- deps: body-parser@1.20.0
  - Fix error message for json parse whitespace in strict
  - Fix internal error when inflated body exceeds limit
  - Prevent loss of async hooks context
  - Prevent hanging when request already read
  - deps: depd@2.0.0
  - deps: http-errors@2.0.0
  - deps: on-finished@2.4.1
  - deps: qs@6.10.3
  - deps: raw-body@2.5.1
- deps: cookie@0.5.0
  - Add priority option
  - Fix expires option to reject invalid dates
- deps: depd@2.0.0
  - Replace internal eval usage with Function constructor
  - Use instance methods on process to check for listeners
- deps: finalhandler@1.2.0
  - Remove set content headers that break response
  - deps: on-finished@2.4.1
  - deps: statuses@2.0.1
- deps: on-finished@2.4.1
  - Prevent loss of async hooks context
- deps: qs@6.10.3
- deps: send@0.18.0
  - Fix emitted 416 error missing headers property
  - Limit the headers removed for 304 response
  - deps: depd@2.0.0
  - deps: destroy@1.2.0
  - deps: http-errors@2.0.0
  - deps: on-finished@2.4.1
  - deps: statuses@2.0.1
- deps: serve-static@1.15.0
  - deps: send@0.18.0
- deps: statuses@2.0.1
  - Remove code 306
  - Rename 425 Unordered Collection to standard 425 Too Early
4.17.3 - 2022-02-17
- deps: accepts@~1.3.8
  - deps: mime-types@~2.1.34
  - deps: negotiator@0.6.3
- deps: body-parser@1.19.2
  - deps: bytes@3.1.2
  - deps: qs@6.9.7
  - deps: raw-body@2.4.3
- deps: cookie@0.4.2
- deps: qs@6.9.7
  - Fix handling of __proto__ keys
- pref: remove unnecessary regexp for trust proxy
4.17.2 - 2021-12-17
- Fix handling of undefined in res.jsonp
- Fix handling of undefined when "json escape" is enabled
- Fix incorrect middleware execution with unanchored RegExps
- Fix res.jsonp(obj, status) deprecation message
- Fix typo in res.is JSDoc
- deps: body-parser@1.19.1
  - deps: bytes@3.1.1
  - deps: http-errors@1.8.1
  - deps: qs@6.9.6
  - deps: raw-body@2.4.2
  - deps: safe-buffer@5.2.1
  - deps: type-is@~1.6.18
- deps: content-disposition@0.5.4
  - deps: safe-buffer@5.2.1
- deps: cookie@0.4.1
  - Fix maxAge option to reject invalid values
- deps: proxy-addr@~2.0.7
  - Use req.socket over deprecated req.connection
  - deps: forwarded@0.2.0
  - deps: ipaddr.js@1.9.1
- deps: qs@6.9.6
- deps: safe-buffer@5.2.1
- deps: send@0.17.2
  - deps: http-errors@1.8.1
  - deps: ms@2.1.3
  - pref: ignore empty http tokens
- deps: serve-static@1.14.2
  - deps: send@0.17.2
- deps: setprototypeof@1.2.0
4.17.1 - 2019-05-26

from express GitHub release notes

Package name: mongoose

5.13.22 - 2024-01-02
5.13.21 - 2023-10-19
5.13.20 - 2023-07-12
5.13.19 - 2023-06-22
5.13.18 - 2023-06-22
5.13.17 - 2023-04-04
5.13.16 - 2023-02-20
5.13.15 - 2022-08-22

from mongoose GitHub release notes

Package name: passport

0.7.0 - 2023-11-27
0.7.0
0.6.0 - 2022-05-20
0.6.0
0.5.3 - 2022-05-16
0.5.3
0.5.2 - 2021-12-16
0.5.2
0.5.1 - 2021-12-15
0.5.1
0.5.0 - 2021-09-23
0.5.0
0.4.1 - 2019-12-09
0.4.1

from passport GitHub release notes

Package name: passport-jwt

4.0.1 - 2022-12-24
- Updates jsonwebtoken dependency to ^9.0.0 to address high severity
  vulnerability CVE-2022-3517
- Updates a number of other dependencies
- Fixes a number of typos
[Developer facing]
- Updates CI to use github actions
4.0.0 - 2018-03-13
Fixes #147 - Vulnerability due to dependency on jsonwebtoken 7.x.x

from passport-jwt GitHub release notes

Package name: validator

13.12.0 - 2024-05-09
What's Changed

New Features / Validators
- #2143 isAbaRouting @ songyuew
Fixes, New Locales and Enhancements
- #2207 isLicensePlate add Pakistani en-PK locale @ anasshakil
- #2208 isPort fix invalid leading zeros @ anasshakil
- #2224 isTaxID added Argentina es-AR locale @ estefrare
- #2257 isDate timezone offset fix @ tomaspanek
- #2265 isPassportNumber added ZA locale @ GMorris-professional
- isMobilePhone:
  - #2267 added en-MW locale @ SimranSiddiqui
  - #2140 fix am-AM locale @ AlexKrupko
- #2271 isPostalAddress fix NL locale @ RobinvanderVliet
- #2273 isISO4217 add SLE currency @ urg
- #2278 isStrongPassword fix symbolRegex to include \ @ nandavikas
- #2279 isVAT fixed KZ locale @ MatthieuLemoine
- #2285 isAlpha, isAlphanumeric added eo locale @ RobinvanderVliet
- #2320 isIBAN add Algeria DZ locale @ thibault-lr
- #2343 isVATimprove AU locale @ matthewberryman
- #2345 isUUID add support for v7 @ ruscon
- #2358 isTaxID add Ukraine uk-UA locale @ arttiger
- #2381 isDate disallow hiphen before year @ Sumit-tech-joshi
- Doc fixes and others:
New Contributors
- @ tomaspanek made their first contribution in #2257
- @ estefrare made their first contribution in #2224
- @ GMorris-professional made their first contribution in #2265
- @ SimranSiddiqui made their first contribution in #2267
- @ ZhulinskiiDanil made their first contribution in #2368
- @ devmanbud made their first contribution in #2371
- @ ruscon made their first contribution in #2345
- @ amaliacatalina made their first contribution in #2284
- @ RobinvanderVliet made their first contribution in #2285
- @ anasshakil made their first contribution in #2211
- @ AlexKrupko made their first contribution in #2140
- @ urg made their first contribution in #2273
- @ meyfa made their first contribution in

wambugucoder / MERN-STACK-APP-FCC-CHALLENGE

[Snyk] Upgrade: concurrently, express, mongoose, passport, passport-jwt, validator #630

Snyk has created this PR to upgrade multiple dependencies.

Issues fixed by the recommended upgrade:

What's Changed

What's Changed

New Contributors

Main Changes

Other Changes

New Contributors

What's Changed

New Features / Validators

Fixes, New Locales and Enhancements

New Contributors