[Snyk] Fix for 6 vulnerabilities

[hezro]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity	Reachability
	22/1000 Why? Confidentiality impact: None, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 2, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: Low, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 1.18, Likelihood: 1.86, Score Version: V5	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	No	No Known Exploit	No Path Found
	93/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00114, Social Trends: No, Days since published: 571, Reachable: Yes, Transitive dependency: Yes, Is Malicious: No, Business Criticality: Low, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.1, Likelihood: 4.41, Score Version: V5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	No	Proof of Concept	Reachable
	38/1000 Why? Confidentiality impact: Low, Integrity impact: None, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00121, Social Trends: No, Days since published: 599, Reachable: Yes, Transitive dependency: Yes, Is Malicious: No, Business Criticality: Low, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 1.18, Likelihood: 3.16, Score Version: V5	Information Exposure SNYK-JS-SEQUELIZE-3324089	No	No Known Exploit	Reachable
	48/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: None, Scope: Changed, Exploit Maturity: No data, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Local, EPSS: 0.00689, Social Trends: No, Days since published: 1161, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: Low, Provider Urgency: High, Package Popularity Score: 99, Impact: 4.8, Likelihood: 0.984, Score Version: V5	Arbitrary File Overwrite SNYK-JS-TAR-1536528	No	No Known Exploit	No Path Found
	20/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Unproven, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1160, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: Low, Provider Urgency: Low, Package Popularity Score: 99, Impact: 1.18, Likelihood: 1.69, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	No	No Known Exploit	No Path Found
	56/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.0015, Social Trends: No, Days since published: 466, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: Low, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.1, Likelihood: 2.64, Score Version: V5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	No	Proof of Concept	No Path Found

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: cookie-parser

The new version differs by 12 commits.

• 5d61e1e 1.4.7
• ccf1f54 deps: [email protected] (Fix challenge assessment for redirects juice-shop/juice-shop#116)
• 429cfd4 ci: Use GITHUB_OUTPUT envvar instead of set-output command (Update app.js #100)
• ca4c97e ci: fix errors in ci pipeline for node 8 and 9 (File suffix validation bypassable with // in path juice-shop/juice-shop#104)
• 97bdf39 ci: add support for OSSF scorecard reporting ("Error: e is undefined" when adding products to basket juice-shop/juice-shop#103)
• e5862bd build: [email protected]
• f0688d2 build: [email protected]
• 44ec541 build: [email protected]
• 695435a deps: [email protected]
• f66e7e1 build: [email protected]
• 05e40b1 build: [email protected]
• bc1d501 build: use [email protected] for Node.js 6.x

See the full diff

Package name: express

The new version differs by 219 commits.

• 8e229f9 4.21.1
• a024c8a fix(deps): [email protected]
• 7e562c6 4.21.0
• 1bcde96 fix(deps): [email protected] (#5946)
• 7d36477 fix(deps): [email protected] (#5951)
• 40d2d8f fix(deps): [email protected]
• 77ada90 Deprecate `"back"` magic string in redirects (#5935)
• 21df421 4.20.0
• 4c9ddc1 feat: upgrade to [email protected]
• 9ebe5d5 feat: upgrade to [email protected] (#5928)
• ec4a01b feat: upgrade to [email protected] (#5926)
• 54271f6 fix: don't render redirect values in anchor href
• 125bb74 [email protected] (#5902)
• 2a980ad [email protected] (#5781)
• a3e7e05 docs: specify new instructions for `question` and `discuss`
• c5addb9 deps: [email protected] (#5603)
• e35380a docs: add @ IamLizu to the triage team (#5836)
• f5b6e67 docs: update scorecard link (#5814)
• 2177f67 docs: add OSSF Scorecard badge (#5436)
• f4bd86e Replace Appveyor windows testing with GHA (#5599)
• 2ec589c Fix Contributor Covenant link definition reference in attribution section (#5762)
• 4cf7eed remove minor version pinning from ci (#5722)
• 6d08471 📝 update people, add ctcpip to TC (#5683)
• 61421a8 skip QUERY tests for Node 21 only, still not supported (#5695)

See the full diff

Package name: sequelize

The new version differs by 210 commits.

• d9e0728 fix: throw if where receives an invalid value (#15699)
• 48d6193 fix: update moment-timezone version (#15685)
• fd4afa6 feat(types): use retry-as-promised types for retry options to match documentation (#15484)
• 1247c01 feat: add support for bigints (backport of #14485) (#15413)
• 94beace feat(postgres): add support for lock_timeout [#15345] (#15355)
• 7885000 fix(oracle): remove hardcoded maxRows value (#15323)
• bc39fd6 fix: fix parameters not being replaced when after $$ strings (#15307)
• a205765 fix(postgres): invalidate connection after client-side timeout (#15283)
• 67e69cd fix: remove options.model overwrite on bulkUpdate (#15252)
• 00c6da3 fix(types): add instance.dataValues property to model.d.ts (#15240)
• bf98d7c meta: swap Slack links (#15159)
• 7990095 fix: don't treat \ as escape in standard strings, support E-strings, support vars after ->> operator, treat lowercase e as valid e-string prefix (#15139)
• 851daaf fix(types): fix TS 4.9 excessive depth error on `InferAttributes` (v6) (#15135)
• 9dd93b8 fix(types): expose legacy "types" folder in export alias ( #15123)
• 06ad05d feat(oracle): add support for `dialectOptions.connectString` (#15042)
• a44772e feat(snowflake): Add support for `QueryGenerator#tableExistsQuery` (#15087)
• 55051d0 docs: add missing ssl options for sequelize instance (v6) (#15049)
• 5c88734 docs(model): Added paranoid option for Model.BelongsToMany.through (#15065)
• 7203b66 fix(postgres): add custom order direction to subQuery ordering with minified alias (#15056)
• 5f621d7 fix(oracle): add support for Oracle DB 18c CI (#15016)
• 3468378 feat(types): add typescript 4.8 compatibility (#14990)
• 1da6657 fix(types): missing type for oracle dialect in v6 (#14992)
• c230d80 feat(oracle): add oracle dialect support (#14638)
• 33d94b2 fix(types): backport #14704 for v6 (#14964)

See the full diff

Package name: sqlite3

The new version differs by 170 commits.

• ba4ba07 v5.1.7
• d04c1fb Removed Node version from matrix title
• 03d6e75 v5.1.7-rc.0
• 8398daa Fixed uploading assets from Docker
• 8b86e41 Fixed uploading release assets on Windows
• 83c8c0a Configured releases to be created as prereleases
• f792f69 Update dependency node-addon-api to v7
• 4ef11bf Removed extraneous parameter to event emit function
• e99160a Inlined `init()` functions into class header files
• 3372130 Improved `RowToJS` performance by removing `Napi::String::New` instantiation
• 77b327c Increased number of rows inserted into benchmark database
• 603e468 Fixed minor linting warning
• 8bda876 Refactored Database to use macros for method definitions
• 5809f62 Fixed uploading prebuilt binaries from Docker
• aabd297 Update actions/setup-node action to v4
• c775b81 Extracted common Node-API queuing code into macro
• 2595304 Updated list of supported targets
• 605c7f9 Replaced `@ mapbox/node-pre-gyp` in favor of `prebuild` + `prebuild-install`
• a2cee71 Update dependency mocha to v10
• 7674271 Update dependency eslint to v8
• 83e282d Update actions/checkout digest to b4ffde6
• 8482aaf Update docker/setup-buildx-action action to v3
• c74f267 Update docker/setup-qemu-action action to v3
• 9e8b2ee Reworked CI versions

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)
🦉 Server-side Request Forgery (SSRF)
🦉 Arbitrary File Overwrite
🦉 More lessons are available in Snyk Learn