[Snyk] Fix for 27 vulnerabilities

[rasputtintin]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-HAPIACCEPT-548917	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-HAPIAMMO-548918	Yes	No Known Exploit
	475/1000 Why? Has a fix available, CVSS 5	Prototype Pollution SNYK-JS-HAPIHOEK-548452	Yes	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-HAPISUBTEXT-548912	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-HAPISUBTEXT-548916	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-INI-1048974	Yes	Proof of Concept
	644/1000 Why? Has a fix available, CVSS 8.6	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	Yes	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	Yes	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	Yes	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	Yes	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-Y18N-1021887	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @hapi/hapi

The new version differs by 102 commits.

• d5c665a v20.0.0
• b3f2eb5 remove route timeout assertions (#4123)
• 501a264 update to [email protected] (#4130)
• 783aa8a add isInjected property to request object (#4117)
• c31bd6d update to travis templates
• 815c854 update most out of date dependencies
• f46f864 Replace joi with validate
• f7e9193 headers: avoid sending null content-type
• 5c08509 Merge pull request #4132 from lloydbenson/master
• 3f25515 README needs this change to parse the slogan for site
• dc48d06 19.2.0
• 23abbfe Update README.md
• b2aa822 Merge pull request #4101 from dkozma/patch-1
• 5360d6d H3->H4 heading for `server.options.info.remote`
• 8f24209 Merge pull request #4094 from jonathansamines/feature/server-validator-docs
• efc9afe Update API.md
• 05109d7 Merge pull request #4087 from jonathansamines/feature/update-routes-config
• faab7a2 Closes #4079
• 6f3e08d Support node v14
• a8f5688 [server-validator-docs] Update server.validator() documentation to detail child plugins usage
• 07c95da [server-validator-docs] Improve server.validator() documentation to clarify it's usage inside plugins
• fa76016 Merge pull request #4090 from Yahkob/patch-2
• 3c3fc29 Update LICENSE.md
• cb96e07 [update-routes-config] Update API reference to use route.options instead of route.config

See the full diff

Package name: @mojaloop/central-services-error-handling

The new version differs by 7 commits.

• 3e636fd Feature/openapi backend changes (#1173 - Align response codes for PUT callbacks with spec mojaloop/quoting-service#140)
• 7242737 Added error handlers to factory for bug 1314 (Fix for #1173 - GET /quotes for unknown quote ID error response is 1001 instead of 3205 mojaloop/quoting-service#139)
• b1270b6 #1339: Fixes for 'cause' and '_cause' extension exclusion in error responses (Bump @mojaloop/central-services-shared from 8.8.2 to 8.8.3 mojaloop/quoting-service#137)
• 143c7a2 [Security] Bump acorn from 7.1.0 to 7.1.1 (Bump @mojaloop/event-sdk from 8.6.2 to 8.7.0 mojaloop/quoting-service#124)
• 68dfbe7 Added updated Mojaloop license (#1147 - Update dependencies mojaloop/quoting-service#118)
• 3321654 updated to latest node lts version 12.16.0 (Bump @types/jest from 24.0.23 to 24.0.24 mojaloop/quoting-service#112)
• 01324f6 Issue893-ValidateIncomingErrorCodesForErrorEnd-pointCallbackRequestsPerMojaloopSpec (Bump @mojaloop/central-services-shared from 8.6.1 to 8.6.2 mojaloop/quoting-service#96)

See the full diff

Package name: @mojaloop/central-services-shared

The new version differs by 89 commits.

• 14f0b3e feat(2151)!: helm-release-v12.1.0 (fix: #2704 core services support for non breaking backward api compatibility mojaloop/quoting-service#297)
• a5d9141 chore: fix service type typescript enum (chore(deps): bump urijs from 1.19.7 to 1.19.9 mojaloop/quoting-service#296)
• 5aaf087 fix(#2182)!: regex validations against swagger interface spec no longer working (feat(mojaloop/#2704): core-services support for non-breaking backward api compatibility mojaloop/quoting-service#295)
• 0e538d8 chore: bump package version (chore(deps): bump urijs from 1.19.7 to 1.19.8 mojaloop/quoting-service#294)
• fc4fe7e chore: add 'example' as whitelisted keyword (chore(deps): bump follow-redirects from 1.14.7 to 1.14.8 mojaloop/quoting-service#293)
• 6f9496d chore: address vulnerabilities (Bump follow-redirects from 1.14.4 to 1.14.7 mojaloop/quoting-service#291)
• 6275eb0 chore: add services endpoints (fix(mojaloop/#2535): fspiop api version negotiation not handled by quoting service (#289) mojaloop/quoting-service#290)
• 5860510 feat(#2119): fixes for updated for AJV error objects change (fix(mojaloop/#2535): fspiop api version negotiation not handled by quoting service mojaloop/quoting-service#289)
• b83a8bd fixed typo (squash-commits mojaloop/quoting-service#288)
• aee59ed Feature/#2057 refactoring for cs ([Snyk] Security upgrade @mojaloop/central-services-shared from 8.7.1 to 10.6.0 #3) (quoteParty.partySubIdOrTypeId column should not have FK constraint to partyIdentifierType table mojaloop/quoting-service#284)
• 082d373 chore: add PATCH consentRequests endpoint (chore(#864): change instanbul to nyc for coverage on all projects mojaloop/quoting-service#279)
• 7702879 chore: add enums to interface (fix(#2358): firstname, middlename and lastname regex not supporting myanmar script unicode strings mojaloop/quoting-service#278)
• 5dcbe73 chore: add consent and consent request events and patch action (Bump tar from 6.1.0 to 6.1.6 mojaloop/quoting-service#277)
• 9f8713f chore: add accounts callback endpoints ([Security] Bump urijs from 1.19.6 to 1.19.7 mojaloop/quoting-service#275)
• 5e49222 chore: add enums and bump package ([Security] Bump postcss from 7.0.35 to 7.0.36 mojaloop/quoting-service#274)
• f6009d7 chore: 1975 update deps (Bump glob-parent from 5.1.1 to 5.1.2 mojaloop/quoting-service#273)
• f678b43 [Security] Bump axios from 0.21.0 to 0.21.1 (fix: helm release v12.1.0 mojaloop/quoting-service#269)
• a8bfb9c Bump urijs from 1.19.2 to 1.19.5 (chore: helm release v12.1.0  mojaloop/quoting-service#270)
• 7b00ed8 [Security] Bump urijs from 1.19.2 to 1.19.5 (Bump ws from 7.4.1 to 7.4.6 mojaloop/quoting-service#268)
• 46d88e6 #1885: Fix for "multiple servers per repo" use case (fix(#2182): regex validations against swagger interface spec no longer working mojaloop/quoting-service#267)
• cbd0434 Hotfix: Fix dependencies for API documentation (fix: #2103 fix subid functionality in POST quotes request mojaloop/quoting-service#264)
• 327a51c chore: update license file (feat(#2119): fixes for updated for AJV error objects change mojaloop/quoting-service#265)
• df81389 #1885: Add API documentation utility, plugin, and endpoints (Bump djv from 2.1.2 to 2.1.4 mojaloop/quoting-service#263)
• 9c88000 Add FSPIOP headers validation for bulk transfers (chore: adding documentation on rules mojaloop/quoting-service#262)

See the full diff

Package name: @mojaloop/event-sdk

The new version differs by 31 commits.

• e90cdda chore(release): 12.0.0 [skip ci]
• 52f81db chore(mojaloop/#3455): nodejs upgrade (Bump @mojaloop/central-services-error-handling from 8.2.1 to 8.3.0 mojaloop/quoting-service#73)
• 2aa1caf chore(release): 11.0.2 [skip ci]
• f57c3b3 fix: moved logger dependency as a peerDependency to be consistent with other mojaloop repos
• c7c7714 chore(release): 11.0.1 [skip ci]
• 0fab3e9 fix: postchangelog now will correctly work
• 28ce298 chore(release): 11.0.0 [skip ci]
• 6fa9f74 feat(mojaloop/#2092): upgrade nodeJS version for core services (Commented out the function getParticipantEndpoint in cachedDatabase mojaloop/quoting-service#67)
• f5d863a chore: add tsconfig option to build declaration file (Bump @mojaloop/central-services-error-handling from 8.2.0 to 8.2.1 mojaloop/quoting-service#64)
• 085a6ae feat(2151): helm release v12.1.0 (Hotfix/invalid config used to number precision mojaloop/quoting-service#56)
• 4eea6cd feat(2151): helm-release-v12.1.0 (Changes to fix config issues in the database.js file mojaloop/quoting-service#55)
• 86d4c3d feat(ci/cd): add pr title check (Issue990-AddressBugFixingPerIssue9 mojaloop/quoting-service#47)
• 8eec478 chore: update license file ([Snyk] Fix for 2 vulnerabilities #45)
• fa0d1ff Bump ini from 1.3.5 to 1.3.7 (Bump @mojaloop/central-services-shared from 8.1.3 to 8.1.4 mojaloop/quoting-service#46)
• 5aef313 Bump highlight.js from 10.1.1 to 10.4.1 ([Snyk] Security upgrade json-rules-engine from 5.0.0 to 7.1.0 #44)
• e6597ac update dependencies to remove vulnerabilities ([Snyk] Fix for 17 vulnerabilities #42)
• 45ca858 updated link ([Snyk] Security upgrade @mojaloop/central-services-shared from 8.7.1 to 8.7.2 #40)
• bd02ba9 Resolve some of the audit issues ([Snyk] Security upgrade knex from 0.20.6 to 0.95.0 #39)
• ea95367 Feature/#1383 doc update ([Snyk] Fix for 1 vulnerabilities #38)
• 726108f Fix/#1263 tracetags refresh ([Snyk] Fix for 1 vulnerabilities #37)
• 678319f Fix/#1263 encode tracestate missing tracestates on new ([Snyk] Fix for 1 vulnerabilities #36)
• 53735fe Feature/#1263 encode tracestate ([Snyk] Security upgrade @mojaloop/central-services-shared from 8.7.1 to 18.3.0 #35)
• 1e3a873 Fix/other tracestate missing 2 ([Snyk] Security upgrade axios from 0.19.0 to 1.6.4 #34)
• 063e50d Fix/other tracestate missing ([Snyk] Fix for 1 vulnerabilities #33)

See the full diff

Package name: blipp

The new version differs by 3 commits.

• eea0f6c 4.0.2
• f9f94ce Update dependencies (including the Joi package rename) (Hotfix/invalid config used to number precision mojaloop/quoting-service#56)
• 86280cf Bump handlebars from 4.1.0 to 4.5.3 (Bump @mojaloop/central-services-shared from 8.1.3 to 8.1.4 mojaloop/quoting-service#46)

See the full diff

Package name: hapi-openapi

The new version differs by 3 commits.

• a4dd048 updated changelog and version to new major (breaking changes upgrading hapi)
• d18bbb5 Upgrade dependencies to support hapi 19 (Poc/validation for name places accents mojaloop/quoting-service#173)
• 429bfbf fix(validation): respect `allowUnknown` route property (Bump @mojaloop/central-services-shared from 9.3.0 to 9.4.0 mojaloop/quoting-service#169)

See the full diff

Package name: knex

The new version differs by 250 commits.

• ed0e8a5 Fix SQLite not doing rollback when altering columns fails (#4336)
• 3c70dca Prepare 0.95.0 for release
• c1ab23c Await asynchronous expect assertions (#4334)
• 3e6176a SQLite parser improvements (#4333)
• a98614d Made the constraint detection case-insensitive (#4330)
• 5d2db21 Fix ArrayIfAlready type (#4331)
• 887a4f6 Improve join and conflict types v2 (#4318)
• 29b8a36 Adjust generateDdlCommands return type (#4326)
• d807832 mssql: schema builder - attempt to drop default constraints when changing default value on columns (#4321)
• c0d8c5c mssql: schema builder - add predictable constraint names for default values (#4319)
• 5ec76f5 Convert produced statements to objects before querying (#4323)
• 9e28a72 Add support for altering columns to SQLite (#4322)
• 7db2d18 fix mssql alter column must have its own query (#4317)
• 371864d Bump typescript from 4.1.5 to 4.2.2 (#4312)
• 6c3e7b5 mssql: don't raise query-error twice (#4314)
• 168f2af Bump eslint-config-prettier from 7.2.0 to 8.1.0 (#4315)
• 3718d64 Respect KNEX_TEST, support omitting sqlite3 from DB, and reduce outside mssql test db config (#4313)
• c58794b Prepare to release 0.95.0-next3
• 61e1046 Avoid importing entire lodash to ensure tree-shaking is working correctly (#4302)
• 8c73417 events: introduce queryContext on query-error (#4301)
• b6fd941 Include 'name' property in MigratorConfig (#4300)
• 9581100 Prepare to release 0.95.0-next2
• 5614c18 Timestamp UTC Standardization for Migrations (#4245)
• 4899346 Fix for ES Module detection using npm@7 (#4295) (#4296)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Command Injection
🦉 More lessons are available in Snyk Learn