[Snyk] Upgrade: , dotenv, express, express-rate-limit, google-auth-library, mongoose #126

MihikaNigam · 2024-09-14T10:28:10Z

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

@cyclonedx/cyclonedx-npm
from 1.16.1 to 1.19.3 | 6 versions ahead of your current version | 2 months ago
on 2024-07-15
dotenv
from 16.4.1 to 16.4.5 | 4 versions ahead of your current version | 7 months ago
on 2024-02-20
express
from 4.18.2 to 4.19.2 | 4 versions ahead of your current version | 6 months ago
on 2024-03-25
express-rate-limit
from 7.1.5 to 7.4.0 | 4 versions ahead of your current version | 2 months ago
on 2024-07-23
google-auth-library
from 9.6.3 to 9.14.0 | 8 versions ahead of your current version | 25 days ago
on 2024-08-20
mongoose
from 8.1.1 to 8.5.4 | 24 versions ahead of your current version | 22 days ago
on 2024-08-23

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	XML External Entity (XXE) Injection SNYK-JS-CYCLONEDXCYCLONEDXLIBRARY-6820989	726	Proof of Concept
	Open Redirect SNYK-JS-EXPRESS-6474509	726	No Known Exploit

Release notes

Package name: @cyclonedx/cyclonedx-npm

1.19.3 - 2024-07-15
Dependencies
- Raised runtime dependency @ cyclonedx/cyclonedx-library@^6.11.0, was @^6.6.0 (via #1205)
  This was done to incorporate non-breaking upstream changes and fixes.
Build
- Use TypeScript v5.5.3 now, was v5.4.5 (via #1201)
What's Changed
- Raised runtime dependency @ cyclonedx/cyclonedx-library@^6.11.0 by @ jkowalleck in #1205
- chore(deps): bum [email protected] by @ jkowalleck in #1206
- chore(deps-dev): bump typescript from 5.4.5 to 5.5.3 in the typescript group across 1 directory by @ dependabot in #1201
Full Changelog: v1.19.2...v1.19.3
1.19.2 - 2024-07-10
Fixed
- CycloneDX externalReferences for vcs type (#1198 via #1202)
- CycloneDX property cdx:npm:package:path's value on Windows systems (via #1203)
What's Changed
- tests: tests are less noisy by @ jkowalleck in #1194
- tests: more tests by @ jkowalleck in #1195
- fix: path property on windows by @ jkowalleck in #1203
- fix: vcs url git ssh by @ jkowalleck in #1202
Full Changelog: v1.19.0...v1.19.2
1.19.0 - 2024-06-01
Changed
- Try to sanitize distribution URLs (via #1187, #1191)
Added
- More debug output when it comes to package manifest loading (via #1189)
Misc
- Added direct dependency hosted-git-info@^4||^5||^6||^7 (via #1191)
  This is also a transitive dependency via already existing direct dependency normalize-package-data.
What's Changed
- test: alternative package registry by @ jkowalleck in #1186
- feat: try sanitize dist urls by @ jkowalleck in #1187
- feat: more debug when loading package manifests by @ jkowalleck in #1189
- feat: git url sanitation by @ jkowalleck in #1191
Full Changelog: v1.18.0...v1.19.0
1.18.0 - 2024-05-08
Added
- Licenses acknowledgement might be populated (#1171 via #1183)
Misc
- Raised dependency @ cyclonedx/cyclonedx-library@^6.6.0, was @^6.5.0 (via #1183)
What's Changed
- chore(ci): fix macos runners by @ jkowalleck in #1176
- ci: modernize artifact action by @ jkowalleck in #1178
- ci: use node22 by @ jkowalleck in #1179
- chore: reduce duplicate test beds by @ jkowalleck in #1181
- feat: license acknowledgement by @ jkowalleck in #1183
Full Changelog: v1.17.0...v1.18.0
1.17.0 - 2024-04-23
Added support for CycloneDX Specification-1.6.

Changed
- This tool explicitly supports CycloneDX Specification-1.6 now (via #1175)
Added
- CLI switch --spec-version now supports value 1.6 to reflect CycloneDX Specification-1.6 (via #1175)
  Default value for that option is unchanged - still 1.4.
Build
- Use TypeScript v5.4.5 now, was v5.4.2 (via #1167)
What's Changed
- docs: add CycloneDX 1.6 to README by @ XSpielinbox in #1174
- feat: explicitely support CycloneDX 1.6 by @ jkowalleck in #1175
- chore(deps-dev): bump typescript from 5.4.2 to 5.4.5 in the typescript group by @ dependabot in #1167
New Contributors
- @ XSpielinbox made their first contribution in #1174
Full Changelog: v1.16.2...v1.17.0
1.16.2 - 2024-03-19
Style
- Applied latest code standards (via #1149)
Build
- Use TypeScript v5.4.2 now, was v5.3.3 (via #1160)
What's Changed
- refactor: fix typescript-eslint annotations by @ jkowalleck in #1146
- chore(deps-dev): bump the eslint group with 2 updates by @ dependabot in #1149
- chore(deps-dev): bump the eslint group with 2 updates by @ dependabot in #1152
- chore(deps-dev): bump the eslint group with 2 updates by @ dependabot in #1157
- tests: run with latest CDX spec-version by @ jkowalleck in #1158
- chore(deps): bump softprops/action-gh-release from 1 to 2 by @ dependabot in #1159
- chore(deps-dev): bump the typescript group with 1 update by @ dependabot in #1160
Full Changelog: v1.16.1...v1.16.2
1.16.1 - 2024-01-11
- Fixed
  - Writing large results to buffered streams no longer drops data, but retries until success (via #1145)
- Docs
  - Showcase programmatic CLI usage (#1142 via #1145)
What's Changed
- chore(deps-dev): bump the eslint group with 2 updates by @ dependabot in #1139
- fix: large results on small streams by @ jkowalleck in #1145
Full Changelog: v1.16.0...v1.16.1

from @cyclonedx/cyclonedx-npm GitHub release notes

Package name: dotenv

16.4.5 - 2024-02-20
16.4.5
16.4.4 - 2024-02-13
16.4.4
16.4.3 - 2024-02-12
16.4.3
16.4.2 - 2024-02-10
16.4.2
16.4.1 - 2024-01-24
16.4.1

from dotenv GitHub release notes

Package name: express

4.19.2 - 2024-03-25
4.19.1 - 2024-03-20
What's Changed
- Fix ci after location patch by @ wesleytodd in #5552
- fixed un-edited version in history.md for 4.19.0 by @ wesleytodd in #5556
Full Changelog: 4.19.0...4.19.1
4.19.0 - 2024-03-20
What's Changed
- fix typo in release date by @ UlisesGascon in #5527
- docs: nominating @ wesleytodd to be project captian by @ wesleytodd in #5511
- docs: loosen TC activity rules by @ wesleytodd in #5510
- Add note on how to update docs for new release by @ crandmck in #5541
- Prevent open redirect allow list bypass due to encodeurl
- Release 4.19.0 by @ wesleytodd in #5551
New Contributors
- @ crandmck made their first contribution in #5541
Full Changelog: 4.18.3...4.19.0
4.18.3 - 2024-02-29
Main Changes
- Fix routing requests without method
- deps: [email protected]
  - Fix strict json error message on Node.js 19+
  - deps: content-type@~1.0.5
  - deps: [email protected]
Other Changes
- Use https: protocol instead of deprecated git: protocol by @ vcsjones in #5032
- build: [email protected] and [email protected] by @ abenhamdine in #5034
- ci: update actions/checkout to v3 by @ armujahid in #5027
- test: remove unused function arguments in params by @ raksbisht in #5124
- Remove unused originalIndex from acceptParams by @ raksbisht in #5119
- Fixed typos by @ raksbisht in #5117
- examples: remove unused params by @ raksbisht in #5113
- fix: parameter str is not described in JSDoc by @ raksbisht in #5130
- fix: typos in History.md by @ raksbisht in #5131
- build : add [email protected] by @ abenhamdine in #5028
- test: remove unused function arguments in params by @ raksbisht in #5137
- use random port in test so it won't fail on already listening by @ rluvaton in #5162
- tests: use cb() instead of done() by @ kristof-low in #5233
- examples: remove multipart example by @ riddlew in #5195
- Update support Node.js@18 in the CI by @ UlisesGascon in #5490
- Fix favicon-related bug in cookie-sessions example by @ DmytroKondrashov in #5414
- Release 4.18.3 by @ UlisesGascon in #5505
New Contributors
- @ vcsjones made their first contribution in #5032
- @ abenhamdine made their first contribution in #5034
- @ armujahid made their first contribution in #5027
- @ raksbisht made their first contribution in #5124
- @ rluvaton made their first contribution in #5162
- @ kristof-low made their first contribution in #5233
- @ riddlew made their first contribution in #5195
- @ DmytroKondrashov made their first contribution in #5414
Full Changelog: 4.18.2...4.18.3
4.18.2 - 2022-10-08
- Fix regression routing a large stack in a single route
- deps: [email protected]
  - deps: [email protected]
  - perf: remove unnecessary object clone
- deps: [email protected]

from express GitHub release notes

Package name: express-rate-limit

7.4.0 - 2024-07-23
You can view the changelog here.
7.3.1 - 2024-06-07
Fixed
- Changed error displayed for the creationStack validation check when a store
  with localKeys set to false is used.
- Improved documentation for the creationStack check.
You can view the full changelog here.
7.3.0 - 2024-06-01
Added
- Added a new unsharedStore validation check that identifies cases where a
  single store instance is shared across multiple limiters.
You can view the full changelog here.
7.2.0 - 2024-03-02
Added
- Added a new creationStack validation check that looks for instances created
  in a request handler.
You can view the full changelog here.
7.1.5 - 2023-11-27
Fixed
- Enable async requestWasSuccessful methods to work as documented.
You can view the full changelog here.

from express-rate-limit GitHub release notes

Package name: google-auth-library

9.14.0 - 2024-08-20
9.14.0 (2024-08-19)

Features
- Add AnyAuthClient type (#1843) (3ae120d)
- Extend API Key Support (#1835) (5fc3bcc)
- Group Concurrent getClient Requests (#1848) (243ce28)
Bug Fixes
- deps: Update dependency @ googleapis/iam to v21 (#1847) (e9459f3)
9.13.0 - 2024-07-31
9.13.0 (2024-07-29)

Features
- Group Concurrent Access Token Requests for Base External Clients (#1840) (0e08fc5)
9.12.0 - 2024-07-27
9.12.0 (2024-07-26)

Features
- Expose More Public API Types (#1838) (5745a49)
Bug Fixes
- deps: Update dependency @ googleapis/iam to v19 (#1823) (b070ffb)
- deps: Update dependency @ googleapis/iam to v20 (#1832) (e31a831)
9.11.0 - 2024-06-12
9.11.0 (2024-06-01)

Features
- Adding support of client authentication method. (#1814) (4a14e8c)
9.10.0 - 2024-05-13
9.10.0 (2024-05-10)

Features
- Implement UserRefreshClient#fetchIdToken (#1811) (ae8bc54)
Bug Fixes
- deps: Update dependency @ googleapis/iam to v16 (#1803) (40406a0)
- deps: Update dependency @ googleapis/iam to v17 (#1808) (4d67f07)
- deps: Update dependency @ googleapis/iam to v18 (#1809) (b2b9676)
9.9.0 - 2024-04-24
9.9.0 (2024-04-18)

Features
- Adds suppliers for custom subject token and AWS credentials (#1795) (c680b5d)
9.8.0 - 2024-04-15

Snyk has created this PR to upgrade: - @cyclonedx/cyclonedx-npm from 1.16.1 to 1.19.3. See this package in npm: https://www.npmjs.com/package/@cyclonedx/cyclonedx-npm - dotenv from 16.4.1 to 16.4.5. See this package in npm: https://www.npmjs.com/package/dotenv - express from 4.18.2 to 4.19.2. See this package in npm: https://www.npmjs.com/package/express - express-rate-limit from 7.1.5 to 7.4.0. See this package in npm: https://www.npmjs.com/package/express-rate-limit - google-auth-library from 9.6.3 to 9.14.0. See this package in npm: https://www.npmjs.com/package/google-auth-library - mongoose from 8.1.1 to 8.5.4. See this package in npm: https://www.npmjs.com/package/mongoose See this project in Snyk: https://app.snyk.io/org/mihikanigam/project/47fb0e1b-bb33-4c1d-a88e-84fce84eeb43?utm_source=github&utm_medium=referral&page=upgrade-pr

[Snyk] Upgrade: , dotenv, express, express-rate-limit, google-auth-library, mongoose #126

Are you sure you want to change the base?

[Snyk] Upgrade: , dotenv, express, express-rate-limit, google-auth-library, mongoose #126

Conversation

MihikaNigam commented Sep 14, 2024

Snyk has created this PR to upgrade multiple dependencies.

Issues fixed by the recommended upgrade:

Dependencies

Build

What's Changed

Fixed

What's Changed

Changed

Added

Misc

What's Changed

Added

Misc

What's Changed

Changed

Added

Build

What's Changed

New Contributors

Style

Build

What's Changed

What's Changed

What's Changed

What's Changed

New Contributors

Main Changes

Other Changes

New Contributors

Fixed

Added

Added

Fixed

9.14.0 (2024-08-19)

Features

Bug Fixes

9.13.0 (2024-07-29)

Features

9.12.0 (2024-07-26)

Features

Bug Fixes

9.11.0 (2024-06-01)

Features

9.10.0 (2024-05-10)

Features

Bug Fixes

9.9.0 (2024-04-18)

Features