[Snyk] Upgrade: , , bcrypt, cloudinary, mongodb, cookie-parser, dotenv, express, handlebars, express-handlebars, express-session, formidable, hbs, http-errors, morgan, passport, sharp

[nguyentanvinh7a]

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

@fortawesome/fontawesome-free
from 5.15.1 to 5.15.4 | 3 versions ahead of your current version | 3 years ago
on 2021-08-04
@sendgrid/mail
from 7.4.1 to 7.7.0 | 10 versions ahead of your current version | 2 years ago
on 2022-05-18
bcrypt
from 5.0.0 to 5.1.1 | 3 versions ahead of your current version | a year ago
on 2023-08-16
cloudinary
from 1.23.0 to 1.41.3 | 37 versions ahead of your current version | 8 months ago
on 2024-01-18
mongodb
from 3.6.3 to 3.7.4 | 14 versions ahead of your current version | a year ago
on 2023-06-21
cookie-parser
from 1.4.5 to 1.4.6 | 1 version ahead of your current version | 3 years ago
on 2021-11-16
dotenv
from 8.2.0 to 8.6.0 | 5 versions ahead of your current version | 3 years ago
on 2021-05-05
express
from 4.17.1 to 4.19.2 | 9 versions ahead of your current version | 5 months ago
on 2024-03-25
handlebars
from 4.7.7 to 4.7.8 | 1 version ahead of your current version | a year ago
on 2023-08-01
express-handlebars
from 5.2.0 to 5.3.5 | 7 versions ahead of your current version | 3 years ago
on 2021-11-13
express-session
from 1.17.1 to 1.18.0 | 3 versions ahead of your current version | 7 months ago
on 2024-01-28
formidable
from 1.2.2 to 1.2.6 | 4 versions ahead of your current version | 3 years ago
on 2021-10-30
hbs
from 4.1.1 to 4.2.0 | 2 versions ahead of your current version | 3 years ago
on 2021-11-17
http-errors
from 1.6.3 to 1.8.1 | 6 versions ahead of your current version | 3 years ago
on 2021-11-14
morgan
from 1.9.1 to 1.10.0 | 1 version ahead of your current version | 4 years ago
on 2020-03-20
passport
from 0.4.1 to 0.7.0 | 6 versions ahead of your current version | 9 months ago
on 2023-11-27
sharp
from 0.27.1 to 0.33.5 | 52 versions ahead of your current version | 22 days ago
on 2024-08-16

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	696	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	696	Proof of Concept
	Improper Input Validation SNYK-JS-FOLLOWREDIRECTS-6141137	696	Proof of Concept
	Prototype Poisoning SNYK-JS-QS-3153490	696	Proof of Concept
	Arbitrary File Overwrite SNYK-JS-TAR-1536528	696	No Known Exploit
	Arbitrary File Overwrite SNYK-JS-TAR-1536531	696	No Known Exploit
	Code Injection SNYK-JS-LODASH-1040724	696	Proof of Concept
	Arbitrary File Write SNYK-JS-TAR-1579147	696	No Known Exploit
	Arbitrary File Write SNYK-JS-TAR-1579152	696	No Known Exploit
	Arbitrary File Write SNYK-JS-TAR-1579155	696	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	696	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	696	Proof of Concept
	Information Exposure SNYK-JS-SIMPLEGET-2361683	696	Proof of Concept
	Information Exposure SNYK-JS-SIMPLEGET-2361683	696	Proof of Concept
	Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767	696	Proof of Concept
	Open Redirect SNYK-JS-EXPRESS-6474509	696	No Known Exploit
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	696	Proof of Concept
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	696	Proof of Concept
	Session Fixation SNYK-JS-PASSPORT-2840631	696	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	696	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	696	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-COLORSTRING-1082939	696	Proof of Concept
	Information Exposure SNYK-JS-MONGODB-5871303	696	No Known Exploit
	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-TAR-6476909	696	Proof of Concept
	Remote Code Execution (RCE) SNYK-JS-SHARP-2848109	696	No Known Exploit
	Prototype Pollution SNYK-JS-HANDLEBARS-1279029	696	Proof of Concept
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2396346	696	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	696	No Known Exploit
	Heap-based Buffer Overflow SNYK-JS-SHARP-5922108	696	Mature

Release notes

Package name: @fortawesome/fontawesome-free

• 5.15.4 - 2021-08-04
• 5.15.3 - 2021-03-16
• 5.15.2 - 2021-01-13
• 5.15.1 - 2020-10-05

from @fortawesome/fontawesome-free GitHub release notes

Package name: @sendgrid/mail

• 7.7.0 - 2022-05-18
  

  Release Notes

  Library - Docs

  • PR #1360: Modify README.md in alignment with SendGrid Support. Thanks to @ garethpaul!
  • PR #1359: Fix troubleshooting in readme. Thanks to @ MarcusHSmith!

  Library - Feature

  • PR #1352: allow use of bypass options. Thanks to @ acanimal!

  Library - Fix

  • PR #1351: Fix typings for eventwebhook.d.ts PublicKey. Thanks to @ Cellule!
• 7.6.2 - 2022-03-09
  

  Release Notes

  Library - Chore

  • PR #1347: update Axios dependency. Thanks to @ JenniferMah!
  • PR #1341: push Datadog Release Metric upon deploy success. Thanks to @ eshanholtz!

  Library - Docs

  • PR #1342: fix broken image links on npm. Thanks to @ IObert!
  • PR #1340: Update docs with bodyParser exclusion for webhook signature verification. Thanks to @ danmana!
• 7.6.1 - 2022-02-09
  

  Release Notes

  Library - Chore

  • PR #1334: upgrade supported language versions. Thanks to @ childish-sambino!
  • PR #1329: migrate to gh actions. Thanks to @ shwetha-manvinkurke!
  • PR #1320: adjust 'packages/mail/src/mail.d.ts'. Thanks to @ collierrgbsitisfise!
  • PR #1325: update license year. Thanks to @ JenniferMah!

  Library - Test

  • PR #1330: set the right version for tests. Thanks to @ shwetha-manvinkurke!
  • PR #1327: get the integration tests running again. Thanks to @ shwetha-manvinkurke!

  Library - Fix

  • PR #1326: Revert "chore: adjust 'packages/mail/src/mail.d.ts' (#1320)". Thanks to @ eshanholtz!

  Library - Docs

  • PR #1324: fix npm docs link. Thanks to @ arvindell!
• 7.6.0 - 2021-11-03
  

  Release Notes

  Library - Docs

  • PR #1314: Fix example of creating a transactional template in usage.md. Thanks to @ robbieaverill!

  Library - Feature

  • PR #1312: allow personalization of the From name & email for each email recipient. Thanks to @ beebzz!
• 7.5.0 - 2021-10-18
  

  Release Notes

  Library - Feature

  • PR #1303: Added support of replyToList in the library, #339:. Thanks to @ subinoy7!

  Library - Docs

  • PR #1308: improve signed webhook validation instruction. Thanks to @ shwetha-manvinkurke!

  Library - Test

  • PR #1305: fix issue with new client overriding previously set api key. Thanks to @ seantcanavan!
• 7.4.7 - 2021-09-22
• 7.4.6 - 2021-08-11
• 7.4.5 - 2021-06-16
• 7.4.4 - 2021-05-05
• 7.4.2 - 2021-01-13
• 7.4.1 - 2021-01-06

from @sendgrid/mail GitHub release notes

Package name: bcrypt

• 5.1.1 - 2023-08-16
  

  What's Changed

  • Refactored example with async await by @ lpizzinidev in #894
  • Fixed z/OS build issue by @ laijonathan in #968
  • Update dependencies by @ recrsn in #993

  New Contributors

  • @ lpizzinidev made their first contribution in #894
  • @ laijonathan made their first contribution in #968

  Full Changelog: v5.1.0...v5.1.1

• 5.1.0 - 2022-10-06
  

  What's Changed

  • Update node-pre-gyp to 1.0.2 by @ feuxfollets1013 in #865
  • Update README for inclusion of musl by @ arbourd in #883
  • Version bump, security updates to sub dep npmlog by @ adaniels-parabol in #905
  • document ESM usage (#892) by @ mariusa in #899
  • fix: update travis CI Docker image repository by @ cokia in #930
  • Update node versions in appveyor test matrix by @ p-kuen in #936
  • chore(appveyor): not use latest npm by @ cokia in #932
  • chore: update Appveyor readme badge by @ cokia in #933
  • Use Github actions for CI by @ recrsn in #858
  • Update dependencies by @ recrsn in #953
  • Migrate tests to use Jest by @ recrsn in #958
  • Pin NAPI to v3 by @ recrsn in #959

  New Contributors

  • @ feuxfollets1013 made their first contribution in #865
  • @ arbourd made their first contribution in #883
  • @ adaniels-parabol made their first contribution in #905
  • @ mariusa made their first contribution in #899
  • @ cokia made their first contribution in #930
  • @ p-kuen made their first contribution in #936

  Full Changelog: v5.0.1...v5.1.0

• 5.0.1 - 2021-02-26
  

  Update node-pre-gyp to 1.0.0

• 5.0.0 - 2020-06-08
  
  • Fix the bcrypt "wrap-around" bug. It affects passwords with lengths >= 255.
    It is uncommon but it's a bug nevertheless. Previous attempts to fix the bug
    was unsuccessful.
  • Experimental support for z/OS
  • Fix a bug related to NUL in password input
  • Update node-pre-gyp to 0.15.0

from bcrypt GitHub release notes

Package name: cloudinary

• 1.41.3 - 2024-01-18
• 1.41.2 - 2024-01-08
• 1.41.1 - 2023-12-18
• 1.41.0 - 2023-09-26
• 1.40.0 - 2023-07-31
• 1.39.0 - 2023-07-24
• 1.38.0 - 2023-07-20
• 1.37.3 - 2023-06-26
• 1.37.2 - 2023-06-19
• 1.37.1 - 2023-06-09
• 1.37.0 - 2023-05-16
• 1.36.4 - 2023-05-02
• 1.36.3 - 2023-05-02
• 1.36.2 - 2023-04-24
• 1.36.1 - 2023-04-13
• 1.36.0 - 2023-04-13
• 1.35.0 - 2023-03-03
• 1.34.0 - 2023-02-13
• 1.33.0 - 2022-12-15
• 1.32.0 - 2022-09-14
• 1.31.0 - 2022-08-28
• 1.30.1 - 2022-07-21
• 1.30.0 - 2022-05-15
• 1.29.1 - 2022-04-17
• 1.29.0 - 2022-03-24
• 1.28.1 - 2022-01-06
• 1.28.0 - 2022-01-02
• 1.27.1 - 2021-10-11
• 1.27.0 - 2021-09-12
• 1.26.3 - 2021-08-01
• 1.26.2 - 2021-07-04
• 1.26.1 - 2021-06-22
• 1.26.0 - 2021-06-06
• 1.25.2 - 2021-05-30
• 1.25.1 - 2021-03-22
• 1.25.0 - 2021-02-22
• 1.24.0 - 2021-01-31
• 1.23.0 - 2020-08-26

from cloudinary GitHub release notes

Package name: mongodb

• 3.7.4 - 2023-06-21
  

  The MongoDB Node.js team is pleased to announce version 3.7.4 of the mongodb package!

  Release Highlights

  This release fixes a bug that throws a type error when SCRAM-SHA-256 is used with saslprep in a webpacked environment.

  3.7.4 (2023-06-21)

  Bug Fixes

  • NODE-3711: retry txn end on retryable write (#3047) (1595140)
  • NODE-5355: prevent error when saslprep is not a function (#3733) (152425a)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 3.7.3 - 2021-10-20
• 3.7.2 - 2021-10-05
• 3.7.1 - 2021-09-14
• 3.7.0 - 2021-08-31
• 3.6.12 - 2021-08-30
• 3.6.11 - 2021-08-05
• 3.6.10 - 2021-07-06
• 3.6.9 - 2021-05-26
• 3.6.8 - 2021-05-21
• 3.6.7 - 2021-05-18
• 3.6.6 - 2021-04-06
• 3.6.5 - 2021-03-16
• 3.6.4 - 2021-02-02
• 3.6.3 - 2020-11-06

from mongodb GitHub release notes

Package name: cookie-parser

• 1.4.6 - 2021-11-16
  
  • deps: [email protected]
• 1.4.5 - 2020-03-15
  
  • deps: [email protected]

from cookie-parser GitHub release notes

Package name: dotenv

• 8.6.0 - 2021-05-05
  

  Show as 'added' in changelog

• 8.5.1 - 2021-05-05
  

  Bump version 8.5.1

• 8.5.0 - 2021-05-05
  

  Bump version 8.5.0

• 8.4.0 - 2021-05-05
  

  Point to types file for VS Code. Bump 8.4.0

• 8.3.0 - 2021-05-05
  

  Drop node 8 support

• 8.2.0 - 2019-10-16
  

  chore(release): 8.2.0

from dotenv GitHub release notes

Package name: express

• 4.19.2 - 2024-03-25
• 4.19.1 - 2024-03-20
  

  What's Changed

  • Fix ci after location patch by @ wesleytodd in #5552
  • fixed un-edited version in history.md for 4.19.0 by @ wesleytodd in #5556

  Full Changelog: 4.19.0...4.19.1

• 4.19.0 - 2024-03-20
  

  What's Changed

  • fix typo in release date by @ UlisesGascon in #5527
  • docs: nominating @ wesleytodd to be project captian by @ wesleytodd in #5511
  • docs: loosen TC activity rules by @ wesleytodd in #5510
  • Add note on how to update docs for new release by @ crandmck in #5541
  • Prevent open redirect allow list bypass due to encodeurl
  • Release 4.19.0 by @ wesleytodd in #5551

  New Contributors

  • @ crandmck made their first contribution in #5541

  Full Changelog: 4.18.3...4.19.0

• 4.18.3 - 2024-02-29
  

  Main Changes

  • Fix routing requests without method
  • deps: [email protected]
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: [email protected]

  Other Changes

  • Use https: protocol instead of deprecated git: protocol by @ vcsjones in #5032
  • build: [email protected] and [email protected] by @ abenhamdine in #5034
  • ci: update actions/checkout to v3 by @ armujahid in #5027
  • test: remove unused function arguments in params by @ raksbisht in #5124
  • Remove unused originalIndex from acceptParams by @ raksbisht in #5119
  • Fixed typos by @ raksbisht in #5117
  • examples: remove unused params by @ raksbisht in #5113
  • fix: parameter str is not described in JSDoc by @ raksbisht in #5130
  • fix: typos in History.md by @ raksbisht in #5131
  • build : add [email protected] by @ abenhamdine in #5028
  • test: remove unused function arguments in params by @ raksbisht in #5137
  • use random port in test so it won't fail on already listening by @ rluvaton in #5162
  • tests: use cb() instead of done() by @ kristof-low in #5233
  • examples: remove multipart example by @ riddlew in #5195
  • Update support Node.js@18 in the CI by @ UlisesGascon in #5490
  • Fix favicon-related bug in cookie-sessions example by @ DmytroKondrashov in #5414
  • Release 4.18.3 by @ UlisesGascon in #5505

  New Contributors

  • @ vcsjones made their first contribution in #5032
  • @ abenhamdine made their first contribution in #5034
  • @ armujahid made their first contribution in #5027
  • @ raksbisht made their first contribution in #5124
  • @ rluvaton made their first contribution in #5162
  • @ kristof-low made their first co...