Skip to content

[Snyk] Upgrade: , axios, express, mongodb #310

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Snyk] Upgrade: , axios, express, mongodb #310

wants to merge 1 commit into from

Conversation

@eliranRP
Copy link
Collaborator

@eliranRP eliranRP commented Sep 8, 2024

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name Versions Released on

@aws-sdk/client-secrets-manager
from 3.321.1 to 3.632.0 | 152 versions ahead of your current version | 24 days ago
on 2024-08-15
axios
from 1.4.0 to 1.7.4 | 19 versions ahead of your current version | a month ago
on 2024-08-13
express
from 4.18.2 to 4.19.2 | 4 versions ahead of your current version | 5 months ago
on 2024-03-25
mongodb
from 5.3.0 to 5.9.2 | 11 versions ahead of your current version | 9 months ago
on 2023-12-05

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Cross-site Request Forgery (CSRF)
SNYK-JS-AXIOS-6032459		 676 Proof of Concept
high severity Prototype Pollution
SNYK-JS-AXIOS-6144788		 676 No Known Exploit
high severity Server-side Request Forgery (SSRF)
SNYK-JS-AXIOS-7361793		 676 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-FASTXMLPARSER-5668858		 676 No Known Exploit
high severity Improper Input Validation
SNYK-JS-FOLLOWREDIRECTS-6141137		 676 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-AXIOS-6124857		 676 Proof of Concept
medium severity Open Redirect
SNYK-JS-EXPRESS-6474509		 676 No Known Exploit
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-FASTXMLPARSER-7573289		 676 No Known Exploit
medium severity Information Exposure
SNYK-JS-MONGODB-5871303		 676 No Known Exploit
medium severity Information Exposure
SNYK-JS-FOLLOWREDIRECTS-6444610		 676 Proof of Concept
Release notes
Package name: @aws-sdk/client-secrets-manager
  • 3.632.0 - 2024-08-15

    3.632.0(2024-08-15)

    New Features
    • clients: update client endpoints as of 2024-08-15 (05ff22bf)
    • client-s3: Amazon Simple Storage Service / Features : Adds support for pagination in the S3 ListBuckets API. (f31c6ea7)
    • client-docdb: This release adds Global Cluster Failover capability which enables you to change your global cluster's primary AWS region, the region that serves writes, during a regional outage. Performing a failover action preserves your Global Cluster setup. (62c6973c)
    • client-iam: Make the LastUsedDate field in the GetAccessKeyLastUsed response optional. This may break customers who only call the API for access keys with a valid LastUsedDate. This fixes a deserialization issue for access keys without a LastUsedDate, because the field was marked as required but could be null. (2e20e957)
    • client-ecs: This release introduces a new ContainerDefinition configuration to support the customer-managed keys for ECS container restart feature. (e56be698)
    Bug Fixes
    • util-endpoints: parseArn when resourcePath contains both delimiters (#6387) (63cb133f)
    • credential-providers: avoid sharing http2 requestHandler with inner STS (#6389) (d7b16106)
    • lib-dynamodb: missing @ smithy/core dependency in @ aws-sdk/lib-dynamodb (#6384) (84fd78ba)

    For list of updated packages, view updated-packages.md in assets-3.632.0.zip

  • 3.631.0 - 2024-08-14

    3.631.0(2024-08-14)

    New Features
    • client-codebuild: AWS CodeBuild now supports using Secrets Manager to store git credentials and using multiple source credentials in a single project. (9e44d9f4)
    Bug Fixes
    • util-endpoints: check for entire resource-path being empty (#6380) (08ad5100)

    For list of updated packages, view updated-packages.md in assets-3.631.0.zip

  • 3.629.0 - 2024-08-12

    3.629.0(2024-08-12)

    Chores
    Documentation Changes
    • client-compute-optimizer: Doc only update for Compute Optimizer that fixes several customer-reported issues relating to ECS finding classifications (933816fb)
    • client-groundstation: Updating documentation for OEMEphemeris to link to AWS Ground Station User Guide (aee7efd6)
    New Features
    • client-medialive: AWS Elemental MediaLive now supports now supports editing the PID values for a Multiplex. (4f1db8e5)
    • client-config-service: Documentation update for the OrganizationConfigRuleName regex pattern. (032e287f)
    • client-ec2: This release adds new capabilities to manage On-Demand Capacity Reservations including the ability to split your reservation, move capacity between reservations, and modify the instance eligibility of your reservation. (6e0db432)
    • client-eks: Added support for new AL2023 GPU AMIs to the supported AMITypes. (54703e47)
    • client-sagemaker: Releasing large data support as part of CreateAutoMLJobV2 in SageMaker Autopilot and CreateDomain API for SageMaker Canvas. (014f34c3)
    • core/httpAuthSchemes: set configuration sources for sigv4a signingRegionSet (#6368) (03bb39fe)
    Bug Fixes
    • core/httpAuthSchemes: default sigv4aSigningRegionSet to undefined (#6375) (8cccf59c)

    For list of updated packages, view updated-packages.md in assets-3.629.0.zip

  • 3.624.0 - 2024-08-05
  • 3.623.0 - 2024-08-02
  • 3.622.0 - 2024-08-01
  • 3.621.0 - 2024-07-30
  • 3.620.1 - 2024-07-29
  • 3.620.0 - 2024-07-25
  • 3.616.0 - 2024-07-18
  • 3.614.0 - 2024-07-10
  • 3.613.0 - 2024-07-09
  • 3.609.0 - 2024-07-02
  • 3.606.0 - 2024-06-28
  • 3.600.0 - 2024-06-18
  • 3.599.0 - 2024-06-17
  • 3.598.0 - 2024-06-14
  • 3.596.0 - 2024-06-12
  • 3.592.0 - 2024-06-06
  • 3.590.0 - 2024-06-04
  • 3.588.0 - 2024-05-31
  • 3.587.0 - 2024-05-30
  • 3.583.0 - 2024-05-23
  • 3.582.0 - 2024-05-22
  • 3.580.0 - 2024-05-20
  • 3.578.0 - 2024-05-16
  • 3.577.0 - 2024-05-15
  • 3.576.0 - 2024-05-14
  • 3.575.0 - 2024-05-13
  • 3.574.0 - 2024-05-10
  • 3.572.0 - 2024-05-08
  • 3.569.0 - 2024-05-03
  • 3.568.0 - 2024-05-02
  • 3.567.0 - 2024-05-01
  • 3.565.0 - 2024-04-29
  • 3.564.0 - 2024-04-26
  • 3.563.0 - 2024-04-25
  • 3.556.0 - 2024-04-16
  • 3.554.0 - 2024-04-11
  • 3.552.0 - 2024-04-09
  • 3.549.0 - 2024-04-04
  • 3.543.0 - 2024-03-27
  • 3.540.0 - 2024-03-22
  • 3.535.0 - 2024-03-15
  • 3.534.0 - 2024-03-14
  • 3.533.0 - 2024-03-13
  • 3.529.1 - 2024-03-08
  • 3.529.0 - 2024-03-07
  • 3.525.0 - 2024-02-29
  • 3.523.0 - 2024-02-27
  • 3.521.0 - 2024-02-23
  • 3.515.0 - 2024-02-15
  • 3.514.0 - 2024-02-14
  • 3.513.0 - 2024-02-13
  • 3.511.0 - 2024-02-09
  • 3.509.0 - 2024-02-07
  • 3.507.0 - 2024-02-05
  • 3.504.0 - 2024-01-31
  • 3.503.1 - 2024-01-30
  • 3.503.0 - 2024-01-30
  • 3.502.0 - 2024-01-29
  • 3.501.0 - 2024-01-26
  • 3.499.0 - 2024-01-24
  • 3.496.0 - 2024-01-19
  • 3.495.0 - 2024-01-18
  • 3.491.0 - 2024-01-12
  • 3.490.0 - 2024-01-11
  • 3.489.0 - 2024-01-10
  • 3.485.0 - 2024-01-03
  • 3.484.0 - 2023-12-29
  • 3.481.0 - 2023-12-26
  • 3.480.0 - 2023-12-22
  • 3.478.0 - 2023-12-20
  • 3.477.0 - 2023-12-19
  • 3.476.0 - 2023-12-18
  • 3.474.0 - 2023-12-14
  • 3.473.0 - 2023-12-13
  • 3.470.0 - 2023-12-08
  • 3.468.0 - 2023-12-06
  • 3.465.0 - 2023-12-01
  • 3.462.0 - 2023-11-29
  • 3.461.0 - 2023-11-28
  • 3.460.0 - 2023-11-28
  • 3.458.0 - 2023-11-27
  • 3.454.0 - 2023-11-17
  • 3.451.0 - 2023-11-14
  • 3.450.0 - 2023-11-13
  • 3.449.0 - 2023-11-10
  • 3.445.0 - 2023-11-07
  • 3.441.0 - 2023-11-01
  • 3.438.0 - 2023-10-27
  • 3.437.0 - 2023-10-26
  • 3.436.0 - 2023-10-25
  • 3.435.0 - 2023-10-24
  • 3.433.0 - 2023-10-20
  • 3.432.0 - 2023-10-19
  • 3.431.0 - 2023-10-18
  • 3.430.0 - 2023-10-17
  • 3.429.0 - 2023-10-16
  • 3.428.0 - 2023-10-12
  • 3.427.0 - 2023-10-06
  • 3.425.0 - 2023-10-04
  • 3.423.0 - 2023-10-02
  • 3.421.0 - 2023-09-27
  • 3.418.0 - 2023-09-22
  • 3.414.0 - 2023-09-15
  • 3.413.0 - 2023-09-14
  • 3.410.0 - 2023-09-11
  • 3.409.0 - 2023-09-08
  • 3.408.0 - 2023-09-07
  • 3.405.0 - 2023-09-01
  • 3.398.0 - 2023-08-23
  • 3.395.0 - 2023-08-18
  • 3.391.0 - 2023-08-14
  • 3.389.0 - 2023-08-10
  • 3.388.0 - 2023-08-09
  • 3.387.0 - 2023-08-08
  • 3.386.0 - 2023-08-07
  • 3.385.0 - 2023-08-04
  • 3.382.0 - 2023-08-01
  • 3.379.1 - 2023-07-28
  • 3.378.0 - 2023-07-26
  • 3.377.0 - 2023-07-25
  • 3.370.0 - 2023-07-13
  • 3.369.0 - 2023-07-11
  • 3.363.0 - 2023-06-29
  • 3.362.0 - 2023-06-28
  • 3.360.0 - 2023-06-26
  • 3.359.0 - 2023-06-23
  • 3.358.0 - 2023-06-22
  • 3.357.0 - 2023-06-21
  • 3.354.0 - 2023-06-16
  • 3.353.0 - 2023-06-15
  • 3.352.0 - 2023-06-13
  • 3.350.0 - 2023-06-09
  • 3.348.0 - 2023-06-07
  • 3.347.1 - 2023-06-07
  • 3.347.0 - 2023-06-06
  • 3.345.0 - 2023-06-02
  • 3.344.0 - 2023-06-01
  • 3.342.0 - 2023-05-30
  • 3.341.0 - 2023-05-26
  • 3.338.0 - 2023-05-23
  • 3.337.0 - 2023-05-22
  • 3.335.0 - 2023-05-18
  • 3.334.0 - 2023-05-16
  • 3.332.0 - 2023-05-11
  • 3.329.0 - 2023-05-08
  • 3.328.0 - 2023-05-05
  • 3.327.0 - 2023-05-04
  • 3.326.0 - 2023-05-03
  • 3.325.0 - 2023-05-02
  • 3.321.1 - 2023-04-27
from @aws-sdk/client-secrets-manager GitHub release notes
Package name: axios from axios GitHub release notes
Package name: express from express GitHub release notes
Package name: mongodb
  • 5.9.2 - 2023-12-05

    5.9.2 (2023-11-16)

    The MongoDB Node.js team is pleased to announce version 5.9.2 of the mongodb package!

    Release Notes

    Fix connection leak when serverApi is enabled

    When enabling serverApi the driver's RTT mesurment logic (used to determine the closest node) still sent the legacy hello command "isMaster" causing the server to return an error. Unfortunately, the error handling logic did not correctly destroy the socket which would cause a leak.

    Both sending the correct hello command and the error handling connection clean up logic are fixed in this change.

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 5.9.1 - 2023-10-20
  • 5.9.0 - 2023-09-14
  • 5.8.1 - 2023-08-23
  • 5.8.0 - 2023-08-21
  • 5.7.0 - 2023-07-06
  • 5.6.0 - 2023-06-01
  • 5.6.0-dev.20230606.sha.2b83ea4 - 2023-06-06
  • 5.6.0-dev.20230603.sha.008fd6f - 2023-06-03
  • 5.5.0 - 2023-05-11
  • 5.4.0 - 2023-05-04
  • 5.3.0 - 2023-04-18
from mongodb GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

@snyk-bot
fix: upgrade multiple dependencies with Snyk
cadf077 
Snyk has created this PR to upgrade:
  - @aws-sdk/client-secrets-manager from 3.321.1 to 3.632.0.
    See this package in npm: https://www.npmjs.com/package/@aws-sdk/client-secrets-manager
  - axios from 1.4.0 to 1.7.4.
    See this package in npm: https://www.npmjs.com/package/axios
  - express from 4.18.2 to 4.19.2.
    See this package in npm: https://www.npmjs.com/package/express
  - mongodb from 5.3.0 to 5.9.2.
    See this package in npm: https://www.npmjs.com/package/mongodb

See this project in Snyk:
https://app.snyk.io/org/eliranrp/project/68604a49-9ac7-48bf-8661-282b7c3616d2?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@eliranRP @snyk-bot