
[Snyk] Fix for 26 vulnerabilities #7

Open

wants to merge 1 commit into base: master
Conversation

ntheanh201 (Owner)

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • backend/package.json
    • backend/package-lock.json
    • backend/.snyk

Vulnerabilities that will be fixed

With an upgrade:

| Severity | Priority Score (*) | Why? | Issue | Snyk ID | Breaking Change | Exploit Maturity |
|---|---|---|---|---|---|---|
| high | 696/1000 | Proof of Concept exploit, Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) | SNYK-JS-ANSIREGEX-1583908 | Yes | Proof of Concept |
| medium | /1000 | | Server-Side Request Forgery (SSRF) | SNYK-JS-AXIOS-1038255 | Yes | Proof of Concept |
| high | /1000 | | Regular Expression Denial of Service (ReDoS) | SNYK-JS-AXIOS-1579269 | Yes | Proof of Concept |
| high | 462/1000 | Proof of Concept exploit, CVSS 7.1 | Cross-site Request Forgery (CSRF) | SNYK-JS-AXIOS-6032459 | Yes | Proof of Concept |
| medium | /1000 | | Prototype Pollution | SNYK-JS-CLASSTRANSFORMER-564431 | No | Proof of Concept |
| low | /1000 | | Improper Input Validation | SNYK-JS-CLASSVALIDATOR-1730566 | No | No Known Exploit |
| high | /1000 | | Authorization Bypass | SNYK-JS-EXPRESSJWT-575022 | Yes | No Known Exploit |
| medium | /1000 | | Information Exposure | SNYK-JS-FOLLOWREDIRECTS-2332181 | Yes | Proof of Concept |
| low | /1000 | | Information Exposure | SNYK-JS-FOLLOWREDIRECTS-2396346 | Yes | No Known Exploit |
| medium | /1000 | | Improper Authentication | SNYK-JS-JSONWEBTOKEN-3180022 | Yes | No Known Exploit |
| medium | /1000 | | Improper Restriction of Security Token Assignment | SNYK-JS-JSONWEBTOKEN-3180024 | Yes | No Known Exploit |
| medium | /1000 | | Use of a Broken or Risky Cryptographic Algorithm | SNYK-JS-JSONWEBTOKEN-3180026 | Yes | No Known Exploit |
| medium | /1000 | | Regular Expression Denial of Service (ReDoS) | SNYK-JS-LODASH-1018905 | Yes | Proof of Concept |
| high | /1000 | | Command Injection | SNYK-JS-LODASH-1040724 | Yes | Proof of Concept |
| high | /1000 | | Prototype Pollution | SNYK-JS-LODASH-567746 | Yes | Proof of Concept |
| high | /1000 | | Prototype Pollution | SNYK-JS-LODASH-608086 | Yes | Proof of Concept |
| low | /1000 | | Information Exposure | SNYK-JS-NESTJSCORE-2869127 | Yes | No Known Exploit |
| medium | /1000 | | Session Fixation | SNYK-JS-PASSPORT-2840631 | No | No Known Exploit |
| high | /1000 | | Prototype Poisoning | SNYK-JS-QS-3153490 | Yes | Proof of Concept |
| high | /1000 | | Regular Expression Denial of Service (ReDoS) | SNYK-JS-SEMVER-3247795 | Yes | Proof of Concept |
| medium | /1000 | | Server-side Request Forgery (SSRF) | SNYK-JS-SWAGGERUIDIST-2314884 | No | Mature |
| medium | /1000 | | Server-side Request Forgery (SSRF) | SNYK-JS-SWAGGERUIDIST-6056393 | No | Proof of Concept |
| medium | /1000 | | Regular Expression Denial of Service (ReDoS) | SNYK-JS-VALIDATOR-1090599 | No | Proof of Concept |
| medium | /1000 | | Regular Expression Denial of Service (ReDoS) | SNYK-JS-VALIDATOR-1090600 | No | Proof of Concept |
| medium | /1000 | | Regular Expression Denial of Service (ReDoS) | SNYK-JS-VALIDATOR-1090601 | No | Proof of Concept |
| medium | /1000 | | Regular Expression Denial of Service (ReDoS) | SNYK-JS-VALIDATOR-1090602 | No | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: @nestjs/jwt The new version differs by 250 commits.
  • 0274acc Merge pull request #1144 from nestjs/renovate/typescript-eslint-monorepo
  • c6bbf14 Merge pull request #1150 from nestjs/renovate/prettier-2.x
  • 414aea3 chore(deps): update typescript-eslint monorepo to v5.47.1
  • 44fd45a chore(deps): update dependency prettier to v2.8.1
  • d8ed56a Merge pull request #1149 from nestjs/renovate/commitlint-monorepo
  • 74a21f9 Merge pull request #1057 from nestjs/renovate/jsonwebtoken-8.x
  • f367329 Merge pull request #1159 from nestjs/renovate/release-it-15.x
  • b3f4fc7 chore(deps): update dependency release-it to v15.5.1
  • 15ad133 chore(deps): update commitlint monorepo to v17.3.0
  • d14521f fix(deps): update dependency @types/jsonwebtoken to v8.5.9
  • cc04cce Merge pull request #1158 from nestjs/renovate/node-18.x
  • 3ebfaf0 chore(deps): update dependency @types/node to v18.11.18
  • a14a3be Merge pull request #1146 from nestjs/renovate/typescript-4.x
  • df59940 chore(deps): update dependency typescript to v4.9.4
  • e5661b9 Merge pull request #1157 from nestjs/dependabot/npm_and_yarn/minimatch-3.1.2
  • 8d74976 Merge pull request #1151 from nestjs/renovate/lint-staged-13.x
  • 76b0ee3 Merge pull request #1148 from nestjs/renovate/eslint-8.x
  • f3dd100 chore(deps): bump minimatch from 3.0.4 to 3.1.2
  • 7b3319a chore(deps): update dependency lint-staged to v13.1.0
  • a97c753 Merge pull request #1145 from nestjs/renovate/jest-monorepo
  • 73a7440 Merge pull request #1155 from nestjs/renovate/npm-jsonwebtoken-vulnerability
  • 8a6a459 chore(deps): update dependency eslint to v8.30.0
  • 20c2366 chore(deps): update dependency @types/jest to v29.2.4
  • 98a4464 chore(deps): update dependency jsonwebtoken to 9.0.0 [security]

See the full diff

Package name: @nestjs/swagger The new version differs by 250 commits.
  • f90cb7b Merge pull request #1205 from nestjs/renovate/class-transformer-0.x
  • bd18c89 chore(deps): update dependency class-transformer to v0.4.0
  • 28127a1 Merge pull request #1251 from nestjs/renovate/nestjs-mapped-types-0.x
  • 61fecaa fix(deps): update dependency @nestjs/mapped-types to v0.4.0
  • e4f8d2f Merge pull request #1219 from nestjs/renovate/lodash-monorepo
  • 649f666 chore(deps): update typescript-eslint monorepo to v4.17.0
  • 40cbb0f chore(deps): update dependency @types/node to v11.15.48
  • 17e45c4 chore(deps): update dependency fastify-swagger to v4.4.0
  • 7684efd chore(deps): update dependency typescript to v4.2.3
  • e9863b0 chore(deps): update dependency ts-jest to v26.5.3
  • bef1c0e chore(deps): update dependency fastify-swagger to v4.3.3
  • 4c3059c chore(deps): update dependency fastify-swagger to v4.3.2
  • 97c68df chore(deps): update dependency husky to v5.1.3
  • 48c2555 chore(deps): update typescript-eslint monorepo to v4.16.1
  • 5012037 chore(deps): update typescript-eslint monorepo to v4.16.0
  • 91e997a chore(deps): update dependency husky to v5.1.2
  • 2004131 chore(deps): update dependency eslint to v7.21.0
  • de629e4 chore(deps): update commitlint monorepo to v12.0.1
  • 1408043 chore(deps): update dependency eslint-config-prettier to v8.1.0
  • 9c5bdf1 chore(): release v4.7.15
  • 3e3b78b Merge branch 'master' of https://github.com/nestjs/swagger
  • b417b92 fix(plugin): support typescript 4.2+
  • a54b765 chore(deps): update dependency typescript to v4.2.2
  • 27becc1 chore(): release v4.7.14

See the full diff

Package name: express The new version differs by 117 commits.

See the full diff

Package name: express-jwt The new version differs by 97 commits.

See the full diff

Package name: jsonwebtoken The new version differs by 17 commits.
  • e1fa9dc Merge pull request from GHSA-8cf7-32gw-wr33
  • 5eaedbf chore(ci): remove github test actions job (#861)
  • cd4163e chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)
  • ecdf6cc fix!: Prevent accidental use of insecure key sizes & misconfiguration of secrets (#852)
  • 8345030 fix(sign&verify)!: Remove default `none` support from `sign` and `verify` methods, and require it to be explicitly configured (#851)
  • 7e6a86b Upload OpsLevel YAML (#849)
  • 74d5719 docs: update references vercel/ms references (#770)
  • d71e383 docs: document "invalid token" error
  • 3765003 docs: fix spelling in README.md: Peak -> Peek (#754)
  • a46097e docs: make decode impossible to discover before verify
  • 15a1bc4 refactor: make decode non-enumerable
  • 5f10bf9 docs: add jwtid to options of jwt.verify (#704)
  • 88cb9df Replace tilde-indexOf with includes (#647)
  • a6235fa Adds not to README on decoded payload validation (#646)
  • 5ed1f06 docs: fix tiny style change in readme (#622)
  • 9fb90ca style: add missing semicolon (#641)
  • a9e38b8 ci: use circleci (#589)

See the full diff

Package name: passport The new version differs by 100 commits.

See the full diff

Package name: passport-jwt The new version differs by 31 commits.
  • fed94fa 4.0.1 release
  • cfb5566 Merge pull request #248 from mikenicholson/update-minmatch
  • 8e4ad5b Address minmatch vulnerability
  • e9cf2ce Merge pull request #247 from mikenicholson/jsonwebtoken-9
  • bfbc6cc Update jsonwebtoken to 9.0.0
  • a49b43e Update minimist due to prototype pollution vulnerability in previous version
  • a5137c6 Merge pull request #192 from markhoney/patch-1
  • ea824cd Update jsonwebtoken and run npm audit fix
  • 8e57eec Remove older node versions shiping npm without support for "ci"
  • 3ab9305 Add CI workflow in GitHub Actions
  • 96a6e55 Merge pull request #218 from Sambego/patch-1
  • 809cdbf Update Auth0 sponsorship link
  • ec35fa4 Add nodejs 13 & 14 to CI
  • 2cab4dd Update mocha to resolve vulnerabilities
  • b196eb8 Use nyc for coverage
  • ddafcd2 Fix typo
  • 6b92631 Merge pull request #176 from epicfaace/patch-1
  • 154af70 Stop building for Node v5 and earlier
  • d311551 Add newer node versions to Travis CI build
  • 0e39a48 Update dependencies to resolve vulnerabilities.
  • d488147 Update URLs to reference new GitHub username
  • 89152d5 Rename extrators-test.js to extractors-test.js
  • 0bb68bf Clarify use of custom extractor function.
  • 499bd4a Add js formatting to extractor example in README.

See the full diff

Package name: pg The new version differs by 250 commits.
  • 7ffe68e Publish
  • 125a268 Update changelog
  • da2bb85 Bump node-fetch from 2.6.0 to 2.6.1
  • 7649890 Update SPONSORS.md
  • c5445f0 Fix metadata for pg-connection-string
  • a02dfac Replace semver with optional peer dependencies
  • 5825843 Public export of DatabaseError
  • e421167 Add ssl=true into the test
  • 9cbea21 Solve issues caused by config.ssl = true
  • 6be3b90 Add support for ?sslmode connection string param
  • f0fc470 Update README.md (#2330)
  • 95b5daa Publish
  • 1f0d3d5 Add test for pgpass check function scope
  • 0758b76 Fix context (this) in _checkPgPass.
  • acfbafa Publish
  • 07ee1ba Bump version
  • 65156e7 Small readme updates & auto-formatting
  • 61e4b7f Merge pull request #2309 from chris--young/ssl-err
  • f4d123b Prevents bad ssl credentials from causing a crash
  • 316bec3 Merge pull request #2294 from charmander/test-fixes
  • 3edcbb7 Fix most SSL negotiation packet tests being ignored
  • 1b022f8 Remove accidentally duplicated methods
  • b8773ce Merge pull request #2289 from brianc/dependabot/npm_and_yarn/lodash-4.17.19
  • 692e418 Fix documenation typo in README (#2291)

See the full diff

Package name: swagger-ui-express The new version differs by 14 commits.
  • aa3d56a Bumped version of swagger-ui-dist and moved js template usage
  • ff10df4 Update README.md
  • fe789d8 Update README.md
  • d07439b Merge pull request #270 from jdgarcia/security-update
  • 9011cdf Merge pull request #269 from artyhedgehog/patch-1
  • e09c35f update swagger-ui-dist dependency to fix security vulnerabilities
  • de8e7eb readme: fix broken link to swagger-jsdoc
  • 5824af0 Merge pull request #236 from H3nSte1n/feature/Add_converage_section_to_readme
  • da7b5ff feat: Remove Coverage headline from README
  • b46e892 feat: Add coverage section to README
  • feb0664 Merge pull request #235 from tingstad/patch-1
  • 1699685 Update README - two swagger documents (typo)
  • 44d5e10 Updated docs for multiple instances example
  • 5071048 Fix issue with swaggerInit

See the full diff

With a Snyk patch:

| Severity | Priority Score (*) | Why? | Issue | Snyk ID | Exploit Maturity |
|---|---|---|---|---|---|
| high | /1000 | | Prototype Pollution | SNYK-JS-LODASH-567746 | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-Side Request Forgery (SSRF)
🦉 Cross-site Request Forgery (CSRF)
🦉 More lessons are available in Snyk Learn
