[Snyk] Fix for 9 vulnerabilities

[erikvullings]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:parsejson:20170908	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: fs-extra

The new version differs by 77 commits.

• 2da7def README: Node v0.12 deprecation notice.
• f074627 1.0.0
• 3b48231 CHANGELOG: add issues
• d722ae9 Merge pull request #286 from agnivade/walkSync
• 87dd3c8 Merge pull request #307 from jprichardson/coverage
• 7448648 Fix coverage
• 597a98f Merge pull request #305 from jprichardson/coveralls
• 9d19da7 Merge pull request #306 from jprichardson/deps
• ab3c29c Update devDeps, fix lint error
• 662b78b Re-add Coveralls
• 6f3caef Merge pull request #304 from jprichardson/path-is-absolute
• bebbe78 Remove path-is-absolute
• d71d9b3 Merge pull request #303 from jprichardson/docs-copySync
• 916462b Document copySync filter inconsistency
• 0314876 Merge pull request #300 from jprichardson/rimraf
• a837927 Inline rimraf
• 071f8ce Fix typo
• f31b88e Merge pull request #301 from jprichardson/copySync-chmod
• ac6f688 Remove chmod call from copySync
• 23b2096 Merge pull request #299 from jprichardson/filter
• 9da4958 Warn when filter is a RegExp
• 7632804 Merge pull request #294 from jprichardson/ncp
• abfe0be Merge pull request #293 from jprichardson/travis
• 620992b Merge pull request #295 from jprichardson/filter-docs

See the full diff

Package name: jasmine

The new version differs by 69 commits.

• e1657e3 Fixed grunt release task to use main, not master
• 0d56082 Bump version to 3.6
• 0e8022b Removed ancient Node versions from build matrix
• 4814296 Removed unnecessary check for passedExpectations truthiness
• 204e0a1 Fixed spec that wasn't verifying what it meant to
• 7e72bef Merge branch 'missing-core-config-options' of https://github.com/coyoteecd/jasmine-npm
• 4ecf63c Support 'failSpecWithNoExpectations' config option and include a message in the default ConsoleReporter when a spec contains no expectations
• af16759 Merge branch 'c4dt-master'
• 6c14ba2 not parsing argv after --
• f0c0d7d Merge branch 'wood1986-features/concurrent-v4'
• b78c149 feat: add the parallel functionality
• c2e0f30 bump version to 3.5
• f2dee59 Use the total time from Jasmine-Core instead of calculating ourself
• b44fcef Add newer node.js version to travis and bump year in license
• dd00f4b Bump version to 3.4
• b5d9ef9 Use `removeListener` instead of `off` since it always exists
• 78cf067 Merge branch 'battk-remove-listener'
• 8e9ab27 moved exit listener add and removal to completion reporter
• b8183d2 recognize that Windows paths may use a '/' or a '\' as a separator
• 82b395c update dependencies
• bf79dd2 Merge branch 'strama4-strama4-readme-update'
• 831b646 Merge branch 'strama4-readme-update' of https://github.com/strama4/jasmine-npm into strama4-strama4-readme-update
• 0f2531c Bump version to 3.3.1
• 82b7db2 Add `null` encoding when writing to streams on close

See the full diff

Package name: kafka-node

The new version differs by 124 commits.

• 77c005a 2.2.3 (#762)
• a13f85a Upgrade snappy (#760)
• 49bced2 consumer network recovery (#758)
• aa9ffa4 Update docker-compose to use 0.11 tag instead of latest (#754)
• 17a2202 2.2.2 (#753)
• c85cd9f Fix issue where disconnected idle brokers lingers around causing subsequent requests to fail with BrokerNotAvailable (#752)
• 52f38b5 Add timeout waiting for broker to be ready fixes #750 (#751)
• a580e80 2.2.1 (#748)
• dd3329b avoid doing versions request on longpolling sockets resolves #743 (#747)
• 163bbdb Verify cyclic partitioner works closes #725 (#745)
• 04a248a Consumer should throw an error if message exceeds fetchMaxBytes fixes… (#744)
• 0eb61c5 Fix imports in streaming example (#742)
• a102a48 2.2.0 (#738)
• 0f21b66 message protocol didn't take into account timestamp Fixes #736 (#737)
• 58662ef run tests against kafka version 0.11 (#735)
• c710659 Add producer stream (#734)
• fabfc80 Bump version and update changelog (#733)
• 0e68220 Consumer streams (#732)
• 60e5e11 Add support for Producer API V1 and V2 (#730)
• e20325e Upgrade to async 2 (#729)
• 5271896 Api versions support (#726)
• 2114683 use defaultDeep instead of default to merge retryOptions (#722)
• 415c7b8 Allow broker to disconnect clients for being idle (#718)
• d23e14b Fix doc for HLC addTopics method resolves #713 (#714)

See the full diff

Package name: mqtt

The new version differs by 250 commits.

• cc82753 Merge pull request #1291 from mqttjs/release_6_21_2021
• e6fc579 release: 4.2.7
• 6d817af Merge pull request #1209 from nosovk/patch-3
• 185307e Merge pull request #1224 from cameronelliott/master
• c8cebbf Merge pull request #1256 from nmggithub/master
• f3401a7 Update client-options.d.ts
• 6308dea Merge branch 'master' into master
• be17dd7 Merge pull request #1236 from ogis-yamazaki/fix_multi_protocol_test_mechanism
• 949e22a remove 10.x from gate
• 71dae75 Merge pull request #1249 from bkp7/bkp7-typescript-changes
• 59d257a Merge pull request #1239 from ogis-yamazaki/fix_close_websocket_stream
• 0725798 Merge pull request #1266 from simnalamburt/duplexify
• acb6117 Merge branch 'master' into duplexify
• a9d269b Merge pull request #1289 from LaurentGoderre/fix-production-vulnerability
• 8ef5ffc Fix production vulnerability
• 845561e Add missing 'duplexify' dependency
• d93c193 The stream's _writableState may still be false when the WebSocket close event occurs.
• 51c5c02 improved type definition for 'wsOptions'
• 61bcbe6 fix missing event types
• 2203585 reverse out changes to client.d.ts
• 063aa31 change reference to mqtt-packet v6.8.0
• 746c0bc Improved TypeScript declarations for userProperties
• e04e0f8 fix #1235, WebSocket client does not emit close event when disconnected from the server side.
• 4bd3f3c fix multi protocol test mechanism.

See the full diff

Package name: socket.io

The new version differs by 42 commits.

• 3367eaa [chore] Release 2.0.0
• 6c0705f [docs] Add an example of custom parser (#2929)
• 1980fb4 [chore] Merge history of 1.7.x and 0.9.x branches (#2930)
• 0d07c47 [chore] Added backers and sponsors on the README (#2933)
• a086588 [chore] Bump dependencies (#2926)
• 87b06ad [feat] Move binary detection to the parser (#2923)
• 199eec6 [docs] Replace non-breaking space with proper whitespace (#2913)
• f1b39a6 [docs] Update emit cheatsheet (#2906)
• 240b154 [docs] Explicitly document that Server extends EventEmitter (#2874)
• c5b7738 [docs] Add server.engine.generateId attribute (#2880)
• 03f3bc9 [docs] Fix wrong space character in README (#2900)
• e40accf [docs] Fix documentation for 'connect' event (#2898)
• 01a4623 [feat] Allow to join several rooms at once (#2879)
• 2d5b002 [docs] Add webpack build example (#2828)
• 5ae06e6 [chore] Bump socket.io-adapter to version 1.0.0 (#2867)
• 4d8f68c [chore] Bump engine.io to version 2.0.2 (#2864)
• 5b79ab1 [docs] Update the wording to match the code example (#2853)
• 54ff591 [feature] Merge Engine.IO and Socket.IO handshake packets (#2833)
• e1facd5 [docs] Small addition to the Express Readme Part (#2846)
• 3b92cc2 [feature] Allow the use of custom parsers (#2829)
• 3d695c6 [chore] Bump engine.io to version 2.0.0 (#2832)
• 3b5f433 [fix] Use path.resolve by default and require.resolve as a fallback (#2797)
• 23c9dd3 [docs] Add a 'Features' section in the README (#2824)
• e28b475 [docs] Add httpd cluster example (#2819)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Server-side Request Forgery (SSRF)
🦉 Improper Input Validation
🦉 More lessons are available in Snyk Learn