[Snyk] Upgrade: , , axios, compromise, dotenv, express, express-rate-limit, google-libphonenumber, mongoose, mysql2, nodemailer, sequelize, socket.io, socket.io-client, uuid, winston

[Luis-Caxi-Calani]

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

@nlpjs/ner
from 4.26.1 to 4.27.0 | 1 version ahead of your current version | a year ago
on 2023-05-25
@nlpjs/nlp
from 4.26.1 to 4.27.0 | 1 version ahead of your current version | a year ago
on 2023-05-25
axios
from 1.6.7 to 1.7.7 | 12 versions ahead of your current version | 21 days ago
on 2024-08-31
compromise
from 14.8.2 to 14.14.0 | 9 versions ahead of your current version | 2 months ago
on 2024-07-31
dotenv
from 16.0.3 to 16.4.5 | 17 versions ahead of your current version | 7 months ago
on 2024-02-20
express
from 4.18.2 to 4.19.2 | 4 versions ahead of your current version | 6 months ago
on 2024-03-25
express-rate-limit
from 7.1.5 to 7.4.0 | 4 versions ahead of your current version | 2 months ago
on 2024-07-23
google-libphonenumber
from 3.2.34 to 3.2.38 | 4 versions ahead of your current version | 2 months ago
on 2024-07-27
mongoose
from 7.5.0 to 7.8.1 | 21 versions ahead of your current version | a month ago
on 2024-08-19
mysql2
from 3.6.0 to 3.11.0 | 23 versions ahead of your current version | 2 months ago
on 2024-07-27
nodemailer
from 6.9.9 to 6.9.14 | 5 versions ahead of your current version | 3 months ago
on 2024-06-19
sequelize
from 6.32.1 to 6.37.3 | 10 versions ahead of your current version | 5 months ago
on 2024-04-13
socket.io
from 4.7.4 to 4.7.5 | 1 version ahead of your current version | 6 months ago
on 2024-03-14
socket.io-client
from 4.7.4 to 4.7.5 | 1 version ahead of your current version | 6 months ago
on 2024-03-14
uuid
from 9.0.0 to 9.0.1 | 1 version ahead of your current version | a year ago
on 2023-09-12
winston
from 3.8.2 to 3.14.2 | 10 versions ahead of your current version | a month ago
on 2024-08-14

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Server-side Request Forgery (SSRF) SNYK-JS-AXIOS-7361793	646	Proof of Concept
	Prototype Pollution SNYK-JS-MYSQL2-6861580	646	Proof of Concept
	Use of Web Browser Cache Containing Sensitive Information SNYK-JS-MYSQL2-6591300	646	Proof of Concept
	Arbitrary Code Injection SNYK-JS-MYSQL2-6670046	646	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	646	Proof of Concept
	Open Redirect SNYK-JS-EXPRESS-6474509	646	No Known Exploit
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	646	Proof of Concept
	Server-Side Request Forgery (SSRF) SNYK-JS-IP-7148531	646	Proof of Concept
	Prototype Poisoning SNYK-JS-MYSQL2-6591084	646	Proof of Concept
	Remote Code Execution (RCE) SNYK-JS-MYSQL2-6591085	646	Proof of Concept

Release notes

Package name: @nlpjs/ner

• 4.27.0 - 2023-05-25
  

  v4.27.0

• 4.26.1 - 2023-01-12
  

  v4.26.1

from @nlpjs/ner GitHub release notes

Package name: @nlpjs/nlp

• 4.27.0 - 2023-05-25
  

  v4.27.0

• 4.26.1 - 2023-01-12
  

  v4.26.1

from @nlpjs/nlp GitHub release notes

Package name: axios

• 1.7.7 - 2024-08-31
  

  Release notes:

  Bug Fixes

  • fetch: fix stream handling in Safari by fallback to using a stream reader instead of an async iterator; (#6584) (d198085)
  • http: fixed support for IPv6 literal strings in url (#5731) (364993f)

  Contributors to this release

  • Rishi556
  • Dmitriy Mozgovoy
• 1.7.6 - 2024-08-30
  

  Release notes:

  Bug Fixes

  • fetch: fix content length calculation for FormData payload; (#6524) (085f568)
  • fetch: optimize signals composing logic; (#6582) (df9889b)

  Contributors to this release

  • Dmitriy Mozgovoy
  • Jacques Germishuys
  • kuroino721
• 1.7.5 - 2024-08-23
  

  Release notes:

  Bug Fixes

  • adapter: fix undefined reference to hasBrowserEnv (#6572) (7004707)
  • core: add the missed implementation of AxiosError#status property; (#6573) (6700a8a)
  • core: fix ReferenceError: navigator is not defined for custom environments; (#6567) (fed1a4b)
  • fetch: fix credentials handling in Cloudflare workers (#6533) (550d885)

  Contributors to this release

  • Dmitriy Mozgovoy
  • Antonin Bas
  • Hans Otto Wirtz
• 1.7.4 - 2024-08-13
  

  Release notes:

  Bug Fixes

  • sec: CVE-2024-39338 (#6539) (#6543) (6b6b605)
  • sec: disregard protocol-relative URL to remediate SSRF (#6539) (07a661a)

  Contributors to this release

  • Lev Pachmanov
  • Đỗ Trọng Hải
• 1.7.3 - 2024-08-01
  

  Release notes:

  Bug Fixes

  • adapter: fix progress event emitting; (#6518) (e3c76fc)
  • fetch: fix withCredentials request config (#6505) (85d4d0e)
  • xhr: return original config on errors from XHR adapter (#6515) (8966ee7)

  Contributors to this release

  • Dmitriy Mozgovoy
  • Valerii Sidorenko
  • prianYu
• 1.7.2 - 2024-05-21
  

  Release notes:

  Bug Fixes

  • fetch: enhance fetch API detection; (#6413) (4f79aef)

  Contributors to this release

  • Dmitriy Mozgovoy
• 1.7.1 - 2024-05-20
  

  Release notes:

  Bug Fixes

  • fetch: fixed ReferenceError issue when TextEncoder is not available in the environment; (#6410) (733f15f)

  Contributors to this release

  • Dmitriy Mozgovoy
• 1.7.0 - 2024-05-19
  

  Release notes:

  Features

  • adapter: add fetch adapter; (#6371) (a3ff99b)

  Bug Fixes

  • core/axios: handle un-writable error stack (#6362) (81e0455)

  Contributors to this release

  • Dmitriy Mozgovoy
  • Jay
  • Alexandre ABRIOUX
• 1.7.0-beta.2 - 2024-05-19
  

  Release notes:

  Bug Fixes

  • fetch: capitalize HTTP method names; (#6395) (ad3174a)
  • fetch: fix & optimize progress capturing for cases when the request data has a nullish value or zero data length (#6400) (95a3e8e)
  • fetch: fix headers getting from a stream response; (#6401) (870e0a7)

  Contributors to this release

  • Dmitriy Mozgovoy
• 1.7.0-beta.1 - 2024-05-07
  

  Release notes:

  Bug Fixes

  • core/axios: handle un-writable error stack (#6362) (81e0455)
  • fetch: fix cases when ReadableStream or Response.body are not available; (#6377) (d1d359d)
  • fetch: treat fetch-related TypeError as an AxiosError.ERR_NETWORK error; (#6380) (bb5f9a5)

  Contributors to this release

  • Alexandre ABRIOUX
  • Dmitriy Mozgovoy

  Install

  npm i axios@next
  

• 1.7.0-beta.0 - 2024-04-28
• 1.6.8 - 2024-03-15
• 1.6.7 - 2024-01-25

from axios GitHub release notes

Package name: compromise

• 14.14.0 - 2024-07-31
  
  • [new] - .slashes() and .slashes().split() methods #1100
  • [fix] - multiple contraction issue #1128
  • [fix] - toNumbers() return values #1113
  • [fix] - (plugins/wikipedia) - fix hard-coded path for #1116
  • [fix] - (plugins/dates) - limit values in mm/dd format
  • [fix] - (plugins/dates) params mutation #1109
  • [change] - split people names by commas #1111
  • [change] - typescript export update #1104
  • [update] - eslint config format
  • [update] - github actions
  • [update] - dependencies
• 14.13.0 - 2024-04-01
  
  • [new] - .compute('freeze')
  • [new] - .debug('freeze')
  • [change] - allow 3-slashes in a word
• 14.12.0 - 2024-02-16
  
  • [new] - .payload() plugin
  • [new] - .numbers().isUnit() method #1089
  • [change] - update github workflow (thanks FDawgs!)
  • [fix] - README issues (thanks track0x1!)
  • [fix] - .has() inconsistency
  • [new] - support adding debug methods via plugins
  • [change] - remove deprecated .debug(object) support
  • [fix] - parentheses() match issue
  • [fix] - tokenization issue #1085
  • [new] - dates().isBefore(), dates().isBefore() methods
  • [new] - .debug('dates') method
  • [fix] - lazy join() issue
  • [update] - dependencies
• 14.11.2 - 2024-01-23
  
  • [new] - support for frozen lex in plugin object #1080
  • [fix] - toggling options in .json()
  • [new] - .join() and .joinIf() methods
  • [new] - support freeze in sweep
  • [change] - internal typescript improvements
  • [fix] - tagging issues
  • [change] - @ hasEllipses ellipse must be following the word
  • [update] - dependencies
• 14.11.1 - 2024-01-16
  
  • [fix] - missing words in html output (thanks ryan!)
  • [change] - better #Possessive tagging for #1074
  • [change] - improved is/has contraction classifier #1074
  • [change] - fixes to subordinate clause identification #1072
  • [update] - dependencies
• 14.11.0 - 2023-12-21
  
  • [new] - tagging .freeze() and .unfreeze() feature
  • [change] - stronger deferal to internal lexicon
  • [change] - support any-length phrases in lexicon
  • [fix] - prevent missed overlapping lexicon phrases
  • [update] - dependencies
• 14.10.1 - 2023-11-16
  
  • [fix] - abbreviation checks for sentence-tokenizer #1061
  • [change] - improve person tagger #1059
  • [change] - add #FutureTense tag
  • [fix] - .out() runtime error #1056
  • [fix] - punctuation loss in .not() #1022
  • [update] - dependencies
• 14.10.0 - 2023-08-10
  
  • [fix] - verb conjugation fixes
  • [fix] - tagger fixes
  • [change] - align package.json with ESM module #1023
  • [fix] - .splitBefore() bugfix
  • [fix] - typescript+docs fixes #1023
  • [fix] - subtle changes to .text() and .isFull()
  • [update] - dependencies
• 14.9.0 - 2023-05-07
  
  • [new] - .verbs().toPastParticiple() method
  • [new] - .normalize({ debullet: true }) #1004
  • [change] - typescript path changes (thanks @ rotemdan !)
  • [fix] - suffix tagging issues
  • [fix] - match syntax issue #997
  • [change] - keep possessive in replace #1011
  • [change] - major improvements to adj.toNoun() conjugator
  • [fix] - parsematch bug #997
  • [fix] - "there's been" contraction
  • [new] - .conjugate() methods on Noun/Adverb/Adjective classes
  • [new] - add Gerund and PastParticiple to .verbs().conjugate() results
  • [new] - option to keep possessives in .replace() #1011
  • [fix] - tagger fix #998
  • [update] - dependencies
• 14.8.2 - 2023-02-04
  
  • [change] - #Actor tagging - in advance of #565
  • [change] - .noun() lumping changes - in advance of #565
  • [new] - support japanese full-stop
  • [fix] - number tagging #992
  • [update] - dependencies

from compromise GitHub release notes

Package name: dotenv

• 16.4.5 - 2024-02-20
  

  16.4.5

• 16.4.4 - 2024-02-13
  

  16.4.4

• 16.4.3 - 2024-02-12
  

  16.4.3

• 16.4.2 - 2024-02-10
  

  16.4.2

• 16.4.1 - 2024-01-24
  

  16.4.1

• 16.4.0 - 2024-01-23
  

  16.4.0

• 16.3.2 - 2024-01-19
  

  16.3.2

• 16.3.1 - 2023-06-17
  

  16.3.1

• 16.3.0 - 2023-06-16
  

  16.3.0

• 16.2.0 - 2023-06-16
  

  16.2.0

• 16.1.4 - 2023-06-04
• 16.1.3 - 2023-05-31
• 16.1.2 - 2023-05-31
• 16.1.1 - 2023-05-31
• 16.1.0 - 2023-05-30
• 16.1.0-rc2 - 2023-05-21
• 16.1.0-rc1 - 2023-04-07
• 16.0.3 - 2022-09-29

from dotenv GitHub release notes

Package name: express

• 4.19.2 - 2024-03-25
• 4.19.1 - 2024-03-20
  

  What's Changed

  • Fix ci after location patch by @ wesleytodd in #5552
  • fixed un-edited version in history.md for 4.19.0 by @ wesleytodd in #5556

  Full Changelog: 4.19.0...4.19.1

• 4.19.0 - 2024-03-20
  

  What's Changed

  • fix typo in release date by @ UlisesGascon in #5527
  • docs: nominating @ wesleytodd to be project captian by @ wesleytodd in #5511
  • docs: loosen TC activity rules by @ wesleytodd in #5510
  • Add note on how to update docs for new release by @ crandmck in #5541
  • Prevent open redirect allow list bypass due to encodeurl
  • Release 4.19.0 by @ wesleytodd in #5551

  New Contributors

  • @ crandmck made their first contribution in #5541

  Full Changelog: 4.18.3...4.19.0

• 4.18.3 - 2024-02-29
  

  Main Changes

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2

  Other Changes

  • Use https: protocol instead of deprecated git: protocol by @ vcsjones in #5032
  • build: Node.js@16.18 and Node.js@18.12 by @ abenhamdine in #5034
  • ci: update actions/checkout to v3 by @ armujahid in #5027
  • test: remove unused function arguments in params by @ raksbisht in #5124
  • Remove unused originalIndex from acceptParams by @ raksbisht in #5119
  • Fixed typos by @ raksbisht in #5117
  • examples: remove unused params by @ raksbisht in #5113
  • fix: parameter str is not described in JSDoc by @ raksbisht in #5130
  • fix: typos in History.md by @ raksbisht in #5131
  • build : add Node.js@19.7 by @ abenhamdine in #5028
  • test: remove unused function arguments in params by @ raksbisht in #5137
  • use random port in test so it won't fail on already listening by @ rluvaton in #5162
  • tests: use cb() instead of done() by @ kristof-low in #5233
  • examples: remove multipart example by @ riddlew in #5195
  • Update support Node.js@18 in the CI by @ UlisesGascon in #5490
  • Fix favicon-related bug in cookie-sessions example by @ DmytroKondrashov in #5414
  • Release 4.18.3 by @ UlisesGascon in #5505

  New Contributors

  • @ vcsjones made their first contribution in #5032
  • @ abenhamdine made their first contribution in #5034
  • @ armujahid made their first contribution in #5027
  • @ raksbisht made their first contribution in #5124
  • @ rluvaton made their first contribution in #5162