[Snyk] Fix for 1 vulnerabilities

[ekmixon]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	768/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-QS-3153490	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: body-parser

The new version differs by 101 commits.

• 424dadd 1.19.2
• 11248a2 deps: raw-body@2.4.3
• 7a088eb build: Node.js@14.19
• ecedf31 build: Node.js@16.14
• b6bfabd build: Node.js@17.5
• badd6b2 build: fix code coverage aggregate upload
• 96b448a build: Node.js@17.4
• 70560b1 build: mocha@9.2.0
• 548a06f build: supertest@6.2.2
• 3b00678 deps: bytes@3.1.2
• d5acb61 build: mocha@9.1.4
• 82c8a7c tests: add limit + inflate tests
• b356758 deps: qs@6.9.7
• c631b58 build: supertest@6.2.1
• c81a8e2 build: eslint-plugin-import@2.25.4
• 3c4dcb8 build: Node.js@17.3
• d0a214b 1.19.1
• fb172d4 build: eslint-plugin-promise@5.2.0
• c5e63cb build: Node.js@17.2
• c6d43bd build: eslint-plugin-import@2.25.3
• 313ed6d build: eslint-plugin-promise@5.1.1
• 8389b51 deps: bytes@3.1.1
• aae94b2 deps: http-errors@1.8.1
• 7f84d4f deps: raw-body@2.4.2

See the full diff

Package name: qs

The new version differs by 36 commits.

• 834389a v6.7.3
• 45143b6 [Tests] use `nyc` for coverage
• 5d55ddc [meta] do not publish workflow files
• f945393 [Fix] `parse`: ignore `__proto__` keys (add widescript to apps using express expressjs/express#428)
• a8d5286 [Robustness] `stringify`: avoid relying on a global `undefined` (Querystring module expressjs/express#427)
• 04eac8d [Fix] `stringify`: avoid encoding arrayformat comma when `encodeValuesOnly = true` (before/after filters in 1.0 expressjs/express#424)
• 9dab77e [readme] remove travis badge; add github actions/codecov badges; update URLs
• b9a039d [Tests] clean up stringify tests slightly
• 29c8f3c [Docs] add note and links for coercing primitive values (Connect expressjs/express#408)
• c87c8c9 [meta] fix README.md (App events expressjs/express#399)
• 9836e5c [actions] backport actions from main
• 1c0dc75 [Dev Deps] backport updates from main
• bf93c57 v6.7.2
• 74fcd83 [Fix] proper comma parsing of URL-encoded commas (Error in examples, "Each layer must have a route and a handle function" expressjs/express#361)
• 3756d40 [Fix] parses comma delimited array while having percent-encoded comma treated as normal text (Please load body-decoder by default in plugins.js expressjs/express#336)
• 92f97f2 v6.7.1
• a80b84a [Fix] `parse`: Fix parsing array from object with `comma` true (Fix blog example expressjs/express#359)
• cbd2469 [actions] add automatic rebasing / merge commit blocking
• 0fc71c9 [meta] add tidelift marketing copy
• 7977bc9 [meta] add `funding` field
• ea21ba8 [Fix] `parse`: with comma true, handle field that holds an array of arrays (Request.stream doesn't trigger('response') expressjs/express#335)
• 174493b [fix] `parse`: with comma true, do not split non-string values (Sends a response body when method is HEAD expressjs/express#334)
• 427da67 [Tests] `parse`: add passing `arrayFormat` tests
• dca1643 [Tests] use shared travis-ci configs

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

[secure-code-warrior-for-github]

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior