[Snyk] Fix for 14 vulnerabilities

[ljzwolfdu]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-IMMER-1019369	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-IMMER-1540542	Yes	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	No	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	No	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	Yes	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution npm:deep-extend:20180409	No	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:hoek:20180212	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal npm:koa-body:20180127	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Override Protection Bypass npm:qs:20170213	Yes	No Known Exploit
	761/1000 Why? Mature exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) npm:ws:20171108	Yes	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: json-schema-ref-parser

The new version differs by 9 commits.

• 51b4ed8 release v4.0.2
• 5fe3a56 Removed the half-implemented validator plugin
• 4ac0d7b Added JSDoc comments for the `path` parameter of each method
• b6c6dd6 Changed a devDependency (from `npm-check-updates` to `npm-check`)
• b4ba766 release v4.0.1
• d8aa8d2 updated dependencies
• 281e86e Moved the `normalizeArgs()` function to a separate file
• 34570c9 Removed Sinon dependency, since it's no longer used
• 2872115 Use Mocha 3.x, since 4.x no longer includes a browser-compatible script

See the full diff

Package name: jsonwebtoken

The new version differs by 28 commits.

• f313850 8.0.0
• f38bd8e updated changelog
• 2ec3263 Merge pull request demo网站无法访问 YMFE/yapi#393 from ziluvatar/migration-notes-to-readme
• 12cd8f7 docs: readme, migration notes
• cfc04a9 Merge pull request 设置基本路径时不能包含文件后缀 YMFE/yapi#349 from ziluvatar/fix-max-age-number-and-seconds
• 3305cf0 verify: remove process.nextTick (希望添加对多种http状态码返回结果的支持 YMFE/yapi#302)
• 0be5409 Reduce size of NPM package (1.3.16升级后测试集合报404 YMFE/yapi#347)
• 2e7e68d Remove joi to shrink module size (只修改参数 必需/非必需, 文本/文件 时, 查看改动详情, 提示没有改动 YMFE/yapi#348)
• 66a4f8b maxAge: Add validation to timespan result
• e54e53c update changelog
• fb48dde 7.4.3
• 2e4e30b Merge pull request 环境配置的header中能否填写变量? YMFE/yapi#386 from ziluvatar/issue_381
• 2a3404f add test & modify guard code
• 91ba14d Fixed alg non + secret set unit test
• b1ff632 Fix for 1.3.17版本创建接口问题 YMFE/yapi#381. Set secret string before using jws when alg is none
• e56f904 update changelog
• 480bb9b 7.4.2
• c6a7026 Merge pull request yapi 支持 jsonp 跨域数据么? YMFE/yapi#374 from ziluvatar/add-check-for-empty-secrets
• c584d1c sign: add check to be sure secret has a value
• 43739dc Merge pull request 复制接口操作，"返回数据设置"开关没有被复制 YMFE/yapi#371 from ziluvatar/docs-about-refreshing-tokens
• 016fc10 docs: about refreshing tokens
• 5f44a86 Merge pull request 命令行导入数据 YMFE/yapi#365 from ziluvatar/information-regarding-base64-secrets
• c25e990 docs: verifying with base64 encoded secrets
• 2f36063 Merge pull request [bug] body数据为json格式的接口无法保存到测试用例中，手动添加该接口的测试用例的body数据还是无法保存起来 YMFE/yapi#360 from ziluvatar/add-ecdsa-tests

See the full diff

Package name: koa-body

The new version differs by 9 commits.

• d9db03c Less strict version of formidable. Fixes [Snyk] Security upgrade axios from 0.18.1 to 0.21.1 #46
• 032fd0a v3
• 8f1dda6 Merge branch 'koa1-maint/security-pr-89' into koa1
• 73fc2a9 Use `ctx.request.files` instead of `ctx.request.body.files` (feat: 建议合并 PR的时候使用 squash 或者 rebase 方式 YMFE/yapi#89)
• ff2b222 Merge branch 'koa1-maint/no-multiline-dep' into koa1
• f3008cc removing multiline development dependency
• cb7b157 Merge pull request yapi server YMFE/yapi#88 from dlau/koa1-co-lock
• f48ca64 Update tests, lock versions
• 95b61e1 Lock co-body to 5.x

See the full diff

Package name: koa-bodyparser

The new version differs by 18 commits.

• 81002ab Release 4.1.0
• e7fe741 deps: upgrade co-body@5 (请求一个接口时间过长时，在7s以上，测试集合执行会显示‘执行异常’ YMFE/yapi#64)
• 27c5dc0 docs: fix node version badge
• 07466eb Release 4.0.0
• 2245bd2 docs: how to use with koa@2 in readme
• 31aa5df refactor: use async function and support koa@2 (服务启动后自己会挂掉，没有有效日志输出，问题原因不明 YMFE/yapi#62)
• 6f8763b Release 2.3.0
• 1328029 feat: support dynamic disable body parser
• ed407f7 Release 2.2.0
• 67a3884 feat: support enableTypes and text ([Snyk] Fix for 11 vulnerabilities #44)
• ab5a06a test: node@4,5,6
• e1827bd Release 2.1.0
• 8e5a784 deps: co-body@4
• ceb7df2 add koa@2 support readme
• a2c221e Merge pull request [Snyk] Security upgrade vm2 from 3.9.1 to 3.9.15 #35 from koajs/greenkeeper-mocha-2.4.1
• 683ab7b chore(package): update mocha to version 2.4.1
• 0b62f12 Merge pull request [Snyk] Security upgrade json5 from 0.5.1 to 2.2.2 #32 from koajs/greenkeeper-autod-2.4.2
• 3491cfe chore(package): update autod to version 2.4.2

See the full diff

Package name: koa-websocket

The new version differs by 8 commits.

• d8ef22a Bump version
• a12987e Upgrade dependencies
• ff333bb Merge pull request [Snyk] Security upgrade swagger-client from 3.5.1 to 3.12.0 #33 from stripedpajamas/feature/wss
• 8c5e461 Update tests for wss support.
• 7b45c68 Add optional third parameter for HTTPS options
• f2e7c7e Merge pull request [Snyk] Security upgrade jsonwebtoken from 7.4.1 to 9.0.0 #31 from marvinhagemeister/syntax_highlight
• cff6101 Fix syntax highlighting in README
• 0364fbe Correct install example

See the full diff

Package name: moox

The new version differs by 37 commits.

• 2c6bf8b feat: init
• 592d1da ignore lock
• 8060172 feat: 2.0
• f0be06e feat: tw
• d6c96c3 feat: docs
• f0ac491 opti: docs
• b78b49d opti: docs
• b328cd0 opti: docs
• 939c3c1 opti: docs
• b9522e7 fix: doc conflict
• ad23b1c feat: ts
• 000933a Update README.md
• 08465a3 feat:
• 7872a94 feat
• 880f6a7 feat
• 29b5acd Merge branch 'master' of github.com:Open-Federation/moox
• 4a6aa70 feat:
• 539e439 Update README.md
• 9dce146 Update README.md
• 581ba12 Update README.md
• 0180abe feat: update immer version
• e0c7d73 feat: ts rafactor
• d7fc036 feat: use ts
• 726b9f8 Update README.md

See the full diff

Package name: swagger-client

The new version differs by 174 commits.

• cb95875 release: v3.10.2
• af7f7b5 fix: amend header serialization algorithm (1.8.6版本 from 格式入参上传文件限制,希望恢复from上传文件，谢谢 YMFE/yapi#1523)
• d89a926 docs(tags-interface): add authorizations example (请问能否从eolinker迁移到yapi上呢？如何迁移呢？ YMFE/yapi#1525)
• 39d8b0c docs(tags-interface): document usage of security
• 0340b15 test(client): fix test for requesting https over http
• b55fa92 docs(http-client): document possible upload progress
• 0dffbec Fix typos in documentation (write lock file to separate directory '{yapi.WEBROOT_RUNTIME}/data' YMFE/yapi#1520)
• 3e7d9bf refactor: use noop instead of Function object (官网说明文档打不开 YMFE/yapi#1515)
• dcddd66 docs(tags-interface): add file uploads example
• 42718aa docs(try-it-out): add docs for attachContentTypeForEmptyPayload option
• 13ed570 docs(try-it-out): document interceptor options
• d82c8dc docs(try-it-out): add array parameter example
• 2213b8d docs(resolver): fix option default value and description
• 8a2357b docs(resolver): mention instance method
• da389b0 docs(API): add basic documentation about library API
• df76bf0 docs(README): consolide new and old documentation
• bb1c2ec docs(development): add developemnt documentation
• 127226b docs(installation): add istallation instructions for different envs
• c0ebc6e docs(tags-interface): document Tags Interface with proper examples
• 2b950ee docs: consolidate documentation into swagger-ui like system
• 27cc3bb docs: increase documentation coverage for swagger spec resolver (https请求如何设置允许在没有证书的情况下连接到SSL站点 YMFE/yapi#1506)
• c06a685 docs(TryItOut): increse documentation coverage (1.8.0升级到1.8.1页面都打不开了 YMFE/yapi#1509)
• 42b35a2 release: v3.10.1
• 45031b2 docs(HTTPClient): increase documentation coverage (yapi帐号丢失，之前保存的接口信息也丢失 YMFE/yapi#1507)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Directory Traversal