[Snyk-dev] Fix for 15 vulnerabilities

[ramy-abbas]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	696/1000 Why? Recently disclosed, Has a fix available, CVSS 8.2	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	No	No Known Exploit
	541/1000 Why? Recently disclosed, Has a fix available, CVSS 5.1	Cross-site Scripting SNYK-JS-EXPRESS-7926867	No	No Known Exploit
	531/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.2	Prototype Pollution SNYK-JS-IOREDIS-1567196	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Code Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JS-MOMENT-2440688	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	Yes	Proof of Concept
	738/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	391/1000 Why? Recently disclosed, Has a fix available, CVSS 2.1	Cross-site Scripting SNYK-JS-SEND-7926862	No	No Known Exploit
	391/1000 Why? Recently disclosed, Has a fix available, CVSS 2.1	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	No	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-Y18N-1021887	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: bull

The new version differs by 250 commits.

• f71b455 chore(release): 4.11.0 [skip ci]
• f6cbcab chore: update ubuntu build version
• a217a7d fix: add mising getMetrics type (#2640)
• 13fe324 docs: update README.md typo (#2607)
• 4ce36fe fix: remove deprecated debuglog
• 532b1a7 docs: fix typo in issue_template.md (#2627)
• a1fe08e docs: fix typos in docs (#2623)
• dcca1e8 fix(worker): high-memory-usage-when-providing-float-to-concurrency (#2620)
• 47722ed fix(typings): return type of getJobCountByTypes (#2622)
• 4b8a386 chore: upgrade semver version 7.3.2 to 7.5.2 (#2617)
• bae6427 fix(types): rename strategyOptions to options to reflect js file
• e4e6457 fix(types): add missing keys to repeat opts
• 909a07e fix: change option name to match ts declaration
• 11331b7 fix: ts declaration metrics option and getMetrics function
• e1883f0 feat: upgrade ioredis to 5.3.2
• 9dc9fd0 docs: correct createClient property typing
• aa17891 docs: removed wrong property in QueueOptions
• 3aabb74 chore(release): 4.10.4 [skip ci]
• 5b4bc0b test(retry): fix retry test error
• 9f945d6 fix(retry): handle pause queue status
• 6c6ecb2 chore(deps): bump http-cache-semantics from 4.1.0 to 4.1.1
• 829e26e chore(release): 4.10.3 [skip ci]
• 8a0292a fix: don't reschedule delay timer if closing (#2535)
• 486c148 docs: update README

See the full diff

Package name: express

The new version differs by 250 commits.

• 7e562c6 4.21.0
• 1bcde96 fix(deps): [email protected] (#5946)
• 7d36477 fix(deps): [email protected] (#5951)
• 40d2d8f fix(deps): [email protected]
• 77ada90 Deprecate `"back"` magic string in redirects (#5935)
• 21df421 4.20.0
• 4c9ddc1 feat: upgrade to [email protected]
• 9ebe5d5 feat: upgrade to [email protected] (#5928)
• ec4a01b feat: upgrade to [email protected] (#5926)
• 54271f6 fix: don't render redirect values in anchor href
• 125bb74 [email protected] (#5902)
• 2a980ad [email protected] (#5781)
• a3e7e05 docs: specify new instructions for `question` and `discuss`
• c5addb9 deps: [email protected] (#5603)
• e35380a docs: add @ IamLizu to the triage team (#5836)
• f5b6e67 docs: update scorecard link (#5814)
• 2177f67 docs: add OSSF Scorecard badge (#5436)
• f4bd86e Replace Appveyor windows testing with GHA (#5599)
• 2ec589c Fix Contributor Covenant link definition reference in attribution section (#5762)
• 4cf7eed remove minor version pinning from ci (#5722)
• 6d08471 📝 update people, add ctcpip to TC (#5683)
• 61421a8 skip QUERY tests for Node 21 only, still not supported (#5695)
• f42b160 [v4] Deprecate `res.clearCookie` accepting `options.maxAge` and `options.expires` (#5672)
• 689073d ✨ bring back query tests for node 21 (#5690)

See the full diff

Package name: yargs

The new version differs by 189 commits.

• c53e171 chore: v17.6.0 release
• 6cd8e2d chore(main): release 17.6.0 (#2213)
• 38e8df1 fix(deps): cliui with forced strip-ansi update (#2241)
• 394f5f8 fix(typescript): address warning with objectKeys
• 561fc7a fix(deno): use 'globalThis' instead of 'window' (#2186) (#2215)
• 5895cf1 feat(lang): Czech locale (#2220)
• f91d9b3 fix: dont clobber description for multiple option calls (#2171)
• b680ace feat(usage): add YARGS_DISABLE_WRAP env variable to disable wrap (#2210)
• 659dbbb docs: update links to main branch
• 0251511 chore(main): release 17.5.1 (#2187)
• 22e9af2 fix(completion): correct zsh installation instructions
• cbc2eb7 fix: address bug when strict and async middleware used together (#2164)
• 8912078 refactor: use prototype (#2165)
• 1c331f2 fix(lang): add missing terms to Russian translation (#2181)
• 2109bd6 refactor: make isDefaulted private (#2188)
• b672e70 fix: prevent infinite loop with empty locale (#2179)
• 4dac5b8 fix: passed arguments should take precedence over values in config (#2100)
• e0823dd fix: handle multiple node_modules folders determining mainFilename for ESM (#2123)
• b42e0ca test: remove console.log (#2157)
• 5685382 fix: add missing entries to published files (#2185)
• fcb4d38 chore(main): release 17.5.0 (#2184)
• 7e85096 Revert "chore: Set permissions for GitHub actions (#2168)" (#2183)
• 95aed1c fix: import yargs/yargs in esm projects (#2151)
• db35423 fix(completion): support for default flags

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Cross-site Scripting
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn