[Snyk] Upgrade: , , , cookie-session, express, express-validator, mongoose, typescript

[AlexanderSCK]

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

@types/express
from 4.17.13 to 4.17.21 | 8 versions ahead of your current version | 10 months ago
on 2023-11-07
@types/cookie-session
from 2.0.44 to 2.0.49 | 5 versions ahead of your current version | 5 months ago
on 2024-04-17
@types/jsonwebtoken
from 8.5.8 to 8.5.9 | 1 version ahead of your current version | 2 years ago
on 2022-08-24
cookie-session
from 2.0.0 to 2.1.0 | 1 version ahead of your current version | 8 months ago
on 2024-01-24
express
from 4.17.3 to 4.19.2 | 7 versions ahead of your current version | 6 months ago
on 2024-03-25
express-validator
from 6.14.0 to 6.15.0 | 4 versions ahead of your current version | 2 years ago
on 2023-02-16
mongoose
from 6.2.9 to 6.13.0 | 73 versions ahead of your current version | 3 months ago
on 2024-06-06
typescript
from 4.6.3 to 4.9.5 | 260 versions ahead of your current version | 2 years ago
on 2023-01-30

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Prototype Pollution SNYK-JS-MONGOOSE-2961688	519	Proof of Concept
	Prototype Pollution SNYK-JS-MONGOOSE-5777721	519	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	519	Proof of Concept
	Open Redirect SNYK-JS-EXPRESS-6474509	519	No Known Exploit
	Information Exposure SNYK-JS-MONGODB-5871303	519	No Known Exploit
	Server-Side Request Forgery (SSRF) SNYK-JS-IP-7148531	519	Proof of Concept

Release notes

Package name: @types/express

• 4.17.21 - 2023-11-07
• 4.17.20 - 2023-10-18
• 4.17.19 - 2023-10-10
• 4.17.18 - 2023-09-23
• 4.17.17 - 2023-02-03
• 4.17.16 - 2023-01-23
• 4.17.15 - 2022-12-13
• 4.17.14 - 2022-09-13
• 4.17.13 - 2021-07-06

from @types/express GitHub release notes

Package name: @types/cookie-session

• 2.0.49 - 2024-04-17
• 2.0.48 - 2023-11-20
• 2.0.47 - 2023-11-07
• 2.0.46 - 2023-10-18
• 2.0.45 - 2023-09-04
• 2.0.44 - 2021-12-23

from @types/cookie-session GitHub release notes

Package name: @types/jsonwebtoken

• 8.5.9 - 2022-08-24
• 8.5.8 - 2022-01-17

from @types/jsonwebtoken GitHub release notes

Package name: cookie-session

• 2.1.0 - 2024-01-24
  
  • Fix loading sessions with special keys
  • deps: cookies@0.9.1
    • Add partitioned option for CHIPS support
    • Add priority option for Priority cookie support
    • Fix accidental cookie name/value truncation when given invalid chars
    • Fix maxAge option to reject invalid values
    • Remove quotes from returned quoted cookie value
    • Use req.socket over deprecated req.connection
    • pref: small lookup regexp optimization
• 2.0.0 - 2021-12-16
  
  • Change default cookie name to session
  • Change .populated to .isPopulated
  • Create new session for all types of invalid sessions
  • Drop support for Node.js 0.8
  • Remove private req.session.save()
  • Remove the key option; use name instead
  • Remove undocumented req.session.length to free up key name
  • Remove undocumented req.sessionCookies and req.sessionKey
  • Save all enumerable properties on req.session
    • Including _-prefixed properties
  • Use Object.defineProperty instead of deprecated __define*__
  • Use safe-buffer for improved Buffer API
  • deps: cookies@0.8.0
    • Fix check for default secure option behavior
    • Fix maxAge option preventing cookie deletion
    • Support "none" in sameSite option
    • deps: depd@~2.0.0
    • deps: keygrip@~1.1.0
    • perf: remove argument reassignment
  • deps: debug@3.2.7
    • Add DEBUG_HIDE_DATE
    • Add 256 color mode support
    • Enable / disable namespaces dynamically
    • Make millisecond timer namespace-specific
    • Remove DEBUG_FD support
    • Use Date#toISOString() when output is not a TTY
  • deps: on-headers@~1.0.2
    • Fix res.writeHead patch missing return value
  • deps: safe-buffer@5.2.1
  • perf: reduce the scope of try-catch deopt
  • perf: remove internal reference to request from session object

from cookie-session GitHub release notes

Package name: express

• 4.19.2 - 2024-03-25
• 4.19.1 - 2024-03-20
  

  What's Changed

  • Fix ci after location patch by @ wesleytodd in #5552
  • fixed un-edited version in history.md for 4.19.0 by @ wesleytodd in #5556

  Full Changelog: 4.19.0...4.19.1

• 4.19.0 - 2024-03-20
  

  What's Changed

  • fix typo in release date by @ UlisesGascon in #5527
  • docs: nominating @ wesleytodd to be project captian by @ wesleytodd in #5511
  • docs: loosen TC activity rules by @ wesleytodd in #5510
  • Add note on how to update docs for new release by @ crandmck in #5541
  • Prevent open redirect allow list bypass due to encodeurl
  • Release 4.19.0 by @ wesleytodd in #5551

  New Contributors

  • @ crandmck made their first contribution in #5541

  Full Changelog: 4.18.3...4.19.0

• 4.18.3 - 2024-02-29
  

  Main Changes

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2

  Other Changes

  • Use https: protocol instead of deprecated git: protocol by @ vcsjones in #5032
  • build: Node.js@16.18 and Node.js@18.12 by @ abenhamdine in #5034
  • ci: update actions/checkout to v3 by @ armujahid in #5027
  • test: remove unused function arguments in params by @ raksbisht in #5124
  • Remove unused originalIndex from acceptParams by @ raksbisht in #5119
  • Fixed typos by @ raksbisht in #5117
  • examples: remove unused params by @ raksbisht in #5113
  • fix: parameter str is not described in JSDoc by @ raksbisht in #5130
  • fix: typos in History.md by @ raksbisht in #5131
  • build : add Node.js@19.7 by @ abenhamdine in #5028
  • test: remove unused function arguments in params by @ raksbisht in #5137
  • use random port in test so it won't fail on already listening by @ rluvaton in #5162
  • tests: use cb() instead of done() by @ kristof-low in #5233
  • examples: remove multipart example by @ riddlew in #5195
  • Update support Node.js@18 in the CI by @ UlisesGascon in #5490
  • Fix favicon-related bug in cookie-sessions example by @ DmytroKondrashov in #5414
  • Release 4.18.3 by @ UlisesGascon in #5505

  New Contributors

  • @ vcsjones made their first contribution in #5032
  • @ abenhamdine made their first contribution in #5034
  • @ armujahid made their first contribution in #5027
  • @ raksbisht made their first contribution in #5124
  • @ rluvaton made their first contribution in #5162
  • @ kristof-low made their first contribution in #5233
  • @ riddlew made their first contribution in #5195
  • @ DmytroKondrashov made their first contribution in #5414

  Full Changelog: 4.18.2...4.18.3

• 4.18.2 - 2022-10-08
  
  • Fix regression routing a large stack in a single route
  • deps: body-parser@1.20.1
    • deps: qs@6.11.0
    • perf: remove unnecessary object clone
  • deps: qs@6.11.0
• 4.18.1 - 2022-04-29
  
  • Fix hanging on large stack of sync routes
• 4.18.0 - 2022-04-25
  
  • Add "root" option to res.download
  • Allow options without filename in res.download
  • Deprecate string and non-integer arguments to res.status
  • Fix behavior of null/undefined as maxAge in res.cookie
  • Fix handling very large stacks of sync middleware
  • Ignore Object.prototype values in settings through app.set/app.get
  • Invoke default with same arguments as types in res.format
  • Support proper 205 responses using res.send
  • Use http-errors for res.format error
  • deps: body-parser@1.20.0
    • Fix error message for json parse whitespace in strict
    • Fix internal error when inflated body exceeds limit
    • Prevent loss of async hooks context
    • Prevent hanging when request already read
    • deps: depd@2.0.0
    • deps: http-errors@2.0.0
    • deps: on-finished@2.4.1
    • deps: qs@6.10.3
    • deps: raw-body@2.5.1
  • deps: cookie@0.5.0
    • Add priority option
    • Fix expires option to reject invalid dates
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: finalhandler@1.2.0
    • Remove set content headers that break response
    • deps: on-finished@2.4.1
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
    • Prevent loss of async hooks context
  • deps: qs@6.10.3
  • deps: send@0.18.0
    • Fix emitted 416 error missing headers property
    • Limit the headers removed for 304 response
    • deps: depd@2.0.0
    • deps: destroy@1.2.0
    • deps: http-errors@2.0.0
    • deps: on-finished@2.4.1
    • deps: statuses@2.0.1
  • deps: serve-static@1.15.0
    • deps: send@0.18.0
  • deps: statuses@2.0.1
    • Remove code 306
    • Rename 425 Unordered Collection to standard 425 Too Early
• 4.17.3 - 2022-02-17
  
  • deps: accepts@~1.3.8
    • deps: mime-types@~2.1.34
    • deps: negotiator@0.6.3
  • deps: body-parser@1.19.2
    • deps: bytes@3.1.2
    • deps: qs@6.9.7
    • deps: raw-body@2.4.3
  • deps: cookie@0.4.2
  • deps: qs@6.9.7
    • Fix handling of __proto__ keys
  • pref: remove unnecessary regexp for trust proxy

from express GitHub release notes

Package name: express-validator

• 6.15.0 - 2023-02-16
  

  What's Changed

  • chore(deps): bump ua-parser-js from 0.7.32 to 0.7.33 by @ dependabot in #1208
  • chore(deps): bump eta from 1.12.3 to 2.0.0 by @ dependabot in #1211
  • chore(deps): bump http-cache-semantics from 4.1.0 to 4.1.1 by @ dependabot in #1210
  • feat: update to support validator 13.9.0 by @ fedeci in #1212

  Full Changelog: v6.14.3...v6.15.0

• 6.14.3 - 2023-01-20
  

  What's Changed

  • docs: fixed typo in sanitization chain example by @ ankushknr19 in #1195
  • fixed infinite recursion when the request has a field called * (#1205)

  New Contributors

  • @ ankushknr19 made their first contribution in #1195

  Full Changelog: v6.14.2...v6.14.3

• 6.14.2 - 2022-06-19
  

  What's Changed

  • correctly run .matches when passing regex object by @ tonysamperi in #1156

  New Contributors

  • @ tonysamperi made their first contribution in #1156

  Full Changelog: v6.14.1...v6.14.2

• 6.14.1 - 2022-05-22
  

  What's Changed

  • Add validationResult() for schema validation example by @ daenamkim in #1120
  • chore(deps): bump shelljs from 0.8.4 to 0.8.5 by @ dependabot in #1128
  • chore(deps): bump ajv from 6.11.0 to 6.12.6 by @ dependabot in #1129
  • chore(deps): bump prismjs from 1.25.0 to 1.27.0 by @ dependabot in #1135
  • docs: remove dependencies status badge by @ gustavohenke in #1131
  • chore(deps): bump minimist from 1.2.5 to 1.2.6 by @ dependabot in #1142
  • chore(deps): bump async from 2.6.3 to 2.6.4 by @ dependabot in #1147
  • Add missing SK postal code - #1144

  New Contributors

  • @ daenamkim made their first contribution in #1120

  Full Changelog: v6.14.0...v6.14.1

• 6.14.0 - 2021-12-11
  

  What's Changed

  • feat: update validator to 13.7 by @ fedeci in #1115
  • chore(deps): bump tmpl from 1.0.4 to 1.0.5 by @ dependabot in #1116
  • chore(deps): bump path-parse from 1.0.6 to 1.0.7 by @ dependabot in #1118
  • chore(deps): bump prismjs from 1.24.0 to 1.25.0 by @ dependabot in #1117

  Full Changelog: v6.13.0...v6.14.0

from express-validator GitHub release notes

Package name: mongoose

• 6.13.0 - 2024-06-06
• 6.12.9 - 2024-05-24
• 6.12.8 - 2024-04-10
• 6.12.7 - 2024-03-01
• 6.12.6 - 2024-01-22
• 6.12.5 - 2024-01-03
• 6.12.4 - 2023-12-27
• 6.12.3 - 2023-11-07
• 6.12.2 - 2023-10-25
• 6.12.1 - 2023-10-12
• 6.12.0 - 2023-08-24
• 6.11.6 - 2023-08-21
• 6.11.5 - 2023-08-01
• 6.11.4 - 2023-07-17
• 6.11.3 - 2023-07-11
• 6.11.2 - 2023-06-08
• 6.11.1 - 2023-05-08
• 6.11.0 - 2023-05-01
• 6.10.5 - 2023-04-06
• 6.10.4 - 2023-03-21
• 6.10.3 - 2023-03-13
• 6.10.2 - 2023-03-07
• 6.10.1 - 2023-03-03
• 6.10.0 - 2023-02-22
• 6.9.3 - 2023-02-22
• 6.9.2 - 2023-02-16
• 6.9.1 - 2023-02-06
• 6.9.0 - 2023-01-25
• 6.8.4 - 2023-01-17
• 6.8.3 - 2023-01-06
• 6.8.2 - 2022-12-28
• 6.8.1 - 2022-12-19
• 6.8.0 - 2022-12-05
• 6.7.5 - 2022-11-30
• 6.7.4 - 2022-11-28
• 6.7.3 - 2022-11-22
• 6.7.2 - 2022-11-07
• 6.7.1 - 2022-11-02
• 6.7.0 - 2022-10-24
• 6.6.7 - 2022-10-21
• 6.6.6 - 2022-10-20
• 6.6.5 - 2022-10-05
• 6.6.4 - 2022-10-03
• 6.6.3 - 2022-09-30
• 6.6.2 - 2022-09-26
• 6.6.1 - 2022-09-14
• 6.6.0 - 2022-09-08
• 6.5.5 - 2022-09-07
• 6.5.4 - 2022-08-30
• 6.5.3 - 2022-08-25
• 6.5.2 - 2022-08-10
• 6.5.1 - 2022-08-03
• 6.5.0 - 2022-07-26
• 6.4.7 - 2022-07-25
• 6.4.6 - 2022-07-20
• 6.4.5 - 2022-07-18
• 6.4.4 - 2022-07-08
• 6.4.3 - 2022-07-05
• 6.4.2 - 2022-07-01
• 6.4.1 - 2022-06-27
• 6.4.0 - 2022-06-17
• 6.3.9 - 2022-06-17
• 6.3.8 - 2022-06-13
• 6.3.7 - 2022-06-13
• 6.3.6 - 2022-06-07
• 6.3.5 - 2022-05-30
• 6.3.4 - 2022-05-19
• 6.3.3 - 2022-05-09
• 6.3.2 - 2022-05-02
• 6.3.1 - 2022-04-21
• 6.3.0 - 2022-04-14
• 6.2.11 - 2022-04-13
• 6.2.10 - 2022-04-04
• 6.2.9 - 2022-03-28

from mongoose GitHub release notes

Package name: typescript

• 4.9.5 - 2023-01-30
• 4.9.4 - 2022-12-07
• 4.9.3 - 2022-11-15
• 4.9.2-rc - 2022-11-01
• 4.9.1-beta - 2022-09-23
• 4.9.0-dev.20221031 - 2022-10-31
• 4.9.0-dev.20221030 - 2022-10-30
• 4.9.0-dev.20221029 - 2022-10-29
• 4.9.0-dev.20221028 - 2022-10-28
• 4.9.0-dev.20221027 - 2022-10-27
• 4.9.0-dev.20221026 - 2022-10-26
• 4.9.0-dev.20221025 - 2022-10-25
• 4.9.0-dev.20221024 - 2022-10-24
• 4.9.0-dev.20221023 - 2022-10-23
• 4.9.0-dev.20221022 - 2022-10-22
• 4.9.0-dev.20221021 - 2022-10-21
• 4.9.0-dev.20221020 - 2022-10-20
• 4.9.0-dev.20221019 - 2022-10-19
• 4.9.0-dev.20221018 - 2022-10-18
• 4.9.0-dev.20221017 - 2022-10-17
• 4.9.0-dev.20221016 - 2022-10-16
• 4.9.0-dev.20221015 - 2022-10-15
• 4.9.0-dev.20221014 - 2022-10-14
• 4.9.0-dev.20221013 - 2022-10-13
• 4.9.0-dev.20221012 - 2022-10-12
• 4.9.0-dev.20221011 - 2022-10-11
• 4.9.0-dev.20221007 - 2022-10-07
• 4.9.0-dev.20221006 - 2022-10-06
• 4.9.0-dev.20221005 - 2022-10-05
• 4.9.0-dev.20221004 - 2022-10-04
• 4.9.0-dev.20221003 - 2022-10-03
• 4.9.0-dev.20221002 - 2022-10-02
• 4.9.0-dev.20221001 - 2022-10-01
• 4.9.0-dev.20220930 - 2022-09-30
• 4.9.0-dev.20220929 - 2022-09-29
• 4.9.0-dev.20220928 - 2022-09-28
• 4.9.0-dev.20220927 - 2022-09-27
• 4.9.0-dev.20220926 - 2022-09-26
• 4.9.0-dev.20220925 - 2022-09-25
• 4.9.0-dev.20220924 - 2022-09-24
• 4.9.0-dev.20220923 - 2022-09-23
• 4.9.0-dev.20220922 - 2022-09-22
• 4.9.0-dev.20220921 - 2022-09-21
• 4.9.0-dev.20220920 - 2022-09-20
• 4.9.0-dev.20220919 - 2022-09-19
• 4.9.0-dev.20220918 - 2022-09-18
• 4.9.0-dev.20220917 - 2022-09-17
• 4.9.0-dev.20220916 - 2022-09-16
• 4.9.0-dev.20220915 - 2022-09-15
• 4.9.0-dev.20220914 - 2022-09-14
• 4.9.0-dev.20220913 - 2022-09-13
• 4.9.0-dev.20220912 - 2022-09-12
• 4.9.0-dev.20220911 - 2022-09-11
• 4.9.0-dev.20220910 - 2022-09-10
• 4.9.0-dev.20220909 - 2022-09-09
• 4.9.0-dev.20220908 - 2022-09-08
• 4.9.0-dev.20220907 - 2022-09-07
• 4.9.0-dev.20220905 - 2022-09-05
• 4.9.0-dev.20220904 - 2022-09-04
• 4.9.0-dev.20220903 - 2022-09-03
• 4.9.0-dev.20220902 - 2022-09-02
• 4.9.0-dev.20220901 - 2022-09-01
• 4.9.0-dev.20220831 - 2022-08-31
• 4.9.0-dev.20220830 - 2022-08-30
• 4.9.0-dev.20220829 - 2022-08-29
• 4.9.0-dev.20220828 - 2022-08-28
• 4.9.0-dev.20220827 - 2022-08-27
• 4.9.0-dev.20220825 - 2022-08-25
• 4.9.0-dev.20220824 - 2022-08-24
• 4.9.0-dev.20220823 - 2022-08-23
• 4.9.0-dev.20220822 - 2022-08-22
• 4.9.0-dev.20220821 - 2022-08-21
• 4.9.0-dev.20220820 - 2022-08-20
• 4.9.0-dev.20220819 - 2022-08-19
• 4.9.0-dev.20220818 - 2022-08-18
• 4.9.0-dev.20220817 - 2022-08-17
• 4.9.0-dev.20220816 - 2022-08-16
• 4.9.0-dev.20220815 - 2022-08-15
• 4.9.0-dev.20220814 - 2022-08-14
• 4.9.0-dev.20220813 - 2022-08-13
• 4.9.0-dev.20220812 - 2022-08-12
• 4.9.0-dev.20220811 - 2022-08-11
• 4.9.0-beta - 2022-09-23
• 4.8.4 - 2022-09-27
• 4.8.3 - 2022-09-08
• 4.8.2 - 2022-08-25
• 4.8.1-rc - 2022-08-11
• 4.8.0-dev.20220809 - 2022-08-09
• 4.8.0-dev.20220808 - 2022-08-08
• 4.8.0-dev.20220807 - 2022-08-07
• 4.8.0-dev.20220806 - 2022-08-06
• 4.8.0-dev.20220805 - 2022-08-05
• 4.8.0-dev.20220804 - 2022-08-04
• 4.8.0-dev.20220803 - 2022-08-03
• 4.8.0-dev.20220802 - 2022-08-02
• 4.8.0-dev.20220801 - 2022-08-01
• 4.8.0-dev.20220731 - 2022-07-31
• 4.8.0-dev.20220730 - 2022-07-30
• 4.8.0-dev.20220729 - 2022-07-29
• 4.8.0-dev.20220728 - 2022-07-28
• 4.8.0-dev.20220727 - 2022-07-27
• 4.8.0-dev.20220726 - 2022-07-26
• 4.8.0-dev.20220725 - 2022-07-25
• 4.8.0-dev.20220724 - 2022-07-24
• 4.8.0-dev.20220723 - 2022-07-23
• 4.8.0-dev.20220722 - 2022-07-22
• 4.8.0-dev.20220721 - 2022-07-21
• 4.8.0-dev.20220720 - 2022-07-20
• 4.8.0-dev.20220719 - 2022-07-19
• 4.8.0-dev.20220718 - 2022-07-18
• 4.8.0-dev.20220717 - 2022-07-17
• 4.8.0-dev.20220716 - 2022-07-16
• 4.8.0-dev.20220715 - 2022-07-15
• 4.8.0-dev.20220714 - 2022-07-14
• 4.8.0-dev.20220713 - 2022-07-13
• 4.8.0-dev.20220712 - 2022-07-12
• 4.8.0-dev.20220711 - 2022-07-11
• 4.8.0-dev.20220710 - 2022-07-10
• 4.8.0-dev.20220709 - 2022-07-09
• 4.8.0-dev.20220708 - 2022-07-08
• 4.8.0-dev.20220707 - 2022-07-07
• 4.8.0-dev.20220706 - 2022-07-06
• 4.8.0-dev.20220705 - 2022-07-05
• 4.8.0-dev.20220704 - 2022-07-04
• 4.8.0-dev.20220703 - 2022-07-03
• 4.8.0-dev.20220701 - 2022-07-01
• 4.8.0-dev.20220630 - 2022-06-30
• 4.8.0-dev.20220629 - 2022-06-...