[Snyk] Upgrade: , dotenv, express, helmet, mongodb, passport, passport-jwt

[richyhoopd]

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

@hapi/boom
from 7.4.2 to 7.4.11 | 9 versions ahead of your current version | 5 years ago
on 2019-09-27
dotenv
from 8.0.0 to 8.6.0 | 7 versions ahead of your current version | 3 years ago
on 2021-05-05
express
from 4.17.1 to 4.19.2 | 9 versions ahead of your current version | 6 months ago
on 2024-03-25
helmet
from 3.22.0 to 3.23.3 | 5 versions ahead of your current version | 4 years ago
on 2020-06-26
mongodb
from 3.2.7 to 3.7.4 | 42 versions ahead of your current version | a year ago
on 2023-06-21
passport
from 0.4.1 to 0.7.0 | 6 versions ahead of your current version | 9 months ago
on 2023-11-27
passport-jwt
from 4.0.0 to 4.0.1 | 1 version ahead of your current version | 2 years ago
on 2022-12-24

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Internal Property Tampering SNYK-JS-BSON-561052	416	No Known Exploit
	Internal Property Tampering SNYK-JS-BSON-6056525	416	No Known Exploit
	Prototype Poisoning SNYK-JS-QS-3153490	416	Proof of Concept
	Open Redirect SNYK-JS-EXPRESS-6474509	416	No Known Exploit
	Prototype Pollution SNYK-JS-HAPIHOEK-548452	416	No Known Exploit
	Session Fixation SNYK-JS-PASSPORT-2840631	416	No Known Exploit

Release notes

Package name: @hapi/boom

• 7.4.11 - 2019-09-27
  

  7.4.11

• 7.4.10 - 2019-09-23
  

  7.4.10

• 7.4.9 - 2019-09-21
  

  7.4.9

• 7.4.8 - 2019-09-20
  

  7.4.8

• 7.4.7 - 2019-09-20
  

  7.4.7

• 7.4.6 - 2019-09-20
  

  7.4.6

• 7.4.5 - 2019-09-19
  

  7.4.5

• 7.4.4 - 2019-09-19
  

  7.4.4

• 7.4.3 - 2019-08-14
  

  7.4.3

• 7.4.2 - 2019-03-29

from @hapi/boom GitHub release notes

Package name: dotenv

• 8.6.0 - 2021-05-05
  

  Show as 'added' in changelog

• 8.5.1 - 2021-05-05
  

  Bump version 8.5.1

• 8.5.0 - 2021-05-05
  

  Bump version 8.5.0

• 8.4.0 - 2021-05-05
  

  Point to types file for VS Code. Bump 8.4.0

• 8.3.0 - 2021-05-05
  

  Drop node 8 support

• 8.2.0 - 2019-10-16
  

  chore(release): 8.2.0

• 8.1.0 - 2019-08-18
  

  chore(release): 8.1.0

• 8.0.0 - 2019-05-02
  

  chore(release): 8.0.0

from dotenv GitHub release notes

Package name: express

• 4.19.2 - 2024-03-25
• 4.19.1 - 2024-03-20
  

  What's Changed

  • Fix ci after location patch by @ wesleytodd in #5552
  • fixed un-edited version in history.md for 4.19.0 by @ wesleytodd in #5556

  Full Changelog: 4.19.0...4.19.1

• 4.19.0 - 2024-03-20
  

  What's Changed

  • fix typo in release date by @ UlisesGascon in #5527
  • docs: nominating @ wesleytodd to be project captian by @ wesleytodd in #5511
  • docs: loosen TC activity rules by @ wesleytodd in #5510
  • Add note on how to update docs for new release by @ crandmck in #5541
  • Prevent open redirect allow list bypass due to encodeurl
  • Release 4.19.0 by @ wesleytodd in #5551

  New Contributors

  • @ crandmck made their first contribution in #5541

  Full Changelog: 4.18.3...4.19.0

• 4.18.3 - 2024-02-29
  

  Main Changes

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2

  Other Changes

  • Use https: protocol instead of deprecated git: protocol by @ vcsjones in #5032
  • build: Node.js@16.18 and Node.js@18.12 by @ abenhamdine in #5034
  • ci: update actions/checkout to v3 by @ armujahid in #5027
  • test: remove unused function arguments in params by @ raksbisht in #5124
  • Remove unused originalIndex from acceptParams by @ raksbisht in #5119
  • Fixed typos by @ raksbisht in #5117
  • examples: remove unused params by @ raksbisht in #5113
  • fix: parameter str is not described in JSDoc by @ raksbisht in #5130
  • fix: typos in History.md by @ raksbisht in #5131
  • build : add Node.js@19.7 by @ abenhamdine in #5028
  • test: remove unused function arguments in params by @ raksbisht in #5137
  • use random port in test so it won't fail on already listening by @ rluvaton in #5162
  • tests: use cb() instead of done() by @ kristof-low in #5233
  • examples: remove multipart example by @ riddlew in #5195
  • Update support Node.js@18 in the CI by @ UlisesGascon in #5490
  • Fix favicon-related bug in cookie-sessions example by @ DmytroKondrashov in #5414
  • Release 4.18.3 by @ UlisesGascon in #5505

  New Contributors

  • @ vcsjones made their first contribution in #5032
  • @ abenhamdine made their first contribution in #5034
  • @ armujahid made their first contribution in #5027
  • @ raksbisht made their first contribution in #5124
  • @ rluvaton made their first contribution in #5162
  • @ kristof-low made their first contribution in #5233
  • @ riddlew made their first contribution in #5195
  • @ DmytroKondrashov made their first contribution in #5414

  Full Changelog: 4.18.2...4.18.3

• 4.18.2 - 2022-10-08
  
  • Fix regression routing a large stack in a single route
  • deps: body-parser@1.20.1
    • deps: qs@6.11.0
    • perf: remove unnecessary object clone
  • deps: qs@6.11.0
• 4.18.1 - 2022-04-29
  
  • Fix hanging on large stack of sync routes
• 4.18.0 - 2022-04-25
  
  • Add "root" option to res.download
  • Allow options without filename in res.download
  • Deprecate string and non-integer arguments to res.status
  • Fix behavior of null/undefined as maxAge in res.cookie
  • Fix handling very large stacks of sync middleware
  • Ignore Object.prototype values in settings through app.set/app.get
  • Invoke default with same arguments as types in res.format
  • Support proper 205 responses using res.send
  • Use http-errors for res.format error
  • deps: body-parser@1.20.0
    • Fix error message for json parse whitespace in strict
    • Fix internal error when inflated body exceeds limit
    • Prevent loss of async hooks context
    • Prevent hanging when request already read
    • deps: depd@2.0.0
    • deps: http-errors@2.0.0
    • deps: on-finished@2.4.1
    • deps: qs@6.10.3
    • deps: raw-body@2.5.1
  • deps: cookie@0.5.0
    • Add priority option
    • Fix expires option to reject invalid dates
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: finalhandler@1.2.0
    • Remove set content headers that break response
    • deps: on-finished@2.4.1
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
    • Prevent loss of async hooks context
  • deps: qs@6.10.3
  • deps: send@0.18.0
    • Fix emitted 416 error missing headers property
    • Limit the headers removed for 304 response
    • deps: depd@2.0.0
    • deps: destroy@1.2.0
    • deps: http-errors@2.0.0
    • deps: on-finished@2.4.1
    • deps: statuses@2.0.1
  • deps: serve-static@1.15.0
    • deps: send@0.18.0
  • deps: statuses@2.0.1
    • Remove code 306
    • Rename 425 Unordered Collection to standard 425 Too Early
• 4.17.3 - 2022-02-17
  
  • deps: accepts@~1.3.8
    • deps: mime-types@~2.1.34
    • deps: negotiator@0.6.3
  • deps: body-parser@1.19.2
    • deps: bytes@3.1.2
    • deps: qs@6.9.7
    • deps: raw-body@2.4.3
  • deps: cookie@0.4.2
  • deps: qs@6.9.7
    • Fix handling of __proto__ keys
  • pref: remove unnecessary regexp for trust proxy
• 4.17.2 - 2021-12-17
  
  • Fix handling of undefined in res.jsonp
  • Fix handling of undefined when "json escape" is enabled
  • Fix incorrect middleware execution with unanchored RegExps
  • Fix res.jsonp(obj, status) deprecation message
  • Fix typo in res.is JSDoc
  • deps: body-parser@1.19.1
    • deps: bytes@3.1.1
    • deps: http-errors@1.8.1
    • deps: qs@6.9.6
    • deps: raw-body@2.4.2
    • deps: safe-buffer@5.2.1
    • deps: type-is@~1.6.18
  • deps: content-disposition@0.5.4
    • deps: safe-buffer@5.2.1
  • deps: cookie@0.4.1
    • Fix maxAge option to reject invalid values
  • deps: proxy-addr@~2.0.7
    • Use req.socket over deprecated req.connection
    • deps: forwarded@0.2.0
    • deps: ipaddr.js@1.9.1
  • deps: qs@6.9.6
  • deps: safe-buffer@5.2.1
  • deps: send@0.17.2
    • deps: http-errors@1.8.1
    • deps: ms@2.1.3
    • pref: ignore empty http tokens
  • deps: serve-static@1.14.2
    • deps: send@0.17.2
  • deps: setprototypeof@1.2.0
• 4.17.1 - 2019-05-26

from express GitHub release notes

Package name: helmet

• 3.23.3 - 2020-06-26
  

  3.23.3

• 3.23.2 - 2020-06-23
  

  3.23.2

• 3.23.1 - 2020-06-16
  

  3.23.1

• 3.23.0 - 2020-06-12
  

  3.23.0

• 3.22.1 - 2020-06-10
  

  3.22.1

• 3.22.0 - 2020-03-24
  

  3.22.0

from helmet GitHub release notes

Package name: mongodb

• 3.7.4 - 2023-06-21
  

  The MongoDB Node.js team is pleased to announce version 3.7.4 of the mongodb package!

  Release Highlights

  This release fixes a bug that throws a type error when SCRAM-SHA-256 is used with saslprep in a webpacked environment.

  3.7.4 (2023-06-21)

  Bug Fixes

  • NODE-3711: retry txn end on retryable write (#3047) (1595140)
  • NODE-5355: prevent error when saslprep is not a function (#3733) (152425a)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 3.7.3 - 2021-10-20
• 3.7.2 - 2021-10-05
• 3.7.1 - 2021-09-14
• 3.7.0 - 2021-08-31
• 3.6.12 - 2021-08-30
• 3.6.11 - 2021-08-05
• 3.6.10 - 2021-07-06
• 3.6.9 - 2021-05-26
• 3.6.8 - 2021-05-21
• 3.6.7 - 2021-05-18
• 3.6.6 - 2021-04-06
• 3.6.5 - 2021-03-16
• 3.6.4 - 2021-02-02
• 3.6.3 - 2020-11-06
• 3.6.2 - 2020-09-10
• 3.6.1 - 2020-09-02
• 3.6.0 - 2020-07-30
• 3.6.0-beta.0 - 2020-04-14
• 3.5.11 - 2020-09-10
• 3.5.10 - 2020-07-30
• 3.5.9 - 2020-06-12
• 3.5.8 - 2020-05-28
• 3.5.7 - 2020-04-29
• 3.5.6 - 2020-04-14
• 3.5.5 - 2020-03-11
• 3.5.4 - 2020-02-25
• 3.5.3 - 2020-02-12
• 3.5.2 - 2020-01-20
• 3.5.1 - 2020-01-17
• 3.5.0 - 2020-01-14
• 3.4.1 - 2019-12-19
• 3.4.0 - 2019-12-10
• 3.3.5 - 2019-11-26
• 3.3.4 - 2019-11-11
• 3.3.4-rc0 - 2019-11-06
• 3.3.3 - 2019-10-16
• 3.3.2 - 2019-08-28
• 3.3.1 - 2019-08-23
• 3.3.0 - 2019-08-13
• 3.3.0-beta2 - 2019-07-18
• 3.3.0-beta1 - 2019-06-18
• 3.2.7 - 2019-06-04

from mongodb GitHub release notes

Package name: passport

• 0.7.0 - 2023-11-27
  

  0.7.0

• 0.6.0 - 2022-05-20
  

  0.6.0

• 0.5.3 - 2022-05-16
  

  0.5.3

• 0.5.2 - 2021-12-16
  

  0.5.2

• 0.5.1 - 2021-12-15
  

  0.5.1

• 0.5.0 - 2021-09-23
  

  0.5.0

• 0.4.1 - 2019-12-09
  

  0.4.1

from passport GitHub release notes

Package name: passport-jwt

• 4.0.1 - 2022-12-24
  
  • Updates jsonwebtoken dependency to ^9.0.0 to address high severity
    vulnerability CVE-2022-3517
  • Updates a number of other dependencies
  • Fixes a number of typos

  [Developer facing]

  • Updates CI to use github actions
• 4.0.0 - 2018-03-13
  

  Fixes #147 - Vulnerability due to dependency on jsonwebtoken 7.x.x

from passport-jwt GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs