[Snyk] Upgrade: , argon2, config, dayjs, dotenv, express-fileupload, express-rate-limit, mongoose, nanoid, nodemailer, pino, zod

[JonasLang-dev]

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

@typegoose/typegoose
from 9.10.1 to 9.13.2 | 12 versions ahead of your current version | 2 years ago
on 2022-12-01
argon2
from 0.28.7 to 0.41.0 | 15 versions ahead of your current version | 22 days ago
on 2024-08-25
config
from 3.3.7 to 3.3.12 | 5 versions ahead of your current version | 3 months ago
on 2024-06-25
dayjs
from 1.11.4 to 1.11.13 | 9 versions ahead of your current version | a month ago
on 2024-08-20
dotenv
from 16.0.1 to 16.4.5 | 19 versions ahead of your current version | 7 months ago
on 2024-02-20
express-fileupload
from 1.4.0 to 1.5.1 | 5 versions ahead of your current version | 2 months ago
on 2024-07-13
express-rate-limit
from 6.5.1 to 6.11.2 | 12 versions ahead of your current version | a year ago
on 2023-09-12
mongoose
from 6.4.6 to 6.13.0 | 54 versions ahead of your current version | 3 months ago
on 2024-06-06
nanoid
from 3.3.4 to 3.3.7 | 3 versions ahead of your current version | 10 months ago
on 2023-11-06
nodemailer
from 6.7.7 to 6.9.14 | 17 versions ahead of your current version | 3 months ago
on 2024-06-19
pino
from 8.3.0 to 8.21.0 | 35 versions ahead of your current version | 5 months ago
on 2024-04-24
zod
from 3.17.10 to 3.23.8 | 111 versions ahead of your current version | 4 months ago
on 2024-05-08

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ZOD-5925617	305	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	305	Proof of Concept
	Prototype Pollution SNYK-JS-MONGOOSE-5777721	305	Proof of Concept
	Prototype Poisoning SNYK-JS-QS-3153490	305	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	305	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	305	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	305	Proof of Concept
	Open Redirect SNYK-JS-EXPRESS-6474509	305	No Known Exploit
	Cross-site Scripting SNYK-JS-EXPRESS-7926867	305	No Known Exploit
	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	305	Proof of Concept
	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-TAR-6476909	305	Proof of Concept
	Server-Side Request Forgery (SSRF) SNYK-JS-IP-7148531	305	Proof of Concept
	Prototype Pollution SNYK-JS-JSON5-3182856	305	Proof of Concept
	Information Exposure SNYK-JS-MONGODB-5871303	305	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-NODEMAILER-6219989	305	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	305	Proof of Concept
	Cross-site Scripting SNYK-JS-SEND-7926862	305	No Known Exploit

Release notes

Package name: @typegoose/typegoose

• 9.13.2 - 2022-12-01
  

  9.13.2 (2022-12-01)

  Fixes

  • deprecate option "runSyncIndexes" (40f6d30)
• 9.13.1 - 2022-11-24
  

  9.13.1 (2022-11-24)

  Fixes

  • typeguards: quick fix for typescript 4.9 (df36c34), closes #772
• 9.13.0 - 2022-11-22
  

  9.13.0 (2022-11-22)

  Features

  • fix non-nested discriminator hooks & plugins (8cc7301), closes Automattic/mongoose#12472 Automattic/mongoose#12604 Automattic/mongoose#12613 Automattic/mongoose#12696 typegoose/typegoose#768

  Dependencies

  • @ types/lodash: upgrade to 4.14.186 (8367452)
  • @ types/lodash: upgrade to 4.14.189 (6257223)
  • @ types/semver: upgrade to 7.3.13 (9c7a151)
  • @ typescript-eslint/*: upgrade to 5.41.0 (e10e53a)
  • @ typescript-eslint/*: upgrade to 5.43.0 (851163f)
  • eslint: upgrade to 8.26.0 (187c843)
  • eslint: upgrade to 8.27.0 (436036a)
  • loglevel: upgrade to 1.8.1 (b017f76)
  • mongodb-memory-server: upgrade to 8.10.0 (79242e6)
  • mongodb-memory-server: upgrade to 8.9.3 (1725f65)
  • mongoose: upgrade to 6.7.0 (d5fa0e0)
  • mongoose: upgrade to 6.7.2 (d1e83f7)
  • semver: upgrade to 7.3.8 (7dc8138)
  • tslib: upgrade to 2.4.1 (9da2600)
  • typescript: upgrade to 4.8.4 (6590961), closes #644

  Style

  • dbIndex.test: remove unused imports (7c1c7be)
• 9.13.0-beta.2 - 2022-11-17
  

  9.13.0-beta.2 (2022-11-17)

  Features

  • fix non-nested discriminator hooks & plugins (8cc7301), closes #12472 #12604 #12613 #12696 typegoose/typegoose#768

  Dependencies

  • @ types/lodash: upgrade to 4.14.189 (6257223)
  • @ typescript-eslint/*: upgrade to 5.43.0 (851163f)
  • eslint: upgrade to 8.27.0 (436036a)
  • loglevel: upgrade to 1.8.1 (b017f76)
  • mongodb-memory-server: upgrade to 8.10.0 (79242e6)
  • mongoose: upgrade to 6.7.2 (d1e83f7)
  • tslib: upgrade to 2.4.1 (9da2600)
• 9.13.0-beta.1 - 2022-10-27
  

  9.13.0-beta.1 (2022-10-27)

  Dependencies

  • @ types/lodash: upgrade to 4.14.186 (8367452)
  • @ types/semver: upgrade to 7.3.13 (9c7a151)
  • @ typescript-eslint/*: upgrade to 5.41.0 (e10e53a)
  • eslint: upgrade to 8.26.0 (187c843)
  • mongodb-memory-server: upgrade to 8.9.3 (1725f65)
  • mongoose: upgrade to 6.7.0 (d5fa0e0)
  • semver: upgrade to 7.3.8 (7dc8138)
  • typescript: upgrade to 4.8.4 (6590961), closes #644
• 9.12.1 - 2022-09-26
  

  9.12.1 (2022-09-26)

  Fixes

  • add option to skip applying plugins on discriminators (f9cbc90)
• 9.12.0 - 2022-09-13
  

  9.12.0 (2022-09-13)

  Dependencies

  • @ types/jest: upgrade to 28.1.8 (cc0377f)
  • @ types/lodash: upgrade to 4.14.185 (58bde50)
  • @ types/semver: upgrade to 7.3.12 (570d6d2)
  • @ typescript-eslint/*: upgrade to 5.37.0 (0eb4fa6)
  • eslint: upgrade to 8.23.1 (fe69e01)
  • jest-runner-tsd: upgrade to 3.1.1 (28dfd2a)
  • mongodb-memory-server: upgrade to 8.9.1 (76b8ba9)
  • mongoose: upgrade to 6.6.0 (44fce67)
  • ts-jest: upgrade to 28.0.8 (7bfba67)
• 9.11.2 - 2022-08-25
  

  9.11.2 (2022-08-25)

  Style

  • fix some typos (#754) (12b7007)
• 9.11.1 - 2022-08-25
  

  9.11.1 (2022-08-25)

  Fixes

  • scripts: use double quotes in lint file glob (#755) (e383d32)
• 9.11.0 - 2022-07-28
  

  9.11.0 (2022-07-28)

  Dependencies

  • @ types/jest: upgrade to 28.1.6 (3d93a26)
  • @ typescript-eslint/*: upgrade to 5.31.0 (8a10681)
  • eslint: upgrade to 8.20.0 (eaf2af4)
  • jest: upgrade to 28.1.3 (436eda7)
  • lint-staged: upgrade to 12.5.0 (f447011)
  • mongodb-memory-server: upgrade to 8.8.0 (f7b95d5)
  • mongoose: upgrade to 6.5.0 (5535fa8)
  • ts-jest: upgrade to 28.0.7 (7dc67be)
• 9.11.0-beta.2 - 2022-07-28
• 9.11.0-beta.1 - 2022-07-27
• 9.10.1 - 2022-07-03

from @typegoose/typegoose GitHub release notes

Package name: argon2

• 0.41.0 - 2024-08-25
  

  What's Changed

  • Disable LTO to avoid missing symbols in some envs by @ amarshall in #415

  New Contributors

  • @ amarshall made their first contribution in #415

  Full Changelog: v0.40.2...v0.41.0

• 0.40.3 - 2024-05-25
• 0.40.2 - 2024-05-25
  

  Fix issue with publishing tags starting with v

• 0.40.1 - 2024-02-22
• 0.40.0-alpha.3 - 2024-01-10
• 0.40.0-alpha.2 - 2023-12-30
• 0.40.0-alpha.1 - 2023-12-20
• 0.31.2 - 2023-11-04
  

  Note: this is the last version that will support Node 16 since it's support has ended on 2023-09-11. Please upgrade to 18 or preferably 20 as soon as possible.

  What's Changed

  • Fix macos m1 build/release by @ CarsonF in #387
  • Change workflow bridge routes by @ RavelloH in #388

  New Contributors

  • @ CarsonF made their first contribution in #387
  • @ RavelloH made their first contribution in #388

  Full Changelog: v0.31.1...v0.31.2

• 0.31.1 - 2023-09-01
  

  Maintenance release intended to fix missing prebuilts due to failure when building v0.31.0

  Note: v0.31.x will be the last version supporting Node v16. Please update to Node v18 or newer.

  Full Changelog: v0.31.0...v0.31.1

• 0.31.0 - 2023-08-02
  

  What's Changed

  • Security update: bump @ mapbox/node-pre-gyp by @ jdforsythe in #383

  Please update to v0.31.0 as soon as possible.

  New Contributors

  • @ abcfy2 made their first contribution in #371
  • @ jdforsythe made their first contribution in #383

  Full Changelog: v0.30.3...v0.31.0

• 0.30.3 - 2023-01-05
  

  What's Changed

  • Change binding resolution to mitigate "Module parse failed" errors by @ Voltra in #366

  New Contributors

  • @ Voltra made their first contribution in #366

  Full Changelog: v0.30.2...v0.30.3

• 0.30.2 - 2022-11-08
  

  Fixes #362

• 0.30.1 - 2022-10-13
  

  Defaults have been updated to use RFC recommended values, see #360

• 0.29.1 - 2022-08-23
  

  Added builds for FreeBSD, closes #320 and hopefully fixes coder/code-server#4669 coder/code-server#4670

• 0.29.0 - 2022-08-22
• 0.28.7 - 2022-07-03

from argon2 GitHub release notes

Package name: config

• 3.3.12 - 2024-06-25
  

  What's Changed

  • Remove usage of deprecated utils to fix warnings in Node 22 by @ KidkArolis in #764

  New Contributors

  • @ KidkArolis made their first contribution in #764

  Full Changelog: v3.3.11...v3.3.12

• 3.3.11 - 2024-02-01
  

  What's Changed

  • fix: webpack bundling compatibility by @ cbazureau in #757

  New Contributors

  • @ cbazureau made their first contribution in #757

  Full Changelog: v3.3.10...v3.3.11

• 3.3.10 - 2024-01-09
  

  What's Changed

  • replace var to let and const by @ jamashita in #720
  • refactor: 💡 xxx === undefined => typeof xxx === 'undefined' by @ jamashita in #729
  • Fix source maps when using ts config files, improve performance loading ts config files by @ andrzej-woof in #721
  • fix: lack of comments removal, invalid regexp by @ DeutscherDude in #745

  New Contributors

  • @ jamashita made their first contribution in #720
  • @ andrzej-woof made their first contribution in #721
  • @ DeutscherDude made their first contribution in #745

  Full Changelog: v3.3.9...v3.3.10

• 3.3.9 - 2023-01-17
  

  What's Changed

  • Support loading transpiled JS config files by @ Tomas2D in #692
  • fix(vulnerability): upgrade json5 version from 2.2.1 to 2.2.2 by @ veekays in #713

  New Contributors

  • @ Tomas2D made their first contribution in #692
  • @ veekays made their first contribution in #713

  Full Changelog: v3.3.8...v3.3.9

• 3.3.8 - 2022-09-09
  

  What's Changed

  • bump json5 dep to 2.2.1
  • Cleanup of file scoped environment variables by @ jdmarshall in #667
  • Allow multiple relative directory paths separated by path.delimiter to work by @ inside in #661
  • Reentrancy bugs by @ jdmarshall in #668
  • Fixed property mutation. Throw an exception on such an attempt. Updat… by @ fgheorghe in #516
  • docs: update copyright & fix misspelling by @ DigitalGreyHat in #677

  New Contributors

  • @ jdmarshall made their first contribution in #667
  • @ inside made their first contribution in #661
  • @ DigitalGreyHat made their first contribution in #677

  Full Changelog: v3.3.7...v3.3.8

• 3.3.7 - 2022-01-11
  
  • No code changes. Resolving versioning / release mix-up

from config GitHub release notes

Package name: dayjs

• 1.11.13 - 2024-08-20
  

  1.11.13 (2024-08-20)

  Bug Fixes

  • customParseFormat supports Q quter / w ww weekOfYear (#2705) (8ca74f1)
• 1.11.12 - 2024-07-18
  

  1.11.12 (2024-07-18)

  Bug Fixes

  • Add NegativeYear Plugin support (#2640) (6a42e0d)
  • add UTC support to negativeYear plugin (#2692) (f3ef705)
  • Fix zero offset issue when use tz with locale (#2532) (d0e6738)
  • Improve typing for min/max plugin (#2573) (4fbe94a)
  • timezone plugin currect parse UTC tz (#2693) (b575c81)
• 1.11.11 - 2024-04-28
  

  1.11.11 (2024-04-28)

  Bug Fixes

  • day of week type literal (#2630) (f68d73e)
  • improve locale "zh-hk" format and meridiem (#2419) (a947a51)
  • Update 'da' locale to match correct first week of year (#2592) (44b0936)
  • update locale Bulgarian monthsShort Jan (#2538) (f0c9a41)
• 1.11.10 - 2023-09-19
  

  1.11.10 (2023-09-19)

  Bug Fixes

  • Add Korean Day of Month with ordinal (#2395) (dd55ee2)
  • change back fa locale to the Gregorian calendar equivalent (#2411) (95e9458)
  • duration plugin - MILLISECONDS_A_MONTH const calculation (#2362) (f0a0b54)
  • duration plugin getter get result 0 instead of undefined (#2369) (061aa7e)
  • fix isDayjs check logic (#2383) (5f3f878)
  • fix timezone plugin to get correct locale setting (#2420) (4f45012)
  • locale: add meridiem in ar locale (#2418) (361be5c)
  • round durations to millisecond precision for ISO string (#2367) (890a17a)
  • sub-second precisions need to be rounded at the seconds field to avoid adding floats (#2377) (a9d7d03)
  • update $x logic to avoid plugin error (#2429) (2254635)
  • Update Slovenian locale for relative time (#2396) (5470a15)
  • update uzbek language translation (#2327) (0a91056)
• 1.11.9 - 2023-07-01
  

  1.11.9 (2023-07-01)

  Bug Fixes

  • Add null to min and max plugin return type (#2355) (62d9042)
  • check if null passed to objectSupport parser (#2175) (013968f)
  • dayjs.diff improve performance (#2244) (33c80e1)
  • dayjs(null) throws error, not return dayjs object as invalid date (#2334) (c79e2f5)
  • objectSupport plugin causes an error when null is passed to dayjs function (closes #2277) (#2342) (89bf31c)
  • Optimize format method (#2313) (1fe1b1d)
  • update Duration plugin add/subtract take into account days in month (#2337) (3b1060f)
  • update MinMax plugin 1. ignore the 'null' in args 2. return the only one arg (#2330) (3c2c6ee)
• 1.11.8 - 2023-06-02
  

  1.11.8 (2023-06-02)

  Bug Fixes

  • .format add padding to 'YYYY' (#2231) (00c223b)
  • Added .valueOf method to Duration class (#2226) (9b4fcfd)
  • timezone type mark date parameter as optional (#2222) (b87aa0e)
  • type file first parameter date is optional in isSame(), isBefore(), isAfter() (#2272) (4d56f3e)
• 1.11.7 - 2022-12-06
  

  1.11.7 (2022-12-06)

  Bug Fixes

  • Add locale (zh-tw) meridiem (#2149) (1e9ba76)
  • update fa locale (#2151) (1c26732)
• 1.11.6 - 2022-10-21
  

  1.11.6 (2022-10-21)

  Bug Fixes

  • add BigIntSupport plugin (