[Snyk] Fix for 1 vulnerabilities

[debrupishere]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • ee/server/services/package.json
  • ee/server/services/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	601/1000 Why? Recently disclosed, Has a fix available, CVSS 6.3	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: cookie

The new version differs by 122 commits.

• ab057d6 0.7.0
• 5f02ca8 Migrate history to GitHub releases
• a5d591c Migrate history to GitHub releases
• 51968f9 Skip isNaN
• 9e7ca51 perf(parse): cache length, return early (We should replace new lines for <br>, allowing the text to span multiple lines RocketChat/Rocket.Chat#144)
• d6f39b0 Fix tests for old node
• 6bb701f Remove failing scorecard
• ca70da4 test(serialize): additional tests for name, domain and path RFC validations (Option to enable/disable notification sound/message RocketChat/Rocket.Chat#171)
• 47917c9 Iterate whitespace for perf (Automatically close code tags RocketChat/Rocket.Chat#170)
• 927d48a Add `main` to `package.json` (Hebrew translation RocketChat/Rocket.Chat#166)
• c679ccc Fix CI
• e100428 fix: narrow the validation of cookies to match RFC6265 (Ability to select specific messages to reply to RocketChat/Rocket.Chat#167)
• 26031e3 docs: fix typo in function description (Better Stylesheet organization + Fix for scroll in chatlist/messages/userlist RocketChat/Rocket.Chat#161)
• 2294a8f ci: add scorecard pipeline (Group messages RocketChat/Rocket.Chat#158)
• 38323ba 0.6.0
• 7560154 build: top-sites@1.1.194
• c45b52d docs: switch badges to badgen
• 84a1567 Add partitioned option
• c67a478 docs: fix typos in HISTORY
• 52a76c1 docs: fix typo in HISTORY
• 5f22857 Fix typo in JSDoc
• da7e44e build: mocha@10.2.0
• 936036a build: eslint-plugin-markdown@3.0.1
• 197f670 build: eslint@8.53.0

See the full diff

Package name: cookie-parser

The new version differs by 42 commits.

• 5d61e1e 1.4.7
• ccf1f54 deps: cookie@0.7.2 ([Snyk] Fix for 3 vulnerabilities #116)
• 429cfd4 ci: Use GITHUB_OUTPUT envvar instead of set-output command ([Snyk] Security upgrade express from 4.17.1 to 4.20.0 #100)
• ca4c97e ci: fix errors in ci pipeline for node 8 and 9 ([Snyk] Fix for 3 vulnerabilities #104)
• 97bdf39 ci: add support for OSSF scorecard reporting ([Snyk] Fix for 3 vulnerabilities #103)
• e5862bd build: Node.js@17.6
• f0688d2 build: Node.js@14.19
• 44ec541 build: Node.js@16.14
• 695435a deps: cookie@0.4.2
• f66e7e1 build: mocha@9.2.1
• 05e40b1 build: Node.js@17.3
• bc1d501 build: use supertest@3.4.2 for Node.js 6.x
• dda4c5b 1.4.6
• 8653e78 build: support Node.js 17.x
• 6ec9c5b deps: cookie@0.4.1
• ee68a8a build: eslint-plugin-standard@4.1.0
• 7828d66 build: mocha@9.1.3
• dafa811 build: use nyc for coverage testing
• d80cf11 build: eslint-plugin-promise@4.3.1
• c954873 build: supertest@6.1.6
• 8ad6c54 build: mocha@8.4.0
• 716f5a4 build: support Node.js 16.x
• 90c418d build: eslint@7.32.0
• a3cff78 build: support Node.js 15.x

See the full diff

Package name: express

The new version differs by 250 commits.

• 8e229f9 4.21.1
• a024c8a fix(deps): cookie@0.7.1
• 7e562c6 4.21.0
• 1bcde96 fix(deps): qs@6.13.0 (Outgoing Webhook sends empty body RocketChat/Rocket.Chat#5946)
• 7d36477 fix(deps): serve-static@1.16.2 (Using iframe integration not able to login to exact user which i am suppose to RocketChat/Rocket.Chat#5951)
• 40d2d8f fix(deps): finalhandler@1.3.1
• 77ada90 Deprecate `"back"` magic string in redirects (Rocketchat client doesn't show popup  RocketChat/Rocket.Chat#5935)
• 21df421 4.20.0
• 4c9ddc1 feat: upgrade to serve-static@0.16.0
• 9ebe5d5 feat: upgrade to send@0.19.0 (render emoji as images in emails RocketChat/Rocket.Chat#5928)
• ec4a01b feat: upgrade to body-parser@1.20.3 (Support multiple certificates/apps on Push Notification (iOS and Android) RocketChat/Rocket.Chat#5926)
• 54271f6 fix: don't render redirect values in anchor href
• 125bb74 path-to-regexp@0.1.10 ([NEW] Adds a Keyboard Shortcut option to the flextab RocketChat/Rocket.Chat#5902)
• 2a980ad merge-descriptors@1.0.3 (Internal hubot default user name should be lower-case RocketChat/Rocket.Chat#5781)
• a3e7e05 docs: specify new instructions for `question` and `discuss`
• c5addb9 deps: path-to-regexp@0.1.8 (Add relation between client cache and user’s token RocketChat/Rocket.Chat#5603)
• e35380a docs: add @ IamLizu to the triage team (Don’t report gravitar 404 as server error RocketChat/Rocket.Chat#5836)
• f5b6e67 docs: update scorecard link (fix search z-index RocketChat/Rocket.Chat#5814)
• 2177f67 docs: add OSSF Scorecard badge (Add a reset button in permissions RocketChat/Rocket.Chat#5436)
• f4bd86e Replace Appveyor windows testing with GHA (API Groups rename fix RocketChat/Rocket.Chat#5599)
• 2ec589c Fix Contributor Covenant link definition reference in attribution section (Guggy Integration cannot work RocketChat/Rocket.Chat#5762)
• 4cf7eed remove minor version pinning from ci (Sort menu items by translations RocketChat/Rocket.Chat#5722)
• 6d08471 📝 update people, add ctcpip to TC (Don't require user exist in a public room to add other users RocketChat/Rocket.Chat#5683)
• 61421a8 skip QUERY tests for Node 21 only, still not supported (Issue with import from Slack RocketChat/Rocket.Chat#5695)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)