[Snyk] Upgrade: , dotenv, express, firebase-admin, nodemon, query-string

[davidhin]

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

@google-cloud/storage
from 5.7.2 to 5.20.5 | 50 versions ahead of your current version | 2 years ago
on 2022-05-19
dotenv
from 8.2.0 to 8.6.0 | 5 versions ahead of your current version | 3 years ago
on 2021-05-05
express
from 4.17.1 to 4.19.2 | 9 versions ahead of your current version | 6 months ago
on 2024-03-25
firebase-admin
from 9.4.2 to 9.12.0 | 9 versions ahead of your current version | 3 years ago
on 2021-09-28
nodemon
from 2.0.7 to 2.0.22 | 25 versions ahead of your current version | a year ago
on 2023-03-22
query-string
from 6.13.8 to 6.14.1 | 2 versions ahead of your current version | 4 years ago
on 2021-02-26

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	696	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	696	Proof of Concept
	Uncontrolled resource consumption SNYK-JS-BRACES-6838727	696	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-NORMALIZEURL-1296539	696	No Known Exploit
	Prototype Poisoning SNYK-JS-QS-3153490	696	Proof of Concept
	Open Redirect SNYK-JS-GOT-2932019	696	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTTPCACHESEMANTICS-3248783	696	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	696	No Known Exploit
	Open Redirect SNYK-JS-EXPRESS-6474509	696	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	696	Proof of Concept
	Prototype Pollution SNYK-JS-MINIMIST-2429795	696	Proof of Concept

Release notes

Package name: @google-cloud/storage

• 5.20.5 - 2022-05-19
  

  5.20.5 (2022-05-19)

  Bug Fixes

  • chore: move uuid package to dependencies (#1952) (0ff5aa3)
• 5.20.4 - 2022-05-18
  

  5.20.4 (2022-05-18)

  Bug Fixes

  • revert native typescript mocha tests (#1947) (1d0ea7d)
  • support empty object uploads for resumable upload (#1949) (da6016e)
• 5.20.3 - 2022-05-17
  

  5.20.3 (2022-05-17)

  Bug Fixes

  • move retrieval of package.json to utility function (#1941) (ac5cbdf)
• 5.20.2 - 2022-05-17
  

  5.20.2 (2022-05-17)

  Bug Fixes

  • use path.join and __dirname for require package.json (#1936) (b868762)
• 5.20.1 - 2022-05-16
  

  5.20.1 (2022-05-16)

  Bug Fixes

  • do not use import on package.json (#1932) (d0f0494)
• 5.20.0 - 2022-05-16
  

  5.20.0 (2022-05-16)

  Features

  • add x-goog-api-client headers for retry metrics (#1920) (0c7e4f6)
• 5.19.4 - 2022-04-28
  

  5.19.4 (2022-04-28)

  Bug Fixes

  • don't modify passed in options (#1895) (cd80ca3)
• 5.19.3 - 2022-04-20
  

  5.19.3 (2022-04-20)

  Bug Fixes

  • export idempotencystrategy and preconditionoptions from index (#1880) (8aafe04)
• 5.19.2 - 2022-04-14
  

  5.19.2 (2022-04-14)

  Bug Fixes

  • deleting, getting, and getting metadata for notifications (#1872) (451570e)
• 5.19.1 - 2022-04-11
  

  5.19.1 (2022-04-08)

  Bug Fixes

  • prevent retrying 200 response (#1857) (638a47b)
• 5.19.0 - 2022-04-06
• 5.18.3 - 2022-03-28
• 5.18.2 - 2022-02-16
• 5.18.1 - 2022-01-26
• 5.18.0 - 2022-01-19
• 5.17.0 - 2022-01-10
• 5.16.1 - 2021-12-01
• 5.16.0 - 2021-11-09
• 5.15.6 - 2021-11-08
• 5.15.5 - 2021-11-03
• 5.15.4 - 2021-11-01
• 5.15.3 - 2021-10-14
• 5.15.2 - 2021-10-13
• 5.15.1 - 2021-10-12
• 5.15.0 - 2021-10-07
• 5.14.8 - 2021-10-06
• 5.14.7 - 2021-10-06
• 5.14.6 - 2021-10-06
• 5.14.5 - 2021-10-04
• 5.14.4 - 2021-09-27
• 5.14.3 - 2021-09-22
• 5.14.2 - 2021-09-13
• 5.14.1 - 2021-09-08
• 5.14.0 - 2021-08-26
• 5.13.2 - 2021-08-26
• 5.13.1 - 2021-08-18
• 5.13.0 - 2021-08-09
• 5.12.0 - 2021-08-03
• 5.11.1 - 2021-08-02
• 5.11.0 - 2021-07-26
• 5.10.0 - 2021-07-22
• 5.9.0 - 2021-07-21
• 5.8.5 - 2021-05-04
• 5.8.4 - 2021-04-19
• 5.8.3 - 2021-03-29
• 5.8.2 - 2021-03-23
• 5.8.1 - 2021-03-03
• 5.8.0 - 2021-02-18
• 5.7.4 - 2021-02-01
• 5.7.3 - 2021-01-25
• 5.7.2 - 2021-01-11

from @google-cloud/storage GitHub release notes

Package name: dotenv

• 8.6.0 - 2021-05-05
  

  Show as 'added' in changelog

• 8.5.1 - 2021-05-05
  

  Bump version 8.5.1

• 8.5.0 - 2021-05-05
  

  Bump version 8.5.0

• 8.4.0 - 2021-05-05
  

  Point to types file for VS Code. Bump 8.4.0

• 8.3.0 - 2021-05-05
  

  Drop node 8 support

• 8.2.0 - 2019-10-16
  

  chore(release): 8.2.0

from dotenv GitHub release notes

Package name: express

• 4.19.2 - 2024-03-25
• 4.19.1 - 2024-03-20
  

  What's Changed

  • Fix ci after location patch by @ wesleytodd in #5552
  • fixed un-edited version in history.md for 4.19.0 by @ wesleytodd in #5556

  Full Changelog: 4.19.0...4.19.1

• 4.19.0 - 2024-03-20
  

  What's Changed

  • fix typo in release date by @ UlisesGascon in #5527
  • docs: nominating @ wesleytodd to be project captian by @ wesleytodd in #5511
  • docs: loosen TC activity rules by @ wesleytodd in #5510
  • Add note on how to update docs for new release by @ crandmck in #5541
  • Prevent open redirect allow list bypass due to encodeurl
  • Release 4.19.0 by @ wesleytodd in #5551

  New Contributors

  • @ crandmck made their first contribution in #5541

  Full Changelog: 4.18.3...4.19.0

• 4.18.3 - 2024-02-29
  

  Main Changes

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2

  Other Changes

  • Use https: protocol instead of deprecated git: protocol by @ vcsjones in #5032
  • build: Node.js@16.18 and Node.js@18.12 by @ abenhamdine in #5034
  • ci: update actions/checkout to v3 by @ armujahid in #5027
  • test: remove unused function arguments in params by @ raksbisht in #5124
  • Remove unused originalIndex from acceptParams by @ raksbisht in #5119
  • Fixed typos by @ raksbisht in #5117
  • examples: remove unused params by @ raksbisht in #5113
  • fix: parameter str is not described in JSDoc by @ raksbisht in #5130
  • fix: typos in History.md by @ raksbisht in #5131
  • build : add Node.js@19.7 by @ abenhamdine in #5028
  • test: remove unused function arguments in params by @ raksbisht in #5137
  • use random port in test so it won't fail on already listening by @ rluvaton in #5162
  • tests: use cb() instead of done() by @ kristof-low in #5233
  • examples: remove multipart example by @ riddlew in #5195
  • Update support Node.js@18 in the CI by @ UlisesGascon in #5490
  • Fix favicon-related bug in cookie-sessions example by @ DmytroKondrashov in #5414
  • Release 4.18.3 by @ UlisesGascon in #5505

  New Contributors

  • @ vcsjones made their first contribution in #5032
  • @ abenhamdine made their first contribution in #5034
  • @ armujahid made their first contribution in #5027
  • @ raksbisht made their first contribution in #5124
  • @ rluvaton made their first contribution in #5162
  • @ kristof-low made their first contribution in #5233
  • @ riddlew made their first contribution in #5195
  • @ DmytroKondrashov made their first contribution in #5414

  Full Changelog: 4.18.2...4.18.3

• 4.18.2 - 2022-10-08
  
  • Fix regression routing a large stack in a single route
  • deps: body-parser@1.20.1
    • deps: qs@6.11.0
    • perf: remove unnecessary object clone
  • deps: qs@6.11.0
• 4.18.1 - 2022-04-29
  
  • Fix hanging on large stack of sync routes
• 4.18.0 - 2022-04-25
  
  • Add "root" option to res.download
  • Allow options without filename in res.download
  • Deprecate string and non-integer arguments to res.status
  • Fix behavior of null/undefined as maxAge in res.cookie
  • Fix handling very large stacks of sync middleware
  • Ignore Object.prototype values in settings through app.set/app.get
  • Invoke default with same arguments as types in res.format
  • Support proper 205 responses using res.send
  • Use http-errors for res.format error
  • deps: body-parser@1.20.0
    • Fix error message for json parse whitespace in strict
    • Fix internal error when inflated body exceeds limit
    • Prevent loss of async hooks context
    • Prevent hanging when request already read
    • deps: depd@2.0.0
    • deps: http-errors@2.0.0
    • deps: on-finished@2.4.1
    • deps: qs@6.10.3
    • deps: raw-body@2.5.1
  • deps: cookie@0.5.0
    • Add priority option
    • Fix expires option to reject invalid dates
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: finalhandler@1.2.0
    • Remove set content headers that break response
    • deps: on-finished@2.4.1
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
    • Prevent loss of async hooks context
  • deps: qs@6.10.3
  • deps: send@0.18.0
    • Fix emitted 416 error missing headers property
    • Limit the headers removed for 304 response
    • deps: depd@2.0.0
    • deps: destroy@1.2.0
    • deps: http-errors@2.0.0
    • deps: on-finished@2.4.1
    • deps: statuses@2.0.1
  • deps: serve-static@1.15.0
    • deps: send@0.18.0
  • deps: statuses@2.0.1
    • Remove code 306
    • Rename 425 Unordered Collection to standard 425 Too Early
• 4.17.3 - 2022-02-17
  
  • deps: accepts@~1.3.8
    • deps: mime-types@~2.1.34
    • deps: negotiator@0.6.3
  • deps: body-parser@1.19.2
    • deps: bytes@3.1.2
    • deps: qs@6.9.7
    • deps: raw-body@2.4.3
  • deps: cookie@0.4.2
  • deps: qs@6.9.7
    • Fix handling of __proto__ keys
  • pref: remove unnecessary regexp for trust proxy
• 4.17.2 - 2021-12-17
  
  • Fix handling of undefined in res.jsonp
  • Fix handling of undefined when "json escape" is enabled
  • Fix incorrect middleware execution with unanchored RegExps
  • Fix res.jsonp(obj, status) deprecation message
  • Fix typo in res.is JSDoc
  • deps: body-parser@1.19.1
    • deps: bytes@3.1.1
    • deps: http-errors@1.8.1
    • deps: qs@6.9.6
    • deps: raw-body@2.4.2
    • deps: safe-buffer@5.2.1
    • deps: type-is@~1.6.18
  • deps: content-disposition@0.5.4
    • deps: safe-buffer@5.2.1
  • deps: cookie@0.4.1
    • Fix maxAge option to reject invalid values
  • deps: proxy-addr@~2.0.7
    • Use req.socket over deprecated req.connection
    • deps: forwarded@0.2.0
    • deps: ipaddr.js@1.9.1
  • deps: qs@6.9.6
  • deps: safe-buffer@5.2.1
  • deps: send@0.17.2
    • deps: http-errors@1.8.1
    • deps: ms@2.1.3
    • pref: ignore empty http tokens
  • deps: serve-static@1.14.2
    • deps: send@0.17.2
  • deps: setprototypeof@1.2.0
• 4.17.1 - 2019-05-26

from express GitHub release notes

Package name: firebase-admin

• 9.12.0 - 2021-09-28
  

  New Features

  • feat(rc): Add Remote Config Parameter Value Type Support (#1424)

  Bug Fixes

  • fix(fac): Verify Token: Change the jwks cache duration from 1 day to 6 hours (#1439)
  • fix(rtdb): Changed admin.database to use database-compat package (#1437)

  Miscellaneous

  • [chore] Release 9.12.0 (#1442)
  • Pin @ types/jsonwebtoken to 8.5.1 (#1438)
  • build(deps): bump tar from 6.1.3 to 6.1.11 (#1430)
  • build(deps-dev): bump @ types/lodash from 4.14.171 to 4.14.173 (#1435)
  • build(deps-dev): bump @ microsoft/api-extractor from 7.18.4 to 7.18.7 (#1423)
  • fix typo (#1420)
• 9.11.1 - 2021-08-19
  

  Bug Fixes

  • fix: Update comments in index files (#1414)
  • fix: Throw error on user disabled and check revoked set true (#1401)

  Miscellaneous

  • [chore] Release 9.11.1 (#1415)
  • build(deps): bump path-parse from 1.0.6 to 1.0.7 (#1413)
  • build(deps-dev): bump yargs from 17.0.1 to 17.1.1 (#1412)
  • chore: Add emulator tests to nightlies (#1409)
  • build(deps-dev): bump ts-node from 9.0.0 to 10.2.0 (#1402)
  • build(deps): bump tar from 6.1.0 to 6.1.3 (#1399)
  • build(deps-dev): bump @ microsoft/api-extractor from 7.15.2 to 7.18.4 (#1379)
  • build(deps): bump jwks-rsa from 2.0.3 to 2.0.4 (#1393)
  • build(deps-dev): bump @ types/minimist from 1.2.1 to 1.2.2 (#1388)
  • build(deps-dev): bump @ types/request from 2.48.5 to 2.48.6 (#1387)
  • build(deps-dev): bump @ types/lodash from 4.14.157 to 4.14.171 (#1386)
  • build(deps): bump @ firebase/database from 0.10.6 to 0.10.7 (#1385)
  • build(deps-dev): bump @ types/bcrypt from 2.0.0 to 5.0.0 (#1384)
  • build(deps-dev): bump nock from 13.1.0 to 13.1.1 (#1370)
• 9.11.0 - 2021-07-15
  

  New Features

  • feat(fac): Add custom TTL options for App Check (#1363)

  Miscellaneous

  • [chore] Release 9.11.0 (#1376)
  • Fix typo and formatting in docs (#1378)
  • Add AppCheckTokenOptions type to ToC (#1375)
  • Reduce App Check custom token exp to 5 mins (#1372)
  • build(deps): bump @ google-cloud/firestore from 4.12.2 to 4.13.1 (#1369)
  • Update index.ts (#1367)
  • build(deps-dev): bump @ types/chai from 4.2.11 to 4.2.21 (#1365)
  • build(deps-dev): bump yargs from 16.1.0 to 17.0.1 (#1357)
  • build(deps): bump jwks-rsa from 2.0.2 to 2.0.3 (#1361)
  • build(deps): bump @ firebase/database from 0.10.5 to 0.10.6 (#1356)
  • build(deps-dev): bump @ types/sinon from 9.0.4 to 10.0.2 (#1326)
  • build(deps-dev): bump @ types/nock from 9.3.1 to 11.1.0 (#1351)
  • build(deps): bump @ firebase/database from 0.10.4 to 0.10.5 (#1350)
  • build(deps-dev): bump @ types/request-promise from 4.1.46 to 4.1.47 (#1338)
• 9.10.0 - 2021-06-24
  

  New Features

  • feat(fis): Adding the admin.installations() API for deleting Firebase installation IDs (#1187)

  Bug Fixes

  • fix: Updated TOC for new Auth type aliases (#1342)
  • fix(docs): replace all global.html -> admin.html (#1341)
  • fix(auth): Better type hierarchies for Auth API (#1294)

  Miscellaneous

  • [chore] Release 9.10.0 (#1345)
  • build(deps-dev): bump @ types/minimist from 1.2.0 to 1.2.1 (#1336)
  • build(deps-dev): bump gulp-filter from 6.0.0 to 7.0.0 (#1334)
  • build(deps-dev): bump request-promise from 4.2.5 to 4.2.6 (