[Snyk] Upgrade morgan from 1.2.2 to 1.10.1

[zg-appsec]

Snyk has created this PR to upgrade morgan from 1.2.2 to 1.10.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 20 versions ahead of your current version.

• The recommended version was released 5 months ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Arbitrary Code Injection SNYK-JS-MORGAN-72579	661	Proof of Concept

Release notes

Package name: morgan

• 1.10.1 - 2025-07-17
  

  What's Changed

  • renaming simple to sample in readme by @ ryhinchey in #237
  • adding installation instructions to readme by @ ryhinchey in #233
  • chore: add support for OSSF scorecard reporting by @ inigomarquinez in #291
  • ci: replace travis with github actions by @ inigomarquinez in #290
  • docs: add example output for log formats by @ jonchurch in #299
  • ci: use ubuntu-latest by @ bjohansebas in #301
  • ci: apply OSSF Scorecard security best practices by @ UlisesGascon in #300
  • remove --bail by @ jonchurch in #314
  • ⬆️ bump on-headers by @ ctcpip in #319

  New Contributors

  • @ inigomarquinez made their first contribution in #291
  • @ jonchurch made their first contribution in #299
  • @ bjohansebas made their first contribution in #301
  • @ UlisesGascon made their first contribution in #300
  • @ ctcpip made their first contribution in #319

  Full Changelog: 1.10.0...1.10.1

• 1.10.0 - 2020-03-20
  
  • Add :total-time token
  • Fix trailing space in colored status code for dev format
  • deps: basic-auth@~2.0.1
    • deps: safe-buffer@5.1.2
  • deps: depd@~2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: on-headers@~1.0.2
    • Fix res.writeHead patch missing return value
• 1.9.1 - 2018-09-11
  
  • Fix using special characters in format
  • deps: depd@~1.1.2
    • perf: remove argument reassignment
• 1.9.0 - 2017-09-27
  
  • Use res.headersSent when available
  • deps: basic-auth@~2.0.0
    • Use safe-buffer for improved Buffer API
  • deps: debug@2.6.9
  • deps: depd@~1.1.1
    • Remove unnecessary Buffer loading
• 1.8.2 - 2017-05-24
  
  • deps: debug@2.6.8
    • Fix DEBUG_MAX_ARRAY_LENGTH
    • deps: ms@2.0.0
• 1.8.1 - 2017-02-11
  
  • deps: debug@2.6.1
    • Fix deprecation messages in WebStorm and other editors
    • Undeprecate DEBUG_FD set to 1 or 2
• 1.8.0 - 2017-02-05
  
  • Fix sending unnecessary undefined argument to token functions
  • deps: basic-auth@~1.1.0
  • deps: debug@2.6.0
    • Allow colors in workers
    • Deprecated DEBUG_FD environment variable
    • Fix error when running under React Native
    • Use same color for same namespace
    • deps: ms@0.7.2
  • perf: enable strict mode in compiled functions
• 1.7.0 - 2016-02-19
  
  • Add digits argument to response-time token
  • deps: depd@~1.1.0
    • Enable strict mode in more places
    • Support web browser loading
  • deps: on-headers@~1.0.1
    • perf: enable strict mode
• 1.6.1 - 2015-07-04
  
  • deps: basic-auth@~1.0.3
• 1.6.0 - 2015-06-13
  
  • Add morgan.compile(format) export
  • Do not color 1xx status codes in dev format
  • Fix response-time token to not include response latency
  • Fix status token incorrectly displaying before response in dev format
  • Fix token return values to be undefined or a string
  • Improve representation of multiple headers in req and res tokens
  • Use res.getHeader in res token
  • deps: basic-auth@~1.0.2
    • perf: enable strict mode
    • perf: hoist regular expression
    • perf: parse with regular expressions
    • perf: remove argument reassignment
  • deps: on-finished@~2.3.0
    • Add defined behavior for HTTP CONNECT requests
    • Add defined behavior for HTTP Upgrade requests
    • deps: ee-first@1.1.1
  • pref: enable strict mode
  • pref: reduce function closure scopes
  • pref: remove dynamic compile on every request for dev format
  • pref: remove an argument reassignment
  • pref: skip function call without skip option
• 1.5.3 - 2015-05-11
• 1.5.2 - 2015-03-15
• 1.5.1 - 2014-12-31
• 1.5.0 - 2014-11-07
• 1.4.1 - 2014-10-23
• 1.4.0 - 2014-10-17
• 1.3.2 - 2014-09-28
• 1.3.1 - 2014-09-14
• 1.3.0 - 2014-09-02
• 1.2.3 - 2014-08-17
• 1.2.2 - 2014-07-27

from morgan GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs