Bump the npm_and_yarn group across 1 directory with 9 updates

Open dependabot[bot] opened this issue 1 year ago • 3 comments

Bumps the npm_and_yarn group with 8 updates in the /insecure-js directory:

Package	From	To
lodash	`4.16.1`	`4.17.21`
semver	`5.4.1`	`5.7.2`
jquery	`2.1.0`	`3.5.0`
chart.js	`2.8.0`	`2.9.4`
sequelize	`4.44.1`	`6.29.0`
mysql2	`2.3.3`	`3.9.8`
@babel/traverse	`7.0.0-rc.1`	`7.25.6`
@babel/core	`7.0.0-rc.1`	`7.25.2`

Updates lodash from 4.16.1 to 4.17.21

Commits

f299b52 Bump to v4.17.21
c4847eb Improve performance of toNumber, trim and trimEnd on large input strings
3469357 Prevent command injection through _.template's variable option
ded9bc6 Bump to v4.17.20.
63150ef Documentation fixes.
00f0f62 test.js: Remove trailing comma.
846e434 Temporarily use a custom fork of lodash-cli.
5d046f3 Re-enable Travis tests on 4.17 branch.
aa816b3 Remove /npm-package.
d7fbc52 Bump to v4.17.19
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by bnjmnt4n, a new releaser for lodash since your current version.

Updates semver from 5.4.1 to 5.7.2

Release notes

Sourced from semver's releases.

v5.7.2

5.7.2 (2023-07-10)

Bug Fixes

2f8fd41 #585 better handling of whitespace (#585) (@joaomoreno, @lukekarrys)

Changelog

Sourced from semver's changelog.

5.7.2 (2023-07-10)

Bug Fixes

2f8fd41 #585 better handling of whitespace (#585) (@joaomoreno, @lukekarrys)

5.7

Add minVersion method

5.6

Move boolean loose param to an options object, with backwards-compatibility protection.

Add ability to opt out of special prerelease version handling with the includePrerelease option flag.

5.5

Add version coercion capabilities

5.4

Add intersection checking

5.3

Add minSatisfying method

5.2

Add prerelease(v) that returns prerelease components

5.1

Add Backus-Naur for ranges

Remove excessively cute inspection methods

5.0

Remove AMD/Browserified build artifacts

Fix ltr and gtr when using the * range

Fix for range * with a prerelease identifier

Commits

f8cc313 chore: release 5.7.2
2f8fd41 fix: better handling of whitespace (#585)
deb5ad5 chore: @npmcli/template-oss@4.16.0
c83c18c 5.7.1
956e228 Correct typo in README
8055dda 5.7.0
604e73d auto-publishing scripts
bed01e2 remove the nomin comments, since we don't minify any more anyway
9cb68f1 document parse method
38d42ca 5.7 changelog
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.

Updates jquery from 2.1.0 to 3.5.0

Release notes

Sourced from jquery's releases.

jQuery 3.5.0 Released!

See the blog post: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ and the upgrade guide: https://jquery.com/upgrade-guide/3.5/

NOTE: Despite being a minor release, this update includes a breaking change that we had to make to fix a security issue ( CVE-2020-11022). Please follow the blog post & the upgrade guide for more details.

Commits

7a0a850 3.5.0
8570a08 Release: Update AUTHORS.txt
da3dd85 Ajax: Do not execute scripts for unsuccessful HTTP responses
065143c Ajax: Overwrite s.contentType with content-type header value, if any
1a4f10d Tests: Blacklist one focusin test in IE
9e15d6b Event: Use only one focusin/out handler per matching window & document
966a709 Manipulation: Skip the select wrapper for <option> outside of IE 9
1d61fd9 Manipulation: Make jQuery.htmlPrefilter an identity function
04bf577 Selector: Update Sizzle from 2.3.4 to 2.3.5
7506c9c Build: Resolve Travis config warnings
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by mgol, a new releaser for jquery since your current version.

Updates chart.js from 2.8.0 to 2.9.4

Release notes

Sourced from chart.js's releases.

v2.9.4

This is the last release of v2 and focused on fixing bugs identified in the v2.9.3 release.

Bugs Fixed

#7404 - Preserve prototypes when cloning. Thanks @iddings

#7587 - Fix docs for external moment.js. Thanks @mojoaxel

#7853 - Fix box recursion when dimensions are NaN. Thanks @alessandroasm

#7883 - Fix call stack exception when computing label sizes. Thanks @silentmatt

#7918 - Prevent global prototype pollution via the merge helper

#7920 - Use Object.create(null) as merge target, to prevent prototype pollution

v2.9.3

Bug Fixes

#6698 Fix undefined variable

#6719 Don't make legend empty when fill is false

Thanks to the maintainers and collaborators for their help to improve and test Chart.js (@kurkle, @benmccann, and @etimberg).

v2.9.2

Bug Fixes

#6641 IE11 & Edge compatible style injection

#6655 Backwards compatible default fill for radar charts

#6660 Improve clipping of line charts when border widths are large

#6661 When a legend item is clicked, make sure the correct item is hidden

#6663 Refresh package-lock file to pick up new dependency

Performance

#6671 Stop unnecessary line calculations

Documentation

#6643 Combine performance documentation sections

Thanks to the maintainers and collaborators for their help to improve and test Chart.js (@nagix, @kurkle, @benmccann, @etimberg and @simonbrunel).

v2.9.1

Bug Fixes

#6603 Fix deprecation warnings for horizontal bar charts

#6608 Fix zoom plugin by no longer clipping scale.getDecimalForPixel to the chart area

#6617 Non numeric Y axes did not work

Documentation

#6613 Add link to performance documentation

... (truncated)

Commits

9bd4cf8 Release v2.9.4
1d92605 Use Object.create(null) as merge target (#7920)
dff7140 When objects are merged together, the target prototype can be polluted. (#7918)
d919188 Bump verison number to v2.9.4
42ed589 Fix Maximum call stack size exception in computeLabelSizes (#7883)
063b7dc [2.9] FitBoxes recursion when dimensions are NaN (#7853)
2493cb5 Use node v12.18.2 on Travis CI (#7864)
679ec4a docs: fix rollup external moment (#7587)
484f0d1 Preserve object prototypes when cloning (#7404)
2df6986 Look for any branch starting with release (#7087) (#7089)
Additional commits viewable in compare view

Updates sequelize from 4.44.1 to 6.29.0

Release notes

Sourced from sequelize's releases.

v6.29.0

6.29.0 (2023-02-23)

Features

throw an error if attribute includes parentheses (fixes CVE-2023-22578) (#15710) (d3f5b5a)

v6.28.2

6.28.2 (2023-02-22)

Bug Fixes

accept undefined in where (#15703) (13f2e89)

v6.28.1

6.28.1 (2023-02-21)

Bug Fixes

throw if where receives an invalid value (#15699) (d9e0728)

update moment-timezone version (#15685) (48d6193)

v6.28.0

6.28.0 (2022-12-20)

Features

types: use retry-as-promised types for retry options to match documentation (#15484) (fd4afa6)

v6.27.0

6.27.0 (2022-12-12)

Features

add support for bigints (backport of #14485) (#15413) (1247c01)

v6.26.0

6.26.0 (2022-11-29)

Features

postgres: add support for lock_timeout [#15345] (#15355) (94beace)

v6.25.8

... (truncated)

Commits

d3f5b5a feat: throw an error if attribute includes parentheses (fixes CVE-2023-22578)...
53bd9b7 meta: fix null test getWhereConditions (#15705)
13f2e89 fix: accept undefined in where (#15703)
d9e0728 fix: throw if where receives an invalid value (#15699)
48d6193 fix: update moment-timezone version (#15685)
fd4afa6 feat(types): use retry-as-promised types for retry options to match documenta...
1247c01 feat: add support for bigints (backport of #14485) (#15413)
94beace feat(postgres): add support for lock_timeout #15345 (#15355)
7885000 fix(oracle): remove hardcoded maxRows value (#15323)
bc39fd6 fix: fix parameters not being replaced when after $$ strings (#15307)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by sdepold, a new releaser for sequelize since your current version.

Updates mysql2 from 2.3.3 to 3.9.8

Release notes

Sourced from mysql2's releases.

v3.9.8

3.9.8 (2024-05-26)

Bug Fixes

security: sanitize fields and tables when using nestTables (#2702) (efe3db5)

support deno + caching_sha2_password FULL_AUTHENTICATION_PACKET flow (#2704) (2e03694)

typings: typo from jonServerPublicKey to onServerPublicKey (#2699) (8b5f691)

v3.9.7

3.9.7 (2024-04-21)

Bug Fixes

security: sanitize timezone parameter value to prevent code injection - report by zhaoyudi (Nebulalab) (#2608) (7d4b098)

v3.9.6

3.9.6 (2024-04-18)

Bug Fixes

binary parser sometimes reads out of packet bounds when results contain null and typecast is false (#2601) (705835d)

v3.9.5

3.9.5 (2024-04-17)

Bug Fixes

revert breaking change in results creation (#2591) (f7c60d0)

v3.9.4

3.9.4 (2024-04-09)

Bug Fixes

SSL: separate each certificate into an individual item #2542 (63f1055)

security: improve supportBigNumbers and bigNumberStrings sanitization (#2572) (74abf9e)

Fixes a potential RCE attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab

security: improve results object creation (#2574) (4a964a3)

Fixes a potential Prototype Pollution attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab

docs: improve the contribution guidelines (#2552) (8a818ce)

v3.9.3

3.9.3 (2024-03-26)

... (truncated)

Changelog

Sourced from mysql2's changelog.

3.9.8 (2024-05-26)

Bug Fixes

security: sanitize fields and tables when using nestTables (#2702) (efe3db5)

support deno + caching_sha2_password FULL_AUTHENTICATION_PACKET flow (#2704) (2e03694)

typings: typo from jonServerPublicKey to onServerPublicKey (#2699) (8b5f691)

3.9.7 (2024-04-21)

Bug Fixes

security: sanitize timezone parameter value to prevent code injection (#2608) (7d4b098)

3.9.6 (2024-04-18)

Bug Fixes

binary parser sometimes reads out of packet bounds when results contain null and typecast is false (#2601) (705835d)

3.9.5 (2024-04-17)

Bug Fixes

revert breaking change in results creation (#2591) (f7c60d0)

3.9.4 (2024-04-09)

Bug Fixes

docs: improve the contribution guidelines (#2552) (8a818ce)

security: improve results object creation (#2574) (4a964a3)

security: improve supportBigNumbers and bigNumberStrings sanitization (#2572) (74abf9e)

3.9.3 (2024-03-26)

Bug Fixes

security: improve cache key formation (#2424) (0d54b0c)

Fixes a potential parser cache poisoning attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab

update Amazon RDS SSL CA cert (#2131) (d9dccfd)

3.9.2 (2024-02-26)

... (truncated)

Commits

f637d3f chore(master): release 3.9.8 (#2700)
efe3db5 fix(security): sanitize fields and tables when using nestTables (#2702)
2e03694 fix: support deno + caching_sha2_password FULL_AUTHENTICATION_PACKET flow (#2...
8b5f691 fix(typings): typo from jonServerPublicKey to onServerPublicKey (#2699)
5c75802 build(deps-dev): bump tsx from 4.10.5 to 4.11.0 in /website (#2695)
179769f build(deps): bump @easyops-cn/docusaurus-search-local in /website (#2696)
56289e2 build(deps-dev): bump poku from 1.12.1 to 1.13.0 (#2698)
b029308 build(deps-dev): bump poku from 1.12.1 to 1.13.0 in /website (#2697)
539acb8 build(deps): bump lucide-react from 0.378.0 to 0.379.0 in /website (#2693)
dc80580 build(deps-dev): bump @typescript-eslint/eslint-plugin from 7.9.0 to 7.10.0 i...
Additional commits viewable in compare view

Updates @babel/traverse from 7.0.0-rc.1 to 7.25.6

Release notes

Sourced from @babel/traverse's releases.

v7.25.6 (2024-08-29)

Thanks @j4k0xb for your first PR!

:bug: Bug Fix

babel-generator

#16783 Properly print inner comments in TS array types (@nicolo-ribaudo)

#16775 fix: jsx whitespace is not properly preserved when retainLines (@liuxingbaoyu)

babel-traverse

#16727 fix: path.getAssignmentIdentifiers may be undefined (@liuxingbaoyu)

babel-parser

#16761 fix: improve static canFollowModifier checks (@JLHwung)

babel-helpers, babel-plugin-transform-optional-chaining, babel-runtime-corejs3

#16769 Only wrap functions in superPropertyGet helper (@nicolo-ribaudo)

:nail_care: Polish

babel-generator, babel-plugin-transform-async-to-generator, babel-plugin-transform-block-scoping, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-plugin-transform-named-capturing-groups-regex, babel-plugin-transform-react-jsx-development, babel-plugin-transform-react-jsx, babel-plugin-transform-react-pure-annotations, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env

#16780 Do not enforce printing space between ( and comments (@nicolo-ribaudo)

babel-plugin-syntax-import-assertions, babel-plugin-syntax-import-attributes

#16781 Don't throw when enabling both syntax-import-{assertions,attributes} (@nicolo-ribaudo)

babel-generator

#16782 TS union/intersection nested in union does not need parens (@nicolo-ribaudo)

:house: Internal

babel-generator

#16777 Remove unused parent params in the generator (@nicolo-ribaudo)

Committers: 5

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@j4k0xb

@liuxingbaoyu

v7.25.5 (2024-08-23)

:bug: Bug Fix

babel-generator, babel-traverse

#16764 fix: Generate sequence expression parentheses correctly (@liuxingbaoyu)

:nail_care: Polish

babel-generator

#16738 Only force-parenthesize satisfies's LHS if it has newlines (@nicolo-ribaudo)

Committers: 2

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

v7.25.4 (2024-08-22)

... (truncated)

Changelog

Sourced from @babel/traverse's changelog.

v7.25.6 (2024-08-29)

:bug: Bug Fix

babel-generator

#16783 Properly print inner comments in TS array types (@nicolo-ribaudo)

#16775 fix: jsx whitespace is not properly preserved when retainLines (@liuxingbaoyu)

babel-traverse

#16727 fix: path.getAssignmentIdentifiers may be undefined (@liuxingbaoyu)

babel-parser

#16761 fix: improve static canFollowModifier checks (@JLHwung)

babel-helpers, babel-plugin-transform-optional-chaining, babel-runtime-corejs3

#16769 Only wrap functions in superPropertyGet helper (@nicolo-ribaudo)

:nail_care: Polish

babel-generator, babel-plugin-transform-async-to-generator, babel-plugin-transform-block-scoping, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-plugin-transform-named-capturing-groups-regex, babel-plugin-transform-react-jsx-development, babel-plugin-transform-react-jsx, babel-plugin-transform-react-pure-annotations, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env

#16780 Do not enforce printing space between ( and comments (@nicolo-ribaudo)

babel-plugin-syntax-import-assertions, babel-plugin-syntax-import-attributes

#16781 Don't throw when enabling both syntax-import-{assertions,attributes} (@nicolo-ribaudo)

babel-generator

#16782 TS union/intersection nested in union does not need parens (@nicolo-ribaudo)

:house: Internal

babel-generator

#16777 Remove unused parent params in the generator (@nicolo-ribaudo)

v7.25.5 (2024-08-23)

:bug: Bug Fix

babel-generator, babel-traverse

#16764 fix: Generate parentheses correctly (@liuxingbaoyu)

:nail_care: Polish

babel-generator

#16738 Only force-parenthesize satisfies's LHS if it has newlines (@nicolo-ribaudo)

v7.25.4 (2024-08-22)

:bug: Bug Fix

babel-traverse

#16756 fix: Skip computed key when renaming (@liuxingbaoyu)

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

#16755 fix: Decorator 2018-09 may throw an exception (@liuxingbaoyu)

babel-types

#16710 Visit AST fields nodes according to their syntactical order (@nicolo-ribaudo)

babel-generator

#16709 Print semicolon after TS export namespace as A (@nicolo-ribaudo)

:nail_care: Polish

babel-generator, babel-plugin-proposal-decorators, babel-plugin-proposal-destructuring-private, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-class-properties, babel-plugin-transform-destructuring, babel-plugin-transform-optional-chaining, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-typescript, babel-runtime-corejs2, babel-runtime, babel-traverse

#16722 Avoid unnecessary parens around sequence expressions (@nicolo-ribaudo)

babel-generator, babel-plugin-transform-class-properties

#16714 Avoid unnecessary parens around exported arrow functions (@nicolo-ribaudo)

... (truncated)

Commits

2f72b97 v7.25.6
faceae9 fix: path.getAssignmentIdentifiers may be undefined (#16727)
46ee612 Remove some NodePath methods (#16655)
2fdc8b5 fix: Generate sequence expression parentheses correctly (#16764)
cbf124c v7.25.4
2b289fb fix: skip computed key when renaming (#16756)
575863c Avoid unnecessary parens around sequence expressions (#16722)
5174ad1 Clean all always enabled parser plugins (#16572)
52718ab Discontinue babel-eslint-config-internal (#16718)
dba45d3 Ignore devDependencies when generating tsconfig.json (#16659)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by nicolo-ribaudo, a new releaser for @babel/traverse since your current version.

Updates @babel/core from 7.0.0-rc.1 to 7.25.2

Release notes

Sourced from @babel/core's releases.

v7.25.2 (2024-07-30)

:bug: Bug Fix

babel-core, babel-traverse

#16695 Ensure that requeueComputedKeyAndDecorators is available (@nicolo-ribaudo)

Committers: 2

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

v7.25.1 (2024-07-28)

:bug: Bug Fix

babel-plugin-transform-function-name

#16683 fix: ensureFunctionName may be undefined (@liuxingbaoyu)

babel-plugin-transform-react-constant-elements

#16582 fix plugin-transform-react-constant-elements transform JSXFrament but not add JSXExpressionContainer (@keiseiTi)

babel-traverse

#16587 fix: fixed issue16583 + test (@nerodesu017)

:house: Internal

#16663 Test eslint plugin against eslint 9 (@JLHwung)

Committers: 4

Adrian (@nerodesu017)

Huáng Jùnliàng (@JLHwung)

@keiseiTi

@liuxingbaoyu

v7.25.0 (2024-07-26)

Thanks @davidtaylorhq and @slatereax for your first PR!

You can find the release blog post with some highlights at https://babeljs.io/blog/2024/07/26/7.25.0.

:eyeglasses: Spec Compliance

babel-helpers, babel-plugin-proposal-explicit-resource-management, babel-runtime-corejs3

#16537 await using normative updates (@JLHwung)

babel-plugin-transform-typescript

#16602 Ensure enum members syntactically determinable to be strings do not get reverse mappings (@liuxingbaoyu)

:rocket: New Feature

babel-helper-create-class-features-plugin, babel-helper-function-name, babel-helper-plugin-utils, babel-helper-wrap-function, babel-plugin-bugfix-safari-class-field-initializer-scope, babel-plugin-bugfix-safari-id-destructuring-collision-in-function-expression, babel-plugin-transform-classes, babel-plugin-transform-function-name, babel-preset-env, babel-traverse, babel-types

#16658 Move ensureFunctionName to NodePath.prototype (@nicolo-ribaudo)

babel-helper-hoist-variables, babel-helper-plugin-utils, babel-plugin-proposal-async-do-expressions, babel-plugin-transform-modules-systemjs, babel-traverse

#16644 Move hoistVariables to Scope.prototype (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-helper-module-transforms, babel-helper-plugin-utils, babel-helper-split-export-declaration, babel-plugin-transform-classes, babel-traverse, babel-types

#16645 Move splitExportDeclaration to NodePath.prototype (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-helper-environment-visitor, babel-helper-module-transforms, babel-helper-plugin-utils, babel-helper-remap-async-to-generator, babel-helper-replace-supers, babel-plugin-bugfix-firefox-class-in-computed-class-key, babel-plugin-bugfix-v8-static-class-fields-redefine-readonly, babel-plugin-transform-async-generator-functions, babel-plugin-transform-classes, babel-traverse

#16649 Move environment-visitor helper into @babel/traverse (@nicolo-ribaudo)

... (truncated)

Changelog

Sourced from @babel/core's changelog.

v7.25.2 (2024-07-30)

:bug: Bug Fix

babel-core, babel-traverse

#16695 Ensure that requeueComputedKeyAndDecorators is available (@nicolo-ribaudo)

v7.25.1 (2024-07-28)

:bug: Bug Fix

babel-plugin-transform-function-name

#16683 fix: ensureFunctionName may be undefined (@liuxingbaoyu)

babel-plugin-transform-react-constant-elements

#16582 fix plugin-transform-react-constant-elements transform JSXFrament but not add JSXExpressionContainer (@keiseiTi)

babel-traverse

#16587 fix: fixed issue16583 + test (@nerodesu017)

:house: Internal

#16663 Test eslint plugin against eslint 9 (@JLHwung)

v7.25.0 (2024-07-26)

:eyeglasses: Spec Compliance

babel-helpers, babel-plugin-proposal-explicit-resource-management, babel-runtime-corejs3

#16537 await using normative updates (@JLHwung)

babel-plugin-transform-typescript

#16602 Ensure enum members syntactically determinable to be strings do not get reverse mappings (@liuxingbaoyu)

:rocket: New Feature

babel-helper-create-class-features-plugin, babel-helper-function-name, babel-helper-plugin-utils, babel-helper-wrap-function, babel-plugin-bugfix-safari-class-field-initializer-scope, babel-plugin-bugfix-safari-id-destructuring-collision-in-function-expression, babel-plugin-transform-classes, babel-plugin-transform-function-name, babel-preset-env, babel-traverse, babel-types

#16658 Move ensureFunctionName to NodePath.prototype (@nicolo-ribaudo)

babel-helper-hoist-variables, babel-helper-plugin-utils, babel-plugin-proposal-async-do-expressions, babel-plugin-transform-modules-systemjs, babel-traverse

#16644 Move hoistVariables to Scope.prototype (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-helper-module-transforms, babel-helper-plugin-utils, babel-helper-split-export-declaration, babel-plugin-transform-classes, babel-traverse, babel-types

#16645 Move splitExportDeclaration to NodePath.prototype (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-helper-environment-visitor, babel-helper-module-transforms, babel-helper-plugin-utils, babel-helper-remap-async-to-generator, babel-helper-replace-supers, babel-plugin-bugfix-firefox-class-in-computed-class-key, babel-plugin-bugfix-v8-static-class-fields-redefine-readonly, babel-plugin-transform-async-generator-functions, babel-plugin-transform-classes, babel-traverse

#16649 Move environment-visitor helper into @babel/traverse (@nicolo-ribaudo)

babel-core, babel-parser

#16480 Expose wether a module has TLA or not as .extra.async (@nicolo-ribaudo)

babel-compat-data, babel-plugin-bugfix-safari-class-field-initializer-scope, babel-preset-env

#16569 Introduce bugfix-safari-class-field-initializer-scope (@davidtaylorhq)

babel-plugin-transform-block-scoping, babel-traverse, babel-types

#16551 Add NodePath#getAssignmentIdentifiers (@JLHwung)

babel-helper-import-to-platform-api, babel-plugin-proposal-json-modules

#16579 Add uncheckedRequire option for JSON imports to CJS (@nicolo-ribaudo)

babel-helper-transform-fixture-test-runner, babel-node

#16642 Allow using custom config in babel-node --eval (@slatereax)

babel-compat-data, babel-helper-create-regexp-features-plugin, babel-plugin-proposal-duplicate-named-capturing-groups-regex, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-preset-env, babel-standalone

#16445 Add duplicate-named-capturing-groups-regex to preset-env (@JLHwung)

:bug: Bug Fix

babel-generator

#16678 Print parens around as expressions on the LHS (@nicolo-ribaudo)

... (truncated)

Commits

0f8f408 v7.25.2
6a15d7a Ensure that requeueComputedKeyAndDecorators is available (#16695)
9f7e29a chore: fix one suppressed eslint error (#16696)
2413d1a Add eslint-plugin-regexp (#16680)
5dc3b44 Expose wether a module has TLA or not as .extra.async (#16480)
30aa644 v7.24.9
7d923b8 Avoid require() call in @babel/standalone bundle (#16639)
889c58f Revert "Pin CI ...
Description has been truncated

Sep 22 '24 17:09 dependabot[bot]

DryRun Security Summary

The pull request contains routine dependency updates for the "insecure-js" project, including security-related fixes and improvements, as well as a major version change for the "sequelize" dependency that may require more extensive testing.

Expand for full summary

Summary:

The changes in this pull request appear to be routine dependency updates for the "insecure-js" project, which is generally a positive security practice. The key updates include versions changes for several dependencies, such as @babel/core, chart.js, jquery, lodash, mysql2, semver, and sequelize.

From an application security perspective, these updates are likely to include security fixes and improvements. However, it's important to review the changelogs and release notes for each dependency to understand the specific security implications of the updates. Additionally, the major version change for the sequelize dependency (from 4.x to 6.x) may introduce breaking changes and require more extensive testing to ensure the application continues to function as expected.

The use of resolutions and overrides in the package.json file to lock specific dependency versions is a recommended security practice, as it helps ensure that the application uses a consistent set of dependencies, reducing the risk of version conflicts and potential security issues. It's also crucial to regularly audit the project's dependencies to identify any known security vulnerabilities and ensure that the application code follows secure coding practices.

Files Changed:

insecure-js/package-lock.json: This file reflects the updated dependency versions, including:
- @babel/core updated from 7.0.0-rc.1 to 7.25.2
- chart.js updated from 2.8.0 to 2.9.4
- jquery updated from 2.1.0 to 3.5.0
- lodash updated from 4.16.1 to 4.17.21
- mysql2 updated from 2.3.3 to 3.9.8
- semver updated from 5.4.1 to 5.7.2
- sequelize updated from 4.44.1 to 6.29.0
insecure-js/package.json: This file contains the updated dependency versions, as well as the use of resolutions and overrides to lock specific dependency versions.

Code Analysis

We ran 9 analyzers against 2 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer	Findings
Sensitive Files Analyzer	2 findings

Riskiness

:green_circle: Risk threshold not exceeded.

View PR in the DryRun Dashboard.

Sep 22 '24 17:09 dryrunsecurity[bot]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@babel/[email protected]	environment, filesystem, unsafe Transitive: shell	`+47`	11.3 MB	nicolo-ribaudo
npm/[email protected]	None	`+6`	5.87 MB	etimberg
npm/[email protected]	None	`0`	1.32 MB	mgol
npm/[email protected]	None	`0`	1.41 MB	bnjmnt4n
npm/[email protected]	environment, network Transitive: eval	`+11`	2.09 MB	sidorares
npm/[email protected]	None	`0`	63.3 kB	lukekarrys
npm/[email protected]	filesystem Transitive: environment	`+18`	14 MB	sdepold

🚮 Removed packages: npm/@babel/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

Sep 22 '24 17:09 socket-security[bot]

Checkmarx One – Scan Summary & Details – acfb263f-4266-48df-9afb-d196cb23f223

New Issues

Issue	Source File / Package	Checkmarx Insight
Unpinned Actions Full Length Commit SHA	/publish-insecure.yml: 40	desc
Unpinned Actions Full Length Commit SHA	/publish-insecure.yml: 52	desc
Unpinned Actions Full Length Commit SHA	/publish-insecure.yml: 47	desc

Fixed Issues

Severity	Issue	Source File / Package
	CVE-2019-10744	Npm-lodash-4.16.1
	CVE-2019-10748	Npm-sequelize-4.44.1
	CVE-2019-10752	Npm-sequelize-4.44.1
	CVE-2020-7746	Npm-chart.js-2.8.0
	CVE-2023-22578	Npm-sequelize-4.44.1
	CVE-2023-25813	Npm-sequelize-4.44.1
	CVE-2024-21508	Npm-mysql2-2.3.3
	CVE-2024-21511	Npm-mysql2-2.3.3
	CVE-2016-10707	Npm-jquery-2.1.0
	CVE-2020-8203	Npm-lodash-4.16.1
	CVE-2021-23337	Npm-lodash-4.16.1
	CVE-2021-3765	Npm-validator-10.11.0
	CVE-2022-25883	Npm-semver-5.4.1
	CVE-2023-22579	Npm-sequelize-4.44.1
	CVE-2023-22580	Npm-sequelize-4.44.1
	CVE-2023-45133	Npm-@babel/traverse-7.0.0-rc.1
	CVE-2024-21512	Npm-mysql2-2.3.3
	Cx0b414307-5d4b	Npm-lodash-4.16.1
	Cx4615fedd-34f3	Npm-validator-10.11.0
	Cx89601373-08db	Npm-debug-2.6.9
	Cx89601373-08db	Npm-debug-3.2.7
	Cxc7705965-e0f0	Npm-@babel/core-7.0.0-rc.1
	Cxd312845a-fedc	Npm-validator-10.11.0
	CVE-2015-9251	Npm-jquery-2.1.0
	CVE-2018-16487	Npm-lodash-4.16.1
	CVE-2018-3721	Npm-lodash-4.16.1
	CVE-2019-1010266	Npm-lodash-4.16.1
	CVE-2019-11358	Npm-jquery-2.1.0
	CVE-2020-11022	Npm-jquery-2.1.0
	CVE-2020-11023	Npm-jquery-2.1.0
	CVE-2020-28500	Npm-lodash-4.16.1
	CVE-2024-21507	Npm-mysql2-2.3.3
	CVE-2024-21509	Npm-mysql2-2.3.3
	Cx7d80a499-a51a	Npm-jquery-2.1.0
	Cxf0b588a3-5c6f	Npm-jquery-2.1.0
	Cxda14f253-4e52	Npm-bluebird-3.7.2

Sep 22 '24 17:09 confusedcrib

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

Feb 15 '25 13:02 dependabot[bot]