devextreme-angular-template
devextreme-angular-template copied to clipboard
Bump node-forge and @angular-devkit/build-angular
Bumps node-forge to 1.3.1 and updates ancestor dependency @angular-devkit/build-angular. These dependencies need to be updated together.
Updates node-forge
from 0.10.0 to 1.3.1
Changelog
Sourced from node-forge's changelog.
1.3.1 - 2022-03-29
Fixes
- RFC 3447 and RFC 8017 allow for optional
DigestAlgorithm
NULL
parameters forsha*
algorithms and requireNULL
paramters formd2
andmd5
algorithms.1.3.0 - 2022-03-17
Security
- Three RSA PKCS#1 v1.5 signature verification issues were reported by Moosa Yahyazadeh ([email protected]).
- HIGH: Leniency in checking
digestAlgorithm
structure can lead to signature forgery.
- The code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.
- CVE ID: CVE-2022-24771
- GHSA ID: GHSA-cfm4-qjh2-4765
- HIGH: Failing to check tailing garbage bytes can lead to signature forgery.
- The code does not check for tailing garbage bytes after decoding a
DigestInfo
ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.- CVE ID: CVE-2022-24772
- GHSA ID: GHSA-x4jg-mjrx-434g
- MEDIUM: Leniency in checking type octet.
DigestInfo
is not properly checked for proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.- CVE ID: CVE-2022-24773
- GHSA ID: GHSA-2r2c-g63r-vccr
Fixed
- [asn1] Add fallback to pretty print invalid UTF8 data.
- [asn1]
fromDer
is now more strict and will default to ensuring all input bytes are parsed or throw an error. A new optionparseAllBytes
can disable this behavior.
- NOTE: The previous behavior is being changed since it can lead to security issues with crafted inputs. It is possible that code doing custom DER parsing may need to adapt to this new behavior and optional flag.
- [rsa] Add and use a validator to check for proper structure of parsed ASN.1
... (truncated)
Commits
a0a4a42
Release 1.3.1.a33830f
Update changelog.740954d
Allow optional DigestAlgorithm parameters.56f4316
Allow DigestInfo.DigestAlgorith.parameters to be optionalcbf0bd5
Start 1.3.1-0.6c5b901
Release 1.3.0.0f3972a
Update changelog.dc77b39
Fix error checking.bb822c0
Add advisory links.d4395fe
Update changelog.- Additional commits viewable in compare view
Updates @angular-devkit/build-angular
from 12.2.15 to 14.2.5
Release notes
Sourced from @angular-devkit/build-angular
's releases.
v14.2.5
14.2.5 (2022-10-05)
@angular-devkit/schematics
Commit Description throw more relevant error when Rule returns invalid null value Special Thanks
Alan Agius and Charles Lyding
v14.2.4
14.2.4 (2022-09-28)
@angular/cli
Commit Description add builders and schematic names as page titles in collected analytics Special Thanks
Alan Agius, Jason Bedard and Paul Gschwendtner
v14.2.3
14.2.3 (2022-09-15)
@angular-devkit/build-angular
Commit Description correctly display error messages that contain "at" text. watch symbolic links
@ngtools/webpack
Commit Description avoid bootstrap conversion AST traversal where possible Special Thanks
Alan Agius, Charles Lyding, Jason Bedard and Joey Perrott
v14.2.2
14.2.2 (2022-09-08)
@schematics/angular
Commit Description update minimum Angular version to 14.2
@angular/cli
Commit Description favor non deprecated packages during update
@angular-devkit/build-angular
Commit Description allow esbuild-based builder to use SVG Angular templates
... (truncated)
Changelog
Sourced from @angular-devkit/build-angular
's changelog.
14.2.5 (2022-10-05)
@angular-devkit/schematics
Commit Type Description 17eb20c77 fix throw more relevant error when Rule returns invalid null value Special Thanks
Alan Agius and Charles Lyding
15.0.0-next.3 (2022-09-28)
Breaking Changes
@angular-devkit/build-angular
The server builder
bundleDependencies
option has been removed. This option was used pre Ivy. Currently, using this option is unlikely to produce working server bundles.The
externalDependencies
option can be used instead to exclude specific node_module packages from the final bundle.
- Deprecated support for tilde import has been removed. Please update the imports by removing the
~
.Before
@import '~font-awesome/scss/font-awesome';
After
@import 'font-awesome/scss/font-awesome';
- By default the CLI will use Sass modern API, While not recommended, users can still opt to use legacy API by setting
NG_BUILD_LEGACY_SASS=1
.
require.context
are no longer parsed. Webpack specific features are not supported nor guaranteed to work in the future.
@schematics/angular
Commit Type Description 766d4a089 feat add migration to remove require calls from karma builder main file 597bfea1b feat drop polyfills.ts
file from new templates
... (truncated)
Commits
86b84a8
release: cut the v14.2.5 release17eb20c
fix(@angular-devkit/schematics
): throw more relevant error when Rule returns ...a4f4b33
docs(@angular/cli
): update platform support information in auto-completion1322324
test: reduce polling test median greatest value1f26cc1
release: cut the v14.2.4 releaseb49f4c5
ci: increase theresource_class
ofbuild-bazel-e2e
14ac8c6
ci: remove test-executor2023138
test: run e2e tests on pre-compiled packagesb73521b
build: setup remote execution through shared command05b18f4
fix(@angular/cli
): add builders and schematic names as page titles in collect...- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase
.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
-
@dependabot rebase
will rebase this PR -
@dependabot recreate
will recreate this PR, overwriting any edits that have been made to it -
@dependabot merge
will merge this PR after your CI passes on it -
@dependabot squash and merge
will squash and merge this PR after your CI passes on it -
@dependabot cancel merge
will cancel a previously requested merge and block automerging -
@dependabot reopen
will reopen this PR if it is closed -
@dependabot close
will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually -
@dependabot ignore this major version
will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this minor version
will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this dependency
will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) -
@dependabot use these labels
will set the current labels as the default for future PRs for this repo and language -
@dependabot use these reviewers
will set the current reviewers as the default for future PRs for this repo and language -
@dependabot use these assignees
will set the current assignees as the default for future PRs for this repo and language -
@dependabot use this milestone
will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.