firewalla icon indicating copy to clipboard operation
firewalla copied to clipboard

Published 20 hours ago verified publisher icon firewalla

Bump the npm_and_yarn group with 17 updates

Open parkerbxyz opened this issue 8 months ago • 0 comments

Bumps the npm_and_yarn group with 16 updates in the root directory:

Package From To
async 2.6.1 2.6.4
debug 2.2.0 2.6.9
express 4.16.3 4.19.2
flat 4.1.0 5.0.1
ip 1.1.5 2.0.1
jsonwebtoken 8.3.0 9.0.0
minimatch 3.0.4 3.0.5
minimist 1.2.0 1.2.6
moment 2.22.2 2.29.4
node-forge 0.7.6 1.3.0
redis 2.8.0 3.1.1
requestretry 4.1.2 7.0.0
underscore 1.9.1 1.12.1
validator 9.4.1 13.7.0
xml2js 0.4.23 0.5.0
semver 5.5.1 5.7.2

These versions of these dependencies currently in use have known vulnerabilities. This pull request aims to resolve 65 known vulnerabilities by upgrading to patched versions of these packages.

Yarn audit results before:

$ yarn audit --summary
98 vulnerabilities found - Packages audited: 330
Severity: 9 Low | 33 Moderate | 42 High | 14 Critical

Yarn audit results after:

$ yarn audit --summary
33 vulnerabilities found - Packages audited: 332
Severity: 4 Low | 12 Moderate | 12 High | 5 Critical

Updates async from 2.6.1 to 2.6.4

Changelog

Sourced from async's changelog.

v2.6.4

  • Fix potential prototype pollution exploit (#1828)

v2.6.3

  • Updated lodash to squelch a security warning (#1675)

v2.6.2

  • Updated lodash to squelch a security warning (#1620)
Commits
Maintainer changes

This version was pushed to npm by hargasinski, a new releaser for async since your current version.


Updates debug from 2.2.0 to 2.6.9

Release notes

Sourced from debug's releases.

2.6.9

Patches

  • Remove ReDoS regexp in %o formatter: #504

Credits

Huge thanks to @​zhuangya for their help!

release 2.6.7

No release notes provided.

release 2.6.6

No release notes provided.

release 2.6.5

No release notes provided.

release 2.6.4

No release notes provided.

release 2.6.3

No release notes provided.

release 2.6.2

No release notes provided.

release 2.6.1

No release notes provided.

release 2.6.0

No release notes provided.

release 2.5.2

No release notes provided.

release 2.5.1

No release notes provided.

release 2.4.5

No release notes provided.

release 2.4.4

No release notes provided.

release 2.4.3

No release notes provided.

release 2.4.2

No release notes provided.

... (truncated)

Changelog

Sourced from debug's changelog.

2.6.9 / 2017-09-22

  • remove ReDoS regexp in %o formatter (#504)

2.6.8 / 2017-05-18

2.6.7 / 2017-05-16

2.6.5 / 2017-04-27

2.6.4 / 2017-04-20

2.6.3 / 2017-03-13

2.6.2 / 2017-03-10

2.6.1 / 2017-02-10

  • Fix: Module's export default syntax fix for IE8 Expected identifier error
  • Fix: Whitelist DEBUG_FD for values 1 and 2 only (#415, @​pi0)

... (truncated)

Commits

Updates express from 4.16.3 to 4.19.2

Release notes

Sourced from express's releases.

4.19.2

What's Changed

Full Changelog: https://github.com/expressjs/express/compare/4.19.1...4.19.2

4.19.1

What's Changed

Full Changelog: https://github.com/expressjs/express/compare/4.19.0...4.19.1

4.19.0

What's Changed

New Contributors

Full Changelog: https://github.com/expressjs/express/compare/4.18.3...4.19.0

4.18.3

Main Changes

Other Changes

... (truncated)

Changelog

Sourced from express's changelog.

4.19.2 / 2024-03-25

  • Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

  • Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

4.18.3 / 2024-02-29

4.18.2 / 2022-10-08

4.18.1 / 2022-04-29

  • Fix hanging on large stack of sync routes

4.18.0 / 2022-04-25

  • Add "root" option to res.download
  • Allow options without filename in res.download
  • Deprecate string and non-integer arguments to res.status
  • Fix behavior of null/undefined as maxAge in res.cookie
  • Fix handling very large stacks of sync middleware
  • Ignore Object.prototype values in settings through app.set/app.get

... (truncated)

Commits
  • 04bc627 4.19.2
  • da4d763 Improved fix for open redirect allow list bypass
  • 4f0f6cc 4.19.1
  • a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
  • a1fa90f fixed un-edited version in history.md for 4.19.0
  • 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
  • 084e365 4.19.0
  • 0867302 Prevent open redirect allow list bypass due to encodeurl
  • 567c9c6 Add note on how to update docs for new release (#5541)
  • 69a4cf2 deps: [email protected]
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.


Updates flat from 4.1.0 to 5.0.1

Commits
  • f25d3a1 Release 5.0.1
  • 54cc7ad use standard formatting
  • 779816e drop dependencies
  • 2eea6d3 Bump lodash from 4.17.15 to 4.17.19
  • a61a554 Bump acorn from 7.1.0 to 7.4.0
  • 20ef0ef Fix prototype pollution on unflatten
  • e8fb281 Test prototype pollution on unflatten
  • 6e95c43 Add node 10 & 12 to travis config.
  • 38239cc Release 5.0.0
  • beaea9d Add tests around cli. Only show usage if on TTY & no argument, allow eaccess ...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by timoxley, a new releaser for flat since your current version.


Updates ip from 1.1.5 to 2.0.1

Commits

Updates jsonwebtoken from 8.3.0 to 9.0.0

Changelog

Sourced from jsonwebtoken's changelog.

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

Security fixes

  • security: fixes Arbitrary File Write via verify function - CVE-2022-23529
  • security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
  • security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
  • security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

8.5.1 - 2019-03-18

Bug fix

Docs

8.5.0 - 2019-02-20

New Functionality

Test Improvements

Docs

8.4.0 - 2018-11-14

New Functionality

... (truncated)

Commits
  • e1fa9dc Merge pull request from GHSA-8cf7-32gw-wr33
  • 5eaedbf chore(ci): remove github test actions job (#861)
  • cd4163e chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)
  • ecdf6cc fix!: Prevent accidental use of insecure key sizes & misconfiguration of secr...
  • 8345030 fix(sign&verify)!: Remove default none support from sign and verify met...
  • 7e6a86b Upload OpsLevel YAML (#849)
  • 74d5719 docs: update references vercel/ms references (#770)
  • d71e383 docs: document "invalid token" error
  • 3765003 docs: fix spelling in README.md: Peak -> Peek (#754)
  • a46097e docs: make decode impossible to discover before verify
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jsonwebtoken since your current version.


Updates minimatch from 3.0.4 to 3.0.5

Commits

Updates minimist from 1.2.0 to 1.2.6

Changelog

Sourced from minimist's changelog.

v1.2.6 - 2022-03-21

Commits

  • test from prototype pollution PR bc8ecee
  • isConstructorOrProto adapted from PR c2b9819
  • security notice for additional prototype pollution issue ef88b93

v1.2.5 - 2020-03-12

v1.2.4 - 2020-03-11

Commits

  • security notice 4cf1354
  • additional test for constructor prototype pollution 1043d21

v1.2.3 - 2020-03-10

Commits

  • more failing proto pollution tests 13c01a5
  • even more aggressive checks for protocol pollution 38a4d1c

v1.2.2 - 2020-03-10

Commits

v1.2.1 - 2020-03-10

Merged

Commits

Commits

Updates moment from 2.22.2 to 2.29.4

Changelog

Sourced from moment's changelog.

2.29.4

  • Release Jul 6, 2022
    • #6015 [bugfix] Fix ReDoS in preprocessRFC2822 regex

2.29.3 Full changelog

  • Release Apr 17, 2022
    • #5995 [bugfix] Remove const usage
    • #5990 misc: fix advisory link

2.29.2 See full changelog

  • Release Apr 3 2022

Address https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4

2.29.1 See full changelog

  • Release Oct 6, 2020

Updated deprecation message, bugfix in hi locale

2.29.0 See full changelog

  • Release Sept 22, 2020

New locales (es-mx, bn-bd). Minor bugfixes and locale improvements. More tests. Moment is in maintenance mode. Read more at this link: https://momentjs.com/docs/#/-project-status/

2.28.0 See full changelog

  • Release Sept 13, 2020

Fix bug where .format() modifies original instance, and locale updates

2.27.0 See full changelog

  • Release June 18, 2020

Added Turkmen locale, other locale improvements, slight TypeScript fixes

2.26.0 See full changelog

  • Release May 19, 2020

... (truncated)

Commits

Updates node-forge from 0.7.6 to 1.3.0

Changelog

Sourced from node-forge's changelog.

1.3.0 - 2022-03-17

Security

  • Three RSA PKCS#1 v1.5 signature verification issues were reported by Moosa Yahyazadeh ([email protected]).
  • HIGH: Leniency in checking digestAlgorithm structure can lead to signature forgery.
  • HIGH: Failing to check tailing garbage bytes can lead to signature forgery.
  • MEDIUM: Leniency in checking type octet.
    • DigestInfo is not properly checked for proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.
    • CVE ID: CVE-2022-24773
    • GHSA ID: GHSA-2r2c-g63r-vccr

Fixed

  • [asn1] Add fallback to pretty print invalid UTF8 data.
  • [asn1] fromDer is now more strict and will default to ensuring all input bytes are parsed or throw an error. A new option parseAllBytes can disable this behavior.
    • NOTE: The previous behavior is being changed since it can lead to security issues with crafted inputs. It is possible that code doing custom DER parsing may need to adapt to this new behavior and optional flag.
  • [rsa] Add and use a validator to check for proper structure of parsed ASN.1 RSASSA-PKCS-v1_5 DigestInfo data. Additionally check that the hash algorithm identifier is a known value from RFC 8017 PKCS1-v1-5DigestAlgorithms. An invalid DigestInfo or algorithm identifier will now throw an error.
    • NOTE: The previous lenient behavior is being changed to be more strict since it could lead to security issues with crafted inputs. It is possible that code may have to handle the errors from these stricter checks.

... (truncated)

Commits

Updates redis from 2.8.0 to 3.1.1

Changelog

Sourced from redis's changelog.

v3.1.1

Enhancements

  • Upgrade node and dependencies

Fixes

  • Fix a potential exponential regex in monitor mode

v3.1.0 - 31 Mar, 2021

Enhancements

  • Upgrade node and dependencies and redis-commands to support Redis 6
  • Add support for Redis 6 auth pass [user]

v3.0.0 - 09 Feb, 2020

This version is mainly a release to distribute all the unreleased changes on master since 2017 and additionally removes a lot of old deprecated features and old internals in preparation for an upcoming modernization refactor (v4).

Breaking Changes

  • Dropped support for Node.js < 6
  • Dropped support for hiredis (no longer required)
  • Removed previously deprecated drain event
  • Removed previously deprecated idle event
  • Removed previously deprecated parser option
  • Removed previously deprecated max_delay option
  • Removed previously deprecated max_attempts option
  • Removed previously deprecated socket_no_delay option

Bug Fixes

  • Removed development files from published package (#1370)
  • Duplicate function now allows db param to be passed (#1311)

Features

  • Upgraded to latest redis-commands package
  • Upgraded to latest redis-parser package, v3.0.0, which brings performance improvements
  • Replaced double-ended-queue with denque, which brings performance improvements
  • Add timestamps to debug traces
  • Add socket_initial_delay option for socket.setKeepAlive (#1396)
  • Add support for rediss protocol in url (#1282)
Commits
Maintainer changes

This version was pushed to npm by leibale, a new releaser for redis since your current version.


Updates requestretry from 4.1.2 to 7.0.0

Changelog

Sourced from requestretry's changelog.

7.0.0 (2022-02-21)

  • changes (2d822ad)
  • Prevent Cookie & Authorization Headers from being forwarded when the URL redirects to another domain (0979c60), closes #137
  • Release v7.0.0. (4569005)
  • Update leak.test.js (2768f5c)
  • Update leak.test.js (afa27ef)
  • Update README.md (5e1a63c)
  • Update README.md (ebf3471)
  • test: add more test (c7c47d6)
  • fix: :facepalm: (3c0d686)
  • fix: breaking test suite (95e7a3b)
  • docs(changelog): updated (a450999)

6.0.0 (2021-08-24)

  • Release v6.0.0. (1b8ea5c)
  • fix: remove dependency on when in favor of native Promises (52d0603)
  • docs(changelog): updated (a1189ef)

5.0.0 (2021-02-16)

Commits

Updates underscore from 1.9.1 to 1.12.1

Commits
  • c627e38 Mention CVE-2021-23358 in code, test and documentation (#2915)
  • c9e803e Add diff and docs to the 1.12.1 change log entry
  • 0c20985 Restore comments from 7e89b79f95e7b
  • bf5a0ed Merge branch 'template-variable-parameter'
  • 7e3d404 Update annotated sources and minified bundles for 1.12.1
  • 5343fbc Add version 1.12.1 to the documentation
  • 44df929 Bump the version to 1.12.1
  • 7e89b79 Un-document the fix for #2911 for the time being
  • 4c73526 Fix #2911
  • ef646cc Reflect real issue of #2911 in test from #2912
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by jgonggrijp, a new releaser for underscore since your current version.


Updates validator from 9.4.1 to 13.7.0

Updates xml2js from 0.4.23 to 0.5.0

Updates semver from 5.5.1 to 5.7.2

parkerbxyz avatar Jul 01 '24 18:07 parkerbxyz