wikiloop-doublecheck icon indicating copy to clipboard operation
wikiloop-doublecheck copied to clipboard

Published 20 hours ago verified publisher icon google

build(deps): bump the npm_and_yarn group across 2 directories with 32 updates

Open dependabot[bot] opened this issue 8 months ago • 0 comments

Bumps the npm_and_yarn group with 23 updates in the / directory:

Package From To
express 4.17.1 4.19.2
mongodb 3.6.3 3.6.10
mongoose 5.10.15 5.13.20
mysql2 1.7.0 3.9.8
nodemailer 6.4.16 6.9.9
socket.io 2.3.0 2.5.0
sqlite3 5.0.0 5.1.5
@actions/core 1.2.6 1.10.1
@babel/traverse 7.12.5 7.24.7
browserify-sign 4.2.1 4.2.3
cookiejar 2.1.2 2.1.4
decode-uri-component 0.2.0 0.2.2
lodash-es 4.17.15 4.17.21
moment-timezone 0.5.32 0.5.45
nanoid 3.1.16 3.3.7
protobufjs 6.10.2 6.11.4
pug 3.0.0 3.0.3
qs 6.5.2 6.5.3
socket.io-parser 3.3.1 3.3.3
tmpl 1.0.4 1.0.5
trim-off-newlines 1.0.1 1.0.3
ua-parser-js 0.7.22 0.7.38
word-wrap 1.2.3 1.2.5

Bumps the npm_and_yarn group with 6 updates in the /mailer directory:

Package From To
json-schema 0.2.3 0.4.0
jsprim 1.4.1 1.4.2
minimist 1.2.5 1.2.8
qs 6.5.2 6.5.3
yargs-parser 16.1.0 18.1.3
yargs 15.1.0 15.4.1

Updates express from 4.17.1 to 4.19.2

Release notes

Sourced from express's releases.

4.19.2

What's Changed

Full Changelog: https://github.com/expressjs/express/compare/4.19.1...4.19.2

4.19.1

What's Changed

Full Changelog: https://github.com/expressjs/express/compare/4.19.0...4.19.1

4.19.0

What's Changed

New Contributors

Full Changelog: https://github.com/expressjs/express/compare/4.18.3...4.19.0

4.18.3

Main Changes

Other Changes

... (truncated)

Changelog

Sourced from express's changelog.

4.19.2 / 2024-03-25

  • Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

  • Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

4.18.3 / 2024-02-29

4.18.2 / 2022-10-08

4.18.1 / 2022-04-29

  • Fix hanging on large stack of sync routes

4.18.0 / 2022-04-25

  • Add "root" option to res.download
  • Allow options without filename in res.download
  • Deprecate string and non-integer arguments to res.status
  • Fix behavior of null/undefined as maxAge in res.cookie
  • Fix handling very large stacks of sync middleware
  • Ignore Object.prototype values in settings through app.set/app.get

... (truncated)

Commits
  • 04bc627 4.19.2
  • da4d763 Improved fix for open redirect allow list bypass
  • 4f0f6cc 4.19.1
  • a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
  • a1fa90f fixed un-edited version in history.md for 4.19.0
  • 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
  • 084e365 4.19.0
  • 0867302 Prevent open redirect allow list bypass due to encodeurl
  • 567c9c6 Add note on how to update docs for new release (#5541)
  • 69a4cf2 deps: [email protected]
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.


Updates mongodb from 3.6.3 to 3.6.10

Release notes

Sourced from mongodb's releases.

v3.6.10

The MongoDB Node.js team is pleased to announce version 3.6.10 of the mongodb package!

Release Highlights

This patch addresses a few bugs listed below. Notably the bsonRegExp option is now respected by the underlying BSON library, you can use this to decode regular expressions that contain syntax not permitted in native JS RegExp objects. Take a look at this example:

await collection.insertOne({ a: new BSONRegExp('(?-i)AA_') })
await collection.findOne({ a: new BSONRegExp('(?-i)AA_') }, { bsonRegExp: true })
// { _id: ObjectId,  a: BSONRegExp { pattern: '(?-i)AA_', options: '' } }

Also there was an issue with Cursor.forEach where user defined forEach callbacks that throw errors incorrectly handled catching errors. Take a look at the comments in this example:

collection.find({}).forEach(doc => {
    if(doc.bad) throw new Error('bad document!');
}).catch(error => {
    // now this is called! and error is `bad document!`
})
// before this fix the `bad document!` error would be thrown synchronously
// and have to be caught with try catch out here

Bug Fixes

  • NODE-2035: Exceptions thrown from awaited cursor forEach do not propagate (#2852) (a917dfa)
  • NODE-3150: added bsonRegExp option for v3.6 (#2843) (e4a9a57)
  • NODE-3358: Command monitoring objects hold internal state references (#2858) (750760c)
  • NODE-3380: perform retryable write checks against server (#2861) (621677a)
  • NODE-3397: report more helpful error with unsupported authMechanism in initial handshake (#2876) (3ce148d)

Documentation

We invite you to try the mongodb package immediately, and report any issues to the NODE project.

v3.6.9

The MongoDB Node.js team is pleased to announce version 3.6.9 of the driver!

Release Highlights

This release fixes a major performance bug in bulk write operations, which was inadvertently introduced by an incomplete code change in the previous release. The bug resulted in redundant array iterations and caused exponential increases in bulk operation completion times. Thank you Jan Schwalbe for bringing this to our attention!

Bug Fixes

... (truncated)

Commits
  • 1297cd1 chore(release): 3.6.10
  • e9196ab refactor(NODE-3324): bump max wire version to 13 (#2875)
  • 3ce148d fix(NODE-3397): report more helpful error with unsupported authMechanism in i...
  • 558182f test(NODE-3307): unified runner does not assert identical keys (#2867)
  • 621677a fix(NODE-3380): perform retryable write checks against server (#2861)
  • e4a9a57 fix(NODE-3150): added bsonRegExp option for v3.6 (#2843)
  • 750760c fix(NODE-3358): Command monitoring objects hold internal state references (#2...
  • a917dfa fix(NODE-2035): Exceptions thrown from awaited cursor forEach do not propagat...
  • b98f206 refactor(NODE-3356): Update command monitoring logging (#2853)
  • 68b4665 test(NODE-2856): ensure defaultTransactionOptions get used from session (#2845)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by nbbeeken, a new releaser for mongodb since your current version.


Updates mongoose from 5.10.15 to 5.13.20

Changelog

Sourced from mongoose's changelog.

8.4.3 / 2024-06-17

  • fix: remove 0x flamegraph files from release

8.4.2 / 2024-06-17

  • perf: more toObject() perf improvements #14623 #14606 #14394
  • fix(model): check the value of overwriteModels in options when calling discriminator() #14646 uditha-g
  • fix: avoid throwing TypeError when deleting an null entry on a populated Map #14654 futurliberta
  • fix(connection): fix up some inconsistencies in operation-end event and add to docs #14659 #14648
  • types: avoid inferring Boolean, Buffer, ObjectId as Date in schema definitions under certain circumstances #14667 #14630
  • docs: add note about parallelism in transations #14647 fiws

8.4.1 / 2024-05-31

  • fix: pass options to clone instead of get in applyVirtuals #14606 #14543 andrews05
  • fix(document): fire pre validate hooks on 5 level deep single nested subdoc when modifying after save() #14604 #14591
  • fix: ensure buildBulkWriteOperations target shard if shardKey is set #14622 #14621 matlpriceshape
  • types: pass DocType down to subdocuments so HydratedSingleSubdocument and HydratedArraySubdocument toObject() returns correct type #14612 #14601

7.6.12 / 2024-05-21

  • fix(array): avoid converting to $set when calling pull() on an element in the middle of the array #14531 #14502
  • fix: bump mongodb driver to 5.9.2 #14561 lorand-horvath
  • fix(update): cast array of strings underneath doc array with array filters #14605 #14595

8.4.0 / 2024-05-17

  • feat: upgrade mongodb -> 6.6.2 #14584
  • feat: add transactionAsyncLocalStorage option to opt in to automatically setting session on all transactions #14583 #13889
  • feat: handle initially null driver when instantiating Mongoose for Rollup support #14577 #12335
  • feat(mongoose): export omitUndefined() helper #14582 #14569
  • feat: add Model.listSearchIndexes() #14519 #14450
  • feat(connection): add listDatabases() function #14506 #9048
  • feat(schema): add schema-level readConcern option to apply default readConcern for all queries #14579 #14511
  • fix(error): remove model property from CastError to avoid printing all model properties to console #14568 #14529
  • fix(model): make bulkWrite() and insertMany() throw if throwOnValidationError set and all ops invalid #14587 #14572
  • fix(document): ensure transform function passed to toObject() options applies to subdocs #14600 #14589
  • types: add inferRawDocType helper #13900 #13772
  • types(document): make document _id type default to unknown instead of any #14541

8.3.5 / 2024-05-15

  • fix(query): shallow clone $or, $and if merging onto empty query filter #14580 #14567
  • types(model+query): pass TInstanceMethods to QueryWithHelpers so populated docs have methods #14581 #14574
  • docs(typescript): clarify that setting THydratedDocumentType on schemas is necessary for correct method context #14575 #14573

8.3.4 / 2024-05-06

  • perf(document): avoid cloning options using spread operator for perf reasons #14565 #14394

... (truncated)

Commits
  • 0f3997a chore: release 5.13.20
  • f1efabf fix: avoid prototype pollution on init
  • 98e0762 chore: release 5.13.19
  • 7e36d21 chore: release 5.13.18
  • 6759c60 undo accidental changes and actually pin @​types/json-schema
  • 4ed4a89 chore: pin version of @​types/json-schema because of install issues on node v4...
  • 9a9536d Merge pull request #13535 from lorand-horvath/patch-12
  • 26424d5 5.x - bump mongodb driver to 3.7.4
  • 4b8b0a9 add versionNumber to 5.x
  • 1bc07ec chore: release 5.13.17
  • Additional commits viewable in compare view

Updates mysql2 from 1.7.0 to 3.9.8

Release notes

Sourced from mysql2's releases.

v3.9.8

3.9.8 (2024-05-26)

Bug Fixes

  • security: sanitize fields and tables when using nestTables (#2702) (efe3db5)
  • support deno + caching_sha2_password FULL_AUTHENTICATION_PACKET flow (#2704) (2e03694)
  • typings: typo from jonServerPublicKey to onServerPublicKey (#2699) (8b5f691)

v3.9.7

3.9.7 (2024-04-21)

Bug Fixes

  • security: sanitize timezone parameter value to prevent code injection - report by zhaoyudi (Nebulalab) (#2608) (7d4b098)

v3.9.6

3.9.6 (2024-04-18)

Bug Fixes

  • binary parser sometimes reads out of packet bounds when results contain null and typecast is false (#2601) (705835d)

v3.9.5

3.9.5 (2024-04-17)

Bug Fixes

  • revert breaking change in results creation (#2591) (f7c60d0)

v3.9.4

3.9.4 (2024-04-09)

Bug Fixes

  • SSL: separate each certificate into an individual item #2542 (63f1055)
  • security: improve supportBigNumbers and bigNumberStrings sanitization (#2572) (74abf9e)
    • Fixes a potential RCE attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
  • security: improve results object creation (#2574) (4a964a3)
    • Fixes a potential Prototype Pollution attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
  • docs: improve the contribution guidelines (#2552) (8a818ce)

v3.9.3

3.9.3 (2024-03-26)

... (truncated)

Changelog

Sourced from mysql2's changelog.

3.9.8 (2024-05-26)

Bug Fixes

  • security: sanitize fields and tables when using nestTables (#2702) (efe3db5)
  • support deno + caching_sha2_password FULL_AUTHENTICATION_PACKET flow (#2704) (2e03694)
  • typings: typo from jonServerPublicKey to onServerPublicKey (#2699) (8b5f691)

3.9.7 (2024-04-21)

Bug Fixes

  • security: sanitize timezone parameter value to prevent code injection (#2608) (7d4b098)

3.9.6 (2024-04-18)

Bug Fixes

  • binary parser sometimes reads out of packet bounds when results contain null and typecast is false (#2601) (705835d)

3.9.5 (2024-04-17)

Bug Fixes

  • revert breaking change in results creation (#2591) (f7c60d0)

3.9.4 (2024-04-09)

Bug Fixes

  • docs: improve the contribution guidelines (#2552) (8a818ce)
  • security: improve results object creation (#2574) (4a964a3)
  • security: improve supportBigNumbers and bigNumberStrings sanitization (#2572) (74abf9e)

3.9.3 (2024-03-26)

Bug Fixes

  • security: improve cache key formation (#2424) (0d54b0c)
    • Fixes a potential parser cache poisoning attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
  • update Amazon RDS SSL CA cert (#2131) (d9dccfd)

3.9.2 (2024-02-26)

... (truncated)

Commits

Updates nodemailer from 6.4.16 to 6.9.9

Release notes

Sourced from nodemailer's releases.

v6.9.9

6.9.9 (2024-02-01)

Bug Fixes

  • security: Fix issues described in GHSA-9h6g-pr28-7cqp. Do not use eternal matching pattern if only a few occurences are expected (dd8f5e8)
  • tests: Use native node test runner, added code coverage support, removed grunt (#1604) (be45c1b)

v6.9.8

6.9.8 (2023-12-30)

Bug Fixes

  • punycode: do not use native punycode module (b4d0e0c)

v6.9.7

6.9.7 (2023-10-22)

Bug Fixes

  • customAuth: Do not require user and pass to be set for custom authentication schemes (fixes #1584) (41d482c)

v6.9.6

6.9.6 (2023-10-09)

Bug Fixes

  • inline: Use 'inline' as the default Content Dispostion value for embedded images (db32c93)
  • tests: Removed Node v12 from test matrix as it is not compatible with the test framework anymore (7fe0a60)

v6.9.5

6.9.5 (2023-09-06)

Bug Fixes

  • license: Updated license year (da4744e)
Changelog

Sourced from nodemailer's changelog.

6.9.9 (2024-02-01)

Bug Fixes

  • security: Fix issues described in GHSA-9h6g-pr28-7cqp. Do not use eternal matching pattern if only a few occurences are expected (dd8f5e8)
  • tests: Use native node test runner, added code coverage support, removed grunt (#1604) (be45c1b)

6.9.8 (2023-12-30)

Bug Fixes

  • punycode: do not use native punycode module (b4d0e0c)

6.9.7 (2023-10-22)

Bug Fixes

  • customAuth: Do not require user and pass to be set for custom authentication schemes (fixes #1584) (41d482c)

6.9.6 (2023-10-09)

Bug Fixes

  • inline: Use 'inline' as the default Content Dispostion value for embedded images (db32c93)
  • tests: Removed Node v12 from test matrix as it is not compatible with the test framework anymore (7fe0a60)

6.9.5 (2023-09-06)

Bug Fixes

  • license: Updated license year (da4744e)

6.9.4 2023-07-19

  • Renamed SendinBlue to Brevo

6.9.3 2023-05-29

  • Specified license identifier (was defined as MIT, actual value MIT-0)
  • If SMTP server disconnects with a message, process it and include as part of the response error

6.9.2 2023-05-11

  • Fix uncaught exception on invalid attachment content payload

... (truncated)

Commits
  • 5a2e10f chore(master): release 6.9.9 [skip-ci] (#1606)
  • dd8f5e8 fix(security): Fix issues described in GHSA-9h6g-pr28-7cqp. Do not use eterna...
  • 2c2b46a chore: do not use caret in version specifier
  • be45c1b fix(tests): Use native node test runner, added code coverage support, removed...
  • 4233f6f chore(master): release 6.9.8 [skip-ci] (#1605)
  • 09d502f chore: removed double file
  • b4d0e0c fix(punycode): do not use native punycode module
  • 8376c02 Test new github notice syntax for README
  • bc46a3b Updated stale github action
  • 78bdaf8 chore: remove redundant AWS SDK for JavaScript v2 (#1593)
  • Additional commits viewable in compare view

Updates socket.io from 2.3.0 to 2.5.0

Release notes

Sourced from socket.io's releases.

2.5.0

:warning: WARNING :warning:

The default value of the maxHttpBufferSize option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.

Security advisory: https://github.com/advisories/GHSA-j4f2-536g-r55m

Bug Fixes

  • fix race condition in dynamic namespaces (05e1278)
  • ignore packet received after disconnection (22d4bdf)
  • only set 'connected' to true after middleware execution (226cc16)
  • prevent the socket from joining a room after disconnection (f223178)

Links:

2.4.1

This release reverts the breaking change introduced in 2.4.0 (https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7).

If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests:

  • without CORS (server and client are served from the same domain):
const io = require("socket.io")(httpServer, {
  allowRequest: (req, callback) => {
    callback(null, req.headers.origin === undefined); // cross-origin requests will not be allowed
  }
});
  • with CORS (server and client are served from distinct domains):
io.origins(["http://localhost:3000"]); // for local development
io.origins(["https://example.com"]);

In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default).

Reverts

  • fix(security): do not allow all origins by default (a169050)

Links:

... (truncated)

Changelog

Sourced from socket.io's changelog.

2.5.0 (2022-06-26)

⚠️ WARNING ⚠️

The default value of the maxHttpBufferSize option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.

Security advisory: GHSA-j4f2-536g-r55m

Bug Fixes

  • fix race condition in dynamic namespaces (05e1278)
  • ignore packet received after disconnection (22d4bdf)
  • only set 'connected' to true after middleware execution (226cc16)
  • prevent the socket from joining a room after disconnection (f223178)

Dependencies

4.5.1 (2022-05-17)

Bug Fixes

  • forward the local flag to the adapter when using fetchSockets() (30430f0)
  • typings: add HTTPS server to accepted types (#4351) (9b43c91)

Dependencies

4.5.0 (2022-04-23)

Bug Fixes

  • typings: ensure compatibility with TypeScript 3.x (#4259) (02c87a8)

Features

Catch-all listeners for outgoing packets

... (truncated)

Commits
  • baa6804 chore(release): 2.5.0
  • f223178 fix: prevent the socket from joining a room after disconnection
  • 226cc16 fix: only set 'connected' to true after middleware execution
  • 05e1278 fix: fix race condition in dynamic namespaces
  • 22d4bdf fix: ignore packet received after disconnection
  • dfded53 chore: update engine.io version to 3.6.0
  • e6b8697 chore(release): 2.4.1
  • a169050 revert: fix(security): do not allow all origins by default
  • 873fdc5 chore(release): 2.4.0
  • f78a575 fix(security): do not allow all origins by default
  • Additional commits viewable in compare view

Updates sqlite3 from 5.0.0 to 5.1.5

Release notes

Sourced from sqlite3's releases.

v5.1.5

What's Changed

Full Changelog: https://github.com/TryGhost/node-sqlite3/compare/v5.1.4...v5.1.5

v5.1.4

What's Changed

Full Changelog: https://github.com/TryGhost/node-sqlite3/compare/v5.1.3...v5.1.4

v5.1.3

What's Changed

Full Changelog: https://github.com/TryGhost/node-sqlite3/compare/v5.1.2...v5.1.3

v5.1.2

What's Changed

Full Changelog: https://github.com/TryGhost/node-sqlite3/compare/v5.1.1...v5.1.2

v5.1.1

What's Changed

A huge thanks to MacStadium for providing an M1 Mac Mini so we can offer ARM64 binaries.

Full Changelog: https://github.com/TryGhost/node-sqlite3/compare/v5.1.0...v5.1.1

v5.1.0

✨ We're very excited to announce node-sqlite3's first minor release of v5, packed with features and improvements.

If you encounter any problems, please open a detailed issue using the templates.

What's Changed

... (truncated)

Commits
  • 6a806f8 v5.1.5
  • edb1934 Fixed code execution vulnerability due to Object coercion
  • 3a48888 Updated bundled SQLite to v3.41.1
  • c1440bd Fixed rpath linker option when using a custom sqlite (#1654)
  • 93affa4 Update microsoft/setup-msbuild action to v1.3
  • 6f6318e v5.1.4
  • aeafe25 Revert "Renamed master references to main"
  • 57ce2d4 Fixed glib compatibility by downgrading to Ubuntu 20
  • af8e567 Renamed master references to main
  • 8fd18a3 Extracted function checking code into macro
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by daniellockyer, a new releaser for sqlite3 since your current version.


Updates @actions/core from 1.2.6 to 1.10.1

Changelog

Sourced from @​actions/core's changelog.

1.10.1

  • Fix error message reference in oidc utils #1511

1.10.0

  • saveState and setOutput now use environment files if available #1178
  • getMultilineInput now correctly trims whitespace by default #1185

1.9.1

  • Randomize delimiter when calling core.exportVariable

1.9.0

  • Added toPosixPath, toWin32Path and toPlatformPath utilities #1102

1.8.2

  • Update to v2.0.1 of @actions/http-client #1087

1.8.1

  • Update to v2.0.0 of @actions/http-client

1.8.0

1.7.0

1.6.0

1.5.0

1.4.0

1.3.0

1.2.7

Commits

Updates @babel/traverse from 7.12.5 to 7.24.7

Release notes

Sourced from @​babel/traverse's releases.

v7.24.7 (2024-06-05)

:bug: Bug Fix

:house: Internal

  • babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

Committers: 7

  • Amjad Yahia Robeen Hassan (@​amjed-98)
  • Bab...

    Description has been truncated

dependabot[bot] avatar Jun 19 '24 21:06 dependabot[bot]