vue-wordpress-pwa
fix(deps): update dependency serialize-javascript to v3 [security]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| serialize-javascript | 1.7.0 -> 3.1.0 | | | | |
GitHub Vulnerability Alerts
CVE-2019-16769
Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.
Recommendation
Upgrade to version 2.1.1 or later.
CVE-2020-7660
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
An object such as `{"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"}` was serialized as `{"foo": /1"/, "bar": "a\/1"/}`, which allows an attacker to escape the `bar` key. This requires the attacker to control the values of both `foo` and `bar` and guess the value of `<UID>`. The UID has a keyspace of approximately 4 billion, making it a realistic network attack.
Release Notes
yahoo/serialize-javascript (serialize-javascript)
v3.1.0
- Bump mocha from 7.1.2 to 7.2.0 (#83)
- Bump mocha from 7.1.1 to 7.1.2 (#82)
- Bump nyc from 15.0.0 to 15.0.1 (#81)
- Don't replace regex / function placeholders within string literals (#79)
- [Security] Bump minimist from 1.2.0 to 1.2.5 (#78)
- Bump mocha from 7.1.0 to 7.1.1 (#77)
- Bump mocha from 7.0.1 to 7.1.0 (#74)
- Update example in README (#73)
Note: `randombytes` has been added as a dependency to improve the generation of UIDs. See #22 for more information. Thanks to @JordanMilne and @Siebes for this change.
v3.0.0
- Introduce support for Infinity (@vthibault, #72)
- Bump mocha from 7.0.0 to 7.0.1 (#71)
- Test on Node.js v12 (@okuryu, #70)
- Bump mocha from 6.2.2 to 7.0.0 (#69)
- Bump nyc from 14.1.1 to 15.0.0 (#68)
Behavior changes for Infinity
Since this version, `Infinity` values are serialized as follows. The result of serialization may change if you are passing `Infinity` values into serialize-javascript.
v3.x

```js
const serialize = require('serialize-javascript');
serialize({inf: Infinity}); // '{"inf":Infinity}'
```

v2.x

```js
const serialize = require('serialize-javascript');
serialize({inf: Infinity}); // '{"inf":null}'
```
v2.1.2
v2.1.1
- Fix regular expressions Cross-Site Scripting (XSS) vulnerability (see security advisory)
- Migrate to nyc from istanbul
v2.1.0
- Add `ignoreFunction` option (@realdennis, #58)
v2.0.0
Behavior changes for undefined
Since this version, `undefined` values are serialized as follows. The result of serialization may change if you are passing `undefined` values into serialize-javascript.
v2.x

```js
const serialize = require('serialize-javascript');
serialize({undef: undefined}); // '{"undef":undefined}'
```

v1.x

```js
const serialize = require('serialize-javascript');
serialize({undef: undefined}); // '{}'
```
v1.9.1
- Revert #54 for breaking changes (see: https://github.com/yahoo/serialize-javascript/issues/57)
- Bump mocha from 5.2.0 to 6.2.0 (#56)
v1.9.0
v1.8.0
- Enhanced object literals don't have arrows (@jowenjowen, #51)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
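
The CVE-2020-7660 description above, worked through as an added example (not the library's source and not part of the original PR): a simplified model of placeholder-based regex serialization, with the unguarded replacement beside one that leaves placeholders inside string literals alone, as the v3.1.0 note (#79) describes. The fixed UID `deadbeef`, the sample object and all function names are assumptions made for the illustration.

```javascript
// Simplified model only; names and the fixed UID are constructed for this example.
const UID = 'deadbeef';

// Step 1: JSON.stringify with a replacer that swaps each RegExp for a
// string placeholder and remembers the original value by index.
function stringifyWithPlaceholders(obj, regexps) {
  return JSON.stringify(obj, (key, value) =>
    value instanceof RegExp
      ? `@__R-${UID}-${regexps.push(value) - 1}__@`
      : value);
}

// Step 2 (unguarded): every quoted placeholder is replaced, including one
// that only appears as text inside an attacker-supplied string.
function serializeVulnerable(obj) {
  const regexps = [];
  const json = stringifyWithPlaceholders(obj, regexps);
  const pattern = new RegExp(`"@__R-${UID}-(\\d+)__@"`, 'g');
  return json.replace(pattern, (match, i) => regexps[i].toString());
}

// Step 2 (guarded): a placeholder whose opening quote is preceded by a
// backslash is an escaped quote inside a string literal, so it is kept as is.
function serializeHardened(obj) {
  const regexps = [];
  const json = stringifyWithPlaceholders(obj, regexps);
  const pattern = new RegExp(`(\\\\)?"@__R-${UID}-(\\d+)__@"`, 'g');
  return json.replace(pattern, (match, backslash, i) =>
    backslash ? match : regexps[i].toString());
}

// Check: does the serialized text evaluate back to an object whose `bar`
// is still the original string? A syntax error means a string boundary broke.
function barRoundTrips(serialized, obj) {
  try {
    return new Function(`return (${serialized});`)().bar === obj.bar;
  } catch (e) {
    return false;
  }
}

// Constructed input mirroring the object in the advisory text.
const sample = { foo: /1"/, bar: `a"@__R-${UID}-0__@` };
console.log(serializeVulnerable(sample), barRoundTrips(serializeVulnerable(sample), sample));
console.log(serializeHardened(sample), barRoundTrips(serializeHardened(sample), sample));
```

The guard only helps if the UID is also hard to guess, which is why the same release switched UID generation to `randombytes`.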