OpenBot icon indicating copy to clipboard operation
OpenBot copied to clipboard
verified publisher icon isl-org

Bump the npm_and_yarn group across 3 directories with 26 updates

Open dependabot[bot] opened this issue 1 year ago • 0 comments

Bumps the npm_and_yarn group with 12 updates in the /controller/web-server directory:

Package From To
ws 8.13.0 8.17.1
@babel/traverse 7.22.8 7.24.7
@grpc/grpc-js 1.8.21 1.8.22
braces 3.0.2 3.0.3
browserslist 4.21.10 4.23.1
loader-utils 3.2.1 3.3.1
postcss 8.4.27 8.4.39
react-devtools-core 4.28.0 4.28.5
tar 6.1.15 6.2.1
terser 5.19.2 5.31.1
undici 5.26.5 5.28.4
@firebase/firestore 4.4.1 4.6.4

Bumps the npm_and_yarn group with 4 updates in the /controller/web-server/server directory: ws, braces, ejs and express. Bumps the npm_and_yarn group with 16 updates in the /policy/frontend directory:

Package From To
ws 6.2.1 6.2.3
@babel/traverse 7.12.10 7.24.7
hosted-git-info 2.8.8 2.8.9
path-parse 1.0.6 1.0.7
ssri 6.0.1 6.0.2
tar 6.0.5 6.2.1
tmpl 1.0.4 1.0.5
tough-cookie 4.1.3 4.1.4
express 4.18.2 4.19.2
browserify-sign 4.2.1 4.2.3
color-string 1.5.4 1.9.1
dns-packet 1.3.1 1.3.4
elliptic 6.5.3 6.5.5
es5-ext 0.10.53 0.10.64
follow-redirects 1.13.1 1.15.6
react-dev-utils 11.0.1 11.0.4

Updates ws from 8.13.0 to 8.17.1

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

  • Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;


for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;


for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';

if (++count === 2000) break;
}



}


headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';


const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});


request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the [--max-http-header-size=size][] and/or the [maxHeaderSize][] options so that no more headers than the server.maxHeadersCount limit can be sent.

... (truncated)

Commits
  • 3c56601 [dist] 8.17.1
  • e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
  • 6a00029 [test] Increase code coverage
  • ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
  • b73b118 [dist] 8.17.0
  • 29694a5 [test] Use the highWaterMark variable
  • 934c9d6 [ci] Test on node 22
  • 1817bac [ci] Do not test on node 21
  • 96c9b3d [major] Flip the default value of allowSynchronousEvents (#2221)
  • e5f32c7 [fix] Emit at most one event per event loop iteration (#2218)
  • Additional commits viewable in compare view

Updates @babel/traverse from 7.22.8 to 7.24.7

Release notes

Sourced from @​babel/traverse's releases.

v7.24.7 (2024-06-05)

:bug: Bug Fix

:house: Internal

  • babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

Committers: 7

v7.24.6 (2024-05-24)

Thanks @​amjed-98, @​blakewilson, @​coelhucas, and @​SukkaW for your first PRs!

:bug: Bug Fix

  • babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • babel-core, babel-generator, babel-plugin-transform-modules-commonjs
  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3
    • #16483 Fix: throw TypeError if addInitializer is called after finished (@​JLHwung)
  • babel-parser, babel-plugin-transform-typescript

:house: Internal

  • babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • babel-helpers
  • babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • babel-parser, babel-traverse
  • Other

... (truncated)

Changelog

Sourced from @​babel/traverse's changelog.

v7.24.7 (2024-06-05)

:bug: Bug Fix

:house: Internal

  • babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

v7.24.6 (2024-05-24)

:bug: Bug Fix

  • babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • babel-core, babel-generator, babel-plugin-transform-modules-commonjs
  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3
    • #16483 Fix: throw TypeError if addInitializer is called after finished (@​JLHwung)
  • babel-parser, babel-plugin-transform-typescript

:house: Internal

  • babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • babel-helpers
  • babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • babel-parser, babel-traverse
  • Other

v7.24.5 (2024-04-29)

:bug: Bug Fix

  • babel-plugin-transform-classes, babel-traverse
  • babel-helpers, babel-plugin-proposal-explicit-resource-management, babel-runtime-corejs3

:nail_care: Polish

  • babel-parser

... (truncated)

Commits

Updates @grpc/grpc-js from 1.8.21 to 1.8.22

Release notes

Sourced from @​grpc/grpc-js's releases.

@​grpc/grpc-js 1.8.22

  • Avoid buffering significantly more than grpc.max_receive_message_size per received message.
Commits
  • a8a0203 Merge pull request from GHSA-7v5v-9h63-cj86
  • 3b110cd grpc-js: Bump to 1.8.22
  • 8e62222 grpc-js: Avoid buffering significantly more than max_receive_message_size per...
  • 9d83947 Merge pull request #2742 from sergiitk/backport-1.8-psm-interop-common-prod-t...
  • 00f348c Merge pull request #2729 from sergiitk/psm-interop-common-prod-tests
  • 36d105b Merge pull request #2737 from murgatroid99/backport-1.8-grpc-js_linkify-it_fix
  • 969e305 Merge pull request #2735 from murgatroid99/grpc-js_linkify-it_fix
  • d78216f Merge pull request #2715 from sergiitk/backport-1.8-psm-interop-pkg-dev
  • f38966a Merge pull request #2712 from sergiitk/psm-interop-pkg-dev
  • ffefff2 Merge pull request #2640 from XuanWang-Amos/backport-1.8-psm-interop-shared-b...
  • Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

Updates browserslist from 4.21.10 to 4.23.1

Release notes

Sourced from browserslist's releases.

4.23.1

  • Fixed feature query with mobile to desktop when caniuse lags (by @​steverep).

4.23.0

Changelog

Sourced from browserslist's changelog.

4.23.1

  • Fixed feature query with mobile to desktop when caniuse lags (by @​steverep).

4.23.0

4.22.3

  • Fixed white spaces support in supports query (@​g-plane).
  • Fixed shared config like @company/package/browserslist-config (@​boucodes).

4.22.2

  • Fixed idempotency in time queries with mobileToDesktop (by Aliaksei Sapach).

4.22.1

4.22

  • Added fully supports query (by Ben Scott).
  • Added partially supports alias for supports query (by Ben Scott).

4.21.11

  • Added warning to --update-db to move to new CLI (by Ivan Vasilev).
  • Fixed docs (by Tatsunori Uchino).
Commits

Updates loader-utils from 3.2.1 to 3.3.1

Release notes

Sourced from loader-utils's releases.

v3.3.1

3.3.1 (2024-06-05)

Bug Fixes

v3.3.0

3.3.0 (2024-06-04)

Features

v3.2.2

3.2.2 (2024-05-29)

Bug Fixes

  • unreachable code for directories (128f945)
Changelog

Sourced from loader-utils's changelog.

3.3.1 (2024-06-05)

Bug Fixes

3.3.0 (2024-06-04)

Features

3.2.2 (2024-05-29)

Bug Fixes

  • unreachable code for directories (128f945)
Commits

Updates postcss from 8.4.27 to 8.4.39

Release notes

Sourced from postcss's releases.

8.4.39

8.4.38

8.4.37

  • Fixed original.column are not numbers error in another case.

8.4.36

  • Fixed original.column are not numbers error on broken previous source map.

8.4.35

  • Avoid ! in node.parent.nodes type.
  • Allow to pass undefined to node adding method to simplify types.

8.4.34

8.4.33

8.4.32

8.4.31

  • Fixed \r parsing to fix CVE-2023-44270.

8.4.30

8.4.29

8.4.28

  • Fixed Root.source.end for better source map (by @​romainmenke).
  • Fixed Result.root types when process() has no parser.
Changelog

Sourced from postcss's changelog.

8.4.39

8.4.38

8.4.37

  • Fixed original.column are not numbers error in another case.

8.4.36

  • Fixed original.column are not numbers error on broken previous source map.

8.4.35

  • Avoid ! in node.parent.nodes type.
  • Allow to pass undefined to node adding method to simplify types.

8.4.34

  • Fixed AtRule#nodes type (by Tim Weißenfels).
  • Cleaned up code (by Dmitry Kirillov).

8.4.33

  • Fixed NoWorkResult behavior difference with normal mode (by Romain Menke).
  • Fixed NoWorkResult usage conditions (by @​ahmdammarr).

8.4.32

  • Fixed postcss().process() types (by Andrew Ferreira).

8.4.31

  • Fixed \r parsing to fix CVE-2023-44270.

8.4.30

  • Improved source map performance (by Romain Menke).

8.4.29

  • Fixed Node#source.offset (by Ido Rosenthal).
  • Fixed docs (by Christian Oliff).

8.4.28

  • Fixed Root.source.end for better source map (by Romain Menke).
  • Fixed Result.root types when process() has no parser.
Commits

Updates react-devtools-core from 4.28.0 to 4.28.5

Commits

Updates tar from 6.1.15 to 6.2.1

Changelog

Sourced from tar's changelog.

Changelog

7.4

  • Deprecate onentry in favor of onReadEntry for clarity.

7.3

  • Add onWriteEntry option

7.2

  • DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

  • Update minipass to v7.1.0
  • Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

  • Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
  • Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
  • Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
  • Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

6.2

  • Add support for brotli compression
  • Add maxDepth option to prevent extraction into excessively deep folders.

6.1

  • remove dead link to benchmarks (#313) (@​yetzt)
  • add examples/explanation of using tar.t (@​isaacs)
  • ensure close event is emited after stream has ended (@​webark)

... (truncated)

Commits

Updates terser from 5.19.2 to 5.31.1

Changelog

Sourced from terser's changelog.

v5.31.1

  • Allow drop-unused to drop the whole assignment (not just the assigned name) in more situations, in order to avoid duplication of long strings.

v5.31.0

  • Sync up property mangler exceptions with current contents of Firefox and Chrome environments
  • Add more webcomponent properties to property mangler exceptions (#1525)
  • Drop non-nullish constants in ...spreads in objects (#1141)

v5.30.4

  • Fix parsing #private in ... when next to other operators

v5.30.3

  • Fix precedence of #private in ... operator

v5.30.2

  • Avoid optimizations inside computed keys, because they can cause js-engine-specific bugs.

v5.30.1

  • Removed useless \ escapes for non-ascii characters
  • Make modern identifier characters quoted for older environments (#1512)

v5.30.0

  • Improve removal of classes referring to themselves

v5.29.2

  • Make sure 'computed_props' creates string keys
  • Take into account the evaluated size when inlining

v5.29.1

  • fix optimisation of all-bits mask check

v5.29.0

  • Re-releases previously reverted 5.28.0
  • Fix crash while optimizing some bitwise ops
  • (internal) Remove needless wrapper for from_moz (#1499)

v5.28.1

(hotfix release)

  • Reverts v5.28.0

v5.28.0

  • Optimise redundant or shrinkable bitwise operations (|, ^, &, >>, <<)
  • Evaluate some BigInt math operations

v5.27.2

  • Recognise this as a reference to the surrounding class in drop_unused. Closes #1472

v5.27.1

  • Fixed case where collapse_vars inlines await expressions into non-async functions.

... (truncated)

Commits

Updates undici from 5.26.5 to 5.28.4

Release notes

Sourced from undici's releases.

v5.28.4

:warning: Security Release :warning:

Full Changelog: https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4

v5.28.3

⚠️ Security Release ⚠️

Fixes:

Full Changelog: https://github.com/nodejs/undici/compare/v5.28.2...v5.28.3

v5.28.2

What's Changed

New Contributors

Full Changelog: https://github.com/nodejs/undici/compare/v5.28.1...v5.28.2

v5.28.1

What's Changed

... (truncated)

Commits
  • fb98306 Bumped v5.28.4
  • 2b39440 Merge pull request from GHSA-9qxr-qj54-h672
  • 64e3402 Merge pull request from GHSA-m4v8-wqvr-p9f7
  • 723c4e7 Revert "build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 (#2389)"
  • 0e9d54b skip failing test due to Node.js changes
  • e71cb4c Bumped v5.28.3
  • 20c65b8 Fix tests for Node.js v20.11.0 (#2618)
  • 8ec52cd Fix tests for Node.js v21 (#2609)
  • d3aa574 Merge pull request from GHSA-3787-6prv-h9w3
  • 9a14e5f Bumped v5.28.2
  • Additional commits viewable in compare view

Updates @firebase/firestore from 4.4.1 to 4.6.4

Release notes

Sourced from @​firebase/firestore's releases.

4.5.2

Fixes

  • Fixed a regression where the react-native property was missing from the firebase package.json
  • Fixed a regression where the value of firebase.SDK_VERSION wasn't properly being populated.

4.5.1

Features

Shipped individual modules for the following packages:

  • @firebase/app
  • @firebase/auth
  • @firebase/database
  • @firebase/firestore
  • @firebase/messaging
  • @firebase/polyfill
  • @firebase/storage
  • @firebase/util

4.5.0

Features

Changelog

Sourced from @​firebase/firestore's changelog.

4.6.4

Patch Changes

4.6.3

Patch Changes

  • 2ce95696f #8247 - Fix multi-tab persistence raising empty snapshot issue

4.6.2

Patch Changes

4.6.1

Patch Changes

  • 224419457 #8145 - Prevent spurious "Backend didn't respond within 10 seconds" errors when network is indeed responding, just slowly.

  • bd12e83cd #8150 - Updated protobufjs transitive dependency in Firetore.

  • e1a7764cf #8197 - Go back using xmlhttprequest for bidi-streams, as fetch streams seem to be having connection ...

    Description has been truncated

dependabot[bot] avatar Jul 04 '24 01:07 dependabot[bot]