Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump the npm_and_yarn group with 13 updates #38

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Sep 11, 2024

Bumps the npm_and_yarn group with 14 updates:

Package From To
karma 6.3.2 6.3.16
ansi-regex 5.0.0 5.0.1
ansi-regex 3.0.0 5.0.1
body-parser 1.19.0 1.20.3
got 11.8.3 11.8.6
json5 1.0.1 1.0.2
log4js 6.3.0 6.9.1
minimist 1.2.5 1.2.8
nanoid 3.1.20 removed
mocha 8.4.0 10.7.3
qs 6.7.0 6.13.0
socket.io 3.1.2 4.7.5
socket.io-parser 4.0.4 4.2.4
ws 7.4.5 8.17.1

Updates karma from 6.3.2 to 6.3.16

Release notes

Sourced from karma's releases.

v6.3.16

6.3.16 (2022-02-10)

Bug Fixes

  • security: mitigate the "Open Redirect Vulnerability" (ff7edbb)

v6.3.15

6.3.15 (2022-02-05)

Bug Fixes

v6.3.14

6.3.14 (2022-02-05)

Bug Fixes

  • remove string template from client code (91d5acd)
  • warn when singleRun and autoWatch are false (69cfc76)
  • security: remove XSS vulnerability in returnUrl query param (839578c)

v6.3.13

6.3.13 (2022-01-31)

Bug Fixes

  • deps: bump log4js to resolve security issue (5bf2df3), closes #3751

v6.3.12

6.3.12 (2022-01-24)

Bug Fixes

  • remove depreciation warning from log4js (41bed33)

v6.3.11

6.3.11 (2022-01-13)

Bug Fixes

  • deps: pin colors package to 1.4.0 due to security vulnerability (a5219c5)

... (truncated)

Changelog

Sourced from karma's changelog.

6.4.0 (2022-06-14)

Features

  • support SRI verification of link tags (dc51a2e)
  • support SRI verification of script tags (6a54b1c)

6.3.20 (2022-05-13)

Bug Fixes

  • prefer IPv4 addresses when resolving domains (e17698f), closes #3730

6.3.19 (2022-04-19)

Bug Fixes

  • client: error out when opening a new tab fails (099b85e)

6.3.18 (2022-04-13)

Bug Fixes

  • deps: upgrade socket.io to v4.4.1 (52a30bb)

6.3.17 (2022-02-28)

Bug Fixes

  • deps: update colors to maintained version (#3763) (fca1884)

6.3.16 (2022-02-10)

Bug Fixes

  • security: mitigate the "Open Redirect Vulnerability" (ff7edbb)

6.3.15 (2022-02-05)

Bug Fixes

... (truncated)

Commits
  • ab4b328 chore(release): 6.3.16 [skip ci]
  • ff7edbb fix(security): mitigate the "Open Redirect Vulnerability"
  • c1befa0 chore(release): 6.3.15 [skip ci]
  • d9dade2 fix(helper): make mkdirIfNotExists helper resilient to concurrent calls
  • 653c762 ci: prevent duplicate CI tasks on creating a PR
  • c97e562 chore(release): 6.3.14 [skip ci]
  • 91d5acd fix: remove string template from client code
  • 69cfc76 fix: warn when singleRun and autoWatch are false
  • 839578c fix(security): remove XSS vulnerability in returnUrl query param
  • db53785 chore(release): 6.3.13 [skip ci]
  • Additional commits viewable in compare view

Updates ansi-regex from 5.0.0 to 5.0.1

Release notes

Sourced from ansi-regex's releases.

v5.0.1

Fixes (backport of 6.0.1 to v5)

This is a backport of the minor ReDos vulnerability in ansi-regex@<6.0.1, as requested in #38.

  • Fix ReDoS in certain cases (#37) You are only really affected if you run the regex on untrusted user input in a server context, which it's very unlikely anyone is doing, since this regex is mainly used in command-line tools.

CVE-2021-3807

https://github.com/chalk/ansi-regex/compare/v5.0.0..v5.0.1

Thank you @​yetingli for the patch and reproduction case!

Commits

Updates ansi-regex from 3.0.0 to 5.0.1

Release notes

Sourced from ansi-regex's releases.

v5.0.1

Fixes (backport of 6.0.1 to v5)

This is a backport of the minor ReDos vulnerability in ansi-regex@<6.0.1, as requested in #38.

  • Fix ReDoS in certain cases (#37) You are only really affected if you run the regex on untrusted user input in a server context, which it's very unlikely anyone is doing, since this regex is mainly used in command-line tools.

CVE-2021-3807

https://github.com/chalk/ansi-regex/compare/v5.0.0..v5.0.1

Thank you @​yetingli for the patch and reproduction case!

Commits

Updates body-parser from 1.19.0 to 1.20.3

Release notes

Sourced from body-parser's releases.

1.20.3

What's Changed

Important

  • deps: qs@6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

New Contributors

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

1.20.2

  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
    • perf: skip value escaping when unnecessary
  • deps: raw-body@2.5.2

1.20.1

  • deps: qs@6.11.0
  • perf: remove unnecessary object clone

1.20.0

  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: http-errors@2.0.0
    • deps: depd@2.0.0
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
  • deps: qs@6.10.3

... (truncated)

Changelog

Sourced from body-parser's changelog.

1.20.3 / 2024-09-10

  • deps: qs@6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

1.20.2 / 2023-02-21

  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
    • perf: skip value escaping when unnecessary
  • deps: raw-body@2.5.2

1.20.1 / 2022-10-06

  • deps: qs@6.11.0
  • perf: remove unnecessary object clone

1.20.0 / 2022-04-02

  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: http-errors@2.0.0
    • deps: depd@2.0.0
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
  • deps: qs@6.10.3
  • deps: raw-body@2.5.1
    • deps: http-errors@2.0.0

1.19.2 / 2022-02-15

  • deps: bytes@3.1.2
  • deps: qs@6.9.7
    • Fix handling of __proto__ keys
  • deps: raw-body@2.4.3
    • deps: bytes@3.1.2

1.19.1 / 2021-12-10

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.


Updates got from 11.8.3 to 11.8.6

Release notes

Sourced from got's releases.

v11.8.6

  • Destroy request object after successful response

sindresorhus/got@v11.8.5...v11.8.6

v11.8.5

sindresorhus/got@v11.8.4...v11.8.5

Commits

Updates json5 from 1.0.1 to 1.0.2

Release notes

Sourced from json5's releases.

v1.0.2

  • Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295). This has been backported to v1. (#298)
Changelog

Sourced from json5's changelog.

Unreleased [code, diff]

v2.2.3 [code, diff]

  • Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

  • Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1 [code, diff]

v2.2.0 [code, diff]

  • New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

  • Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2 [code, diff]

... (truncated)

Commits

Updates log4js from 6.3.0 to 6.9.1

Changelog

Sourced from log4js's changelog.

6.9.1

6.9.0

6.8.0

6.7.1

... (truncated)

Commits
  • 26dcec6 6.9.1
  • 63ae5b9 Merge pull request #1379 from log4js-node/update-docs
  • 185fa66 docs: updated changelog for 6.9.1
  • ed54dc2 Merge pull request #1378 from log4js-node/1377-defaultparsecallstack-cant-par...
  • 2628688 fix(7922e82): regex for stacktrace
  • b3919d8 6.9.0
  • 7cfe8a4 Merge pull request #1376 from log4js-node/update-docs
  • f89e7b6 docs: updated changelog for 6.9.0
  • 0082928 Merge pull request #1375 from log4js-node/update-docs
  • c0db6a4 docs: added that log4js.getLogger() may call log4js.configure()
  • Additional commits viewable in compare view

Updates minimist from 1.2.5 to 1.2.8

Changelog

Sourced from minimist's changelog.

v1.2.8 - 2023-02-09

Merged

Fixed

Commits

  • Merge tag 'v0.2.3' a026794
  • [eslint] fix indentation and whitespace 5368ca4
  • [eslint] fix indentation and whitespace e5f5067
  • [eslint] more cleanup 62fde7d
  • [eslint] more cleanup 36ac5d0
  • [meta] add auto-changelog 73923d2
  • [actions] add reusable workflows d80727d
  • [eslint] add eslint; rules to enable later are warnings 48bc06a
  • [eslint] fix indentation 34b0f1c
  • [readme] rename and add badges 5df0fe4
  • [Dev Deps] switch from covert to nyc a48b128
  • [Dev Deps] update covert, tape; remove unnecessary tap f0fb958
  • [meta] create FUNDING.yml; add funding in package.json 3639e0c
  • [meta] use npmignore to autogenerate an npmignore file be2e038
  • Only apps should have lockfiles 282b570
  • isConstructorOrProto adapted from PR ef9153f
  • [Dev Deps] update @ljharb/eslint-config, aud 098873c
  • [Dev Deps] update @ljharb/eslint-config, aud 3124ed3
  • [meta] add safe-publish-latest 4b927de
  • [Tests] add aud in posttest b32d9bd
  • [meta] update repo URLs f9fdfc0
  • [actions] Avoid 0.6 tests due to build failures ba92fe6
  • [Dev Deps] update tape 950eaa7
  • [Dev Deps] add missing npmignore dev dep 3226afa
  • Merge tag 'v0.2.2' 980d7ac

v1.2.7 - 2022-10-10

Commits

... (truncated)

Commits
  • 6901ee2 v1.2.8
  • a026794 Merge tag 'v0.2.3'
  • c0b2661 v0.2.3
  • 63b8fee [Fix] Fix long option followed by single dash (#17)
  • 72239e6 [Tests] Remove duplicate test (#12)
  • 34b0f1c [eslint] fix indentation
  • 3226afa [Dev Deps] add missing npmignore dev dep
  • 098873c [Dev Deps] update @ljharb/eslint-config, aud
  • 9ec4d27 [Fix] Fix long option followed by single dash
  • ba92fe6 [actions] Avoid 0.6 tests due to build failures
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for minimist since your current version.


Removes nanoid

Updates mocha from 8.4.0 to 10.7.3

Release notes

Sourced from mocha's releases.

v10.7.3

10.7.3 (2024-08-09)

🩹 Fixes

v10.7.2

10.7.2 (2024-08-06)

📚 Documentation

🧹 Chores

v10.7.1

10.7.1 (2024-08-06)

🩹 Fixes

  • crash with --parallel and --retries both enabled (#5173) (d7013dd)

🧹 Chores

  • add knip to validate included dependencies (5c2989f)
  • more fully remove assetgraph-builder and canvas (#5175) (1883c41)
  • replace nps with npm scripts (#5128) (c44653a), closes #5126

v10.7.0

What's Changed

New Contributors

Full Changelog: mochajs/mocha@v10.6.1...v10.7.0

v10.6.1

What's Changed

... (truncated)

Changelog

Sourced from mocha's changelog.

10.7.3 (2024-08-09)

🩹 Fixes

10.7.2 (2024-08-06)

📚 Documentation

🧹 Chores

10.7.1 (2024-08-06)

🩹 Fixes

  • crash with --parallel and --retries both enabled (#5173) (d7013dd)

🧹 Chores

  • add knip to validate included dependencies (5c2989f)
  • more fully remove assetgraph-builder and canvas (#5175) (1883c41)
  • replace nps with npm scripts (#5128) (c44653a), closes #5126

10.7.0 / 2024-07-20

🎉 Enhancements

10.6.1 / 2024-07-20

🐛 Fixes

10.6.0 / 2024-07-02

🎉 Enhancements

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by voxpelli, a new releaser for mocha since your current version.


Updates qs from 6.7.0 to 6.13.0

Changelog

Sourced from qs's changelog.

6.13.0

  • [New] parse: add strictDepth option (#511)
  • [Tests] use npm audit instead of aud

6.12.3

  • [Fix] parse: properly account for strictNullHandling when allowEmptyArrays
  • [meta] fix changelog indentation

6.12.2

  • [Fix] parse: parse encoded square brackets (#506)
  • [readme] add CII best practices badge

6.12.1

  • [Fix] parse: Disable decodeDotInKeys by default to restore previous behavior (#501)
  • [Performance] utils: Optimize performance under large data volumes, reduce memory usage, and speed up processing (#502)
  • [Refactor] utils: use +=
  • [Tests] increase coverage

6.12.0

  • [New] parse/stringify: add decodeDotInKeys/encodeDotKeys options (#488)
  • [New] parse: add duplicates option
  • [New] parse/stringify: add allowEmptyArrays option to allow [] in object values (#487)
  • [Refactor] parse/stringify: move allowDots config logic to its own variable
  • [Refactor] stringify: move option-handling code into normalizeStringifyOptions
  • [readme] update readme, add logos (#484)
  • [readme] stringify: clarify default arrayFormat behavior
  • [readme] fix line wrapping
  • [readme] remove dead badges
  • [Deps] update side-channel
  • [meta] make the dist build 50% smaller
  • [meta] add sideEffects flag
  • [meta] run build in prepack, not prepublish
  • [Tests] parse: remove useless tests; add coverage
  • [Tests] stringify: increase coverage
  • [Tests] use mock-property
  • [Tests] stringify: improve coverage
  • [Dev Deps] update @ljharb/eslint-config , aud, has-override-mistake, has-property-descriptors, mock-property, npmignore, object-inspect, tape
  • [Dev Deps] pin glob, since v10.3.8+ requires a broken jackspeak
  • [Dev Deps] pin jackspeak since 2.1.2+ depends on npm aliases, which kill the install process in npm < 6

6.11.2

  • [Fix] parse: Fix parsing when the global Object prototype is frozen (#473)
  • [Tests] add passing test cases with empty keys (#473)

6.11.1

  • [Fix] stringify: encode comma values more consistently (#463)
  • [readme] add usage of filter option for injecting custom serialization, i.e. of custom types (#447)
  • [meta] remove extraneous code backticks (#457)
  • [meta] fix changelog markdown

... (truncated)

Commits
  • 5cf516c v6.13.0
  • 8d56df2 [New] parse: add strictDepth option
  • c9a6694 [Tests] use npm audit instead of aud
  • f90cc35 v6.12.3
  • 1bf9f7a [Fix] parse: properly account for strictNullHandling when allowEmptyArrays
  • 7ebf48b [meta] fix changelog indentation
  • d0dff11 v6.12.2
  • f0b8d03 [Dev Deps] update @ljharb/eslint-config, object-inspect, tape
  • 81835ff [Fix]: parse: parse encoded square brackets
  • db47dcc [readme] add CII best practices badge
  • Additional commits viewable in compare view

Updates socket.io from 3.1.2 to 4.7.5

Release notes

Sourced from socket.io's releases.

4.7.5

Bug Fixes

  • close the adapters when the server is closed (bf64870)
  • remove duplicate pipeline when serving bundle (e426f3e)

Links

4.7.4

Bug Fixes

  • typings: calling io.emit with no arguments incorrectly errored (cb6d2e0), closes #4914

Links

4.7.3

Bug Fixes

  • return the first response when broadcasting to a single socket (#4878) (df8e70f)
  • typings: allow to bind to a non-secure Http2Server (#4853) (8c9ebc3)

Links

4.7.2

Bug Fixes

  • clean up child namespace when client is rejected in middleware (#4773) (0731c0d)...

    Description has been truncated

Bumps the npm_and_yarn group with 14 updates:

| Package | From | To |
| --- | --- | --- |
| [karma](https://github.com/karma-runner/karma) | `6.3.2` | `6.3.16` |
| [ansi-regex](https://github.com/chalk/ansi-regex) | `5.0.0` | `5.0.1` |
| [ansi-regex](https://github.com/chalk/ansi-regex) | `3.0.0` | `5.0.1` |
| [body-parser](https://github.com/expressjs/body-parser) | `1.19.0` | `1.20.3` |
| [got](https://github.com/sindresorhus/got) | `11.8.3` | `11.8.6` |
| [json5](https://github.com/json5/json5) | `1.0.1` | `1.0.2` |
| [log4js](https://github.com/log4js-node/log4js-node) | `6.3.0` | `6.9.1` |
| [minimist](https://github.com/minimistjs/minimist) | `1.2.5` | `1.2.8` |
| [nanoid](https://github.com/ai/nanoid) | `3.1.20` | `removed` |
| [mocha](https://github.com/mochajs/mocha) | `8.4.0` | `10.7.3` |
| [qs](https://github.com/ljharb/qs) | `6.7.0` | `6.13.0` |
| [socket.io](https://github.com/socketio/socket.io) | `3.1.2` | `4.7.5` |
| [socket.io-parser](https://github.com/Automattic/socket.io-parser) | `4.0.4` | `4.2.4` |
| [ws](https://github.com/websockets/ws) | `7.4.5` | `8.17.1` |


Updates `karma` from 6.3.2 to 6.3.16
- [Release notes](https://github.com/karma-runner/karma/releases)
- [Changelog](https://github.com/karma-runner/karma/blob/master/CHANGELOG.md)
- [Commits](karma-runner/karma@v6.3.2...v6.3.16)

Updates `ansi-regex` from 5.0.0 to 5.0.1
- [Release notes](https://github.com/chalk/ansi-regex/releases)
- [Commits](chalk/ansi-regex@v5.0.0...v5.0.1)

Updates `ansi-regex` from 3.0.0 to 5.0.1
- [Release notes](https://github.com/chalk/ansi-regex/releases)
- [Commits](chalk/ansi-regex@v5.0.0...v5.0.1)

Updates `body-parser` from 1.19.0 to 1.20.3
- [Release notes](https://github.com/expressjs/body-parser/releases)
- [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md)
- [Commits](expressjs/body-parser@1.19.0...1.20.3)

Updates `got` from 11.8.3 to 11.8.6
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](sindresorhus/got@v11.8.3...v11.8.6)

Updates `json5` from 1.0.1 to 1.0.2
- [Release notes](https://github.com/json5/json5/releases)
- [Changelog](https://github.com/json5/json5/blob/main/CHANGELOG.md)
- [Commits](json5/json5@v1.0.1...v1.0.2)

Updates `log4js` from 6.3.0 to 6.9.1
- [Changelog](https://github.com/log4js-node/log4js-node/blob/master/CHANGELOG.md)
- [Commits](log4js-node/log4js-node@v6.3.0...v6.9.1)

Updates `minimist` from 1.2.5 to 1.2.8
- [Changelog](https://github.com/minimistjs/minimist/blob/main/CHANGELOG.md)
- [Commits](minimistjs/minimist@v1.2.5...v1.2.8)

Removes `nanoid`

Updates `mocha` from 8.4.0 to 10.7.3
- [Release notes](https://github.com/mochajs/mocha/releases)
- [Changelog](https://github.com/mochajs/mocha/blob/main/CHANGELOG.md)
- [Commits](mochajs/mocha@v8.4.0...v10.7.3)

Updates `qs` from 6.7.0 to 6.13.0
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.7.0...v6.13.0)

Updates `socket.io` from 3.1.2 to 4.7.5
- [Release notes](https://github.com/socketio/socket.io/releases)
- [Changelog](https://github.com/socketio/socket.io/blob/4.7.5/CHANGELOG.md)
- [Commits](socketio/socket.io@3.1.2...4.7.5)

Updates `socket.io-parser` from 4.0.4 to 4.2.4
- [Release notes](https://github.com/Automattic/socket.io-parser/releases)
- [Changelog](https://github.com/socketio/socket.io-parser/blob/4.2.4/CHANGELOG.md)
- [Commits](socketio/socket.io-parser@4.0.4...4.2.4)

Updates `ws` from 7.4.5 to 8.17.1
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@7.4.5...8.17.1)

---
updated-dependencies:
- dependency-name: karma
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: ansi-regex
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ansi-regex
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: body-parser
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: got
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: json5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: log4js
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimist
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: nanoid
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: mocha
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: socket.io
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: socket.io-parser
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants