Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump the npm_and_yarn group with 5 updates #746

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Bump the npm_and_yarn group with 5 updates #746

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github May 30, 2024

Bumps the npm_and_yarn group with 5 updates:

Package From To
express 4.18.2 4.19.2
mysql2 3.6.1 3.9.8
pug 3.0.2 3.0.3
glob-parent 3.1.0 5.1.2
webpack 4.46.0 5.91.0

Updates express from 4.18.2 to 4.19.2

Release notes

Sourced from express's releases.

4.19.2

What's Changed

Full Changelog: expressjs/express@4.19.1...4.19.2

4.19.1

What's Changed

Full Changelog: expressjs/express@4.19.0...4.19.1

4.19.0

What's Changed

New Contributors

Full Changelog: expressjs/express@4.18.3...4.19.0

4.18.3

Main Changes

Other Changes

... (truncated)

Changelog

Sourced from express's changelog.

4.19.2 / 2024-03-25

  • Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

  • Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

4.18.3 / 2024-02-29

Commits
  • 04bc627 4.19.2
  • da4d763 Improved fix for open redirect allow list bypass
  • 4f0f6cc 4.19.1
  • a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
  • a1fa90f fixed un-edited version in history.md for 4.19.0
  • 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
  • 084e365 4.19.0
  • 0867302 Prevent open redirect allow list bypass due to encodeurl
  • 567c9c6 Add note on how to update docs for new release (#5541)
  • 69a4cf2 deps: [email protected]
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.


Updates mysql2 from 3.6.1 to 3.9.8

Release notes

Sourced from mysql2's releases.

v3.9.8

3.9.8 (2024-05-26)

Bug Fixes

  • security: sanitize fields and tables when using nestTables (#2702) (efe3db5)
  • support deno + caching_sha2_password FULL_AUTHENTICATION_PACKET flow (#2704) (2e03694)
  • typings: typo from jonServerPublicKey to onServerPublicKey (#2699) (8b5f691)

v3.9.7

3.9.7 (2024-04-21)

Bug Fixes

  • security: sanitize timezone parameter value to prevent code injection - report by zhaoyudi (Nebulalab) (#2608) (7d4b098)

v3.9.6

3.9.6 (2024-04-18)

Bug Fixes

  • binary parser sometimes reads out of packet bounds when results contain null and typecast is false (#2601) (705835d)

v3.9.5

3.9.5 (2024-04-17)

Bug Fixes

  • revert breaking change in results creation (#2591) (f7c60d0)

v3.9.4

3.9.4 (2024-04-09)

Bug Fixes

  • SSL: separate each certificate into an individual item #2542 (63f1055)
  • security: improve supportBigNumbers and bigNumberStrings sanitization (#2572) (74abf9e)
    • Fixes a potential RCE attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
  • security: improve results object creation (#2574) (4a964a3)
    • Fixes a potential Prototype Pollution attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
  • docs: improve the contribution guidelines (#2552) (8a818ce)

v3.9.3

3.9.3 (2024-03-26)

... (truncated)

Changelog

Sourced from mysql2's changelog.

3.9.8 (2024-05-26)

Bug Fixes

  • security: sanitize fields and tables when using nestTables (#2702) (efe3db5)
  • support deno + caching_sha2_password FULL_AUTHENTICATION_PACKET flow (#2704) (2e03694)
  • typings: typo from jonServerPublicKey to onServerPublicKey (#2699) (8b5f691)

3.9.7 (2024-04-21)

Bug Fixes

  • security: sanitize timezone parameter value to prevent code injection (#2608) (7d4b098)

3.9.6 (2024-04-18)

Bug Fixes

  • binary parser sometimes reads out of packet bounds when results contain null and typecast is false (#2601) (705835d)

3.9.5 (2024-04-17)

Bug Fixes

  • revert breaking change in results creation (#2591) (f7c60d0)

3.9.4 (2024-04-09)

Bug Fixes

  • docs: improve the contribution guidelines (#2552) (8a818ce)
  • security: improve results object creation (#2574) (4a964a3)
  • security: improve supportBigNumbers and bigNumberStrings sanitization (#2572) (74abf9e)

3.9.3 (2024-03-26)

Bug Fixes

  • security: improve cache key formation (#2424) (0d54b0c)
    • Fixes a potential parser cache poisoning attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
  • update Amazon RDS SSL CA cert (#2131) (d9dccfd)

3.9.2 (2024-02-26)

... (truncated)

Commits
  • f637d3f chore(master): release 3.9.8 (#2700)
  • efe3db5 fix(security): sanitize fields and tables when using nestTables (#2702)
  • 2e03694 fix: support deno + caching_sha2_password FULL_AUTHENTICATION_PACKET flow (#2...
  • 8b5f691 fix(typings): typo from jonServerPublicKey to onServerPublicKey (#2699)
  • 5c75802 build(deps-dev): bump tsx from 4.10.5 to 4.11.0 in /website (#2695)
  • 179769f build(deps): bump @​easyops-cn/docusaurus-search-local in /website (#2696)
  • 56289e2 build(deps-dev): bump poku from 1.12.1 to 1.13.0 (#2698)
  • b029308 build(deps-dev): bump poku from 1.12.1 to 1.13.0 in /website (#2697)
  • 539acb8 build(deps): bump lucide-react from 0.378.0 to 0.379.0 in /website (#2693)
  • dc80580 build(deps-dev): bump @​typescript-eslint/eslint-plugin from 7.9.0 to 7.10.0 i...
  • Additional commits viewable in compare view

Updates pug from 3.0.2 to 3.0.3

Release notes

Sourced from pug's releases.

[email protected]

Bug Fixes

  • Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options (#3438)

[email protected]

Bug Fixes

  • Update pug-code-gen with the following fix: (#3438)

    Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options

Commits

Updates glob-parent from 3.1.0 to 5.1.2

Release notes

Sourced from glob-parent's releases.

v5.1.2

Bug Fixes

v5.1.1

Bug Fixes

v5.1.0

Features

  • add flipBackslashes option to disable auto conversion of slashes (closes #24) (#25) (eecf91d)

v5.0.0

⚠ BREAKING CHANGES

  • Drop support for node <6 & bump dependencies

Miscellaneous Chores

  • Drop support for node <6 & bump dependencies (896c0c0)

v4.0.0

⚠ BREAKING CHANGES

  • question marks are valid path characters on Windows so avoid flagging as a glob when alone
  • Update is-glob dependency

Features

  • hoist regexps and strings for performance gains (4a80667)
  • question marks are valid path characters on Windows so avoid flagging as a glob when alone (2a551dd)
  • Update is-glob dependency (e41fcd8)
Changelog

Sourced from glob-parent's changelog.

5.1.2 (2021-03-06)

Bug Fixes

6.0.2 (2021-09-29)

Bug Fixes

6.0.1 (2021-07-20)

Bug Fixes

6.0.0 (2021-05-03)

⚠ BREAKING CHANGES

  • Correct mishandled escaped path separators (#34)
  • upgrade scaffold, dropping node <10 support

Bug Fixes

  • Correct mishandled escaped path separators (#34) (32f6d52), closes #32

Miscellaneous Chores

  • upgrade scaffold, dropping node <10 support (e83d0c5)

5.1.1 (2021-01-27)

Bug Fixes

5.1.0 (2021-01-27)

Features

  • add flipBackslashes option to disable auto conversion of slashes (closes #24) (#25) (eecf91d)

5.0.0 (2021-01-27)

⚠ BREAKING CHANGES

  • Drop support for node <6 & bump dependencies

... (truncated)

Commits
  • eb2c439 chore: update changelog
  • 12bcb6c chore: release 5.1.2
  • f923116 fix: eliminate ReDoS (#36)
  • 0b014a7 chore: add JSDoc returns information (#33)
  • 2b24ebd chore: generate initial changelog
  • 9b6e874 chore: release 5.1.1
  • 749c35e ci: try wrapping the JOB_ID in a string
  • 5d39def ci: attempt to switch to published coveralls
  • 0b5b37f ci: put the npm step back in for only Windows
  • 473f5d8 ci: update azure build images
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by phated, a new releaser for glob-parent since your current version.


Updates webpack from 4.46.0 to 5.91.0

Release notes

Sourced from webpack's releases.

v5.91.0

Bug Fixes

  • Deserializer for ignored modules doesn't crash
  • Allow the unsafeCache option to be a proxy object
  • Normalize the snapshot.unmanagedPaths option
  • Fixed fs types
  • Fixed resolve's plugins types
  • Fixed wrongly calculate postOrderIndex
  • Fixed watching types
  • Output import attrbiutes/import assertions for external JS imports
  • Throw an error when DllPlugin needs to generate multiple manifest files, but the path is the same
  • [CSS] Output layer/supports/media for external CSS imports

New Features

  • Allow to customize the stage of BannerPlugin
  • [CSS] Support CSS exports convention
  • [CSS] support CSS local ident name
  • [CSS] Support __webpack_nonce__ for CSS chunks
  • [CSS] Support fetchPriority for CSS chunks
  • [CSS] Allow to use LZW to compress css head meta (enabled in the production mode by default)
  • [CSS] Support prefetch/preload for CSS chunks

v5.90.3

Bug Fixes

  • don't mangle when destructuring a reexport
  • types for Stats.toJson() and Stats.toString()
  • many internal types
  • [CSS] clean up export css local vars

Perf

  • simplify and optimize chunk graph creation

v5.90.2

Bug Fixes

  • use Math.imul in fnv1a32 to avoid loss of precision, directly hash UTF16 values
  • the setStatus() of the HMR module should not return an array, which may cause infinite recursion
  • __webpack_exports_info__.xxx.canMangle shouldn't always same as default
  • mangle export with destructuring
  • use new runtime to reconsider skipped connections activeState
  • make dynamic import optional in try/catch
  • improve auto publicPath detection

Dependencies & Maintenance

  • improve CI setup and include Node.js@21

... (truncated)

Commits
  • 60daca5 chore(release): 5.91.0
  • 8dad9ce chore(deps-dev): bump @​babel/preset-react from 7.23.3 to 7.24.1
  • a3229f9 chore(deps-dev): bump @​babel/core from 7.24.0 to 7.24.1
  • 40c2e44 chore(deps-dev): bump @​types/node from 20.11.29 to 20.11.30
  • a04faba chore(deps-dev): bump memfs from 4.7.7 to 4.8.0
  • 8f22221 chore(deps): bump es-module-lexer from 1.4.1 to 1.4.2
  • 8df6912 chore(deps): bump es-module-lexer from 1.4.1 to 1.4.2
  • 711c618 chore(deps-dev): bump memfs from 4.7.7 to 4.8.0
  • c462bb3 chore(deps-dev): bump @​types/node from 20.11.29 to 20.11.30
  • f0d3e3e chore(deps-dev): bump @​babel/preset-react from 7.23.3 to 7.24.1
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by evilebottnawi, a new releaser for webpack since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the npm_and_yarn group with 5 updates
66ce5f7 
Bumps the npm_and_yarn group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [express](https://github.com/expressjs/express) | `4.18.2` | `4.19.2` |
| [mysql2](https://github.com/sidorares/node-mysql2) | `3.6.1` | `3.9.8` |
| [pug](https://github.com/pugjs/pug) | `3.0.2` | `3.0.3` |
| [glob-parent](https://github.com/gulpjs/glob-parent) | `3.1.0` | `5.1.2` |
| [webpack](https://github.com/webpack/webpack) | `4.46.0` | `5.91.0` |


Updates `express` from 4.18.2 to 4.19.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@4.18.2...4.19.2)

Updates `mysql2` from 3.6.1 to 3.9.8
- [Release notes](https://github.com/sidorares/node-mysql2/releases)
- [Changelog](https://github.com/sidorares/node-mysql2/blob/master/Changelog.md)
- [Commits](sidorares/node-mysql2@v3.6.1...v3.9.8)

Updates `pug` from 3.0.2 to 3.0.3
- [Release notes](https://github.com/pugjs/pug/releases)
- [Commits](https://github.com/pugjs/pug/compare/[email protected]@3.0.3)

Updates `glob-parent` from 3.1.0 to 5.1.2
- [Release notes](https://github.com/gulpjs/glob-parent/releases)
- [Changelog](https://github.com/gulpjs/glob-parent/blob/main/CHANGELOG.md)
- [Commits](gulpjs/glob-parent@v3.1.0...v5.1.2)

Updates `webpack` from 4.46.0 to 5.91.0
- [Release notes](https://github.com/webpack/webpack/releases)
- [Commits](webpack/webpack@v4.46.0...v5.91.0)

---
updated-dependencies:
- dependency-name: express
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: mysql2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: pug
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: glob-parent
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: webpack
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label May 30, 2024
@dependabot dependabot bot mentioned this pull request May 30, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants