PrismarineJS / prismarine-viewer

Web based viewer for servers and bots
https://prismarinejs.github.io/prismarine-viewer/
MIT License

Bump @tweenjs/tween.js from 23.1.3 to 25.0.0 #432

Open dependabot[bot] opened 2 months ago

dependabot[bot] commented 2 months ago

Bumps @tweenjs/tween.js from 23.1.3 to 25.0.0.

Release notes

Sourced from @tweenjs/tween.js's releases.

v25.0.0 - end of the end

BREAKING: no longer auto-start tweens by default when calling tween.update(). To restore previous behavior for the whole app, set the static Tween.autoStartOnUpdate property to true.

fix: make the end() method work better by setting the end time to start + duration instead of Infinity.

Full Changelog: https://github.com/tweenjs/tween.js/compare/v24.0.0...v25.0.0

v24.0.0 - groupies!

This release finally deprecates usage of TWEEN as a default Group. All new Tweens now default to having no group, and must be explicitly added to a group if desired. Plus some other improvements related to groups, including breaking changes (see below for all details and how to migrate if affected).


More Details

  • feat: do not automatically add/remove a tween to/from its associated group, and do not automatically add new Tweens to the global TWEEN group by default.
  • feat: the tween.group(group) method now has a reciprocal tween.remove() method that will remove a tween from its associated group, and unassociate the group. tween.group() without an arg is no longer valid, see breaking changes and migration below.
  • fix: when a tween is stopped before its end time, do not allow its update method to continue, therefore preventing logic (f.e. repeat logic) from being triggered
  • docs: improved the docs, adding some missing information, removing all examples of the global TWEEN group which has been deprecated, and adding docs on how to manage groups of tweens. Also updated samples to use import syntax for importing Tween, avoiding the use of the TWEEN UMD global variable which has been deprecated.
  • feat: A new Group.allStopped() method returns true if all tweens in a group are not playing (i.e. stopped, and not paused), otherwise false. Useful for stopping an animation loop once all tweens in a group have finished their animation.
  • deprecated: Methods on TWEEN that come from Group are now deprecated to be removed in a future major version. Migrate forward by making a new Group instead of using TWEEN as a group.
  • deprecated: The UMD script that creates a global TWEEN variable is deprecated to be removed in a future major version.
  • deprecated: The CommonJS build is deprecated to be removed in a future major version.

BREAKING:

  • Tweens are no longer automatically added or removed from groups by default when you call any Tween methods such as start(), stop(), or pause(), and the preserve parameter to Group.update() now defaults to true and is deprecated to be removed in a future major version.
    • MIGRATION: To keep old behavior for a while, explicitly call group.update() with false for the second parameter. To migrate forward, do not rely on automatic add/remove of tweens, and instead add/remove tweens to/from groups manually.
  • Group.update() no longer returns a boolean indicating if all tweens have been removed.
    • MIGRATION: Don't rely on auto-add/remove to/from groups. This boolean return was previously useful for stopping an animation loop once all tweens were finished animating. Instead, use the new Group.allStopped() method to check if all tweens in a group are stopped in order to determine whether or not to continue an animation loop.
  • The second group parameter to Tween.constructor now defaults to undefined instead of the global TWEEN group. Additionally it accepts a value of true to restore the old default behavior. The true value is deprecated and will be removed in a future major version.
    • MIGRATION: For the time being the parameter can be set to true to restore the old behavior. To migrate forward, use tween.group(group) or group.add(tween) instead.
  • The argless tween.group() signature has been removed.

... (truncated)

Commits
  • eb07dd2 v25.0.0
  • 79fd510 BREAKING: no longer auto-start tweens by default when calling tween.update()....
  • c92f761 v24.0.0
  • 20169e2 Merge pull request #688 from tweenjs/default-to-no-global-group
  • f28f069 feat: do not automatically add/remove a tween to/from its associated group
  • 2469f1c Merge pull request #685 from Bug-Reaper/patch-1
  • 68d91ce ✍️ : Adds missing letter "m" in importmap example.
  • 0b1d4cf ✍️ : Fix path for module-map example (missing dot)
  • See full diff in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

socket-security[bot] commented 2 months ago

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

| Package | New capabilities | Transitives | Size | Publisher |
|---|---|---|---|---|
| npm/@tweenjs/tween.js@25.0.0 | None | 0 | 224 kB | trusktr |
| npm/canvas@2.11.2 | filesystem Transitive: environment | +1 | 688 kB | calebhearon |

🚮 Removed packages: npm/@tweenjs/tween.js@23.1.3, npm/vblob@1.0.2

View full report↗︎

socket-security[bot] commented 2 months ago

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

| Alert | Package | Note | Source | CI |
|---|---|---|---|---|
| Install scripts | npm/canvas@2.11.2 | Install script: install; Source: node-pre-gyp install --fallback-to-build --update-binary | | 🚫 |

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm/canvas@2.11.2
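
The install-script alert above can be reproduced locally as a review gate. The following is an added example, not part of the Socket comment or of this repository's code: it lists the install-time hooks in a package manifest and the `package-lock.json` entries (lockfileVersion 2 or 3) that npm marked with `hasInstallScript`, minus a reviewed allowlist. The function names, the allowlist format and the sample lockfile are assumptions made for illustration.

```javascript
'use strict';

// npm runs these lifecycle scripts from a dependency's package.json on install.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Return the install-time hooks declared in one parsed package.json manifest.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS
    .filter((h) => typeof scripts[h] === 'string' && scripts[h].trim() !== '')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Walk a parsed package-lock.json and list every entry npm flagged with
// hasInstallScript, minus an explicit name@version allowlist (hypothetical format).
function unreviewedInstallScripts(lock, allowlist = []) {
  const allowed = new Set(allowlist);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.hasInstallScript) continue; // '' is the root project
    // The package name follows the last "node_modules/" segment of the path.
    const i = path.lastIndexOf('node_modules/');
    const name = entry.name || (i === -1 ? path : path.slice(i + 'node_modules/'.length));
    const id = `${name}@${entry.version}`;
    if (!allowed.has(id)) findings.push({ id, path, dev: Boolean(entry.dev) });
  }
  return findings.sort((a, b) => a.id.localeCompare(b.id));
}

// Constructed sample data (not this repository's real lockfile or manifest).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@tweenjs/tween.js': { version: '25.0.0' },
    'node_modules/canvas': { version: '2.11.2', hasInstallScript: true },
    'node_modules/foo/node_modules/bar': { version: '0.1.0', hasInstallScript: true, dev: true },
  },
};
const sampleManifest = {
  name: 'canvas',
  scripts: { install: 'node-pre-gyp install --fallback-to-build --update-binary', test: 'mocha' },
};

console.log(installHooks(sampleManifest));
console.log(unreviewedInstallScripts(sampleLock, ['canvas@2.11.2']));
```

Run against the committed lockfile in CI, a non-empty result means a dependency gained an install script that nobody has reviewed yet.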