SocialGouv / dashlord-actions

GitHub actions for DashLord
Apache License 2.0

fix(deps): update dependency yaml to v2.2.2 [security] - autoclosed #263

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence | Type | Update |
|---|---|---|---|---|---|---|---|
| yaml (source) | ^1.10.2 -> ^2.0.0 | age | adoption | passing | confidence | dependencies | major |
| yaml | 1.10.2 -> 2.2.2 | age | adoption | passing | confidence | | |

GitHub Vulnerability Alerts

CVE-2023-2251

Uncaught Exception in GitHub repository eemeli/yaml prior to 2.2.2.


Release Notes

eemeli/yaml

### [`v2.2.2`](https://togithub.com/eemeli/yaml/releases/tag/v2.2.2)

[Compare Source](https://togithub.com/eemeli/yaml/compare/v2.2.1...v2.2.2)

This patch release includes a fix for an error that could be thrown in `parseDocument` for degenerate input. Otherwise, it's a patch release uplifting a few fixes from the ongoing v2.3 work to v2.2:

- Use correct argument order when stringifying flow collection comments ([#443](https://togithub.com/eemeli/yaml/issues/443))
- First-line folding for block scalars ([#422](https://togithub.com/eemeli/yaml/issues/422))
- Corner case failure in error pretty-printer ([CVE-2023-2251](https://huntr.dev/bounties/4b494e99-5a3e-40d9-8678-277f3060e96c/))

### [`v2.2.1`](https://togithub.com/eemeli/yaml/releases/tag/v2.2.1)

[Compare Source](https://togithub.com/eemeli/yaml/compare/v2.2.0...v2.2.1)

- Quote top-level map keys containing document markers ([#431](https://togithub.com/eemeli/yaml/issues/431))

### [`v2.2.0`](https://togithub.com/eemeli/yaml/releases/tag/v2.2.0)

[Compare Source](https://togithub.com/eemeli/yaml/compare/v2.1.3...v2.2.0)

##### New Features

- Add `flowCollectionPadding` toString option ([#420](https://togithub.com/eemeli/yaml/issues/420))
- Use indicator line for props on block collection values of mappings ([#425](https://togithub.com/eemeli/yaml/issues/425))

##### Bugfixes

- Minor relaxation of types for custom tags ([#429](https://togithub.com/eemeli/yaml/issues/429))

### [`v2.1.3`](https://togithub.com/eemeli/yaml/releases/tag/v2.1.3)

[Compare Source](https://togithub.com/eemeli/yaml/compare/v2.1.2...v2.1.3)

- Set correct node-end position for block collections with comments ([#413](https://togithub.com/eemeli/yaml/issues/413))

### [`v2.1.2`](https://togithub.com/eemeli/yaml/releases/tag/v2.1.2)

[Compare Source](https://togithub.com/eemeli/yaml/compare/v2.1.1...v2.1.2)

- Set correct node-end position for empty values with comments ([#413](https://togithub.com/eemeli/yaml/issues/413))

### [`v2.1.1`](https://togithub.com/eemeli/yaml/releases/tag/v2.1.1)

[Compare Source](https://togithub.com/eemeli/yaml/compare/v2.1.0...v2.1.1)

No changes in executable code, only TS types.

- Revert "Use TS named tuple for range ([#385](https://togithub.com/eemeli/yaml/issues/385))" -- see [#393](https://togithub.com/eemeli/yaml/issues/393)
- Fix types for compatibility with TS 4.2 and 4.7
- Add CI workflow for testing published type in a range of TS versions

### [`v2.1.0`](https://togithub.com/eemeli/yaml/releases/tag/v2.1.0)

[Compare Source](https://togithub.com/eemeli/yaml/compare/v2.0.1...v2.1.0)

Fixes for TypeScript users. Arguably this could've been a patch release as well.

- Improve/specify/fix TS types for Document & collection access methods ([#383](https://togithub.com/eemeli/yaml/issues/383))
- Use TS named tuple for range ([#385](https://togithub.com/eemeli/yaml/issues/385))
- Rename internal Document option as `_directives` to resolve type conflict with ToString options ([#389](https://togithub.com/eemeli/yaml/issues/389))
- Update tsc target to ES2020 to match Node.js support
- Update dev dependencies, including jest 28

### [`v2.0.1`](https://togithub.com/eemeli/yaml/releases/tag/v2.0.1)

[Compare Source](https://togithub.com/eemeli/yaml/compare/v2.0.0...v2.0.1)

- Fix tags and anchors on map keys ([#378](https://togithub.com/eemeli/yaml/issues/378))

### [`v2.0.0`](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0)

[Compare Source](https://togithub.com/eemeli/yaml/compare/v1.10.2...v2.0.0)

This update has been in the works for the last year and a half. Its prerelease versions have been thoroughly tested by a wide number of users, and I think it's finally ready for "actual" release, for use in the mythical "production".

The breaking changes introduced here are mostly originating from the v1 CST parser having become a rather difficult beast to work with. So it's here rewritten pretty much completely, now with a lexer as a first stage. Along the way, the whole project was rewritten in TypeScript and the export paths and options refactored pretty deeply.

If you've been using the library just via its `parse()`, `parseDocument()` and `stringify()` functions, then it's quite likely that none of the changes affect your experience in any way. However, if you've been doing something more involved, then I would strongly recommend that you review the library's [documentation site](https://eemeli.org/yaml/) for the v2 docs.

Going forward, it's finally time to start experimenting with new YAML spec features that may eventually be included in [YAML 1.3 and later](https://togithub.com/yaml/yaml-spec/). Those will be made available by specifying the `version: 'next'` option. However, beware! Any features available this way may be removed or have their API broken by any **minor** release of this library, and no compatibility guarantees with other libraries are given. In general, semver compatibility is guaranteed for features that are explicitly included in the documentation; everything else should be considered as internal implementation details.

The following is an overview of the breaking changes and new features introduced in each of the prerelease steps leading up to this release; the individual releases' notes and the PRs will contain more detail, along with specific migration guides.

##### BREAKING CHANGES

##### [v2.0.0-0](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0-0)

- Drop deprecated end points, members, options & defaults ([#171](https://togithub.com/eemeli/yaml/issues/171))
- Breaking changes to Document & createNode APIs ([#186](https://togithub.com/eemeli/yaml/issues/186))
- When creating a mapping from a JS Object, drop undefined values ([#173](https://togithub.com/eemeli/yaml/issues/173))
- Retain existing nodes when using `set()` in mappings & sequences ([#185](https://togithub.com/eemeli/yaml/issues/185))

##### [v2.0.0-1](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0-1)

- Improve JSON compatibility ([#189](https://togithub.com/eemeli/yaml/issues/189))
- Refactor tag `resolve()` API ([#201](https://togithub.com/eemeli/yaml/issues/201))

##### [v2.0.0-3](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0-3)

- Drop `'yaml/parse-cst'` endpoint ([#223](https://togithub.com/eemeli/yaml/issues/223))
- Update build configs & minimum supported versions ([#224](https://togithub.com/eemeli/yaml/issues/224))

##### [v2.0.0-4](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0-4)

- Refactor options ([#235](https://togithub.com/eemeli/yaml/issues/235))
- Refactor parsing completely ([#203](https://togithub.com/eemeli/yaml/issues/203))
- Merge all of `'yaml/types'` and some of `'yaml/util'` into `'yaml'` ([#234](https://togithub.com/eemeli/yaml/issues/234))
- Refactor node identification ([#233](https://togithub.com/eemeli/yaml/issues/233))
- Drop `type` property from all but Scalar nodes ([#240](https://togithub.com/eemeli/yaml/issues/240))
- Refactor as TypeScript ([#233](https://togithub.com/eemeli/yaml/issues/233))

##### [v2.0.0-5](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0-5)

- Make anchor & alias resolution lazier ([#248](https://togithub.com/eemeli/yaml/issues/248))
- Split flow collections into items in Parser ([#249](https://togithub.com/eemeli/yaml/issues/249))
- Make Pair not extend NodeBase; drop its prop forwarding ([#245](https://togithub.com/eemeli/yaml/issues/245), [#250](https://togithub.com/eemeli/yaml/issues/250))
- Rename the `tokens` namespace as `CST` ([#252](https://togithub.com/eemeli/yaml/issues/252))
- Turn the Lexer, Parser & Composer into generators ([#253](https://togithub.com/eemeli/yaml/issues/253))
- Refactor Node range as `[start, value-end, node-end]` ([#259](https://togithub.com/eemeli/yaml/issues/259))
- Replace `error.offset` with `error.pos: [number, number]` ([#260](https://togithub.com/eemeli/yaml/issues/260))

##### [v2.0.0-6](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0-6)

- Fix empty lines & trailing comments ([#278](https://togithub.com/eemeli/yaml/issues/278))
- Drop Node.js 10 support

##### [v2.0.0-9](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0-9)

- Allow disabling single & block quotes completely ([#326](https://togithub.com/eemeli/yaml/issues/326))

##### [v2.0.0-10](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0-10)

- The TS type of `doc.directives` now indicates it as optional ([#344](https://togithub.com/eemeli/yaml/issues/344))

##### [v2.0.0-11](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0-11)

- `YAML.defaultOptions` is removed ([#346](https://togithub.com/eemeli/yaml/issues/346))
- `directives.marker` is renamed as `directives.docStart` ([#371](https://togithub.com/eemeli/yaml/issues/371))

##### v2.0.0

- Drop Node.js 12 support (end-of-life 2022-04-30)

##### New Features

##### [v2.0.0-0](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0-0)

- Resolve known tags in core schema ([#172](https://togithub.com/eemeli/yaml/issues/172))
- Create intermediates for `set()` & `setIn()` on doc with empty contents ([#174](https://togithub.com/eemeli/yaml/issues/174))
- Fix intermediate collection creation for parsed documents ([#174](https://togithub.com/eemeli/yaml/issues/174))
- Improve quoted string flexibility ([#177](https://togithub.com/eemeli/yaml/issues/177))
- Add `defaultKeyType` option for finer control of scalar output ([#179](https://togithub.com/eemeli/yaml/issues/179))

##### [v2.0.0-1](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0-1)

- Remember source string for null scalars ([#193](https://togithub.com/eemeli/yaml/issues/193))
- Support `asBigInt` option for sexagesimal integer values

##### [v2.0.0-3](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0-3)

- Refactor logging control, adding `logLevel` option ([#215](https://togithub.com/eemeli/yaml/issues/215))
- Add `visit(node, visitor)` to `'yaml'` ([#225](https://togithub.com/eemeli/yaml/issues/225))

##### [v2.0.0-4](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0-4)

- Stringify top-level block scalars with header on marker line
- Add a couple of things to `'yaml/util'` that weren't exposed before

##### [v2.0.0-5](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0-5)

- Add Collection, Value & Node visitor aliases
- Add error codes
- Always include offset in CST tokens
- Add CST tools ([#252](https://togithub.com/eemeli/yaml/issues/252))

##### [v2.0.0-6](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0-6)

- Check key uniqueness; add `uniqueKeys` option ([#271](https://togithub.com/eemeli/yaml/issues/271))
- Drop special-casing `COMMENT_SPACE` error; use `MISSING_CHAR` for it instead

##### [v2.0.0-7](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0-7)

- Support immediate map values for `<<` merge keys, in addition to alias values

##### [v2.0.0-8](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0-8)

- Add a new createNode option `aliasDuplicateObjects` ([#299](https://togithub.com/eemeli/yaml/issues/299))
- Add `clone()` methods to Document, Directives, Schema and all Nodes ([#304](https://togithub.com/eemeli/yaml/issues/304))

##### [v2.0.0-9](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0-9)

- Add `keepSoureToken` parse option, adding `srcToken` values to Nodes ([#309](https://togithub.com/eemeli/yaml/issues/309))
- Allow for custom schema id, provided that `customTags` is defined ([#325](https://togithub.com/eemeli/yaml/issues/325))
- Expose tags & types required by custom composers ([#325](https://togithub.com/eemeli/yaml/issues/325))

##### [v2.0.0-10](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0-10)

- Add a compatibility checker ([#335](https://togithub.com/eemeli/yaml/issues/335))
- Support for Non-YAML Schemas ([#336](https://togithub.com/eemeli/yaml/issues/336), [#337](https://togithub.com/eemeli/yaml/issues/337), [#343](https://togithub.com/eemeli/yaml/issues/343), [#344](https://togithub.com/eemeli/yaml/issues/344))

##### [v2.0.0-11](https://togithub.com/eemeli/yaml/releases/tag/v2.0.0-11)

- Add warning for aliases & anchors ending with a colon ([#370](https://togithub.com/eemeli/yaml/issues/370))
- Add `directives.docEnd`, for `...` marker ([#371](https://togithub.com/eemeli/yaml/issues/371))
- Add `YAML.visitAsync()` ([#372](https://togithub.com/eemeli/yaml/issues/372))

##### v2.0.0

- Allow for a `'next'` YAML version

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.



This PR has been generated by Mend Renovate. View repository job log here.

sonarcloud[bot] commented 1 year ago

Kudos, SonarCloud Quality Gate passed!

| Metric | Rating | Result |
|---|---|---|
| Bugs | A | 0 Bugs |
| Vulnerabilities | A | 0 Vulnerabilities |
| Security Hotspots | A | 0 Security Hotspots |
| Code Smells | A | 0 Code Smells |
| Coverage | | No Coverage information |
| Duplication | | 0.0% Duplication |

socket-security[bot] commented 1 year ago

New dependency changes detected. Learn more about Socket for GitHub ↗︎


๐Ÿ‘ No new dependency issues detected in pull request

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

Pull request alert summary

| Issue | Status |
|---|---|
| Install scripts | ✅ 0 issues |
| Native code | ✅ 0 issues |
| Bin script shell injection | ✅ 0 issues |
| Unresolved require | ✅ 0 issues |
| Invalid package.json | ✅ 0 issues |
| HTTP dependency | ✅ 0 issues |
| Git dependency | ✅ 0 issues |
| Potential typo squat | ✅ 0 issues |
| Known Malware | ✅ 0 issues |
| Telemetry | ✅ 0 issues |
| Protestware/Troll package | ✅ 0 issues |

📊 Modified Dependency Overview:

| ⬆️ Updated Package | Version Diff | Added Capability Access | +/- Transitive Count | Publisher |
|---|---|---|---|---|
| yaml@2.2.2 | 1.10.2...2.2.2 | environment | +0/-0 | eemeli |