search

SrDih / juice-shop

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
https://owasp-juice.shop
MIT License
0 stars 1 forks source link

[Snyk] Upgrade i18n from 0.11.1 to 0.14.2 #5

Open snyk-bot opened 2 years ago

snyk-bot commented 2 years ago

Snyk has created this PR to upgrade i18n from 0.11.1 to 0.14.2.

:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Release notes
Package name: i18n
  • 0.14.2 - 2022-03-05

    Fixed

    Fixes #493 - using i18n with a combination of retry and sync settings lead to a 'Maximum call stack size exceeded' exception due to an infinite loop while writing phrases to all locale files.

    const i18n = new I18n({
    // [...]
    retryInDefaultLocale: true,
    syncFiles: true,
})
  • 0.14.1 - 2022-01-30

    Fixed

    • upgrade all dev dependencies without breaking changes
    • upgrade all dependencies without breaking changes

    This also updates to mocha 9.2.0 (mochajs/mocha#4814) which fixes GHSA-qrpm-p2h7-hrv2

  • 0.14.0 - 2022-01-23

    Changed

    • replaces sprintf-js with fast-printf #453
    • replaces deprecated messageformat with @ messageformat/core #472
    • drops node support <10
    • local dev defaults to node 16
  • 0.13.4 - 2021-12-29

    Fixed

    • upgrade all dev dependencies without breaking changes
    • upgrade all dependencies without breaking changes

    see aa60ac7, 3139881 and 4e6963f for details

    Added

    • test directory traversal (#486)
  • 0.13.3 - 2021-05-08

    Fixed

    • upgrade transitive dev dependency of eslint, mocha, zombie to lodash@4.17.21
    • upgrade transitive dev dependency of zombie to url-parse@1.5.1
    • upgrade transitive dev dependency of eslint-plugin-import to hosted-git-info@2.8.9
  • 0.13.2 - 2020-08-21

    Fixed

    • moved devDeps from dependencies to devDependencies #446
    • removed unused packages from all dependencies
  • 0.13.1 - 2020-08-20

    Fixed

    • npx npm-force-resolutions failed #445

    Details

    A preinstall script was added to force resolving specific versions of lodash and ajv. Those are sub-dependencies of zombie and its packages. Zombie is devDependency of i18n. But zombie still refers to older versions reported to vulnerable - so I decided to force fixed versions.

    Of course that preinstall should count on any npm install i18n, it's renamed to force-resolutions so I can still resolve audit issues in dev while also supporting clean installs.

    "scripts": {
  "preinstall": "npx npm-force-resolutions"
}

    now reads as

    "scripts": {
  "force-resolutions": "npx npm-force-resolutions"
}

    And doesn't get triggered by npm install.

  • 0.13.0 - 2020-08-20

    Added

    • new option retryInDefaultLocale as proposed by PR #206
    • new option header as proposed by PRs #390 and #407
    • pre-commit hooks to ensure code-style (even on contributions)

    Fixed

    • typos in README

    Changed

    • tooling: eslint with standard.js & prettier presets replaces jshint
  • 0.12.0 - 2020-08-16

    Added

    • backward compatible default to singleton with const i18n = require('i18n')
    • create an instance of i18n by const i18n = new I18n()

    Example:

    /**
 * require I18n with capital I as constructor
 */
const { I18n } = require("i18n");

/**
 * create a new instance with it's configuration
 */
const i18n = new I18n({
    locales:['en', 'de'],
    directory: __dirname + '/locales'
});
  • 0.11.1 - 2020-08-04

    Fixed

    • dependabot bumbed minimist

    Minimist is a sub-dependency of mocha and messageformat:

    $ npm ls minimist
i18n@0.11.0 
├─┬ messageformat@2.3.0
│ └─┬ make-plural@4.3.0
│   └── minimist@1.2.5
└─┬ mocha@7.1.2
  └─┬ mkdirp@0.5.5
    └── minimist@1.2.5  deduped
from i18n GitHub release notes
Commit messages
Package name: i18n
  • 1d956f3 fix #493 (call stack bug) & tests
  • 388642f Merge pull request #492 from mashpie/dependabot/npm_and_yarn/url-parse-1.5.10
  • bf5525f Bump url-parse from 1.5.7 to 1.5.10
  • ce26074 Merge pull request #491 from mashpie/dependabot/npm_and_yarn/url-parse-1.5.7
  • c9e4742 Bump url-parse from 1.5.3 to 1.5.7
  • 769b804 Merge tag '0.14.1'
  • 3dcc53b Merge branch 'release/0.14.1' into npm
  • 2c90fc4 pkg updates
  • 995392d version bump
  • 02dd49d tests: use arrow function
  • fa50268 eslint refactor var -> const,let
  • abb05ec refactor to arrow functions
  • 5855724 drop node support < 10
  • 9e6559a Merge branch 'gajus-master'
  • 234b94b (re-)added tests fast-printf #453
  • ef5675c Merge branch 'master' of git://github.com/gajus/i18n-node into gajus-master
  • 2461a97 typo
  • 737b67d refactored test to cover mf plurals
  • 42f12d3 Merge branch 'calmonr-fix-messageformat'
  • 0faeee0 Merge branch 'fix-messageformat' of https://github.com/calmonr/i18n-node into calmonr-fix-messageformat
  • 6018b9f Merge tag '0.13.4'
  • 9683cc6 Merge branch 'release/0.13.4' into npm
  • bdce606 v0.13.4
  • 4e6963f upgrade tested
Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

sonarcloud[bot] commented 2 years ago

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
0.0% 0.0% Duplication