adrien2p / medusa-extender

:syringe: Medusa on steroid, take your medusa project to the next level with some badass features :rocket:
https://adrien2p.github.io/medusa-extender/
MIT License

chore(deps): bump jsonwebtoken and @medusajs/medusa #198

Closed dependabot[bot] closed 1 year ago

dependabot[bot] commented 1 year ago

Bumps jsonwebtoken to 9.0.0 and updates ancestor dependency @medusajs/medusa. These dependencies need to be updated together.

Updates jsonwebtoken from 8.5.1 to 9.0.0

Changelog

Sourced from jsonwebtoken's changelog.

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

Security fixes

  • security: fixes Arbitrary File Write via verify function - CVE-2022-23529
  • security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
  • security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
  • security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539
Commits
  • e1fa9dc Merge pull request from GHSA-8cf7-32gw-wr33
  • 5eaedbf chore(ci): remove github test actions job (#861)
  • cd4163e chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)
  • ecdf6cc fix!: Prevent accidental use of insecure key sizes & misconfiguration of secr...
  • 8345030 fix(sign&verify)!: Remove default none support from sign and verify met...
  • 7e6a86b Upload OpsLevel YAML (#849)
  • 74d5719 docs: update references vercel/ms references (#770)
  • d71e383 docs: document "invalid token" error
  • 3765003 docs: fix spelling in README.md: Peak -> Peek (#754)
  • a46097e docs: make decode impossible to discover before verify
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jsonwebtoken since your current version.


Updates @medusajs/medusa from 1.7.6 to 1.12.0

Release notes

Sourced from @medusajs/medusa's releases.

v1.12.0

Highlights

Breaking changes

In our quest to improve performance, a public method in the PriceSelectionStrategy has been updated to support bulk calculations of variant prices. Specifically, the following signatures have changed:

// Before
calculateVariantPrice(variantId: string, context: PriceSelectionContext): Promise<PriceSelectionResult>
// Now
calculateVariantPrice(data: { variantId: string; quantity?: number; }[], context: PriceSelectionContext): Promise<Map<string, PriceSelectionResult>>

Additionally (non-breaking), the following DB indexes have been added:

idx_money_amount_variant_id ON money_amount (variant_id);
idx_money_amount_region_id ON money_amount (region_id);
idx_product_option_value_variant_id ON product_option_value (variant_id);
idx_product_option_value_option_id ON product_option_value (option_id);

idx_gin_product_title ON product USING gin (title gin_trgm_ops);
idx_gin_product_description ON product USING gin (description gin_trgm_ops);
idx_gin_product_variant_title ON product_variant USING gin (title gin_trgm_ops);
idx_gin_product_variant_sku ON product_variant USING gin (sku gin_trgm_ops);
idx_gin_product_collection ON product_collection USING gin (title gin_trgm_ops);

The packages class-validator and class-transformer have been removed from @medusajs/utils.

The TransactionBaseService has been removed from @medusajs/utils. This class should be imported from @medusajs/medusa.

The utilities build-query, db-aware-column, base-entity, and soft-deletable-entity have been removed from @medusajs/utils. These should be imported from @medusajs/medusa.

Support for SQLite dropped

SQLite support was initially added to reduce friction for developers trying Medusa for the first time. It runs on most operating systems without installation, allowing you to start a Medusa starter without preparing a Postgres database.

Though, as we've added features that use more advanced database concepts, we've seen that SQLite has started to cause more harm than good. And frankly, we've not prioritized maintaining the support, as removing it was always part of our plans. SQLite still allows developers to get started very quickly. However, as soon as you start using our admin system or set up the storefront starter, issues caused by the limitations of SQLite arise. These issues are primarily centered around transaction management, a concept used extensively in our core and poorly supported by SQLite.

Therefore, as of this release, SQLite is no longer supported. The pros simply do not outweigh the cons at this point.

What does this mean for your setup?

In the highly unlikely case that you are using SQLite, this will be a breaking change. So, you'll need to set up Postgres for your Medusa server as part of bumping to this version. You can find a guide in our documentation on how to do this.

If you are not using SQLite, these changes will not affect your setup.

Reservation management

With the introduction of our Inventory Module, we added the notion of reservations. Right now, reservations are, from a store administrator perspective, limited to order items and cannot really be used outside the context of an order - unless you consume the API directly.

... (truncated)

Changelog

Sourced from @medusajs/medusa's changelog.

1.12.0

Minor Changes

Patch Changes

1.11.0

Minor Changes

Patch Changes

... (truncated)

Commits
  • 8f8f633 chore: Version Packages (#4114)
  • 0f87d3d chore(medusa,admin-ui): Add reservations FF (#4184)
  • 6998666 fix(medusa): Upserting tax rates (#4189)
  • e3cfbcd fix(medusa): migrations cli should also pull from ${plugin}/dist (#3956)
  • db41995 chore(utils): clean util package deps (#4146)
  • 92f01ce fix(medusa): downgrade papaparse version (#4174)
  • 0a35f21 feat(medusa, inventory): Search inventory items by title and description (#4154)
  • 3a38c84 feat(medusa,inventory,types): Expand list-reservation capabilities (#3979)
  • 4f3c8f5 feat(admin-ui,medusa): Reservations management (#4081)
  • 0476f52 Feat(medusa, admin-ui): Update edit allocation modal (#4071)
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/adrien2p/medusa-extender/network/alerts).
dependabot[bot] commented 1 year ago

OK, I won't notify you again about this release, but will get in touch when a new version is available.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.