This is a backport of the minor ReDos vulnerability in ansi-regex@<6.0.1, as requested in #38.
Fix ReDoS in certain cases (#37)
You are only really affected if you run the regex on untrusted user input in a server context, which it's very unlikely anyone is doing, since this regex is mainly used in command-line tools.
I've formatted this as a FAQ, please feel free to open an issue for any additional question and I'll add the response here.
Q: What impact will this have on me?
In most cases, you shouldn't notice any change.
The only exception I can think of is if you pull code directly from https://github.com/visionmedia/debug, e.g. via a "debug": "visionmedia/debug"-type version entry in your package.json - in which case, you should still be fine due to the automatic redirection Github sets up, but you should also update any references as soon as possible.
Q: What are the security implications of this change?
If you pull code directly from the old URL, you should update the URL to https://github.com/debug-js/debug as soon as possible. The old organization has many approved owners and thus a new repository could (in theory) be created at the old URL, circumventing Github's automatic redirect that is in place now and serving malicious code. I (@qix-) also wouldn't have access to that repository, so while I don't think it would happen, it's still something to consider.
Even in such a case, however, the officially released package on npm (debug) would not be affected. That package is still very much under control (even more than it used to be).
Q: What should I do if I encounter an issue related to the migration?
Search the issues first to see if someone has already reported it, and then open a new issue if someone has not.
Q: Why was this done as a 'patch' release? Isn't this breaking?
No, it shouldn't be breaking. The package on npm shouldn't be affected (aside from this patch release) and any references to the old repository should automatically redirect.
Thus, according to all of the "APIs" (loosely put) involved, nothing should have broken.
Fixed jsdom's handling of when code running inside the jsdom throws null or undefined as an exception. (@mbest)
Removed the dependency on the deprecated request package, in the process fixing several issues with the XMLHttpRequest implementation around header processing. Thanks go to @tobyhinloopen, @andrewaylett, and especially @vegardbb, for completing this months-long effort!
Version 16.5.3
Fixed infinite recursion when using MutationObservers to observe elements inside a MutationObserver callback.
Version 16.5.2
Fixed Access-Control-Allow-Headers: * to work with XMLHttpRequest. (silviot)
Fixed xhr.response to strip any leading BOM when xhr.responseType is "json".
Fixed new Text() and new Comment() constructors to properly set the resulting node's ownerDocument.
Fixed customElements.whenDefined() to resolve its returned promise with the custom element constructor, per recent spec updates. (ExE-Boss)
Fixed parsing to ensure that <svg>\<template></template></svg> does not throw an exception, but instead correctly produces a SVG-namespace \<template> element.
Fixed domParser.parseFromString() to treat <noscript> elements appropriately.
Fixed form control validity checking when the control was outside the <form> element and instead associated using the form="" attribute.
Fixed legendEl.form to return the correct result based on its parent <fieldset>.
Fixed optionEl.text to exclude <script> descendants.
Fixed radio buttons and checkboxes to not fire input and change events when disconnected.
Fixed inputEl.indeterminate to reset to its previous value when canceling a click event on a checkbox or radio button.
Fixed the behavior of event handler attributes (e.g. onclick="...code...") when there were global variables named element or formOwner. (ExE-Boss)
On Node.js v14.6.0+ where WeakRefs are available, fixed NodeIterator to no longer stop working when more than ten NodeIterator instances are created, and to use less memory due to inactive NodeIterators sticking around. (ExE-Boss)
Version 16.5.1
Fixed a regression that broke customElements.get() in v16.5.0. (fdesforges)
Fixed window.event to have a setter which overwrites the window.event property with the given value, per the specification. This fixes an issue where after upgrading to jsdom v16.5.0 you would no longer be able to set a global variable named event in the jsdom context.
Version 16.5.0
Added window.queueMicrotask().
Added window.event.
Added inputEvent.inputType. (diegohaz)
Removed ondragexit from Window and friends, per a spec update.
Fixed the URL of about:blank iframes. Previously it was getting set to the parent's URL. (SimonMueller)
Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
Fixed the hidden="" attribute to cause display: none per the user-agent stylesheet. (ph-fritsche)
Fixed the new File() constructor to no longer convert / to :, per a pending spec update.
Fixed mutation observer callbacks to be called with the MutationObserver instance as their this value.
Fixed <input type=checkbox> and <input type=radio> to be mutable even when disabled, per a spec update.
Fixed XMLHttpRequest to not fire a redundant final progress event if a progress event was previously fired with the same loaded value. This would usually occur with small files.
Fixed XMLHttpRequest to expose the Content-Length header on cross-origin responses.
Fixed xhr.response to return null for failures that occur during the middle of the download.
Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)
Fixed edge cases around the properties of proxy-like objects such as localStorage or dataset. (ExE-Boss)
Fixed some bad cascade computation in getComputedStyle(). (romain-trotard)
16.6.0
Added parentNode.replaceChildren(). (ninevra)
Fixed jsdom's handling of when code running inside the jsdom throws null or undefined as an exception. (mbest)
Removed the dependency on the deprecated request package, in the process fixing several issues with the XMLHttpRequest implementation around header processing. Special thanks to vegardbb for completing this months-long effort!
16.5.3
Fixed infinite recursion when using MutationObservers to observe elements inside a MutationObserver callback.
16.5.2
Fixed Access-Control-Allow-Headers: * to work with XMLHttpRequest. (silviot)
Fixed xhr.response to strip any leading BOM when xhr.responseType is "json".
Fixed new Text() and new Comment() constructors to properly set the resulting node's ownerDocument.
Fixed customElements.whenDefined() to resolve its returned promise with the custom element constructor, per recent spec updates. (ExE-Boss)
Fixed parsing to ensure that <svg>\<template></template></svg> does not throw an exception, but instead correctly produces a SVG-namespace \<template> element.
Fixed domParser.parseFromString() to treat <noscript> elements appropriately.
Fixed form control validity checking when the control was outside the <form> element and instead associated using the form="" attribute.
Fixed legendEl.form to return the correct result based on its parent <fieldset>.
Fixed optionEl.text to exclude <script> descendants.
Fixed radio buttons and checkboxes to not fire input and change events when disconnected.
Fixed inputEl.indeterminate to reset to its previous value when canceling a click event on a checkbox or radio button.
Fixed the behavior of event handler attributes (e.g. onclick="...code...") when there were global variables named element or formOwner. (ExE-Boss)
On Node.js v14.6.0+ where WeakRefs are available, fixed NodeIterator to no longer stop working when more than ten NodeIterator instances are created, and to use less memory due to inactive NodeIterators sticking around. (ExE-Boss)
16.5.1
Fixed a regression that broke customElements.get() in v16.5.0. (fdesforges)
Fixed window.event to have a setter which overwrites the window.event property with the given value, per the specification. This fixes an issue where after upgrading to jsdom v16.5.0 you would no longer be able to set a global variable named event in the jsdom context.
16.5.0
Added window.queueMicrotask().
Added window.event.
Added inputEvent.inputType. (diegohaz)
Removed ondragexit from Window and friends, per a spec update.
Fixed the URL of about:blank iframes. Previously it was getting set to the parent's URL. (SimonMueller)
Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
Fixed the hidden="" attribute to cause display: none per the user-agent stylesheet. (ph-fritsche)
Fixed the new File() constructor to no longer convert / to :, per a pending spec update.
Fixed mutation observer callbacks to be called with the MutationObserver instance as their this value.
Bumps the npm_and_yarn group with 15 updates in the /examples/ecmascript directory:
7.11.07.24.15.0.05.0.14.1.14.3.40.2.00.2.22.8.82.8.95.7.15.7.216.3.016.7.04.17.194.17.213.0.43.1.21.2.51.2.87.0.28.0.226.2.226.6.21.0.61.0.71.0.41.0.54.0.04.0.3Updates
@babel/traversefrom 7.11.0 to 7.24.1Release notes
Sourced from
@babel/traverse's releases.... (truncated)
Changelog
Sourced from
@babel/traverse's changelog.... (truncated)
Commits
822b025v7.24.1fc0d5adUpdate typescript and lint tools (#16351)69e7928Consider well-known and registered symbols as literals (#16342)40110e9Update source map deps (#16327)ce59160v7.24.0bd5abd5fix: avoidpopContexton unvisited node paths (#16305)08a057cUseObject.hasOwnwhen available (#16248)a0dd614v7.23.91200542fix: Don't throw ingetTypeAnnotationwhen using TS+inference (#15383)e428a6dv7.23.7Updates
ansi-regexfrom 5.0.0 to 5.0.1Release notes
Sourced from ansi-regex's releases.
Commits
a9babce5.0.14657833fix incorrect formatc3c0b3fFix potential ReDoS (#37)178363bMove to GitHub Actions (#35)0755e66Add@Qix- to funding.ymlUpdates
debugfrom 4.1.1 to 4.3.4Release notes
Sourced from debug's releases.
... (truncated)
Commits
da66c864.3.49b33412replace deprecated String.prototype.substr() (#876)c0805ccadd section about configuring JS console to show debug messages (#866)043d3cd4.3.34079aaeupdate license and more maintainership information19b36c0update repository location + maintainership informationf851b00adds README section regarding usage in child procs (#850)d177f2bRemove accidental epizeuxise47f96d4.3.21e9d38ccache enabled status per-logger (#799)Maintainer changes
This version was pushed to npm by qix, a new releaser for debug since your current version.
Updates
decode-uri-componentfrom 0.2.0 to 0.2.2Release notes
Sourced from decode-uri-component's releases.
Commits
a0eea460.2.2980e0bfPrevent overwriting previously decoded tokens3c8a3730.2.176abc93Switch to GitHub workflows746ca5dFix issue where decode throws - fixes #6486d7e2Update license (#1)a650457Tidelift tasks66e1c28Meta tweaksUpdates
hosted-git-infofrom 2.8.8 to 2.8.9Changelog
Sourced from hosted-git-info's changelog.
Commits
8d4b369chore(release): 2.8.929adfe5fix: backport regex fix from #76Maintainer changes
This version was pushed to npm by nlf, a new releaser for hosted-git-info since your current version.
Updates
semverfrom 5.7.1 to 5.7.2Release notes
Sourced from semver's releases.
Changelog
Sourced from semver's changelog.
Commits
f8cc313chore: release 5.7.22f8fd41fix: better handling of whitespace (#585)deb5ad5chore:@npmcli/template-oss@4.16.0Maintainer changes
This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.
Updates
jsdomfrom 16.3.0 to 16.7.0Release notes
Sourced from jsdom's releases.
... (truncated)
Changelog
Sourced from jsdom's changelog.
... (truncated)
Commits
1aa3cbcVersion 16.7.0df1f551Don't run WebSocketStream testseb105b2Fix browser tests by enabling SharedArrayBuffer0dedfc0Fix some bad cascade computation in getComputedStyle()8021a56Fix "configuation" typo (#3213)a7febe3Fix typo in level2/html.js (#3222)c9896c0Return x, y properties from Element.getBoundingClientRect (#3187)346ea98Update web-platform tests (#3203)364c77dBump to ws 7.4.693ba6a0We are now on Matrix (#3207)Updates
lodashfrom 4.17.19 to 4.17.21Commits
f299b52Bump to v4.17.21c4847ebImprove performance oftoNumber,trimandtrimEndon large input strings3469357Prevent command injection through_.template'svariableoptionded9bc6Bump to v4.17.20.63150efDocumentation fixes.00f0f62test.js: Remove trailing comma.846e434Temporarily use a custom fork oflodash-cli.5d046f3Re-enable Travis tests on4.17branch.aa816b3Remove/npm-package.Maintainer changes
This version was pushed to npm by bnjmnt4n, a new releaser for lodash since your current version.
Updates
minimatchfrom 3.0.4 to 3.1.2Commits
699c4593.1.22f2b5fffix: trim pattern25d7c0d3.1.155dda29fix: treat nocase:true as always having magic5e1fb8d3.1.0f8145c5Add 'allowWindowsEscape' option570e8b1add publishConfig for v3 publishes5b7cd333.0.620b4b56[fix] revert all breaking syntax changes2ff0388document, expose, and test 'partial:true' optionUpdates
minimistfrom 1.2.5 to 1.2.8Changelog
Sourced from minimist's changelog.