π¨ Your current dependencies have known security vulnerabilities π¨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@βdepfu rebase
Rebases against your default branch and redoes this update
@βdepfu recreate
Recreates this PR, overwriting any edits that you've made to it
@βdepfu merge
Merges this PR once your tests are passing and conflicts are resolved
@βdepfu cancel merge
Cancels automatic merging of this PR
@βdepfu close
Closes this PR and deletes the branch
@βdepfu reopen
Restores the branch and reopens this PR (if it's closed)
@βdepfu pause
Ignores all future updates for this dependency and closes this PR
@βdepfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@βdepfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
depfu[bot]
commented
4 months ago
π¨ Your current dependencies have known security vulnerabilities π¨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
β³οΈ mocha (10.2.0 β 10.5.1) Β· Repo Β· Changelog
Release Notes
10.5.1
10.5.0
10.4.0
10.3.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 52 commits:
Release v10.5.1docs: add 10.5.1 to CHANGELOG.mdfix: Add error handling for nonexistent file case with --file option (#5086)Release v10.5.0Docs: add 10.5.0 to CHANGELOG.mdchore: rename 'master' to 'main' in docs and tooling (#5130)fix: include stack in browser uncaught error reporting (#5107)chore: switch two-column list styles to be opt-in (#5110)chore: allow blank issues (#5157)chore: remove `husky` for now (#5127)feat: add MOCHA_OPTIONS env variable (#4835)chore: allow using any 3.x chokidar dependencies (#5143)chore: fix some typos in comments (#5135)feat: use <progress> and <svg> for browser progress indicator instead of <canvas> (#5015)Release v10.4.0build(deps): bump the github-actions group with 2 updates (#5125)chore: activate dependabot for workflows (#5123)fix: harden error handling in `lib/cli/run.js` (#5074)fix: xunit integration test (#5122)docs: fix documentation concerning glob expansion on UNIX (#4869)feat: add file path to xunit reporter (#4985)fix: closes #5115 (#5116)feat: include `.cause` stacks in the error stack traces (#4829)chore: bump ESLint ecmaVersion to 2020 (#5104)chore: fix header generation and production build crashes (#5100)docs: fix CHANGELOG.md headings to start with a root-level h1 (#5083)chore: add 'status: in triage' label to issue templates and docs (#5093)docs: add sponsored to sponsorship link rels (#5097)chore: revert #5069 to restore Netlify builds (#5095)chore: migrate ESLint config to flat config (#5060)Release v10.3.0docs: add 10.3.0 to CHANGELOG.mdRelease v10.3.0-preminor.0chore: add mtfoley/pr-compliance-action (#5077)chore: fix link in pull request template (#5091)chore: remove unnecessary canvas dependency (#5069)chore: inline nyan reporter's write function (#5056)fix: add alt text to Built with Netlify badge (#5068)docs: touchups to labels and a template title post-revamp (#5050)docs: overhaul contributing and maintenance docs for end-of-year 2023 (#5038)docs: fix return jsdoc type of `titlePath` (#4886)docs: use mocha.js instead of mocha in the example run (#4927)docs: fix fragment ID for yargs.js `extends` docs (#4918)chore: remove stale workflow (#5029)chore: remove touch as dev dependency (#5023)chore: remove nanoid as dependency (#5024)chore: remove uuid dev dependency (#5022)update can-i-use (#5021)chore: fix the ci (#5020)chore(ci): add Node v19 to test matrix (#4974)chore(deps): update 'glob' to v8 (#4970)Fix deprecated warn gh actions (#4962)βοΈ binary-extensions (indirect, 2.2.0 β 2.3.0) Β· Repo
Release Notes
2.3.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 3 commits:
2.3.0Meta tweaksAdd `afdesign`, `afphoto`, and `afpub` (#30)βοΈ braces (indirect, 3.0.2 β 3.0.3) Β· Repo Β· Changelog
Security Advisories π¨
π¨ Uncontrolled resource consumption in braces
Commits
See the full diff on Github. The new version differs by 12 commits:
3.0.3update eslint. lint, fix unit tests.Snyk js braces 6838727 (#40)fix tests, skip 1 test in test/braces.expandreadme bumpMerge pull request #37 from coderaiser/fix/vulnerabilityfeature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/36#issuecomment-2110820796)fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)remove funding fileupdate keepEscaping doc (#27)Failing test cases for issue \#29 (#30)Create FUNDING.ymlβοΈ chokidar (indirect, 3.5.3 β 3.6.0) Β· Repo Β· Changelog
Release Notes
3.6.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 22 commits:
Release 3.6.0.Add github ci autopublishMerge pull request #1300 from ben-polinsky/fix-fswatcher-types-1299fix formattingupdate fs.FSWatcher types to satisfy node versions >= 16; fixes #1299Merge pull request #1197 from MarcCelani-at/handleMustScanSubDirsMerge pull request #1288 from JLHwung/fix-ready-countready call # is unfortunately platform specificfix readyCount logicAdjust funding field in pkgEnable GitHub SponsorsMerge pull request #1242 from zqianem/fix/testsFix test case using unsupported option for Node 8Fix `close` testsMerge pull request #1226 from Mutahhar/patch-1Update README.mdMerge pull request #1198 from XhmikosR/rm-unused-depsMerge pull request #1199 from XhmikosR/patch-1Update CI configRemove unused devDependenciesmove to constantshandle MustScanSubDirsβοΈ fill-range (indirect, 7.0.1 β 7.1.1) Β· Repo
Commits
See the full diff on Github. The new version differs by 7 commits:
7.1.1ensure that maxLen is passed down, to handle zero-paddingupdate eslint. lint.Delete FUNDING.ymlCreate FUNDING.yml7.0.1fix regressionsπ css-what (added, 2.1.3)
π json-schema (added, 0.2.3)
π nth-check (added, 1.0.2)
π postcss (added, 7.0.39)
π qs (added, 6.5.3)
π sanitize-html (added, 1.27.5)
ποΈ call-bind (removed)
ποΈ get-intrinsic (removed)
ποΈ has-proto (removed)
ποΈ has-symbols (removed)
ποΈ is-plain-object (removed)
ποΈ nanoid (removed)
ποΈ object-inspect (removed)
ποΈ side-channel (removed)
ποΈ source-map-js (removed)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands