celo-org / celo-monorepo

Official repository for core projects comprising the Celo platform
https://celo.org
Apache License 2.0
684 stars 360 forks

chore(deps): update dependency ua-parser-js to v0.7.33 [security] (release/core-contracts/6) - autoclosed #11065

Closed renovate[bot] closed 2 weeks ago

renovate[bot] commented 2 weeks ago

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
| --- | --- | --- | --- | --- | --- |
| ua-parser-js | `0.7.28` -> `0.7.33` | age | adoption | passing | confidence |

[!WARNING] Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


ReDoS Vulnerability in ua-parser-js version

CVE-2022-25927 / GHSA-fhg7-m89q-25r3

More information

#### Details

##### Description:

A regular expression denial of service (ReDoS) vulnerability has been discovered in `ua-parser-js`.

##### Impact:

This vulnerability bypasses the library's `MAX_LENGTH` input limit prevention. By crafting a very long user-agent string with a specific pattern, an attacker can make the script get stuck processing for a very long time, which results in a denial of service (DoS) condition.

##### Affected Versions:

All versions of the library prior to version `0.7.33` / `1.0.33`.

##### Patches:

A patch has been released to remove the vulnerable regular expression; update to version `0.7.33` / `1.0.33` or later.

##### References:

[Regular expression Denial of Service - ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)

##### Credits:

Thanks to @Snyk who first reported the issue.

#### Severity

- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References

- [https://github.com/faisalman/ua-parser-js/security/advisories/GHSA-fhg7-m89q-25r3](https://togithub.com/faisalman/ua-parser-js/security/advisories/GHSA-fhg7-m89q-25r3)
- [https://nvd.nist.gov/vuln/detail/CVE-2022-25927](https://nvd.nist.gov/vuln/detail/CVE-2022-25927)
- [https://github.com/faisalman/ua-parser-js/commit/a6140a17dd0300a35cfc9cff999545f267889411](https://togithub.com/faisalman/ua-parser-js/commit/a6140a17dd0300a35cfc9cff999545f267889411)
- [https://github.com/faisalman/ua-parser-js](https://togithub.com/faisalman/ua-parser-js)
- [https://security.snyk.io/vuln/SNYK-JS-UAPARSERJS-3244450](https://security.snyk.io/vuln/SNYK-JS-UAPARSERJS-3244450)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-fhg7-m89q-25r3) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).

Release Notes

faisalman/ua-parser-js (ua-parser-js)

### [`v0.7.33`](https://togithub.com/faisalman/ua-parser-js/blob/HEAD/CHANGELOG.md#Version-0733--1033)

[Compare Source](https://togithub.com/faisalman/ua-parser-js/compare/0.7.32...0.7.33)

- Add new browser : Cobalt
- Identify Macintosh as an Apple device
- Fix ReDoS vulnerability

### [`v0.7.32`](https://togithub.com/faisalman/ua-parser-js/blob/HEAD/changelog.md#Version-0732--1032)

[Compare Source](https://togithub.com/faisalman/ua-parser-js/compare/0.7.31...0.7.32)

- Add new browser : DuckDuckGo, Huawei Browser, LinkedIn
- Add new OS : HarmonyOS
- Add some Huawei models
- Add Sharp Aquos TV
- Improve detection Xiaomi Mi CC9
- Fix Sony Xperia 1 III misidentified as Acer tablet
- Fix Detect Sony BRAVIA as SmartTV
- Fix Detect Xiaomi Mi TV as SmartTV
- Fix Detect Galaxy Tab S8 as tablet
- Fix WeGame mistakenly identified as WeChat
- Fix included commas in Safari / Mobile Safari version
- Increase UA_MAX_LENGTH to 350

### [`v0.7.31`](https://togithub.com/faisalman/ua-parser-js/blob/HEAD/CHANGELOG.md#Version-0731--102)

[Compare Source](https://togithub.com/faisalman/ua-parser-js/compare/0.7.30...0.7.31)

- Fix OPPO Reno A5 incorrect detection
- Fix TypeError Bug
- Use AST to extract regexes and verify them with safe-regex

### [`v0.7.30`](https://togithub.com/faisalman/ua-parser-js/blob/HEAD/CHANGELOG.md#Version-0730--101)

[Compare Source](https://togithub.com/faisalman/ua-parser-js/compare/0.7.28...0.7.30)

- Add new browser : Obigo, UP.Browser, Klar
- Add new device : Oculus, Roku
- Add new OS: Maemo, HP-UX, Android-x86, Deepin, elementary OS, GhostBSD, Linspire, Manjaro, Sabayon
- Improve detection for Sony Xperia 1ii, LG Android TV, and some more devices
- Improve detection for ARM64 CPU
- Improve detection for Windows Mobile, Netscape, Mac on PowerPC
- Categorize PDA as mobile
- Fix Sharp devices misjudged as Huawei
- Fix trailing comma for ES3 compatibility
- Some code refactor

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.
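The advisory above says the ReDoS bypasses the library's `MAX_LENGTH` input limit, and the 0.7.31 release notes mention verifying the regex table with safe-regex. The following is an added example, not code from ua-parser-js, from this PR, or from either bot: a length cap next to a small star-height audit in the spirit of that safe-regex check, plus a timing loop that shows why the cap alone does not close the hole. The pathological regex `/^(\w+\s?)*$/` is a constructed textbook evil regex, not the regex the 0.7.33 commit removed; the value `UA_MAX_LENGTH = 350` is taken from the 0.7.32 notes; every other name here is this example's own.

```javascript
// Added example (not ua-parser-js code). Two guards against ReDoS in a UA parser:
// a length cap like the library's UA_MAX_LENGTH, and a star-height audit of the
// regex table in the spirit of the safe-regex check named in the 0.7.31 notes.
// The pathological regex used in the demo is constructed; it is NOT the regex
// removed by the 0.7.33 fix.
"use strict";

const UA_MAX_LENGTH = 350; // value from the 0.7.32 release notes (assumed here)

// Reject over-long input before any regex runs. Necessary, but not sufficient.
function withinLengthCap(ua, maxLength = UA_MAX_LENGTH) {
  return typeof ua === "string" && ua.length <= maxLength;
}

// If source[i] starts a quantifier, return its length and whether it is unbounded
// (`*`, `+`, `{n,}`); `?`, `{n}` and `{n,m}` are bounded. Returns null otherwise.
function quantifierAt(source, i) {
  const c = source[i];
  let length, unbounded = false;
  if (c === "*" || c === "+") { length = 1; unbounded = true; }
  else if (c === "?") { length = 1; }
  else if (c === "{") {
    const m = /^\{\d+(?:,(\d*))?\}/.exec(source.slice(i));
    if (!m) return null;                 // a literal '{'
    length = m[0].length;
    unbounded = m[1] === "";             // `{n,}` has no upper bound
  } else return null;
  if (source[i + length] === "?") length += 1; // lazy modifier
  return { length, unbounded };
}

// Star height: maximum nesting depth of unbounded quantifiers in a regex source.
// Height 2 or more (e.g. /^(a+)+$/) is the classic exponential-backtracking shape.
function starHeight(source) {
  const stack = [{ inner: 0 }];          // one frame per open group; stack[0] is top level
  const record = (h) => { const f = stack[stack.length - 1]; f.inner = Math.max(f.inner, h); };
  const afterAtom = (end) => {           // an atom ended just before `end`; eat its quantifier
    const q = quantifierAt(source, end);
    if (!q) return end;
    record(q.unbounded ? 1 : 0);
    return end + q.length;
  };
  let i = 0;
  while (i < source.length) {
    const c = source[i];
    if (c === "\\") {
      i = afterAtom(i + 2);              // escaped char, \d, \w, \s, ...
    } else if (c === "[") {
      let j = i + 1;
      if (source[j] === "^") j++;
      if (source[j] === "]") j++;        // a leading ']' is literal
      while (j < source.length && source[j] !== "]") j += source[j] === "\\" ? 2 : 1;
      if (j >= source.length) throw new Error("unterminated character class");
      i = afterAtom(j + 1);
    } else if (c === "(") {
      stack.push({ inner: 0 });
      i += 1;
      if (source[i] === "?") {           // (?: (?= (?! (?<= (?<! (?<name>
        if (source[i + 1] === "<" && source[i + 2] !== "=" && source[i + 2] !== "!") {
          const close = source.indexOf(">", i);
          if (close < 0) throw new Error("unterminated group name");
          i = close + 1;
        } else {
          i += source[i + 1] === "<" ? 3 : 2;
        }
      }
    } else if (c === ")") {
      const frame = stack.pop();
      if (stack.length === 0) throw new Error("unbalanced ')'");
      const q = quantifierAt(source, i + 1);
      i += 1;
      if (q) { i += q.length; record(q.unbounded ? frame.inner + 1 : frame.inner); }
      else record(frame.inner);
    } else if (c === "|") {
      i += 1;                            // alternation does not add nesting
    } else {
      i = afterAtom(i + 1);              // literal, '.', '^', '$'
    }
  }
  if (stack.length !== 1) throw new Error("unbalanced '('");
  return stack[0].inner;
}

function isSafeRegex(regex) {
  return starHeight(regex.source) <= 1;
}

// Audit a regex table the way a startup check or test suite would; returns the
// offenders so they can be rewritten before they ever see attacker input.
function auditRegexes(regexes) {
  return regexes
    .map((r) => ({ source: r.source, height: starHeight(r.source) }))
    .filter((r) => r.height > 1);
}

// Why the cap alone is not a fix: every input here is far below the cap, yet each
// two extra characters roughly quadruple the time a nested-quantifier regex spends
// backtracking before the trailing '!' makes the match fail.
function backtrackingGrowth(regex, lengths) {
  const now = () => (typeof performance !== "undefined" ? performance.now() : Date.now());
  return lengths.map((n) => {
    const ua = "a".repeat(n) + "!";      // constructed input
    const t0 = now();
    regex.test(ua);
    return { n, capped: !withinLengthCap(ua), millis: now() - t0 };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  const PATHOLOGICAL = /^(\w+\s?)*$/;   // constructed evil regex, not the library's
  console.log(auditRegexes([PATHOLOGICAL, /(iPhone|iPad)(?:.*?)\s([\w.]+)/]));
  for (const r of backtrackingGrowth(PATHOLOGICAL, [16, 18, 20])) {
    console.log(`length ${r.n}, rejected by cap: ${r.capped}, ${r.millis.toFixed(1)} ms`);
  }
}
```

Run it with `node` to see the audit flag the nested quantifier and the match time climb while every input stays well under 350 characters. The star-height heuristic catches the exponential shape but not polynomial ReDoS such as `/a*a*b/` or ambiguous alternation such as `/(a|a)*b/`, both of which have star height 1; treat it as a CI gate on the regex table, not as proof of safety, and keep the length cap as defence in depth.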

socket-security[bot] commented 2 weeks ago

New and removed dependencies detected. Learn more about Socket for GitHub.

| Package | New capabilities | Transitives | Size | Publisher |
| --- | --- | --- | --- | --- |
| npm/ua-parser-js@0.7.33 | None | 0 | 104 kB | faisalman |

🚮 Removed packages: npm/ua-parser-js@0.7.28

View full report.