Open renovate[bot] opened 1 year ago
The latest updates on your projects. Learn more about Vercel for Git.
Name | Status | Preview | Comments | Updated (UTC) |
---|---|---|---|---|
chirpy | Ready (Inspect) | Visit Preview | Add feedback | Mar 4, 2024 6:41am |
Latest commit: 539c2b297509b60a8937f981b80a5be11328c521
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
285daff (current) vs e32b68c main #1410 (baseline)
Warning: Bundle contains 3 duplicate packages
Metrics (1 change)
Metric | Current Job #1411 | Baseline Job #1410 |
---|---|---|
Initial JS | 1.9MiB | 1.9MiB |
Initial CSS | 85.7KiB | 85.7KiB |
Cache Invalidation | 0% | 59.72% |
Chunks | 56 | 56 |
Assets | 75 | 75 |
Modules | 1821 | 1821 |
Duplicate Modules | 237 | 237 |
Duplicate Code | 5.53% | 5.53% |
Packages | 148 | 148 |
Duplicate Packages | 3 | 3 |
View job #1411 report | View refs/pull/562/merge branch activity
2 | 4 | 0 | 1 | 0 |
Details:
fix(deps): update dependency eta to v2 [security]
Project: chirpy | Commit: 8211e748ee |
Status: Failed | Duration: 02:40 |
Started: Jul 8, 2023 1:55 AM | Ended: Jul 8, 2023 1:58 AM |
Test | Artifacts |
---|---|
Header > should show user menu | Output, Screenshots, Video |
Project > should show integration doc | Output, Screenshots, Video |
This comment has been generated by cypress-bot as a result of this project's GitHub integration settings.
./apps/main
Warning: An unexpected error occurred. For more details, check console
Error: The process '/opt/hostedtoolcache/node/16.20.1/x64/bin/npx' failed with exit code 1
Branches coverage not met for global: expected >=1%, but got 0%
Category | Percentage | Covered / Total |
---|---|---|
Statements | 1.14% | 6/525 |
Branches | 0% | 0/101 |
Functions | 1.25% | 1/80 |
Lines | 1.28% | 6/468 |
Report generated by jest coverage report action from 8211e748eec6616261041094688361905f783269
This PR contains the following updates:
eta: 1.12.3 -> 2.0.0

### GitHub Vulnerability Alerts

#### CVE-2023-23630

**Impact**: XSS attack - anyone using the Express API is impacted.

**Patches**: The problem has been resolved. Users should upgrade to version 2.0.0.

**Workarounds**: Don't pass user supplied data directly to `res.renderFile`.

**References**: See https://github.com/eta-dev/eta/releases/tag/v2.0.0

#### CVE-2022-25967

Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from the Express render API. Note: This is exploitable only for users who are rendering templates with user-defined data.
### Release Notes

eta-dev/eta (eta)

### [`v2.0.0`](https://togithub.com/eta-dev/eta/releases/tag/v2.0.0): Version 2.0.0

[Compare Source](https://togithub.com/eta-dev/eta/compare/v1.14.2...v2.0.0)

#### TL;DR

This commit includes fixes for several security vulnerabilities. Specifically, in version 1, Eta merged the `data` parameter of `renderFile()` into `config` -- meaning that malicious untrusted user data, passed through in a very specific way, could potentially modify the values of `varName`, `include`, `includeFile`, and `useWith`, and thus insert arbitrary code into user template functions. With this release, such behavior is removed. Configuration cannot be passed through the `data` parameter to `eta.renderFile()`. Most users will be able to update from version 1 to version 2 without changing any code. All users are encouraged to update as soon as possible.

#### Practical Implications

- Configuration must be passed to `renderFile` explicitly, rather than merged with the `data` parameter
- Using Express.js `app.set()` to modify `views` and `view cache` will no longer change Eta's configuration of `views` and `cache`.
  - However, since Express still uses its own `views` and `view cache` options under the hood, users should configure both Eta and Express with desired values (example below)
- Eta no longer recognizes the legacy Express.js `settings["view options"]` property

**Example Code Changes**

```js
// Change THIS:
renderFile(filePath, { cache: true }) // This worked in v1 but does not work in v2
// To THIS:
renderFile(filePath, {}, { cache: true }) // This works in v1 and v2

// Change THIS:
var eta = require("eta")
app.set("view engine", "eta")
app.set("views", "./views")
app.set("view cache", true)
// To THIS:
var eta = require("eta")
app.engine("eta", eta.renderFile)
eta.configure({ views: "./views", cache: true }) // configure eta
app.set("views", "./views") // configure Express
app.set("view cache", true) // configure Express
app.set("view engine", "eta")
```

#### Commits

- Don't use data object for Eta configuration ([#214](https://togithub.com/eta-dev/eta/issues/214)) [`5651392`](https://togithub.com/eta-dev/eta/commit/5651392)

### [`v1.14.2`](https://togithub.com/eta-dev/eta/releases/tag/v1.14.2): Version 1.14.2

[Compare Source](https://togithub.com/eta-dev/eta/compare/v1.14.1...v1.14.2)

#### TL;DR

- Fixed "types" field in package.json

#### Commits

- fix type declaration ([#213](https://togithub.com/eta-dev/eta/issues/213)) [`f9994ad`](https://togithub.com/eta-dev/eta/commit/f9994ad)

### [`v1.14.1`](https://togithub.com/eta-dev/eta/releases/tag/v1.14.1): Version 1.14.1

[Compare Source](https://togithub.com/eta-dev/eta/compare/v1.14.0...v1.14.1)

#### TL;DR

- Fixed package.json `exports` and `type` fields

#### Commits

- Rebuild README.md [`403121c`](https://togithub.com/eta-dev/eta/commit/403121c)
- docs: add gurgunday as a contributor for code ([#212](https://togithub.com/eta-dev/eta/issues/212)) [`308bfb4`](https://togithub.com/eta-dev/eta/commit/308bfb4)
- Fix outputs ([#211](https://togithub.com/eta-dev/eta/issues/211)) [`d7c68b3`](https://togithub.com/eta-dev/eta/commit/d7c68b3)

### [`v1.14.0`](https://togithub.com/eta-dev/eta/releases/tag/v1.14.0): Version 1.14.0

[Compare Source](https://togithub.com/eta-dev/eta/compare/v1.13.0...v1.14.0)

#### TL;DR

- Refactored Eta's build process to make it more maintainable
- Improved NodeNext support

#### Commits

- Switch build process to use microbundle ([#209](https://togithub.com/eta-dev/eta/issues/209)) [`3442ceb`](https://togithub.com/eta-dev/eta/commit/3442ceb)

### [`v1.13.0`](https://togithub.com/eta-dev/eta/releases/tag/v1.13.0): Version 1.13.0

[Compare Source](https://togithub.com/eta-dev/eta/compare/v1.12.3...v1.13.0)

#### TL;DR

- Improved return types through TS function overloading
- Fixed the "types" field in package.json

#### Commits

- Rebuild [`197eb04`](https://togithub.com/eta-dev/eta/commit/197eb04)
- docs: add nhaef as a contributor for code ([#206](https://togithub.com/eta-dev/eta/issues/206)) [`c954bfe`](https://togithub.com/eta-dev/eta/commit/c954bfe)
- Rebuild and format [`1cae832`](https://togithub.com/eta-dev/eta/commit/1cae832)
- Improve return types for `render`, `renderAsync`, `renderFile` and `renderFileAsync` ([#199](https://togithub.com/eta-dev/eta/issues/199)) [`242e9fc`](https://togithub.com/eta-dev/eta/commit/242e9fc)
- Fix types specification in package.json ([#193](https://togithub.com/eta-dev/eta/issues/193)) [`7190909`](https://togithub.com/eta-dev/eta/commit/7190909)
- Fix types specification in package.json ([#193](https://togithub.com/eta-dev/eta/issues/193)) [`fe26ba1`](https://togithub.com/eta-dev/eta/commit/fe26ba1)
- Fix types specification in package.json ([#193](https://togithub.com/eta-dev/eta/issues/193)) [`812825d`](https://togithub.com/eta-dev/eta/commit/812825d)
- Nit: change eslint file type ([#204](https://togithub.com/eta-dev/eta/issues/204)) [`8c82f3c`](https://togithub.com/eta-dev/eta/commit/8c82f3c)
- chore(deps): bump dot-prop and [@commitlint/config-conventional](https://togithub.com/commitlint/config-conventional) ([#203](https://togithub.com/eta-dev/eta/issues/203)) [`9e22984`](https://togithub.com/eta-dev/eta/commit/9e22984)
- Update dependencies ([#202](https://togithub.com/eta-dev/eta/issues/202)) [`749b197`](https://togithub.com/eta-dev/eta/commit/749b197)
- Merge pull request [#188](https://togithub.com/eta-dev/eta/issues/188) from gitBaiano/patch-1 [`2eb2d9f`](https://togithub.com/eta-dev/eta/commit/2eb2d9f)
- Update Benchmark modules [`35a7d8d`](https://togithub.com/eta-dev/eta/commit/35a7d8d)
- Merge pull request [#179](https://togithub.com/eta-dev/eta/issues/179) from eta-dev/dependabot/npm_and_yarn/terser-4.8.1 [`4c23380`](https://togithub.com/eta-dev/eta/commit/4c23380)
- chore(deps): bump terser from 4.8.0 to 4.8.1 [`15fd2b9`](https://togithub.com/eta-dev/eta/commit/15fd2b9)
- Merge pull request [#160](https://togithub.com/eta-dev/eta/issues/160) from eta-dev/dependabot/npm_and_yarn/node-fetch-2.6.7 [`064f776`](https://togithub.com/eta-dev/eta/commit/064f776)
- chore(deps): bump node-fetch from 2.6.1 to 2.6.7 [`60263b0`](https://togithub.com/eta-dev/eta/commit/60263b0)
- Merge pull request [#174](https://togithub.com/eta-dev/eta/issues/174) from eta-dev/dependabot/npm_and_yarn/jsdom-16.7.0 [`ff801ea`](https://togithub.com/eta-dev/eta/commit/ff801ea)
- chore(deps): bump jsdom from 16.4.0 to 16.7.0 [`14aedfb`](https://togithub.com/eta-dev/eta/commit/14aedfb)
- Merge pull request [#170](https://togithub.com/eta-dev/eta/issues/170) from Tobbe/patch-1 [`9c8e426`](https://togithub.com/eta-dev/eta/commit/9c8e426)
- README.ms: Fix rawgit links [`12005a5`](https://togithub.com/eta-dev/eta/commit/12005a5)
- Merge pull request [#167](https://togithub.com/eta-dev/eta/issues/167) from ralphwetzel/patch-1 [`912c2e3`](https://togithub.com/eta-dev/eta/commit/912c2e3)
- Update README.md [`5512169`](https://togithub.com/eta-dev/eta/commit/5512169)
- Merge pull request [#156](https://togithub.com/eta-dev/eta/issues/156) from eta-dev/dependabot/npm_and_yarn/shelljs-0.8.5 [`663556c`](https://togithub.com/eta-dev/eta/commit/663556c)
- Merge pull request [#158](https://togithub.com/eta-dev/eta/issues/158) from benasher44/patch-1 [`1f1f321`](https://togithub.com/eta-dev/eta/commit/1f1f321)
- Merge pull request [#157](https://togithub.com/eta-dev/eta/issues/157) from eta-dev/dependabot/npm_and_yarn/nanoid-3.2.0 [`b1026d3`](https://togithub.com/eta-dev/eta/commit/b1026d3)
- Merge pull request [#154](https://togithub.com/eta-dev/eta/issues/154) from shadowtime2000/issue-146 [`aedaab7`](https://togithub.com/eta-dev/eta/commit/aedaab7)
- Update README.md [`34628da`](https://togithub.com/eta-dev/eta/commit/34628da)
- Update benchmarks link [`d5e25ab`](https://togithub.com/eta-dev/eta/commit/d5e25ab)
- Merge pull request [#155](https://togithub.com/eta-dev/eta/issues/155) from benasher44/master [`694976f`](https://togithub.com/eta-dev/eta/commit/694976f)
- chore(deps): bump nanoid from 3.1.12 to 3.2.0 [`21234a1`](https://togithub.com/eta-dev/eta/commit/21234a1)
- chore(deps-dev): bump shelljs from 0.8.4 to 0.8.5 [`f28b718`](https://togithub.com/eta-dev/eta/commit/f28b718)
- Compile templates before render for benchmarks [`d469b4c`](https://togithub.com/eta-dev/eta/commit/d469b4c)
- fix(146): add browser es versions [`408d59c`](https://togithub.com/eta-dev/eta/commit/408d59c)
- Merge pull request [#145](https://togithub.com/eta-dev/eta/issues/145) from eta-dev/dependabot/npm_and_yarn/tmpl-1.0.5 [`0bdf07e`](https://togithub.com/eta-dev/eta/commit/0bdf07e)
- chore(deps): bump tmpl from 1.0.4 to 1.0.5 [`e1101a9`](https://togithub.com/eta-dev/eta/commit/e1101a9)
- Merge pull request [#133](https://togithub.com/eta-dev/eta/issues/133) from eta-dev/dependabot/npm_and_yarn/path-parse-1.0.7 [`a0072e8`](https://togithub.com/eta-dev/eta/commit/a0072e8)
- chore(deps): bump path-parse from 1.0.6 to 1.0.7 [`48d9857`](https://togithub.com/eta-dev/eta/commit/48d9857)
- v1.12.3 [`304b9e2`](https://togithub.com/eta-dev/eta/commit/304b9e2)

### Configuration
Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
Automerge: Disabled by config. Please merge this manually once you are satisfied.
Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
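The configuration-merge defect that the two advisories and the v2.0.0 release notes above describe, shown as an added example. This is not eta's code and not part of this PR: it is a toy template engine written for this note that builds its template function the way the notes describe (the `varName` and `useWith` config values feed `new Function`), with a v1-style render that spreads `data` into the configuration next to a v2-style render that takes configuration as a separate argument. The template, the request body `UNTRUSTED_LOCALS`, the `pickLocals` allow-list helper and all function names are constructed for the example.

```javascript
// Added example, not eta's source. A toy template engine shaped like the
// eta v1 defect the advisories describe: the template function is built with
// `new Function(config.varName, ...)` and `config.useWith` wraps the body in a
// `with` block, so whoever controls `config` controls the generated code.
// Only `<%= expr %>` tags are supported; output is always HTML-escaped.
const DEFAULT_CONFIG = { varName: "it", useWith: false };

function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Compile a template into a function. The parameter name and the optional
// `with` wrapper come straight from `config`.
function compile(template, config) {
  const parts = template.split(/<%=\s*([\s\S]+?)\s*%>/);
  let body = "";
  parts.forEach((part, i) => {
    body += i % 2 === 0
      ? `out += ${JSON.stringify(part)};\n` // literal text between tags
      : `out += E(${part});\n`;             // escaped interpolation
  });
  if (config.useWith) body = `with (${config.varName}) {\n${body}}\n`;
  body = "let out = '';\n" + body + "return out;";
  const fn = new Function(config.varName, "E", body);
  return { fn, source: fn.toString() };
}

// v1 shape (vulnerable): `data` is spread into the engine configuration, so a
// request body carrying keys such as `varName` or `useWith` reconfigures the
// compiler for that render.
function effectiveConfigV1(data) {
  return { ...DEFAULT_CONFIG, ...data };
}

function renderV1(template, data) {
  return compile(template, effectiveConfigV1(data)).fn(data, escapeHtml);
}

// v2 shape (fixed): configuration is an explicit third argument and `data` is
// only ever the value bound to `varName`; no key in `data` can reach config.
function effectiveConfigV2(config = {}) {
  return { ...DEFAULT_CONFIG, ...config };
}

function renderV2(template, data, config = {}) {
  return compile(template, effectiveConfigV2(config)).fn(data, escapeHtml);
}

// Workaround shape for a v1 deployment that cannot upgrade yet: never forward
// request data wholesale; copy only the fields the view is meant to receive.
function pickLocals(untrusted, allowedKeys) {
  const locals = {};
  for (const key of allowedKeys) {
    if (Object.prototype.hasOwnProperty.call(untrusted, key)) locals[key] = untrusted[key];
  }
  return locals;
}

// Constructed request body: what an Express handler might forward unchanged
// from `req.body` into the render call.
const UNTRUSTED_LOCALS = { name: "<b>Mallory</b>", varName: "evil", useWith: true };
const TEMPLATE = "Hello <%= it.name %>";

function demo() {
  const v1 = effectiveConfigV1(UNTRUSTED_LOCALS);
  const v2 = effectiveConfigV2();
  let v1Error = null;
  try {
    renderV1(TEMPLATE, UNTRUSTED_LOCALS);
  } catch (err) {
    v1Error = err.name; // `it` is no longer a parameter, so the template throws
  }
  return {
    v1VarName: v1.varName,                                   // "evil"
    v1UseWith: v1.useWith,                                   // true
    v1SourceHasAttackerName: compile(TEMPLATE, v1).source.includes("(evil"),
    v1Error,                                                 // "ReferenceError"
    v2VarName: v2.varName,                                   // "it"
    v2Output: renderV2(TEMPLATE, UNTRUSTED_LOCALS),          // "Hello &lt;b&gt;Mallory&lt;/b&gt;"
    v1PickedOutput: renderV1(TEMPLATE, pickLocals(UNTRUSTED_LOCALS, ["name"])),
  };
}
```

`demo()` shows the two sides of the fix: under the v1 shape the request body has already rewritten `varName` and `useWith` before any template runs, and the attacker-chosen string lands in the generated function source; under the v2 shape the same body is bound to `it` as plain data and rendered escaped. `pickLocals` is the advisory's workaround in code form for installations still on v1, but the real remedy is the one this PR applies: upgrade to 2.0.0 and pass configuration as `renderFile`'s third argument.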