devrsi0n / chirpy

💬 A privacy-friendly and customizable Disqus (comment system) alternative. A comment system that emphasizes privacy protection and customization.
https://chirpy.dev
GNU Affero General Public License v3.0
555 stars, 32 forks

fix(deps): update dependency eta to v2 [security] #562

Open renovate[bot] opened 1 year ago

renovate[bot] commented 1 year ago

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| eta (source) | 1.12.3 -> 2.0.0 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2023-23630

Impact

XSS attack - anyone using the Express API is impacted

Patches

The problem has been resolved. Users should upgrade to version 2.0.0.

Workarounds

Don't pass user supplied data directly to res.renderFile.

References

See https://github.com/eta-dev/eta/releases/tag/v2.0.0

CVE-2022-25967

Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from the Express render API. Note: This is exploitable only for users who are rendering templates with user-defined data.


Release Notes

eta-dev/eta (eta)

### [`v2.0.0`](https://togithub.com/eta-dev/eta/releases/tag/v2.0.0): Version 2.0.0

[Compare Source](https://togithub.com/eta-dev/eta/compare/v1.14.2...v2.0.0)

#### TL;DR

This commit includes fixes for several security vulnerabilities. Specifically, in version 1, Eta merged the `data` parameter of `renderFile()` into `config` -- meaning that malicious untrusted user data, passed through in a very specific way, could potentially modify the values of `varName`, `include`, `includeFile`, and `useWith`, and thus insert arbitrary code into user template functions.

With this release, such behavior is removed. Configuration cannot be passed through the `data` parameter to `eta.renderFile()`.

Most users will be able to update from version 1 to version 2 without changing any code. All users are encouraged to update as soon as possible.

#### Practical Implications

- Configuration must be passed to `renderFile` explicitly, rather than merged with the `data` parameter
- Using Express.js `app.set()` to modify `views` and `view cache` will no longer change Eta's configuration of `views` and `cache`.
  - However, since Express still uses its own `views` and `view cache` options under the hood, users should configure both Eta and Express with desired values (example below)
- Eta no longer recognizes the legacy Express.js `settings["view options"]` property

**Example Code Changes**

```js
// Change THIS:
renderFile(filePath, { cache: true }) // This worked in v1 but does not work in v2
// To THIS:
renderFile(filePath, {}, { cache: true }) // This works in v1 and v2

// Change THIS:
var eta = require("eta")
app.set("view engine", "eta")
app.set("views", "./views")
app.set("view cache", true)
// To THIS:
var eta = require("eta")
app.engine("eta", eta.renderFile)
eta.configure({ views: "./views", cache: true }) // configure eta
app.set("views", "./views") // configure Express
app.set("view cache", true) // configure Express
app.set("view engine", "eta")
```

#### Commits

- Don't use data object for Eta configuration ([#214](https://togithub.com/eta-dev/eta/issues/214)) [`5651392`](https://togithub.com/eta-dev/eta/commit/5651392)

### [`v1.14.2`](https://togithub.com/eta-dev/eta/releases/tag/v1.14.2): Version 1.14.2

[Compare Source](https://togithub.com/eta-dev/eta/compare/v1.14.1...v1.14.2)

#### TL;DR

- Fixed "types" field in package.json

#### Commits

- fix type declaration ([#213](https://togithub.com/eta-dev/eta/issues/213)) [`f9994ad`](https://togithub.com/eta-dev/eta/commit/f9994ad)

### [`v1.14.1`](https://togithub.com/eta-dev/eta/releases/tag/v1.14.1): Version 1.14.1

[Compare Source](https://togithub.com/eta-dev/eta/compare/v1.14.0...v1.14.1)

#### TL;DR

- Fixed package.json `exports` and `type` fields

#### Commits

- Rebuild README.md [`403121c`](https://togithub.com/eta-dev/eta/commit/403121c)
- docs: add gurgunday as a contributor for code ([#212](https://togithub.com/eta-dev/eta/issues/212)) [`308bfb4`](https://togithub.com/eta-dev/eta/commit/308bfb4)
- Fix outputs ([#211](https://togithub.com/eta-dev/eta/issues/211)) [`d7c68b3`](https://togithub.com/eta-dev/eta/commit/d7c68b3)

### [`v1.14.0`](https://togithub.com/eta-dev/eta/releases/tag/v1.14.0): Version 1.14.0

[Compare Source](https://togithub.com/eta-dev/eta/compare/v1.13.0...v1.14.0)

#### TL;DR

- Refactored Eta's build process to make it more maintainable
- Improved NodeNext support

#### Commits

- Switch build process to use microbundle ([#209](https://togithub.com/eta-dev/eta/issues/209)) [`3442ceb`](https://togithub.com/eta-dev/eta/commit/3442ceb)

### [`v1.13.0`](https://togithub.com/eta-dev/eta/releases/tag/v1.13.0): Version 1.13.0

[Compare Source](https://togithub.com/eta-dev/eta/compare/v1.12.3...v1.13.0)

#### TL;DR

- Improved return types through TS function overloading
- Fixed the "types" field in package.json

#### Commits

- Rebuild [`197eb04`](https://togithub.com/eta-dev/eta/commit/197eb04)
- docs: add nhaef as a contributor for code ([#206](https://togithub.com/eta-dev/eta/issues/206)) [`c954bfe`](https://togithub.com/eta-dev/eta/commit/c954bfe)
- Rebuild and format [`1cae832`](https://togithub.com/eta-dev/eta/commit/1cae832)
- Improve return types for `render`, `renderAsync`, `renderFile` and `renderFileAsync` ([#199](https://togithub.com/eta-dev/eta/issues/199)) [`242e9fc`](https://togithub.com/eta-dev/eta/commit/242e9fc)
- Fix types specification in package.json ([#193](https://togithub.com/eta-dev/eta/issues/193)) [`7190909`](https://togithub.com/eta-dev/eta/commit/7190909)
- Fix types specification in package.json ([#193](https://togithub.com/eta-dev/eta/issues/193)) [`fe26ba1`](https://togithub.com/eta-dev/eta/commit/fe26ba1)
- Fix types specification in package.json ([#193](https://togithub.com/eta-dev/eta/issues/193)) [`812825d`](https://togithub.com/eta-dev/eta/commit/812825d)
- Nit: change eslint file type ([#204](https://togithub.com/eta-dev/eta/issues/204)) [`8c82f3c`](https://togithub.com/eta-dev/eta/commit/8c82f3c)
- chore(deps): bump dot-prop and [@commitlint/config-conventional](https://togithub.com/commitlint/config-conventional) ([#203](https://togithub.com/eta-dev/eta/issues/203)) [`9e22984`](https://togithub.com/eta-dev/eta/commit/9e22984)
- Update dependencies ([#202](https://togithub.com/eta-dev/eta/issues/202)) [`749b197`](https://togithub.com/eta-dev/eta/commit/749b197)
- Merge pull request [#188](https://togithub.com/eta-dev/eta/issues/188) from gitBaiano/patch-1 [`2eb2d9f`](https://togithub.com/eta-dev/eta/commit/2eb2d9f)
- Update Benchmark modules [`35a7d8d`](https://togithub.com/eta-dev/eta/commit/35a7d8d)
- Merge pull request [#179](https://togithub.com/eta-dev/eta/issues/179) from eta-dev/dependabot/npm_and_yarn/terser-4.8.1 [`4c23380`](https://togithub.com/eta-dev/eta/commit/4c23380)
- chore(deps): bump terser from 4.8.0 to 4.8.1 [`15fd2b9`](https://togithub.com/eta-dev/eta/commit/15fd2b9)
- Merge pull request [#160](https://togithub.com/eta-dev/eta/issues/160) from eta-dev/dependabot/npm_and_yarn/node-fetch-2.6.7 [`064f776`](https://togithub.com/eta-dev/eta/commit/064f776)
- chore(deps): bump node-fetch from 2.6.1 to 2.6.7 [`60263b0`](https://togithub.com/eta-dev/eta/commit/60263b0)
- Merge pull request [#174](https://togithub.com/eta-dev/eta/issues/174) from eta-dev/dependabot/npm_and_yarn/jsdom-16.7.0 [`ff801ea`](https://togithub.com/eta-dev/eta/commit/ff801ea)
- chore(deps): bump jsdom from 16.4.0 to 16.7.0 [`14aedfb`](https://togithub.com/eta-dev/eta/commit/14aedfb)
- Merge pull request [#170](https://togithub.com/eta-dev/eta/issues/170) from Tobbe/patch-1 [`9c8e426`](https://togithub.com/eta-dev/eta/commit/9c8e426)
- README.ms: Fix rawgit links [`12005a5`](https://togithub.com/eta-dev/eta/commit/12005a5)
- Merge pull request [#167](https://togithub.com/eta-dev/eta/issues/167) from ralphwetzel/patch-1 [`912c2e3`](https://togithub.com/eta-dev/eta/commit/912c2e3)
- Update README.md [`5512169`](https://togithub.com/eta-dev/eta/commit/5512169)
- Merge pull request [#156](https://togithub.com/eta-dev/eta/issues/156) from eta-dev/dependabot/npm_and_yarn/shelljs-0.8.5 [`663556c`](https://togithub.com/eta-dev/eta/commit/663556c)
- Merge pull request [#158](https://togithub.com/eta-dev/eta/issues/158) from benasher44/patch-1 [`1f1f321`](https://togithub.com/eta-dev/eta/commit/1f1f321)
- Merge pull request [#157](https://togithub.com/eta-dev/eta/issues/157) from eta-dev/dependabot/npm_and_yarn/nanoid-3.2.0 [`b1026d3`](https://togithub.com/eta-dev/eta/commit/b1026d3)
- Merge pull request [#154](https://togithub.com/eta-dev/eta/issues/154) from shadowtime2000/issue-146 [`aedaab7`](https://togithub.com/eta-dev/eta/commit/aedaab7)
- Update README.md [`34628da`](https://togithub.com/eta-dev/eta/commit/34628da)
- Update benchmarks link [`d5e25ab`](https://togithub.com/eta-dev/eta/commit/d5e25ab)
- Merge pull request [#155](https://togithub.com/eta-dev/eta/issues/155) from benasher44/master [`694976f`](https://togithub.com/eta-dev/eta/commit/694976f)
- chore(deps): bump nanoid from 3.1.12 to 3.2.0 [`21234a1`](https://togithub.com/eta-dev/eta/commit/21234a1)
- chore(deps-dev): bump shelljs from 0.8.4 to 0.8.5 [`f28b718`](https://togithub.com/eta-dev/eta/commit/f28b718)
- Compile templates before render for benchmarks [`d469b4c`](https://togithub.com/eta-dev/eta/commit/d469b4c)
- fix(146): add browser es versions [`408d59c`](https://togithub.com/eta-dev/eta/commit/408d59c)
- Merge pull request [#145](https://togithub.com/eta-dev/eta/issues/145) from eta-dev/dependabot/npm_and_yarn/tmpl-1.0.5 [`0bdf07e`](https://togithub.com/eta-dev/eta/commit/0bdf07e)
- chore(deps): bump tmpl from 1.0.4 to 1.0.5 [`e1101a9`](https://togithub.com/eta-dev/eta/commit/e1101a9)
- Merge pull request [#133](https://togithub.com/eta-dev/eta/issues/133) from eta-dev/dependabot/npm_and_yarn/path-parse-1.0.7 [`a0072e8`](https://togithub.com/eta-dev/eta/commit/a0072e8)
- chore(deps): bump path-parse from 1.0.6 to 1.0.7 [`48d9857`](https://togithub.com/eta-dev/eta/commit/48d9857)
- v1.12.3 [`304b9e2`](https://togithub.com/eta-dev/eta/commit/304b9e2)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
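A worked model of the CVE-2022-25967 mechanism the advisory and release notes describe above, added here as an illustration; it is not code from eta, chirpy or the advisory, and every name in it (`buildSource`, `compile`, `effectiveConfigV1`/`effectiveConfigV2`, `renderFileV1`/`renderFileV2`, `renderUntrustedV1`, `assertNoEngineOptions`) is assumed for the example. The toy engine reproduces only the shape of the flaw: engine options such as `varName` and `useWith` are concatenated into source that is handed to `new Function`, and the v1-style `renderFile` let keys on the untrusted `data` object override those options. The attacker input is constructed and deliberately benign (`varName: "x"`); it shows that request-controlled text reaches the generated function and changes its behaviour, which is all a reviewer needs to see to understand why "don't pass user supplied data directly to `res.renderFile`" was the workaround.

```javascript
// Added illustration of the eta v1 config-merge flaw; not eta's source code.
// All identifiers here are assumed for the example.

// Engine options named in the advisory; this toy engine only uses the first two.
const DEFAULT_CONFIG = { varName: "it", useWith: false };
const ENGINE_OPTION_KEYS = ["varName", "useWith", "include", "includeFile"];

// Turn "Hello <%= it.name %>!" into JavaScript source for a render function.
// config.varName and config.useWith are concatenated straight into that
// source: whoever controls them controls the generated code.
function buildSource(template, config) {
  const interp = /<%=\s*([\s\S]+?)\s*%>/g;
  let body = "var tR = '';\n";
  let last = 0;
  let m;
  while ((m = interp.exec(template)) !== null) {
    body += "tR += " + JSON.stringify(template.slice(last, m.index)) + ";\n";
    body += "tR += String(" + m[1] + ");\n";
    last = m.index + m[0].length;
  }
  body += "tR += " + JSON.stringify(template.slice(last)) + ";\n";
  body += "return tR;\n";
  if (config.useWith) body = "with (" + config.varName + ") {\n" + body + "}\n";
  return { params: config.varName, body };
}

function compile(template, config) {
  const { params, body } = buildSource(template, config);
  return new Function(params, body); // the generated template function
}

// v1-style: the caller's data object is merged into the configuration, so a
// request body carrying `varName`, `useWith`, ... overrides the engine options.
function effectiveConfigV1(data, config = {}) {
  return Object.assign({}, DEFAULT_CONFIG, config, data);
}

// v2-style: configuration comes only from the explicit config argument.
function effectiveConfigV2(data, config = {}) {
  return Object.assign({}, DEFAULT_CONFIG, config);
}

function renderFileV1(template, data, config = {}) {
  return compile(template, effectiveConfigV1(data, config))(data);
}

function renderFileV2(template, data, config = {}) {
  return compile(template, effectiveConfigV2(data, config))(data);
}

// The advisory's workaround for code still on v1: never pass request data as
// the top-level data object. Nesting it under a key the application owns
// means its property names can never collide with engine options.
function renderUntrustedV1(template, untrusted) {
  return renderFileV1(template, { user: untrusted });
}

// Belt-and-braces check for v1 call sites: refuse a top-level data object
// that carries any engine option name at all.
function assertNoEngineOptions(data) {
  const hits = Object.keys(data).filter((k) => ENGINE_OPTION_KEYS.includes(k));
  if (hits.length > 0) {
    throw new Error("data object carries engine options: " + hits.join(", "));
  }
  return true;
}

// Constructed attacker input: one legitimate field plus an engine option.
const ATTACKER_DATA = { name: "Mallory", varName: "x" };
const TEMPLATE = "Hello <%= it.name %>!";

function demo() {
  const v1 = effectiveConfigV1(ATTACKER_DATA);
  const v2 = effectiveConfigV2(ATTACKER_DATA);
  console.log("v1 generated params:", buildSource(TEMPLATE, v1).params); // "x" (attacker-controlled)
  console.log("v2 generated params:", buildSource(TEMPLATE, v2).params); // "it"
  try {
    renderFileV1(TEMPLATE, ATTACKER_DATA);
  } catch (e) {
    console.log("v1 render failed:", e.name); // ReferenceError: `it` no longer exists in the function
  }
  console.log("v2 render:", renderFileV2(TEMPLATE, ATTACKER_DATA));
  console.log("v1 with nesting:", renderUntrustedV1("Hello <%= it.user.name %>!", ATTACKER_DATA));
}

demo();
```

The benign payload only renames the template function's parameter, but the point is the data path, not the payload: once a request field can rewrite the parameter list or the `with (...)` head of a function built with `new Function`, the attacker is choosing what JavaScript gets compiled. Upgrading to eta 2.0.0 removes the merge; the nesting and the option-name check are for any v1 call site that cannot be upgraded yet.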

vercel[bot] commented 1 year ago

The latest updates on your projects. Learn more about Vercel for Git ↗︎

| Name | Status | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| chirpy | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Mar 4, 2024 6:41am |
changeset-bot[bot] commented 1 year ago

⚠️ No Changeset found

Latest commit: 539c2b297509b60a8937f981b80a5be11328c521

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

relativeci[bot] commented 1 year ago

Job #1411: Bundle Size: 2.36MiB (0%).

285daff (current) vs e32b68c main#1410 (baseline)

⚠️ Bundle contains 3 duplicate packages

Metrics (1 change)

| | Current Job #1411 | Baseline Job #1410 |
|:--|--:|--:|
| Initial JS | 1.9MiB | 1.9MiB |
| Initial CSS | 85.7KiB | 85.7KiB |
| Cache Invalidation | 0% | 59.72% |
| Chunks | 56 | 56 |
| Assets | 75 | 75 |
| Modules | 1821 | 1821 |
| Duplicate Modules | 237 | 237 |
| Duplicate Code | 5.53% | 5.53% |
| Packages | 148 | 148 |
| Duplicate Packages | 3 | 3 |

Total size by type (no changes)

| | Current [Job #1411](https://app.relative-ci.com/projects/rYoEVFddayylGRgFiBEd/jobs/1411-A4mIJYarHoiX2q5cIcrT?utm_source=github&utm_medium=pr-report) | Baseline [Job #1410](https://app.relative-ci.com/projects/rYoEVFddayylGRgFiBEd/jobs/1410-JxqvfXwAwk9VJo7J0tU9?utm_source=github&utm_medium=pr-report) |
|:--|--:|--:|
| CSS | `85.7KiB` | `85.7KiB` |
| Fonts | `177.08KiB` | `177.08KiB` |
| HTML | `0B` | `0B` |
| IMG | `1.26KiB` | `1.26KiB` |
| JS | `2.09MiB` | `2.09MiB` |
| Media | `0B` | `0B` |
| Other | `15.16KiB` | `15.16KiB` |

View job #1411 report · View refs/pull/562/merge branch activity

cypress[bot] commented 1 year ago

2 failed tests on run #1941 ↗︎

| Failed | Passed | Pending | Skipped | Flakiness |
|---|---|---|---|---|
| 2 | 4 | 0 | 1 | 0 |

Details:

fix(deps): update dependency eta to v2 [security]
Project: chirpy · Commit: 8211e748ee
Status: Failed · Duration: 02:40 💡
Started: Jul 8, 2023 1:55 AM · Ended: Jul 8, 2023 1:58 AM

Failed: home/header.spec.ts • 1 failed test • Cypress Actions: View Output, Video
Test Artifacts: Header > should show user menu (Output, Screenshots, Video)

Failed: dashboard/project.spec.ts • 1 failed test • Cypress Actions: View Output, Video
Test Artifacts: Project > should show integration doc (Output, Screenshots, Video)

This comment has been generated by cypress-bot as a result of this project's GitHub integration settings.

github-actions[bot] commented 1 year ago

Coverage report for ./apps/main

โŒ An unexpected error occurred. For more details, check console

Error: The process '/opt/hostedtoolcache/node/16.20.1/x64/bin/npx' failed with exit code 1
Branches coverage not met for global: expected >=1%, but got 0%
| Category | Percentage | Covered / Total |
|---|---|---|
| 🔴 Statements | 1.14% | 6/525 |
| 🔴 Branches | 0% | 0/101 |
| 🔴 Functions | 1.25% | 1/80 |
| 🔴 Lines | 1.28% | 6/468 |

Test suite run failed

Failed tests: 0/1. Failed suites: 1/2.
```
● Test suite failed to run

    Jest encountered an unexpected token

    Jest failed to parse a file. This happens e.g. when your code or its dependencies use non-standard JavaScript syntax, or when Jest is not configured to support such syntax.

    Out of the box Jest supports Babel, which will be used to transform your files into valid JS based on your Babel configuration.

    By default "node_modules" folder is ignored by transformers.

    Here's what you can do:
     • If you are trying to use ECMAScript Modules, see https://jestjs.io/docs/ecmascript-modules for how to enable it.
     • If you are trying to use TypeScript, see https://jestjs.io/docs/getting-started#using-typescript
     • To have some of your "node_modules" files transformed, you can specify a custom "transformIgnorePatterns" in your config.
     • If you need a custom transformation specify a "transform" option in your config.
     • If you simply want to mock your non-JS modules (e.g. binary assets) you can stub them out with the "moduleNameMapper" config option.

    You'll find more details and examples of these config options in the docs:
    https://jestjs.io/docs/configuration
    For information about custom transformations, see:
    https://jestjs.io/docs/code-transformation

    Details:

    /home/runner/work/chirpy/chirpy/node_modules/.pnpm/github-slugger@2.0.0/node_modules/github-slugger/index.js:1
    ({"Object.":function(module,exports,require,__dirname,__filename,jest){import { regex } from './regex.js'
                                                                           ^^^^^^

    SyntaxError: Cannot use import statement outside a module

      at Runtime.createScriptFromCode (../../node_modules/.pnpm/jest-runtime@29.6.1/node_modules/jest-runtime/build/index.js:1496:14)
      at Object. (src/server/common/constants.ts:371:66)
      at Object. (src/server/mdx/files.ts:1127:27)
      at Object. (src/server/mdx/__tests__/files.test.ts:23:16)
```

Report generated by 🧪 jest coverage report action from 8211e748eec6616261041094688361905f783269