🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
This version changes how URL objects are serialized. The result of serialization may change if you are passing URL object values into serialize-javascript.
The package terser, in versions before 4.8.1 and from 5.0.0 before 5.14.2, is vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
You don't seem to have any Continuous Integration service set up!
Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.
This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:
* [Circle CI](https://circleci.com), [Semaphore](https://semaphoreci.com) and [GitHub Actions](https://docs.github.com/actions) are all excellent options.
* If you use something like Jenkins, make sure that you're using the GitHub integration correctly so that it reports status data back to GitHub.
* If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don’t want it to run on every branch, you can whitelist branches starting with `depfu/`.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with `@depfu rebase`.

All Depfu comment commands

| Command | Effect |
|---|---|
| `@depfu rebase` | Rebases against your default branch and redoes this update |
| `@depfu recreate` | Recreates this PR, overwriting any edits that you've made to it |
| `@depfu merge` | Merges this PR once your tests are passing and conflicts are resolved |
| `@depfu cancel merge` | Cancels automatic merging of this PR |
| `@depfu close` | Closes this PR and deletes the branch |
| `@depfu reopen` | Restores the branch and reopens this PR (if it's closed) |
| `@depfu pause` | Ignores all future updates for this dependency and closes this PR |
| `@depfu pause [minor\|major]` | Ignores all future minor/major updates for this dependency and closes this PR |
| `@depfu resume` | Future versions of this dependency will create PRs again (leaves this PR as is) |
What changed?
✳️ webpack (5.39.1 → 5.93.0) · Repo
Security Advisories 🚨
🚨 Cross-realm object access in Webpack 5
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ @types/eslint (indirect, 7.2.13 → 8.56.10) · Repo
Sorry, we couldn't find anything useful about this release.
↗️ @types/estree (indirect, 0.0.47 → 1.0.5) · Repo
Sorry, we couldn't find anything useful about this release.
↗️ @types/json-schema (indirect, 7.0.7 → 7.0.15) · Repo
Sorry, we couldn't find anything useful about this release.
↗️ acorn (indirect, 8.4.0 → 8.12.1) · Repo
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ browserslist (indirect, 4.16.6 → 4.23.2) · Repo · Changelog
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ caniuse-lite (indirect, 1.0.30001238 → 1.0.30001641) · Repo · Changelog
↗️ electron-to-chromium (indirect, 1.3.752 → 1.4.827) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 2 commits:
1.4.827
generate new version
↗️ es-module-lexer (indirect, 0.4.1 → 1.5.4) · Repo · Changelog
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ escalade (indirect, 3.1.1 → 3.1.2) · Repo
Release Notes
3.1.2
Commits
See the full diff on Github. The new version differs by 4 commits:
3.1.2
fix: add "types" conditions (#10)
fix(ci): update versions
chore: add licenses badge
↗️ graceful-fs (indirect, 4.2.6 → 4.2.11) · Repo
Commits
See the full diff on Github. The new version differs by 24 commits:
4.2.11
Add EBUSY to handled error codes for windows directory rename
update and improve tests somewhat
4.2.10
fix spurious ENOTEMPTY in test on windows ci
avoid spurious EBUSY in windows CI tests
ci: output raw tap from test
actually fix memory leak test failing spuriously
fix memory leak test failing spuriously
do not try to patch missing fs functions
Avoid setPrototypeOf if prototype is undefined
install with npm 8
fix: fs.readdir() on ancient nodes that don't know about options
chore: add copyright year to license
ci: makework
4.2.9
fix(stat): support throwIfNoEntry for `statSync`
4.2.8
fix: start retrying immediately, stop after 60 seconds
4.2.7
fix: start retrying immediately, stop after 10 attempts
chore: refactor readdir to be consistent
Fix copyFile wrapper when retry hits EMFILE again
Clarify README.md regarding sync methods (#207)
↗️ jest-worker (indirect, 27.0.2 → 27.5.1) · Repo · Changelog
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ node-releases (indirect, 1.1.73 → 2.0.14) · Repo
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ punycode (indirect, 2.1.1 → 2.3.1) · Repo
Commits
See the full diff on Github. The new version differs by 25 commits:
Release v2.3.1
Prepare v2.3.1 release
Update `version`
ci(deps): update GitHub Actions workflows to run on Node.js 20 (LTS) (#130)
Update dependencies (#128)
Fix broken reference
Add README section for maintainers
Release v2.3.0
Rename package.json#name before publishing `punycode.js`
Release v2.2.2
Update repo URL
Add jsDelivr hits badge (#69)
Update mocha dependency (#103)
Set up GitHub Actions
Add test for #115
Do not encode DEL (#115)
Update browser support section in README (#118)
Replace `let` with `const` where applicable (#93)
Release v2.2.1
Do not decode non-ASCII-alphanumerics in Punycode labels (#124)
Release v2.2.0
fix: upstream node.js changes (#121)
fix: update jsdoc definitions (#120)
Fix usage instructions in README (#113)
Add LTS Node.js version to CI settings (#92)
↗️ schema-utils (indirect, 3.0.0 → 3.3.0) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 26 commits:
chore(release): 3.3.0
feat: added API to disable and enable validation (#183)
fix(perf): cache compiled schema (#182)
chore(release): 3.2.0
feat: implement `undefinedAsNull` keyword for `enum` type (#176)
chore(release): 3.1.2
fix(perf): reduced initial start time (#170)
chore(release): 3.1.1
fix: update error message for `integer` (#136)
chore: update deps (#137)
ci: use `actions/setup-node@v2` (#135)
chore(release): 3.1.0
refactor: added `link` to other formats (#134)
feat: added the `link` property in validation error
build(deps): bump handlebars from 4.7.6 to 4.7.7 (#124)
build(deps): bump lodash from 4.17.20 to 4.17.21 (#125)
chore: update deps (#132)
chore: add scripts for fixing lint (#129)
chore: update prettier config (#130)
chore: update dev-deps (#128)
chore: update nodejs.yml (#127)
build(deps): bump browserslist from 4.16.3 to 4.16.6 (#126)
chore: deps and tests (#122)
chore(deps): update (#120)
chore: fix typo in ISSUE_TEMPLATE (#117)
fix: non-empty validation error message (#116)
↗️ serialize-javascript (indirect, 5.0.1 → 6.0.2) · Repo
Release Notes
6.0.2
6.0.1
6.0.0
Commits
See the full diff on Github. The new version differs by 46 commits:
6.0.2
fix: serialize URL string contents to prevent XSS (#173)
Bump @babel/traverse from 7.10.1 to 7.23.7 (#171)
docs: update readme with URL support (#146)
chore: update node version and lock file
fix typo (#164)
Release v6.0.1 (#157)
Fix serialization issue for 0n. (#156)
Bump json5 from 2.1.3 to 2.2.3 (#155)
Bump mocha from 10.1.0 to 10.2.0 (#153)
Bump minimatch from 3.0.4 to 3.1.2 (#152)
ci: bump GitHub Actions
Bump chai from 4.3.6 to 4.3.7 (#150)
Bump mocha from 10.0.0 to 10.1.0 (#149)
Bump mocha from 9.2.2 to 10.0.0 (#145)
Bump minimist from 1.2.5 to 1.2.6 (#144)
Bump mocha from 9.2.0 to 9.2.2 (#143)
Bump ansi-regex from 5.0.0 to 5.0.1 (#141)
Bump chai from 4.3.4 to 4.3.6 (#140)
Bump mocha from 9.1.4 to 9.2.0 (#138)
Bump mocha from 9.1.3 to 9.1.4 (#137)
Bump mocha from 9.1.2 to 9.1.3 (#133)
Bump mocha from 9.1.1 to 9.1.2 (#132)
Bump mocha from 9.1.0 to 9.1.1 (#131)
Bump mocha from 9.0.3 to 9.1.0 (#130)
Bump path-parse from 1.0.6 to 1.0.7 (#129)
Bump mocha from 9.0.2 to 9.0.3 (#127)
Bump mocha from 9.0.1 to 9.0.2 (#126)
v6.0.0
Add support for URLs (#123)
Bump mocha from 9.0.0 to 9.0.1 (#124)
Bump mocha from 8.4.0 to 9.0.0 (#121)
Update Node.js CI matrix (#122)
Bump mocha from 8.3.2 to 8.4.0 (#120)
Bump lodash from 4.17.19 to 4.17.21 (#119)
Bump y18n from 4.0.0 to 4.0.1 (#116)
Bump chai from 4.3.3 to 4.3.4 (#115)
Bump mocha from 8.3.1 to 8.3.2 (#114)
Bump mocha from 8.3.0 to 8.3.1 (#113)
Bump chai from 4.3.1 to 4.3.3 (#112)
Bump chai from 4.2.0 to 4.3.1 (#111)
Bump mocha from 8.2.1 to 8.3.0 (#109)
Bump mocha from 8.1.3 to 8.2.1 (#105)
Drop Travis CI settings (#100)
Change default branch name to main (#99)
GitHub Actions (#98)
↗️ source-map-support (indirect, 0.5.19 → 0.5.21) · Repo
Commits
See the full diff on Github. The new version differs by 11 commits:
0.5.21
Merge pull request #257 from brettz9/register-hook-require
0.5.20
Update built files
Add back missing unlink call
Merge pull request #297 from tapjs/isaacs/do-not-break-on-missing-global-process
fix: do not crash if process is not set
fix(test): fix writeFileSync on newer node versions
fix: replace build.js curl call with node https
Merge pull request #282 from evanw/dependabot/npm_and_yarn/http-proxy-1.18.1
Bump http-proxy from 1.17.0 to 1.18.1
↗️ terser (indirect, 5.7.0 → 5.31.2) · Repo · Changelog
Security Advisories 🚨
🚨 Terser insecure use of regular expressions leads to ReDoS
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ terser-webpack-plugin (indirect, 5.1.3 → 5.3.10) · Repo · Changelog
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ watchpack (indirect, 2.2.0 → 2.4.1) · Repo
Release Notes
2.4.1
2.4.0
2.3.0
Commits
See the full diff on Github. The new version differs by 48 commits:
chore(release): 2.4.1
fix: do not report directory as initial missing on the second watch
test: more
fix: logic
refactor: remove debug code
fix: do not report directory as initial missing on the second watch
chore(deps): regenerate lock file
refactor: update scripts
style: fix
chore(deps): regenerate lock file
docs: fix badge
docs: fix badge
ci: migrate on github actions
docs: update readme
ci: fix codecov token
ci: migrate on github actions
2.4.0
Merge pull request #215 from markjm/markjm/repsect-fs-accuracy
respect FS_ACCURACY
2.3.1
Merge pull request #212 from webpack/bugfix/context-time-info
add test case
set file info for directories too
report time info for directories correctly
2.3.0
Merge pull request #211 from webpack/bugfix/missing-info
fix missing time info in files
Merge pull request #205 from markjm/markjm/split
Merge pull request #210 from webpack/ci/no-macos-polling
Merge branch 'main' into markjm/split
Merge pull request #197 from markjm/markjm/watch-change
provide additional method instead of changing existing one
disable testing polling for macos ci
Merge pull request #208 from webpack/perf/update-watchers
rename branch to main
improve watcher update performance
fix typo
avoid RegexpLike in favor of a function
Merge pull request #203 from rishabh3112/patch-1
Merge pull request #207 from webpack/bugfix/ignore-permission-warnings
Merge pull request #206 from markjm/markjm/stabilize-tests
avoid EACCES permission errors
test: fix instability in polling tests
Support splitting of files and directories in getTimeInfoEntries
Allow function in watchOptions.ignored
chore: add node v17 in CI
Merge pull request #191 from webpack/dependabot/npm_and_yarn/handlebars-4.7.7
Merge pull request #192 from webpack/dependabot/npm_and_yarn/lodash-4.17.21
↗️ webpack-sources (indirect, 2.3.0 → 3.2.3) · Repo
Release Notes
3.2.2
3.2.1
3.2.0
3.1.2
3.0.4
3.0.2
3.0.1
3.0.0
2.3.1
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
🆕 @jridgewell/gen-mapping (added, 0.3.5)
🆕 @jridgewell/resolve-uri (added, 3.1.2)
🆕 @jridgewell/set-array (added, 1.2.1)
🆕 @jridgewell/source-map (added, 0.3.6)
🆕 @jridgewell/sourcemap-codec (added, 1.5.0)
🆕 @jridgewell/trace-mapping (added, 0.3.25)
🆕 acorn-import-attributes (added, 1.9.5)
🆕 json-parse-even-better-errors (added, 2.3.1)
🆕 picocolors (added, 1.0.1)
🆕 update-browserslist-db (added, 1.1.0)
🗑️ colorette (removed)
🗑️ json-parse-better-errors (removed)
🗑️ source-list-map (removed)
🗑️ yocto-queue (removed)