google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0

chore(deps): Bump the npm_and_yarn group across 1 directory with 35 updates #1047

Closed dependabot[bot] closed 1 week ago

dependabot[bot] commented 1 week ago

Bumps the npm_and_yarn group with 22 updates in the /internal/remediation/fixtures/santatracker directory:

| Package | From | To |
|---|---|---|
| dat.gui | 0.7.3 | 0.7.8 |
| firebase | 8.10.0 | 10.12.2 |
| google-closure-library | v20190909.0.0 | 20200315.0.0 |
| jsdom | 12.2.0 | 16.5.0 |
| json5 | 2.1.0 | 2.2.2 |
| mocha | 5.2.0 | 10.4.0 |
| mocha-headless-server | 0.1.2 | 0.1.4 |
| terser | 3.10.11 | 4.8.1 |
| yargs | 12.0.2 | 17.7.2 |
| @google-cloud/cloudbuild | 2.6.0 | 4.5.0 |
| semver | 5.5.1 | 5.7.2 |
| @babel/traverse | 7.6.0 | 7.24.7 |
| acorn | 5.7.3 | 8.12.0 |
| acorn | 7.1.0 | 8.12.0 |
| acorn | 6.0.2 | 8.12.0 |
| braces | 3.0.2 | 3.0.3 |
| get-func-name | 2.0.0 | 2.0.2 |
| google-p12-pem | 3.1.2 | 3.1.4 |
| json-schema | 0.2.3 | 0.4.0 |
| jsprim | 1.4.1 | 1.4.2 |
| lodash | 4.17.20 | 4.17.21 |
| path-parse | 1.0.6 | 1.0.7 |
| pathval | 1.1.0 | 1.1.1 |
| qs | 6.5.2 | 6.5.3 |

Updates dat.gui from 0.7.3 to 0.7.8

Release notes

Sourced from dat.gui's releases.

0.7.8

  • Fix ReDos in CSS_RGB and CSS_RGBA #279

0.7.7

No release notes provided.

0.7.6

No release notes provided.

0.7.5

No release notes provided.

0.7.4

No release notes provided.

Commits
  • 6a444cc 0.7.8
  • 103be80 Removed CHANGELOG.md
  • f720c72 Merge pull request #279 from yetingli/master
  • 40f4fc1 Remove link to defunct tutorial.
  • 1e1aecb Fix ReDos in CSS_RGB and CSS_RGBA
  • 51d1a37 Merge pull request #274 from dataarts/dependabot/npm_and_yarn/lodash-4.17.19
  • 28b15c6 Bump lodash from 4.17.15 to 4.17.19
  • 071edeb Use primitive type instead of nullable boxed type
  • 92cebb3 Re-lint.
  • b290bf7 Update lint rules.
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by mrdoob, a new releaser for dat.gui since your current version.


Updates firebase from 8.10.0 to 10.12.2

Release notes

Sourced from firebase's releases.

firebase@10.12.2

For more detailed release notes, see Firebase JavaScript SDK Release Notes.

What's Changed

@firebase/app@0.10.5

Patch Changes

  • Update SDK_VERSION.

@firebase/app-compat@0.2.35

Patch Changes

  • Updated dependencies []:
      • @firebase/app@0.10.5

@firebase/auth@1.7.4

Patch Changes

@firebase/auth-compat@0.5.9

Patch Changes

firebase@10.12.2

Patch Changes

@firebase/vertexai-preview@0.0.2

Patch Changes

  • 3883133c3 #8256 - Change types paths to point to rolled-up public d.ts files. This fixes some TypeScript compiler errors users are seeing.

firebase@10.12.1

For more detailed release notes, see Firebase JavaScript SDK Release Notes.

... (truncated)

Commits


Updates google-closure-library from v20190909.0.0 to 20200315.0.0

Release notes

Sourced from google-closure-library's releases.

Closure Library v20200315

New Additions

  • Add SafeHtml.comment.

Security Fixes

  • Fixes CVE-2020-8910.

Backwards Incompatible Changes

  • Delete inlay css styles, which are not actually used by Closure.
  • Add non-nullable modifier to return type of functions never returning null.
  • Remove forwardDeclares from Closure Events Listenable by reducing the typing of the event key's src property to just Listenable, instead of Listenable|EventTarget. Note that EventTarget is the primary implementation of Listenable.

Other Changes

  • Added SafeUrl.fromMediaSource()
  • Fix authority parsing in Closure URI parser.
  • Document mode is now based on user agent on IE if not present in document
  • Add a define to module manager so that we can control module loading behaviors.
  • Add non-nullable modifier to return type of functions never returning null.
  • goog.isArray is deprecated in favor of Array.isArray
  • Update Thenable.then rejection handler JSDoc to reflect actual functionality.

Closure Library v20200224

New Additions

  • Create goog.debug.deepFreeze.
  • Added goog.async.promises.allMapsValues utility function

Backwards Incompatible Changes

  • AbstractRange.prototype.getTextRange(s) now return AbstractRange instead of the specific TextRange subclass

Other Changes

  • Remove some forwardDeclares from closure labs net.
  • Remove forwardDeclares from closure/graphics.
  • Remove forwardDeclare from closure/fs.
  • Linkify matching {} and () in URL like https://g.com?res{x=3}
  • The functions allowed by the CSS sanitizer are now case insensitive.
  • Replace uses of goog.isArray in preparation for its removal
  • Remove special case for ie6-ie10 in nexttick.
  • Remove some forwardDeclares from closure/net.
  • Remove forwardDeclares from various Closure packages.

Closure Library v20200204

Note: the last two releases were not pushed to npm. To keep a complete changelog these release notes include the last two as well.

New Additions

  • Add TrustedResourceUrl.fromSafeScript().
  • New htmlsanitizer builder API addition.
  • Extract the version from Headless Chrome user-agent strings.

Backwards Incompatible Changes

  • goog.net.WebSocket no longer accepts direct autoReconnect and getNextReconnect arguments; specify these as fields in an options object instead.

... (truncated)

Commits
  • c6e4fe0 Bump version.
  • 2fb2c6d Migrate goog.forwardDeclare to goog.requireType.
  • ade336a Migrate goog.forwardDeclare to goog.requireType.
  • 964e8f3 RELNOTES[NEW]: Add SafeHtml.comment.
  • a93d568 RELNOTES: Add non-nullable modifier to return type of functions never returni...
  • 294fc00 Fix authority parsing in Closure URI parser.
  • 49624ab Add a define to module manager so that we can control module loading behaviors.
  • 5845fb1 Removed the legacy buffering-proxy detection (aka test-channel).
  • f4c4443 Add non-nullable modifier to return type of functions never returning null.
  • 60f4a9c Add non-nullable modifier to return type of functions never returning null.
  • Additional commits viewable in compare view


Updates jsdom from 12.2.0 to 16.5.0

Release notes

Sourced from jsdom's releases.

Version 16.5.0

  • Added window.queueMicrotask().
  • Added window.event.
  • Added inputEvent.inputType. (diegohaz)
  • Removed ondragexit from Window and friends, per a spec update.
  • Fixed the URL of about:blank iframes. Previously it was getting set to the parent's URL. (SimonMueller)
  • Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
  • Fixed the hidden="" attribute to cause display: none per the user-agent stylesheet. (ph-fritsche)
  • Fixed the new File() constructor to no longer convert / to :, per a pending spec update.
  • Fixed mutation observer callbacks to be called with the MutationObserver instance as their this value.
  • Fixed <input type=checkbox> and <input type=radio> to be mutable even when disabled, per a spec update.
  • Fixed XMLHttpRequest to not fire a redundant final progress event if a progress event was previously fired with the same loaded value. This would usually occur with small files.
  • Fixed XMLHttpRequest to expose the Content-Length header on cross-origin responses.
  • Fixed xhr.response to return null for failures that occur during the middle of the download.
  • Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)
  • Fixed edge cases around the properties of proxy-like objects such as localStorage or dataset. (ExE-Boss)
  • Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi)

Version 16.4.0

  • Added a not-implemented warning if you try to use the second pseudo-element argument to getComputedStyle(), unless you pass a ::part or ::slotted pseudo-element, in which case we throw an error per the spec. (ExE-Boss)
  • Improved the performance of repeated access to el.tagName, which also indirectly improves performance of selector matching and style computation. (eps1lon)
  • Fixed form.elements to respect the form="" attribute, so that it can contain non-descendant form controls. (ccwebdesign)
  • Fixed el.focus() to do nothing on disconnected elements. (eps1lon)
  • Fixed el.focus() to work on SVG elements. (zjffun)
  • Fixed removing the currently-focused element to move focus to the <body> element. (eps1lon)
  • Fixed imgEl.complete to return true for <img> elements with empty or unset src="" attributes. (strager)
  • Fixed imgEl.complete to return true if an error occurs loading the <img>, when canvas is enabled. (strager)
  • Fixed imgEl.complete to return false if the <img> element's src="" attribute is reset. (strager)
  • Fixed the valueMissing validation check for <input type="radio">. (zjffun)
  • Fixed translate="" and draggable="" attribute processing to use ASCII case-insensitivity, instead of Unicode case-insensitivity. (zjffun)

Version 16.3.0

  • Added firing of focusin and focusout when using el.focus() and el.blur(). (trueadm)
  • Fixed elements with the contenteditable="" attribute to be considered as focusable. (jamieliu386)
  • Fixed window.NodeFilter to be per-Window, instead of shared across all Windows. (ExE-Boss)
  • Fixed edge-case behavior involving use of objects with handleEvent properties as event listeners. (ExE-Boss)
  • Fixed a second failing image load sometimes firing a load event instead of an error event, when the canvas package is installed. (strager)
  • Fixed drawing an empty canvas into another canvas. (zjffun)

Version 16.2.2

  • Updated StyleSheetList for better spec compliance; notably it no longer inherits from Array.prototype. (ExE-Boss)
  • Fixed requestAnimationFrame() from preventing process exit. This likely regressed in v16.1.0.
  • Fixed setTimeout() to no longer leak the closures passed in to it. This likely regressed in v16.1.0. (AviVahl)
  • Fixed infinite recursion that could occur when calling click() on a <label> element, or one of its descendants.
  • Fixed getComputedStyle() to consider inline style="" attributes. (eps1lon)
  • Fixed several issues with <input type="number">'s stepUp() and stepDown() functions to be properly decimal-based, instead of floating point-based.
  • Fixed various issues where updating selectEl.value would not invalidate properties such as selectEl.selectedOptions. (ExE-Boss)
  • Fixed <input>'s src property, and <ins>/<del>'s cite property, to properly reflect as URLs.
  • Fixed window.addEventLister, window.removeEventListener, and window.dispatchEvent to properly be inherited from EventTarget, instead of being distinct functions. (ExE-Boss)
  • Fixed errors that would occur if attempting to use a DOM object, such as a custom element, as an argument to addEventListener.

... (truncated)

Changelog

Sourced from jsdom's changelog.

16.5.0

  • Added window.queueMicrotask().
  • Added window.event.
  • Added inputEvent.inputType. (diegohaz)
  • Removed ondragexit from Window and friends, per a spec update.
  • Fixed the URL of about:blank iframes. Previously it was getting set to the parent's URL. (SimonMueller)
  • Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
  • Fixed the hidden="" attribute to cause display: none per the user-agent stylesheet. (ph-fritsche)
  • Fixed the new File() constructor to no longer convert / to :, per a pending spec update.
  • Fixed mutation observer callbacks to be called with the MutationObserver instance as their this value.
  • Fixed <input type=checkbox> and <input type=radio> to be mutable even when disabled, per a spec update.
  • Fixed XMLHttpRequest to not fire a redundant final progress event if a progress event was previously fired with the same loaded value. This would usually occur with small files.
  • Fixed XMLHttpRequest to expose the Content-Length header on cross-origin responses.
  • Fixed xhr.response to return null for failures that occur during the middle of the download.
  • Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)
  • Fixed edge cases around the properties of proxy-like objects such as localStorage or dataset. (ExE-Boss)
  • Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi)

16.4.0

  • Added a not-implemented warning if you try to use the second pseudo-element argument to getComputedStyle(), unless you pass a ::part or ::slotted pseudo-element, in which case we throw an error per the spec. (ExE-Boss)
  • Improved the performance of repeated access to el.tagName, which also indirectly improves performance of selector matching and style computation. (eps1lon)
  • Fixed form.elements to respect the form="" attribute, so that it can contain non-descendant form controls. (ccwebdesign)
  • Fixed el.focus() to do nothing on disconnected elements. (eps1lon)
  • Fixed el.focus() to work on SVG elements. (zjffun)
  • Fixed removing the currently-focused element to move focus to the <body> element. (eps1lon)
  • Fixed imgEl.complete to return true for <img> elements with empty or unset src="" attributes. (strager)
  • Fixed imgEl.complete to return true if an error occurs loading the <img>, when canvas is enabled. (strager)
  • Fixed imgEl.complete to return false if the <img> element's src="" attribute is reset. (strager)
  • Fixed the valueMissing validation check for <input type="radio">. (zjffun)
  • Fixed translate="" and draggable="" attribute processing to use ASCII case-insensitivity, instead of Unicode case-insensitivity. (zjffun)

16.3.0

  • Added firing of focusin and focusout when using el.focus() and el.blur(). (trueadm)
  • Fixed elements with the contenteditable="" attribute to be considered as focusable. (jamieliu386)
  • Fixed window.NodeFilter to be per-Window, instead of shared across all Windows. (ExE-Boss)
  • Fixed edge-case behavior involving use of objects with handleEvent properties as event listeners. (ExE-Boss)
  • Fixed a second failing image load sometimes firing a load event instead of an error event, when the canvas package is installed. (strager)
  • Fixed drawing an empty canvas into another canvas. (zjffun)

16.2.2

  • Updated StyleSheetList for better spec compliance; notably it no longer inherits from Array.prototype. (ExE-Boss)
  • Fixed requestAnimationFrame() from preventing process exit. This likely regressed in v16.1.0.
  • Fixed setTimeout() to no longer leak the closures passed in to it. This likely regressed in v16.1.0. (AviVahl)
  • Fixed infinite recursion that could occur when calling click() on a <label> element, or one of its descendants.
  • Fixed getComputedStyle() to consider inline style="" attributes. (eps1lon)
  • Fixed several issues with <input type="number">'s stepUp() and stepDown() functions to be properly decimal-based, instead of floating point-based.

... (truncated)

Commits
  • 2d82763 Version 16.5.0
  • 9741311 Fix loading of subresources with Unicode filenames
  • 5e46553 Use domenic's ESLint config as the base
  • 19b35da Fix the URL of about:blank iframes
  • 017568e Support inputType on InputEvent
  • 29f4fdf Upgrade dependencies
  • e2f7639 Refactor create-event-accessor.js to remove code duplication
  • ff69a75 Convert JSDOM to use callback functions
  • 19df6bc Update links in contributing guidelines
  • 1e34ff5 Test triage
  • Additional commits viewable in compare view


Updates json5 from 2.1.0 to 2.2.2

Release notes

Sourced from json5's releases.

v2.2.2

  • Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1

  • Fix: Removed dependence on minimist to patch CVE-2021-44906. (#266)

v2.2.0

  • New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

  • Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2

  • Fix: Bump minimist to v1.2.5. (#222)

v2.1.1

  • New: package.json and package.json5 include a module property so bundlers like webpack, rollup and parcel can take advantage of the ES Module build. (#208)
  • Fix: stringify outputs \0 as \\x00 when followed by a digit. (#210)
  • Fix: Spelling mistakes have been fixed. (#196)

Changelog

Sourced from json5's changelog.

v2.2.2 [code, diff]

  • Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1 [code, diff]

  • Fix: Removed dependence on minimist to patch CVE-2021-44906. (#266)

v2.2.0 [code, diff]

  • New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

  • Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2 [code, diff]

  • Fix: Bump minimist to v1.2.5. (#222)

v2.1.1 [code, diff]

  • New: package.json and package.json5 include a module property so bundlers like webpack, rollup and parcel can take advantage of the ES Module build. (#208)
  • Fix: stringify outputs \0 as \\x00 when followed by a digit. (#210)
  • Fix: Spelling mistakes have been fixed. (#196)

Commits
  • 14f8cb1 2.2.2
  • 10cc7ca docs: update CHANGELOG for v2.2.2
  • 7774c10 fix: add proto to objects and arrays
  • edde30a Readme: slight tweak to intro
  • 97286f8 Improve example in readme
  • d720b4f Improve readme (e.g. explain JSON5 better!) (#291)
  • 910ce25 docs: fix spelling of Aseem
  • 2aab4dd test: require tap as t in cli tests
  • 6d42686 test: remove mocha syntax from tests
  • 4798b9d docs: update installation and usage for modules
  • Additional commits viewable in compare view


Updates mocha from 5.2.0 to 10.4.0

Release notes

Sourced from mocha's releases.

v10.4.0

10.4.0 / 2024-03-26

:tada: Enhancements

:bug: Fixes

:nut_and_bolt: Other

v10.3.0

This is a stable release equivalent to v10.3.0-preminor.0.

What's Changed

... (truncated)

Changelog

Sourced from mocha's changelog.

10.4.0 / 2024-03-26

:tada: Enhancements

:bug: Fixes

:nut_and_bolt: Other

10.3.0 / 2024-02-08

This is a stable release equivalent to 10.30.0-prerelease.

10.3.0-prerelease / 2024-01-18

This is a prerelease version to test our ability to release. Other than removing or updating dependencies, it contains no intended user-facing changes.

:nut_and_bolt: Other

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by voxpelli, a new releaser for mocha since your current version.


Updates mocha-headless-server from 0.1.2 to 0.1.4

Commits


Updates terser from 3.10.11 to 4.8.1

Changelog

Sourced from terser's changelog.

v4.8.1 (backport)

  • Security fix for RegExps that should not be evaluated (regexp DDOS)

v4.8.0

  • Support for numeric separators (million = 1_000_000) was added.
  • Assigning properties to a class is now assumed to be pure.
  • Fixed bug where yield wasn't considered a valid property key in generators.

v4.7.0

  • A bug was fixed where an arrow function would have the wrong size
  • arguments object is now considered safe to retrieve properties from (useful for length, or 0) even when pure_getters is not set.
  • Fixed erroneous const declarations without value (which is invalid) in some corner cases when using collapse_vars.

v4.6.13

  • Fixed issue where ES5 object properties were being turned into ES6 object properties due to more lax unicode rules.
  • Fixed parsing of BigInt with lowercase e in them.

v4.6.12

  • Fixed subtree comparison code, making it see that [1,[2, 3]] is different from [1, 2, [3]]
  • Printing of unicode identifiers has been improved

v4.6.11

  • Read unused classes' properties and method keys, to figure out if they use other variables.
  • Prevent inlining into block scopes when there are name collisions
  • Functions are no longer inlined into parameter defaults, because they live in their own special scope.
  • When inlining identity functions, take into account the fact they may be used to drop this in function calls.
  • Nullish coalescing operator (x ?? y), plus basic optimization for it.
  • Template literals in binary expressions such as + have been further optimized

v4.6.10

  • Do not use reduce_vars when classes are present

v4.6.9

  • Check if block scopes actually exist in blocks

v4.6.8

  • Take into account "executed bits" of classes like static properties or computed keys, when checking if a class evaluation might throw or have side effects.

v4.6.7

  • Some new performance gains through a AST_Node.size() method which measures a node's source code length without printing it to a string first.

... (truncated)

Commits


Updates yargs from 12.0.2 to 17.7.2

Release notes

Sourced from yargs's releases.

yargs yargs-v16.2.1

Bug Fixes

Changelog

Sourced from yargs's changelog.

17.7.2 (2023-04-27)

Bug Fixes

  • do not crash completion when having negated options (#2322) (7f42848)

17.7.1 (2023-02-21)

Bug Fixes

  • address display bug with default sub-commands (#2303) (9aa2490)

17.7.0 (2023-02-13)

Features

  • add method to hide option extras (#2156) (2c144c4)
  • convert line break to whitespace for the description of the option (#2271) (4cb41dc)

Bug Fixes

  • copy the description of the option to its alias in completion (#2269) (f37ee6f)

17.6.2 (2022-11-03)

Bug Fixes

  • deps: update dependency yargs-parser to v21.1.1 (#2231) (75b4d52)
  • lang: typo in Finnish unknown argument singular form (#2222) (a6dfd0a)

17.6.1 (2022-11-02)

Bug Fixes

  • lang: fix "Not enough non-option arguments" message for the Czech language (#2242) (3987b13)

17.6.0 (2022-10-01)

Features

... (truncated)

Commits
  • 3566b84 chore(main): release 17.7.2 (#2323)
  • 7f42848 fix: do not crash completion when having negated options (#2322)
  • 2b6ba31 chore(main): release 17.7.1 (#2304)
  • 9aa2490 fix: address display bug with default sub-commands (#2303)
  • 663c1b6 chore(main): release 17.7.0 (#2285)
  • 4cb41dc feat: convert line break to whitespace for the description of the option (#2271)
  • 7dc1086 test: mock additional hasColors method introduced in Node 16 (#2297)
  • f37ee6f fix: copy the description of the option to its alias in completion (#2269)

andrewpollock commented 1 week ago

These are test fixtures and not meant to be updated.

dependabot[bot] commented 1 week ago

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml