Closed dependabot[bot] closed 5 months ago
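Bumps the npm_and_yarn group with 7 updates in the / directory:
axios from 1.5.0 to 1.6.0
express from 4.18.1 to 4.19.2
next from 14.0.0 to 14.1.1
sharp from 0.30.5 to 0.32.6
braces from 3.0.2 to 3.0.3
follow-redirects from 1.15.3 to 1.15.6
jose from 2.0.6 to 2.0.7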
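Bumps the npm_and_yarn group with 6 updates in the /functions directory:
axios from 0.21.2 to 0.28.0
express from 4.18.2 to 4.19.2
@grpc/grpc-js from 1.8.17 to 1.8.22
follow-redirects from 1.15.0 to 1.15.6
2.0.6 to 2.0.7
9.0.0 to 9.0.2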
Updates axios from 1.5.0 to 1.6.0
Sourced from axios's releases.
Release v1.6.0
Release notes:
Bug Fixes
- CSRF: fixed CSRF vulnerability CVE-2023-45857 (#6028) (96ee232)
- dns: fixed lookup function decorator to work properly in node v20; (#6011) (5aaff53)
- types: fix AxiosHeaders types; (#5931) (a1c8ad0)
PRs
- CVE 2023 45857 (#6028)
  ⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459
Contributors to this release: Dmitriy Mozgovoy, Valentin Panov, Rinku Chaudhari
Release v1.5.1
Release notes:
Bug Fixes
- adapters: improved adapters loading logic to have clear error messages; (#5919) (e410779)
- formdata: fixed automatic addition of the Content-Type header for FormData in non-browser environments; (#5917) (bc9af51)
- headers: allow content-encoding header to handle case-insensitive values (#5890) (#5892) (4c89f25)
- types: removed duplicated code (9e62056)
Contributors to this release: Dmitriy Mozgovoy, David Dallas, Sean Sattler, Mustafa Ateş Uzun, Przemyslaw Motacki, Michael Di Prisco
Sourced from axios's changelog.
1.6.0 (2023-10-26)
Bug Fixes
- CSRF: fixed CSRF vulnerability CVE-2023-45857 (#6028) (96ee232)
- dns: fixed lookup function decorator to work properly in node v20; (#6011) (5aaff53)
- types: fix AxiosHeaders types; (#5931) (a1c8ad0)
PRs
- CVE 2023 45857 (#6028)
  ⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459
Contributors to this release: Dmitriy Mozgovoy, Valentin Panov, Rinku Chaudhari
1.5.1 (2023-09-26)
Bug Fixes
- adapters: improved adapters loading logic to have clear error messages; (#5919) (e410779)
- formdata: fixed automatic addition of the Content-Type header for FormData in non-browser environments; (#5917) (bc9af51)
- headers: allow content-encoding header to handle case-insensitive values (#5890) (#5892) (4c89f25)
- types: removed duplicated code (9e62056)
Contributors to this release: Dmitriy Mozgovoy, David Dallas, Sean Sattler, Mustafa Ateş Uzun, Przemyslaw Motacki, Michael Di Prisco
PRs
- CVE 2023 45857 (#6028)
  ⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459
Updates express from 4.18.1 to 4.19.2
Sourced from express's releases.
4.19.2
What's Changed
- Improved fix for open redirect allow list bypass
Full Changelog: https://github.com/expressjs/express/compare/4.19.1...4.19.2
4.19.1
What's Changed
- Fix ci after location patch by @wesleytodd in expressjs/express#5552
- fixed un-edited version in history.md for 4.19.0 by @wesleytodd in expressjs/express#5556
Full Changelog: https://github.com/expressjs/express/compare/4.19.0...4.19.1
4.19.0
What's Changed
- fix typo in release date by @UlisesGascon in expressjs/express#5527
- docs: nominating @wesleytodd to be project captain by @wesleytodd in expressjs/express#5511
- docs: loosen TC activity rules by @wesleytodd in expressjs/express#5510
- Add note on how to update docs for new release by @crandmck in expressjs/express#5541
- Prevent open redirect allow list bypass due to encodeurl
- Release 4.19.0 by @wesleytodd in expressjs/express#5551
New Contributors
- @crandmck made their first contribution in expressjs/express#5541
Full Changelog: https://github.com/expressjs/express/compare/4.18.3...4.19.0
4.18.3
Main Changes
- Fix routing requests without method
- deps: body-parser@1.20.2
- Fix strict json error message on Node.js 19+
- deps: content-type@~1.0.5
- deps: raw-body@2.5.2
Other Changes
- Use https: protocol instead of deprecated git: protocol by @vcsjones in expressjs/express#5032
- build: Node.js@16.18 and Node.js@18.12 by @abenhamdine in expressjs/express#5034
- ci: update actions/checkout to v3 by @armujahid in expressjs/express#5027
- test: remove unused function arguments in params by @raksbisht in expressjs/express#5124
- Remove unused originalIndex from acceptParams by @raksbisht in expressjs/express#5119
- Fixed typos by @raksbisht in expressjs/express#5117
- examples: remove unused params by @raksbisht in expressjs/express#5113
- fix: parameter str is not described in JSDoc by @raksbisht in expressjs/express#5130
- fix: typos in History.md by @raksbisht in expressjs/express#5131
- build : add Node.js@19.7 by @abenhamdine in expressjs/express#5028
- test: remove unused function arguments in params by @raksbisht in expressjs/express#5137
... (truncated)
Sourced from express's changelog.
4.19.2 / 2024-03-25
- Improved fix for open redirect allow list bypass
4.19.1 / 2024-03-20
- Allow passing non-strings to res.location with new encoding handling checks
4.19.0 / 2024-03-20
- Prevent open redirect allow list bypass due to encodeurl
- deps: cookie@0.6.0
4.18.3 / 2024-02-29
- Fix routing requests without method
- deps: body-parser@1.20.2
- Fix strict json error message on Node.js 19+
- deps: content-type@~1.0.5
- deps: raw-body@2.5.2
- deps: cookie@0.6.0
- Add partitioned option
4.18.2 / 2022-10-08
- Fix regression routing a large stack in a single route
- deps: body-parser@1.20.1
- deps: qs@6.11.0
- perf: remove unnecessary object clone
- deps: qs@6.11.0
This version was pushed to npm by wesleytodd, a new releaser for express since your current version.
Updates next from 14.0.0 to 14.1.1
Updates sharp from 0.30.5 to 0.32.6
Sourced from sharp's changelog.
v0.32.6 - 18th September 2023
- Upgrade to libvips v8.14.5 for upstream bug fixes.
- Ensure composite tile images are fully decoded (regression in 0.32.0). #3767
- Ensure withMetadata can add ICC profiles to RGB16 output. #3773
- Ensure withMetadata does not reduce 16-bit images to 8-bit (regression in 0.32.5). #3773
- TypeScript: Add definitions for block and unblock. #3799 @ldrick
v0.32.5 - 15th August 2023
- Upgrade to libvips v8.14.4 for upstream bug fixes.
- TypeScript: Add missing WebpPresetEnum to definitions. #3748 @pilotso11
- Ensure compilation using musl v1.2.4. #3755 @kleisauke
- Ensure resize with a fit of inside respects 90/270 degree rotation. #3756
- TypeScript: Ensure minSize property of WebpOptions is boolean. #3758 @sho-xizz
- Ensure withMetadata adds default sRGB profile. #3761
v0.32.4 - 21st July 2023
- Upgrade to libvips v8.14.3 for upstream bug fixes.
- Expose ability to (un)block low-level libvips operations by name.
- Prebuilt binaries: restore support for tile-based output. #3581
v0.32.3 - 14th July 2023
... (truncated)
Updates braces from 3.0.2 to 3.0.3
Updates follow-redirects from 1.15.3 to 1.15.6
Updates jose from 2.0.6 to 2.0.7
Sourced from jose's releases.
v2.0.7
Fixes
- add a maxOutputLength option to zlib inflate (02a6579), fixes CVE-2024-28176
Sourced from jose's changelog.
2.0.7 (2024-03-07)
Bug Fixes
- add a maxOutputLength option to zlib inflate (02a6579)
Updates postcss from 8.4.13 to 8.4.31
Sourced from postcss's releases.
8.4.31
- Fixed \r parsing to fix CVE-2023-44270.
8.4.30
- Improved source map performance (by @romainmenke).
8.4.29
- Fixed Node#source.offset (by @idoros).
- Fixed docs (by @coliff).
8.4.28
- Fixed Root.source.end for better source map (by @romainmenke).
- Fixed Result.root types when process() has no parser.
8.4.27
- Fixed Container clone methods types.
8.4.26
- Fixed clone methods types.
8.4.25
- Improve stringify performance (by @romainmenke).
- Fixed docs (by @vikaskaliramna07).
8.4.24
- Fixed Plugin types.
8.4.23
- Fixed warnings in TypeDoc.
8.4.22
- Fixed TypeScript support with node16 (by @remcohaszing).
8.4.21
- Fixed Input#error types (by @hudochenkov).
8.4.20
- Fixed source map generation for childless at-rules like @layer.
8.4.19
- Fixed whitespace preserving after AST transformations (by @romainmenke).
8.4.18
- Fixed an error on absolute: true with empty sourceContent (by @KingSora).
8.4.17
- Fixed Node.before() unexpected behavior (by @romainmenke).
- Added TOC to docs (by @muddv).
8.4.16
... (truncated)
Sourced from postcss's changelog.
8.4.31
- Fixed \r parsing to fix CVE-2023-44270.
8.4.30
- Improved source map performance (by Romain Menke).
8.4.29
- Fixed Node#source.offset (by Ido Rosenthal).
- Fixed docs (by Christian Oliff).
8.4.28
- Fixed Root.source.end for better source map (by Romain Menke).
- Fixed Result.root types when process() has no parser.
8.4.27
- Fixed Container clone methods types.
8.4.26
- Fixed clone methods types.
8.4.25
- Improve stringify performance (by Romain Menke).
- Fixed docs (by @vikaskaliramna07).
8.4.24
- Fixed Plugin types.
8.4.23
- Fixed warnings in TypeDoc.
8.4.22
- Fixed TypeScript support with node16 (by Remco Haszing).
8.4.21
- Fixed Input#error types (by Aleks Hudochenkov).
8.4.20
- Fixed source map generation for childless at-rules like @layer.
8.4.19
- Fixed whitespace preserving after AST transformations (by Romain Menke).
8.4.18
- Fixed an error on absolute: true with empty sourceContent (by Rene Haas).
8.4.17
- Fixed Node.before() unexpected behavior (by Romain Menke).
- Added TOC to docs (by Mikhail Dedov).
8.4.16
... (truncated)
Updates axios from 0.21.2 to 0.28.0
Updates express from 4.18.2 to 4.19.2
Updates @grpc/grpc-js from 1.8.17 to 1.8.22
Sourced from @grpc/grpc-js's releases.
@grpc/grpc-js 1.8.22
- Avoid buffering significantly more than grpc.max_receive_message_size per received message.
@grpc/grpc-js@1.8.21
- Fix propagation of UNIMPLEMENTED error messages (#2528)
@grpc/grpc-js 1.8.20
- Fix a crash when the channel option grpc.keepalive_permit_without_calls is set (#2519)
@grpc/grpc-js 1.8.19
- Update keepalive behavior to more correctly handle short calls and long periods of inactivity (#2513)
@grpc/grpc-js 1.8.18
- Fix reporting of call stacks in unary request errors (#2503)
- Fix reporting of proxy info in channelz socket responses (#2503)
Updates follow-redirects from 1.15.0 to 1.15.6
Updates axios from 1.5.0 to 1.6.0
Commits
f7adacd chore(release): v1.6.0 (#6031)
9917e67 chore(ci): fix release-it arg; (#6032)
96ee232 fix(CSRF): fixed CSRF vulnerability CVE-2023-45857 (#6028)
7d45ab2 chore(tests): fixed tests to pass in node v19 and v20 with keep-alive enabl...
5aaff53 fix(dns): fixed lookup function decorator to work properly in node v20; (#6011)
a48a63a chore(docs): added AxiosHeaders docs; (#5932)
a1c8ad0 fix(types): fix AxiosHeaders types; (#5931)
2ac731d chore(docs): update readme.md (#5889)
88fb52b chore(release): v1.5.1 (#5920)
e410779 fix(adapters): improved adapters loading logic to have clear error messages; ...
Updates express from 4.18.1 to 4.19.2
Commits
04bc627 4.19.2
da4d763 Improved fix for open redirect allow list bypass
4f0f6cc 4.19.1
a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
a1fa90f fixed un-edited version in history.md for 4.19.0
11f2b1d build: fix build due to inconsistent supertest behavior in older versions
084e365 4.19.0
0867302 Prevent open redirect allow list bypass due to encodeurl
567c9c6 Add note on how to update docs for new release (#5541)
69a4cf2 deps: cookie@0.6.0
Updates next from 14.0.0 to 14.1.1
Commits
5f59ee5 v14.1.1
f48b90b even more
7f789f4 more timeout
ab71c4c update timeout
75f60d9 update trigger release workflow
74b3f0f Server Action tests (#62655)
a6946b6 Backport metadata fixes (#62663)
4002f4b Fix draft mode invariant (#62121)
7dbf6f8 fix: babel usage with next/image (#61835)
3efc842 Fix next/server apit push alias for ESM pkg (#61721)
Updates sharp from 0.30.5 to 0.32.6
Commits
eefaa99 Release v0.32.6
dbce6fa Upgrade to libvips v8.14.5
af0fcb3 Docs: changelog for #3799
c6f54e5 Bump devDeps
846563e TypeScript: add definitions for block and unblock (#3799)
9c217ab Ensure withMetadata can add RGB16 profiles #3773
e7381e5 Alternative fix for 4340d60, uses existing StaySequential
4340d60 Ensure composite tile images fully decoded #3767
7f64d46 Docs: add missing returns property to raw
67e927b Docs: ensure all functions include method signature #3777
Updates braces from 3.0.2 to 3.0.3
Commits
74b2db2 3.0.3
88f1429 update eslint. lint, fix unit tests.
415d660 Snyk js braces 6838727 (#40)
190510f fix tests, skip 1 test in test/braces.expand
716eb9f readme bump
a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
98414f9 remove funding file
665ab5d update keepEscaping doc (#27)
Updates follow-redirects from 1.15.3 to 1.15.6
Commits
35a517c Release version 1.15.6 of the npm package.
c4f847f Drop Proxy-Authorization across hosts.
8526b4a Use GitHub for disclosure.
b1677ce Release version 1.15.5 of the npm package.
d8914f7 Preserve fragment in responseUrl.
6585820 Release version 1.15.4 of the npm package.
7a6567e Disallow bracketed hostnames.
05629af Prefer native URL instead of deprecated url.parse.
1cba8e8 Prefer native URL instead of legacy url.resolve.
72bc2a4 Simplify _processResponse error handling.
Updates jose from 2.0.6 to 2.0.7
Commits
0fbe2e6 chore(release): 2.0.7
02a6579 fix: add a maxOutputLength option to zlib inflate
Updates postcss from 8.4.13 to 8.4.31
Commits
90208de Release 8.4.31 version
58cc860 Fix carrier return parsing
4fff8e4 Improve pnpm test output
cd43ed1 Update dependencies
caa916b Update dependencies
8972f76 Typo
11a5286 Typo
45c5501 Release 8.4.30 version
bc3c341 Update linter
b2be58a Merge pull request #1881 from romainmenke/improve-sourcemap-performance--phil...
Updates @grpc/grpc-js from 1.8.17 to 1.8.22
Commits
a8a0203 Merge pull request from GHSA-7v5v-9h63-cj86
3b110cd grpc-js: Bump to 1.8.22
8e62222 grpc-js: Avoid buffering significantly more than max_receive_message_size per...
9d83947 Merge pull request #2742 from sergiitk/backport-1.8-psm-interop-common-prod-t...
00f348c Merge pull request #2729 from sergiitk/psm-interop-common-prod-tests
36d105b Merge pull request #2737 from murgatroid99/backport-1.8-grpc-js_linkify-it_fix
969e305 Merge pull request #2735 from murgatroid99/grpc-js_linkify-it_fix
d78216f Merge pull request #2715 from sergiitk/backport-1.8-psm-interop-pkg-dev
f38966a Merge pull request #2712 from sergiitk/psm-interop-pkg-dev
ffefff2 Merge pull request #2640 from XuanWang-Amos/backport-1.8-psm-interop-shared-b...