jetstreamapp / jetstream

A better way to work on Salesforce
https://getjetstream.app/

Bump the npm_and_yarn group across 2 directories with 24 updates #974

Closed dependabot[bot] closed 1 month ago

dependabot[bot] commented 1 month ago

Bumps the npm_and_yarn group with 19 updates in the / directory:

Package                  From     To
@grpc/grpc-js            1.10.6   1.10.9
axios                    1.6.8    1.7.0
quill                    1.3.7    2.0.0
socket.io                4.5.1    4.6.2
postcss                  8.4.38   8.4.39
vite                     5.1.4    5.1.7
@adobe/css-tools         4.2.0    4.4.0
@sideway/formula         3.0.0    3.0.1
braces                   3.0.2    3.0.3
ejs                      3.1.8    3.1.10
get-func-name            2.0.0    2.0.2
http-cache-semantics     4.1.0    4.1.1
loader-utils             1.4.0    1.4.2
semver                   5.7.1    5.7.2
tar                      6.1.15   6.2.1
terser                   5.14.1   5.31.1
webpack-dev-middleware   5.3.3    5.3.4
word-wrap                1.2.3    1.2.5
ws                       6.2.2    6.2.3

Bumps the npm_and_yarn group with 8 updates in the /apps/docs directory:

Package                  From     To
express                  4.18.2   4.19.2
postcss                  8.4.27   8.4.39
@babel/traverse          7.22.8   7.24.7
braces                   3.0.2    3.0.3
follow-redirects         1.15.2   1.15.6
terser                   5.19.2   5.31.1
webpack-dev-middleware   5.3.3    5.3.4
ws                       7.5.9    7.5.10

Updates @grpc/grpc-js from 1.10.6 to 1.10.9

Release notes

Sourced from @grpc/grpc-js's releases.

@grpc/grpc-js 1.10.9

  • Avoid buffering significantly more than grpc.max_receive_message_size per received message.

@grpc/grpc-js 1.10.8

  • Fix a bug that caused channels with unix: targets to not reconnect after the channel goes idle (#2750)

@grpc/grpc-js 1.10.7

  • Improve reporting of HTTP error codes (#2723)
  • Update dependency on @grpc/proto-loader to the latest version (#2732)

Commits
  • 674f4e3 Merge pull request from GHSA-7v5v-9h63-cj86
  • 7ecaa2d grpc-js: Bump to 1.10.9
  • e64d816 grpc-js: Avoid buffering significantly more than max_receive_message_size per...
  • 45e5fe5 Merge pull request #2750 from murgatroid99/grpc-js_idle_uds_fix
  • 87a3541 grpc-js: Fix UDS channels not reconnecting after going idle
  • 3105791 Merge pull request #2740 from sergiitk/backport-1.10-psm-interop-common-prod-...
  • fec135a Merge pull request #2729 from sergiitk/psm-interop-common-prod-tests
  • 76fe802 Merge pull request #2739 from murgatroid99/backport-1.10-grpc-js_linkify-it_fix
  • d5edf49 Merge pull request #2735 from murgatroid99/grpc-js_linkify-it_fix
  • 23c05fc Merge pull request #2732 from murgatroid99/grpc-js_proto-loader_update
  • Additional commits viewable in compare view


Updates axios from 1.6.8 to 1.7.0

Release notes

Sourced from axios's releases.

Release v1.7.0

Release notes:

Features

Bug Fixes

  • core/axios: handle un-writable error stack (#6362) (81e0455)

Contributors to this release

Release v1.7.0-beta.2

Release notes:

Bug Fixes

  • fetch: capitalize HTTP method names; (#6395) (ad3174a)
  • fetch: fix & optimize progress capturing for cases when the request data has a nullish value or zero data length (#6400) (95a3e8e)
  • fetch: fix headers getting from a stream response; (#6401) (870e0a7)

Contributors to this release

Release v1.7.0-beta.1

Release notes:

Bug Fixes

  • core/axios: handle un-writable error stack (#6362) (81e0455)
  • fetch: fix cases when ReadableStream or Response.body are not available; (#6377) (d1d359d)
  • fetch: treat fetch-related TypeError as an AxiosError.ERR_NETWORK error; (#6380) (bb5f9a5)

Contributors to this release

Install

npm i axios@next

Release v1.7.0-beta.0

Release notes:

Features

... (truncated)

Changelog

Sourced from axios's changelog.

1.7.0 (2024-05-19)

Features

Bug Fixes

  • core/axios: handle un-writable error stack (#6362) (81e0455)

Contributors to this release

1.7.0-beta.2 (2024-05-19)

Bug Fixes

  • fetch: capitalize HTTP method names; (#6395) (ad3174a)
  • fetch: fix & optimize progress capturing for cases when the request data has a nullish value or zero data length (#6400) (95a3e8e)
  • fetch: fix headers getting from a stream response; (#6401) (870e0a7)

Contributors to this release

1.7.0-beta.1 (2024-05-07)

Bug Fixes

  • core/axios: handle un-writable error stack (#6362) (81e0455)
  • fetch: fix cases when ReadableStream or Response.body are not available; (#6377) (d1d359d)
  • fetch: treat fetch-related TypeError as an AxiosError.ERR_NETWORK error; (#6380) (bb5f9a5)

Contributors to this release

1.7.0-beta.0 (2024-04-28)

Features

... (truncated)

Commits
  • 3041c61 [Release] v1.7.0 (#6408)
  • 18b13cb chore(docs): add fetch adapter docs; (#6407)
  • e62099b fix(fetch): fixed a possible memory leak in the AbortController for the strea...
  • b49aa8e chore(release): v1.7.0-beta.2 (#6403)
  • d57f03a chore(ci): bump create-pull-request version to fix a bug; (#6405)
  • 097b0d1 chore(ci): add tag resolution for npm releases based on package version; (#6404)
  • 870e0a7 fix(fetch): fix headers getting from a stream response; (#6401)
  • 95a3e8e fix(fetch): fix & optimize progress capturing for cases when the request data...
  • ad3174a fix(fetch): capitalize HTTP method names; (#6395)
  • b9f4848 chore(release): v1.7.0-beta.1 (#6383)
  • Additional commits viewable in compare view


Updates quill from 1.3.7 to 2.0.0

Release notes

Sourced from quill's releases.

Version 2.0.0

We are thrilled to announce the release of Quill 2.0! Please check out the announcement post.

Major Improvements

  • Quill is now a valid ESM package for better ecosystem (e.g. bundlers) and tree-shaking support
  • Nested Quill support #3590
  • Improved IME and spell corrector support #3807
  • Semantic cleanups for TEXT_CHANGE event #3778
  • History: Record selection in history module #3823
  • Auto detect scrolling container #3840
  • Clipboard: Improve support for pasting from Google Docs and Microsoft Word

Performance Improvements

Quill 2.0 includes many performance optimizations, the most important of which is the improved rendering speed for large content.

  • Improve inserting performance #3815
  • Avoid fetching selections when possible #3538
  • No need to setContents when container is empty #3539

Code Modernization

  • Migrated to TypeScript
  • Provided official TypeScript declarations
  • Migrated to Vitest for unit testing
  • Migrated to Playwright for E2E testing
  • Migrated website to Gatsby

All Changes

... (truncated)

Changelog

Sourced from quill's changelog.

v2.0.0 (2024-04-17)

We are thrilled to announce the release of Quill 2.0! Please check out the announcement post.

Major Improvements

  • Quill is now a valid ESM package for better ecosystem (e.g. bundlers) and tree-shaking support
  • Nested Quill support #3590
  • Improved IME and spell corrector support #3807
  • Semantic cleanups for TEXT_CHANGE event #3778
  • History: Record selection in history module #3823
  • Auto detect scrolling container #3840
  • Clipboard: Improve support for pasting from Google Docs and Microsoft Word

Performance Improvements

Quill 2.0 includes many performance optimizations, the most important of which is the improved rendering speed for large content.

  • Improve inserting performance #3815
  • Avoid fetching selections when possible #3538
  • No need to setContents when container is empty #3539

Code Modernization

  • Migrated to TypeScript
  • Provided official TypeScript declarations
  • Migrated to Vitest for unit testing
  • Migrated to Playwright for E2E testing
  • Migrated website to Gatsby

All changes

v2.0.0-rc.5 (2024-04-04)

  • Clipboard: Add support for Quill v1 list attributes
  • Fix overload declarations for quill.formatText() and other methods
  • Expose Bounds type for getBounds()
  • Expose Range type
  • Allow ref for insertBefore to be null

All changes

v2.0.0-rc.4 (2024-03-24)

  • Include source maps for Parchment
  • Clipboard: Support pasting links copied from iOS share sheets
  • Fix config parsing where undefined values were kept
  • Expose types for Quill options
  • Remove empty .css.js files generated by bundlers

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by luin, a new releaser for quill since your current version.


Updates socket.io from 4.5.1 to 4.6.2

Release notes

Sourced from socket.io's releases.

4.6.2

Bug Fixes

  • exports: move types condition to the top (#4698) (3d44aae)

Links

4.6.1

Bug Fixes

  • properly handle manually created dynamic namespaces (0d0a7a2)
  • types: fix nodenext module resolution compatibility (#4625) (d0b22c6)

Links

4.6.0

Bug Fixes

  • add timeout method to remote socket (#4558) (0c0eb00)
  • typings: properly type emits with timeout (f3ada7d)

Features

Promise-based acknowledgements

This commit adds some syntactic sugar around acknowledgements:

  • emitWithAck()
try {
  const responses = await io.timeout(1000).emitWithAck("some-event");
  console.log(responses); // one response per client
} catch (e) {
  // some clients did not acknowledge the event in the given delay
}

io.on("connection", async (socket) => {
// without timeout

... (truncated)

Changelog

Sourced from socket.io's changelog.

4.6.2 (2023-05-31)

Bug Fixes

  • exports: move types condition to the top (#4698) (3d44aae)

Dependencies

4.6.1 (2023-02-20)

Bug Fixes

  • properly handle manually created dynamic namespaces (0d0a7a2)
  • types: fix nodenext module resolution compatibility (#4625) (d0b22c6)

Dependencies

4.6.0 (2023-02-07)

Bug Fixes

  • add timeout method to remote socket (#4558) (0c0eb00)
  • typings: properly type emits with timeout (f3ada7d)

Features

Promise-based acknowledgements

This commit adds some syntactic sugar around acknowledgements:

  • emitWithAck()
try {

... (truncated)

Commits
  • faf914c chore(release): 4.6.2
  • 15af22f refactor: add a noop handler for the error event
  • d365894 chore: bump socket.io-parser to version 4.2.3
  • 12b0de4 chore: bump engine.io to version 6.4.2
  • 3d44aae fix(exports): move types condition to the top (#4698)
  • cbf0362 docs(examples): bump dependencies for the private messaging example
  • 59280da docs(examples): update examples to docker compose v2
  • 50a4d37 docs(changelog): add version of transitive dependencies
  • 6458b2b docs(example): basic WebSocket-only client
  • b56da8a docs(examples): upgrade to React 18
  • Additional commits viewable in compare view


Updates postcss from 8.4.38 to 8.4.39

Release notes

Sourced from postcss's releases.

8.4.39

Changelog

Sourced from postcss's changelog.

8.4.39

Commits


Updates vite from 5.1.4 to 5.1.7

Changelog

Sourced from vite's changelog.

5.1.7 (2024-03-24)

5.1.6 (2024-03-11)

  • chore(deps): update all non-major dependencies (#16131) (a862ecb), closes #16131
  • fix: check for publicDir before checking if it is a parent directory (#16046) (b6fb323), closes #16046
  • fix: escape single quote when relative base is used (#16060) (8f74ce4), closes #16060
  • fix: handle function property extension in namespace import (#16113) (f699194), closes #16113
  • fix: server middleware mode resolve (#16122) (8403546), closes #16122
  • fix(esbuild): update tsconfck to fix bug that could cause a deadlock (#16124) (fd9de04), closes #16124
  • fix(worker): hide "The emitted file overwrites" warning if the content is same (#16094) (60dfa9e), closes #16094
  • fix(worker): throw error when circular worker import is detected and support self referencing worker (eef9da1), closes #16103
  • style(utils): remove null check (#16112) (0d2df52), closes #16112
  • refactor(runtime): share more code between runtime and main bundle (#16063) (93be84e), closes #16063

5.1.5 (2024-03-04)

Commits
  • e710c2f release: v5.1.7
  • 5a056dd fix: fs.deny with globs with directories (#16250)
  • 6f7466e release: v5.1.6
  • a862ecb chore(deps): update all non-major dependencies (#16131)
  • 8403546 fix: server middleware mode resolve (#16122)
  • b6fb323 fix: check for publicDir before checking if it is a parent directory (#16046)
  • fd9de04 fix(esbuild): update tsconfck to fix bug that could cause a deadlock (#16124)
  • f699194 fix: handle function property extension in namespace import (#16113)
  • 0d2df52 style(utils): remove null check (#16112)
  • eef9da1 fix(worker): throw error when circular worker import is detected and support ...
  • Additional commits viewable in compare view


Updates @adobe/css-tools from 4.2.0 to 4.4.0

Changelog

Sourced from @adobe/css-tools's changelog.

4.4.0 / 2024-06-05

4.3.3 / 2024-01-24

  • Update export property #271

4.3.2 / 2023-11-28

  • Fix redos vulnerability with specific crafted css string - CVE-2023-48631
  • Fix Problem parsing with :is() and nested :nth-child() #211

4.3.1 / 2023-03-14

  • Fix redos vulnerability with specific crafted css string - CVE-2023-26364

4.3.0 / 2023-03-07

  • Update build tools
  • Update exports path and files

Commits


Updates @sideway/formula from 3.0.0 to 3.0.1

Commits
Maintainer changes

This version was pushed to npm by marsup, a new releaser for @sideway/formula since your current version.


Updates braces from 3.0.2 to 3.0.3

Commits


Updates ejs from 3.1.8 to 3.1.10

Release notes

Sourced from ejs's releases.

v3.1.10

Version 3.1.10

v3.1.9

Version 3.1.9

Commits


Updates engine.io from 6.2.1 to 6.4.2

Release notes

Sourced from engine.io's releases.

6.4.2

:warning: This release contains an important security fix :warning:

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
  at Server.onWebSocket (build/server.js:515:67)

Please upgrade as soon as possible.

Bug Fixes

  • include error handling for Express middlewares (#674) (9395782)
  • prevent crash when provided with an invalid query param (fc480b4)
  • typings: make clientsCount public (#675) (bd6d471)
  • uws: prevent crash when using with middlewares (8b22162)

Credits

Huge thanks to @tyilo and @cieldeville for helping!

Links

6.4.1

This release contains 6e78489, which exports the BaseServer class in order to restore the compatibility with the nodenext module resolution strategy of TypeScript.

Reference: https://www.typescriptlang.org/tsconfig/#moduleResolution

Related: socketio/socket.io#4621

Links

6.4.0

Features

  • add support for Express middlewares (24786e7)

This commit implements middlewares at the Engine.IO level, because Socket.IO middlewares are meant for namespace authorization and are not executed during a classic HTTP request/response cycle.

... (truncated)

Changelog

Sourced from engine.io's changelog.

6.4.2 (2023-05-02)

:warning: This release contains an important security fix :warning:

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
  at Server.onWebSocket (build/server.js:515:67)

Please upgrade as soon as possible.

Bug Fixes

  • include error handling for Express middlewares (#674) (9395782)
  • prevent crash when provided with an invalid query param (fc480b4)
  • typings: make clientsCount public (#675) (bd6d471)
  • uws: prevent crash when using with middlewares (8b22162)

Credits

Huge thanks to @tyilo and @cieldeville for helping!

Dependencies

6.4.1 (2023-02-20)

This release contains 6e78489, which exports the BaseServer class in order to restore the compatibility with the nodenext module resolution strategy of TypeScript.

Reference: https://www.typescriptlang.org/tsconfig/#moduleResolution

Related: socketio/socket.io#4621

Dependencies

6.4.0 (2023-02-06)

... (truncated)

Commits
  • 95e2153 chore(release): 6.4.2
  • fc480b4 fix: prevent crash when provided with an invalid query param
  • 0141951 refactor(types): ensure compatibility with Express middlewares
  • 8b22162 fix(uws): prevent crash when using with middlewares
  • 9395782 fix: include error handling for Express middlewares (#674)
  • 911d0e3 refactor: return HTTP 400 upon invalid request overlap
  • bd6d471 fix(typings): make clientsCount public (#675)
  • 7033c0e chore(release): 6.4.1
  • 6e78489 refactor: export BaseServer class (#669)
  • 535b068 docs: add upgrade event in the documentation
  • Additional commits viewable in compare view


Updates follow-redirects from 1.15.1 to 1.15.6

Commits

socket-security[bot] commented 1 month ago

🚨 Potential security issues detected. Learn more about Socket for GitHub

To accept the risk, merge this PR and you will not be notified again.

Alert | Package | Note | Source | CI
Install scripts npm/esbuild@0.17.19
  • orphan: npm/esbuild@0.17.19
🚫
Install scripts npm/esbuild@0.18.20
  • orphan: npm/esbuild@0.18.20
🚫
Install scripts npm/@prisma/client@5.9.1
  • Install script: postinstall
  • Source: node scripts/postinstall.js
🚫
Install scripts npm/@prisma/engines@5.9.1
  • Install script: postinstall
  • Source: node scripts/postinstall.js
  • orphan: npm/@prisma/engines@5.9.1
🚫

View full report

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm/esbuild@0.17.19
  • @SocketSecurity ignore npm/esbuild@0.18.20
  • @SocketSecurity ignore npm/@prisma/client@5.9.1
  • @SocketSecurity ignore npm/@prisma/engines@5.9.1

dependabot[bot] commented 1 month ago

Superseded by #979.