netzwerg / react-svg-timeline

React event timeline component based on SVG

Bump ts-deepmerge from 1.0.7 to 2.0.2 #97

Closed dependabot[bot] closed 2 years ago

dependabot[bot] commented 2 years ago

Bumps ts-deepmerge from 1.0.7 to 2.0.2.

Release notes

Sourced from ts-deepmerge's releases.

Safeguard against prototype pollution

This version adds a safeguard against prototype pollution - sufficient unit test coverage has been added to cover the scenario.

Fix IObject type to allow named interfaces but not arrays

No release notes provided.

Fix arg types

This function is only designed to have objects provided to it as args. This version fixes it so that it won't allow unsupported args such as arrays.

Add .withOptions functionality

This version adds the .withOptions functionality, with a mergeArrays option, to optionally turn off the deep array merging behaviour.

Update dependencies

No release notes provided.

Commits
  • 9be5148 prevent against prototype pollution
  • cc56cc8 Bump tmpl from 1.0.4 to 1.0.5 (#10)
  • 3e45ab5 Bump minimist from 1.2.5 to 1.2.6 (#14)
  • cd27bf7 fix IObject type to allow named interfaces but disallow arrays
  • c820205 fix broken arg type - don't allow arrays
  • 5ad525d amend README.md
  • d24cd86 add .withOptions functionality
  • f94e9b6 Bump ws from 7.4.5 to 7.4.6 (#7)
  • 5f47743 Bump hosted-git-info from 2.8.8 to 2.8.9 (#6)
  • 02f2693 Add npm badge (#8)
  • Additional commits viewable in compare view



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
  • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
  • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
  • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/netzwerg/react-svg-timeline/network/alerts).
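The release notes above say only that the new version "adds a safeguard against prototype pollution". The following is an added illustration, not ts-deepmerge's own code: a minimal recursive merge in the style of deep-merge libraries, once without and once with a key filter, plus a `probe` helper that checks whether merging a constructed `"__proto__"` payload leaks onto an unrelated object. `FORBIDDEN_KEYS`, `unsafeMerge`, `safeMerge` and `probe` are names chosen for this example.

```javascript
// Constructed example, not code from ts-deepmerge or react-svg-timeline.
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Keys through which an assignment can reach the shared prototype chain
// instead of staying on the object being built.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: recurses into every own key of `source`. For the key
// "__proto__", `target[key]` resolves to Object.prototype, so the recursive
// call writes the nested values onto the prototype shared by every object.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened form: identical merge, but keys that address the prototype chain
// are skipped before any read or write on `target` happens.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // the safeguard
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Runs `merge` on a constructed payload (JSON.parse yields an own property
// literally named "__proto__") and reports whether a fresh, unrelated object
// now sees the injected property. Cleans up so later code is unaffected.
function probe(merge) {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}'); // constructed
  merge({}, payload);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}
```

Run `probe(unsafeMerge)` and `probe(safeMerge)` side by side: the first returns `true` (the merge target was an empty object, yet every object now carries `polluted`), the second returns `false` while still merging ordinary nested keys.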
linus345 commented 2 years ago

@netzwerg Hi, any plans to merge this and release a new version? Versions prior to 2.0.2 have a critical vulnerability, CVE-2022-25907.

netzwerg commented 2 years ago

@linus345 Thanks for the heads up! I've just released v0.23.4 🚀

linus345 commented 2 years ago

Thanks for the fast response 👍 😄