search

pressbooks / pressbooks-book

McLuhan is the default book theme for Pressbooks.
https://pressbooks.org
GNU General Public License v3.0
20 stars 16 forks source link

chore(deps): bump the npm_and_yarn group with 9 updates #1231

Closed dependabot[bot] closed 2 months ago

dependabot[bot] commented 3 months ago

Bumps the npm_and_yarn group with 9 updates:

Package From To
@babel/traverse 7.20.10 7.24.7
browserify-sign 4.2.1 4.2.3
express 4.18.2 4.19.2
follow-redirects 1.15.2 1.15.6
socket.io 4.6.1 4.7.5
webpack-dev-middleware 5.3.3 5.3.4
ws 8.11.0 8.17.1
socket.io-client 4.6.1 4.7.5
socket.io-adapter 2.5.2 2.5.5

Updates @babel/traverse from 7.20.10 to 7.24.7

Release notes

Sourced from @​babel/traverse's releases.

v7.24.7 (2024-06-05)

:bug: Bug Fix

:house: Internal

  • babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

Committers: 7

v7.24.6 (2024-05-24)

Thanks @​amjed-98, @​blakewilson, @​coelhucas, and @​SukkaW for your first PRs!

:bug: Bug Fix

  • babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • babel-core, babel-generator, babel-plugin-transform-modules-commonjs
  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3
    • #16483 Fix: throw TypeError if addInitializer is called after finished (@​JLHwung)
  • babel-parser, babel-plugin-transform-typescript

:house: Internal

  • babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • babel-helpers
  • babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • babel-parser, babel-traverse
  • Other

... (truncated)

Changelog

Sourced from @​babel/traverse's changelog.

v7.24.7 (2024-06-05)

:bug: Bug Fix

:house: Internal

  • babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

v7.24.6 (2024-05-24)

:bug: Bug Fix

  • babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • babel-core, babel-generator, babel-plugin-transform-modules-commonjs
  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3
    • #16483 Fix: throw TypeError if addInitializer is called after finished (@​JLHwung)
  • babel-parser, babel-plugin-transform-typescript

:house: Internal

  • babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • babel-helpers
  • babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • babel-parser, babel-traverse
  • Other

v7.24.5 (2024-04-29)

:bug: Bug Fix

  • babel-plugin-transform-classes, babel-traverse
  • babel-helpers, babel-plugin-proposal-explicit-resource-management, babel-runtime-corejs3

:nail_care: Polish

  • babel-parser

... (truncated)

Commits


Updates browserify-sign from 4.2.1 to 4.2.3

Changelog

Sourced from browserify-sign's changelog.

v4.2.3 - 2024-03-05

Commits

v4.2.2 - 2023-10-25

Fixed

Commits

  • Only apps should have lockfiles 09a8995
  • [eslint] switch to eslint 83fe463
  • [meta] add npmignore and auto-changelog 4418183
  • [meta] fix package.json indentation 9ac5a5e
  • [Tests] migrate from travis to github actions d845d85
  • [Fix] sign: throw on unsupported padding scheme 8767739
  • [Fix] properly check the upper bound for DSA signatures 85994cd
  • [Tests] handle openSSL not supporting a scheme f5f17c2
  • [Deps] update bn.js, browserify-rsa, elliptic, parse-asn1, readable-stream, safe-buffer a67d0eb
  • [Dev Deps] update nyc, standard, tape cc5350b
  • [Tests] always run coverage; downgrade nyc 75ce1d5
  • [meta] add safe-publish-latest dcf49ce
  • [Tests] add npm run posttest 75dd8fd
  • [Dev Deps] update tape 3aec038
  • [Tests] skip unsupported schemes 703c83e
  • [Tests] node < 6 lacks array includes 3aa43cf
  • [Dev Deps] fix eslint range 98d4e0d
Commits
  • bf2c3ec v4.2.3
  • 9247adf [patch] widen support to 0.12
  • f427270 [Deps] update `parse-asn1
  • 87f3a35 [Dev Deps] update aud, npmignore, tape
  • fb261ce [Deps] update elliptic
  • 4d0ee49 [patch] drop minimum node support to v1
  • 9e2bf12 [Deps] pin hash-base to ~3.0, due to a breaking change
  • 168e16f [Deps] pin elliptic due to a breaking change
  • 37a4758 [actions] remove redundant finisher
  • 4af5a90 v4.2.2
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for browserify-sign since your current version.


Updates express from 4.18.2 to 4.19.2

Release notes

Sourced from express's releases.

4.19.2

What's Changed

Full Changelog: https://github.com/expressjs/express/compare/4.19.1...4.19.2

4.19.1

What's Changed

Full Changelog: https://github.com/expressjs/express/compare/4.19.0...4.19.1

4.19.0

What's Changed

New Contributors

Full Changelog: https://github.com/expressjs/express/compare/4.18.3...4.19.0

4.18.3

Main Changes

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2

Other Changes

... (truncated)

Changelog

Sourced from express's changelog.

4.19.2 / 2024-03-25

  • Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

  • Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

  • Prevent open redirect allow list bypass due to encodeurl
  • deps: cookie@0.6.0

4.18.3 / 2024-02-29

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2
  • deps: cookie@0.6.0
    • Add partitioned option
Commits
  • 04bc627 4.19.2
  • da4d763 Improved fix for open redirect allow list bypass
  • 4f0f6cc 4.19.1
  • a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
  • a1fa90f fixed un-edited version in history.md for 4.19.0
  • 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
  • 084e365 4.19.0
  • 0867302 Prevent open redirect allow list bypass due to encodeurl
  • 567c9c6 Add note on how to update docs for new release (#5541)
  • 69a4cf2 deps: cookie@0.6.0
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.


Updates follow-redirects from 1.15.2 to 1.15.6

Commits
  • 35a517c Release version 1.15.6 of the npm package.
  • c4f847f Drop Proxy-Authorization across hosts.
  • 8526b4a Use GitHub for disclosure.
  • b1677ce Release version 1.15.5 of the npm package.
  • d8914f7 Preserve fragment in responseUrl.
  • 6585820 Release version 1.15.4 of the npm package.
  • 7a6567e Disallow bracketed hostnames.
  • 05629af Prefer native URL instead of deprecated url.parse.
  • 1cba8e8 Prefer native URL instead of legacy url.resolve.
  • 72bc2a4 Simplify _processResponse error handling.
  • Additional commits viewable in compare view


Updates socket.io from 4.6.1 to 4.7.5

Release notes

Sourced from socket.io's releases.

4.7.5

Bug Fixes

  • close the adapters when the server is closed (bf64870)
  • remove duplicate pipeline when serving bundle (e426f3e)

Links

4.7.4

Bug Fixes

  • typings: calling io.emit with no arguments incorrectly errored (cb6d2e0), closes #4914

Links

4.7.3

Bug Fixes

  • return the first response when broadcasting to a single socket (#4878) (df8e70f)
  • typings: allow to bind to a non-secure Http2Server (#4853) (8c9ebc3)

Links

4.7.2

Bug Fixes

  • clean up child namespace when client is rejected in middleware (#4773) (0731c0d)
  • webtransport: properly handle WebTransport-only connections (3468a19)
  • webtransport: add proper framing (a306db0)

Links

... (truncated)

Changelog

Sourced from socket.io's changelog.

4.7.5 (2024-03-14)

Bug Fixes

  • close the adapters when the server is closed (bf64870)
  • remove duplicate pipeline when serving bundle (e426f3e)

Dependencies

4.7.4 (2024-01-12)

Bug Fixes

  • typings: calling io.emit with no arguments incorrectly errored (cb6d2e0), closes #4914

Dependencies

4.7.3 (2024-01-03)

Bug Fixes

  • return the first response when broadcasting to a single socket (#4878) (df8e70f)
  • typings: allow to bind to a non-secure Http2Server (#4853) (8c9ebc3)

Dependencies

4.7.2 (2023-08-02)

... (truncated)

Commits
  • 5017681 chore(release): 4.7.5
  • bf64870 fix: close the adapters when the server is closed
  • 748e18c ci: test with older TypeScript version
  • b9ce6a2 refactor: create specific adapter for parent namespaces (#4950)
  • 54dabe5 ci: upgrade to actions/checkout@4 and actions/setup-node@4
  • e426f3e fix: remove duplicate pipeline when serving bundle
  • e36062c docs: update the webtransport example
  • 0bbe8ae docs: only execute the passport middleware once
  • 914a8bd docs: add example with JWT
  • d943c3e docs: update the Passport.js example
  • Additional commits viewable in compare view


Updates webpack-dev-middleware from 5.3.3 to 5.3.4

Release notes

Sourced from webpack-dev-middleware's releases.

v5.3.4

5.3.4 (2024-03-20)

Bug Fixes

  • security: do not allow to read files above (#1779) (189c4ac)
Changelog

Sourced from webpack-dev-middleware's changelog.

5.3.4 (2024-03-20)

Bug Fixes

  • security: do not allow to read files above (#1779) (189c4ac)
Commits


Updates ws from 8.11.0 to 8.17.1

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

  • Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;


for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;


for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';

  if (++count === 2000) break;
}



}


headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';


const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});


request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the [--max-http-header-size=size][] and/or the [maxHeaderSize][] options so that no more headers than the server.maxHeadersCount limit can be sent.

... (truncated)

Commits
  • 3c56601 [dist] 8.17.1
  • e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
  • 6a00029 [test] Increase code coverage
  • ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
  • b73b118 [dist] 8.17.0
  • 29694a5 [test] Use the highWaterMark variable
  • 934c9d6 [ci] Test on node 22
  • 1817bac [ci] Do not test on node 21
  • 96c9b3d [major] Flip the default value of allowSynchronousEvents (#2221)
  • e5f32c7 [fix] Emit at most one event per event loop iteration (#2218)
  • Additional commits viewable in compare view


Updates socket.io-client from 4.6.1 to 4.7.5

Release notes

Sourced from socket.io-client's releases.

4.7.5

Bug Fixes

  • discard acknowledgements upon disconnection (34cbfbb)

Links

4.7.4

There were some minor bug fixes on the server side, which mandate a client bump.

Links

4.7.3

Bug Fixes

  • improve compatibility with node16 module resolution (#1595) (605de78)
  • typings: accept string | undefined as init argument (5a3eafe)
  • typings: fix the type of the socket#id attribute (f9c16f2)

Links

4.7.2

Some bug fixes are included from the engine.io-client package:

  • webtransport: add proper framing (d55c39e)
  • webtransport: honor the binaryType attribute (8270e00)

Links

4.7.1

... (truncated)

Changelog

Sourced from socket.io-client's changelog.

4.7.5 (2024-03-14)

Bug Fixes

  • discard acknowledgements upon disconnection (34cbfbb)

Dependencies

4.7.4 (2024-01-12)

There were some minor bug fixes on the server side, which mandate a client bump.

Dependencies

4.7.3 (2024-01-03)

Bug Fixes

  • improve compatibility with node16 module resolution (#1595) (605de78)
  • typings: accept string | undefined as init argument (5a3eafe)
  • typings: fix the type of the socket#id attribute (f9c16f2)

Dependencies

4.7.2 (2023-08-02)

Some bug fixes are included from the engine.io-client package:

  • webtransport: add proper framing (d55c39e)
  • webtransport: honor the binaryType attribute (8270e00)

... (truncated)

Commits
  • 4f6030f chore(release): 4.7.5
  • 34cbfbb fix: discard acknowledgements upon disconnection
  • 8cfea8c chore(release): 4.7.4
  • ca5d50e chore(release): 4.7.3
  • f9c16f2 fix(typings): fix the type of the socket#id attribute
  • b3f0cab ci: add Node.js 20 in the test matrix
  • 5a3eafe fix(typings): accept string | undefined as init argument
  • 605de78 fix: improve compatibility with node16 module resolution (#1595)
  • d00ccd2 ci: bump appiumVersion for Android tests in SauceLabs
  • 928d76d chore(release): 4.7.2
  • Additional commits viewable in compare view


Updates socket.io-adapter from 2.5.2 to 2.5.5

Release notes

Sourced from socket.io-adapter's releases.

2.5.4

Bug Fixes

  • ensure the order of the commands (a13f35f)
  • types: ensure compatibility with TypeScript < 4.5 (ca397f3)

Links

2.5.3

Two abstract classes were imported from the Redis adapter repository:

  • the ClusterAdapter class, which manages the messages sent between the server instances of the cluster
  • the ClusterAdapterWithHeartbeat class, which extends the ClusterAdapter and adds a heartbeat mechanism in order to check the healthiness of the other instances

Other adapters can then just extend those classes and only have to implement the pub/sub mechanism (and not the internal chit-chat protocol):

class MyAdapter extends ClusterAdapterWithHeartbeat {
  constructor(nsp, pubSub, opts) {
    super(nsp, opts);
    this.pubSub = pubSub;
    pubSub.subscribe("main-channel", (message) => this.onMessage(message));
    pubSub.subscribe("specific-channel#" + this.uid, (response) => this.onResponse(response));
  }

doPublish(message) {
return this.pubSub.publish("main-channel", message);
}


doPublishResponse(requesterUid, response) {
return this.pubSub.publish("specific-channel#" + requesterUid, response);
}
}

Besides, the number of "timeout reached: only x responses received out of y" errors (which can happen when a server instance leaves the cluster) should be greatly reduced by this commit.

Bug Fixes

  • cluster: fix count in fetchSockets() method (80af4e9)
  • cluster: notify the other nodes when closing (0e23ff0)

Performance Improvements

  • cluster: use timer.refresh() (d99a71b)

... (truncated)

Changelog

Sourced from socket.io-adapter's changelog.

2.5.5 (2024-06-18)

This release contains a bump of the ws dependency, which includes an important security fix.

Advisory: https://github.com/advisories/GHSA-3h5v-q93c-6h6q

2.5.4 (2024-02-22)

Bug Fixes

  • ensure the order of the commands (a13f35f)
  • types: ensure compatibility with TypeScript < 4.5 (ca397f3)

2.5.3 (2024-02-21)

Two abstract classes were imported from the Redis adapter repository:

  • the ClusterAdapter class, which manages the messages sent between the server instances of the cluster
  • the ClusterAdapterWithHeartbeat class, which extends the ClusterAdapter and adds a heartbeat mechanism in order to check the healthiness of the other instances

Other adapters can then just extend those classes and only have to implement the pub/sub mechanism (and not the internal chit-chat protocol):

class MyAdapter extends ClusterAdapterWithHeartbeat {
  constructor(nsp, pubSub, opts) {
    super(nsp, opts);
    this.pubSub = pubSub;
    pubSub.subscribe("main-channel", (message) => this.onMessage(message));
    pubSub.subscribe("specific-channel#" + this.uid, (response) => this.onResponse(response));
  }

doPublish(message) {
return this.pubSub.publish("main-channel", message);
}


doPublishResponse(requesterUid, response) {
return this.pubSub.publish("specific-channel#" + requesterUid, response);
}
}

Besides, the number of "timeout reached: only x responses received out of y" errors (which can happen when a server instance leaves the cluster) should be greatly reduced by this commit.

Bug Fixes

... (truncated)

Commits
  • 05a190a chore(release): 6.5.5
  • 93fe190 chore(deps): bump ws from 8.11.0 to 8.17.1 (#93)
  • 5eae5a0 chore(release): 2.5.4
  • 005d546 ci: test with older TypeScript version
  • © Githubissues.
  • Githubissues is a development platform for aggregating issues.