rcos / venue

MIT License

[Security] Bump kerberos from 0.0.21 to 1.0.0 #582

Open dependabot-preview[bot] opened 4 years ago

dependabot-preview[bot] commented 4 years ago

Bumps kerberos from 0.0.21 to 1.0.0. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

DLL Injection in kerberos

Versions of kerberos prior to 1.0.0 are vulnerable to DLL Injection. The package loads DLLs without specifying a full path. This may allow attackers to create a file with the same name in a folder that precedes the intended file in the DLL path search. Doing so would allow attackers to execute arbitrary code on the machine.

Recommendation

Upgrade to version 1.0.0 or later.

Affected versions: < 1.0.0

Changelog

Sourced from kerberos's changelog.

1.0.0 (2018-08-15)

Bug Fixes

  • check-password: correctly validate parameters, fix test (b772dde)
  • common: ensure nan is being included everywhere appropriately (7bddb24)
  • context: add NewInstance methods, and make getters safer (fd4b852)
  • gss: fix issue with memory corruption (ff4167e)
  • kerberos: provide default gss flags (b365934)
  • legacy: support legacy import expectations (615b23f)
  • response: ensure null or client/server response is returned (083518f)
  • server: use the correct internal method name for server init (8c8dd35)
  • this: use the correct reference to this for object unwrapping (1acfb20)
  • unique_ptr: ensure we include where required (e3d9afb)
  • warnings: set clang compiler pragmas only when clang is detected (048479d)
  • win32: windows -> win32 in bindings.gyp (0221c06)
  • win32: cleanup client state in addon destructor (5394561)
  • win32: initialize with a domain, if one is provided (309ba61)

Features

  • async-worker: introduce a KerberosWorker using lambdas (1239ef7)
  • checkPassword: add implementation for checking krb5 passwords (60f476e)
  • clean: provide implementations for the clean methods (77a77ce)
  • client: add final wrap/unwrap api endpoints (016222f)
  • client: add implementation for client wrap/unwrap to win32 (994604c)
  • gss: add new methods for constructing state tracking types (274cad6)
  • jsdoc2md: add jsdoc2md support, and README template (60e1ee5)
  • kerberos: add getters to check for context completeness (6a9a01d)
  • kerberos: implement client/server init, move to worker file (1c857ea)
  • kerberos: return value for step is the challenge response (e153d24)
  • promises: allow to access all API by promise or callback (3b77430)
  • serverPrincipalDetails: add server principal details method (385fcd1)
  • src: begin to develop the new version of the module in src (f45da50)
  • sspi: introduce client initialization for SSPI (6a40301)
  • sspi: provide implementation for initializeClient (5943f1c)
  • step: implement client and server step methods (5a4327c)

Commits

  • c6ffd40 chore(release): 1.0.0
  • 0088043 chore(travis): fix travis builds
  • a3c7f3e chore(package): add prebuild-install to dependencies
  • d6c64c5 chore(travis): update travis to run prebuild for all osx/linux envs
  • f252c23 chore(prebuild): add support for prebuilt binaries to project
  • b924f8a chore(appveyor): add appveyor configuration
  • 4c48741 test(win32) provide basic script, skip manual tests
  • 5b12fd4 chore(package): update dependencies
  • d906fd9 style(*): fix linting errors across the project
  • 8a60354 test(win32): add expectations for errors not existing
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by mbroadst, a new releaser for kerberos since your current version.

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
  • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
  • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
  • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
  • `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)
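The advisory quoted in this PR says the fix was to stop loading DLLs by bare name, because a bare name makes the Windows loader walk its search path and take the first same-named file it finds. The C helper below is an added example, not code from the kerberos package or from this PR, showing the hardened pattern a native addon would use: refuse any name that is not a plain `.dll` file name, build a fully qualified path under the system directory, and on Windows hand that path to `LoadLibraryExA` with `LOAD_LIBRARY_SEARCH_SYSTEM32` so the DLL's own dependencies are resolved from System32 too. The unsafe bare-name call is kept beside it for contrast. The name `example.dll` and the `C:\Windows\System32` string used in `main` are constructed placeholders; the page does not say which DLL the package loaded.

```c
/* Added example (not from the kerberos package): fully qualified DLL
 * loading as the mitigation for DLL search-order hijacking. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* True when name ends in ".dll" (case-insensitive) and has a base name. */
static bool has_dll_suffix(const char *name)
{
    size_t n = strlen(name);
    const char *ext;
    if (n < 5)                         /* shortest valid form is "x.dll" */
        return false;
    ext = name + n - 4;
    return ext[0] == '.'
        && tolower((unsigned char)ext[1]) == 'd'
        && tolower((unsigned char)ext[2]) == 'l'
        && tolower((unsigned char)ext[3]) == 'l';
}

/* Builds "<system_dir>\<name>" into out. Rejects anything that is not a
 * plain file name (separators, drive letters, missing .dll suffix) so the
 * result is always a fully qualified path inside system_dir.
 * Returns true on success; out is left untouched on failure. */
bool build_system_dll_path(const char *system_dir, const char *name,
                           char *out, size_t out_len)
{
    size_t dir_len, name_len, need;
    bool add_sep;

    if (!system_dir || !name || !out || out_len == 0)
        return false;
    if (strchr(name, '\\') || strchr(name, '/') || strchr(name, ':'))
        return false;                  /* no path components allowed */
    if (!has_dll_suffix(name))
        return false;

    dir_len = strlen(system_dir);
    name_len = strlen(name);
    if (dir_len == 0)
        return false;
    add_sep = system_dir[dir_len - 1] != '\\';
    need = dir_len + (add_sep ? 1 : 0) + name_len + 1;   /* +1 for NUL */
    if (need > out_len)
        return false;                  /* refuse to truncate the path */

    memcpy(out, system_dir, dir_len);
    if (add_sep)
        out[dir_len++] = '\\';
    memcpy(out + dir_len, name, name_len + 1);
    return true;
}

#ifdef _WIN32
/* The pattern the advisory describes: a bare name makes the loader search
 * the application directory, the current directory and PATH before the
 * system directory, so the first same-named file found wins. */
static HMODULE load_dll_by_name_unsafe(const char *name)
{
    return LoadLibraryA(name);
}

/* Hardened form: resolve the name under the system directory ourselves and
 * restrict the search for the DLL's own dependencies to System32 as well. */
static HMODULE load_system_dll(const char *name)
{
    char sysdir[MAX_PATH];
    char full[MAX_PATH * 2];
    UINT n = GetSystemDirectoryA(sysdir, sizeof sysdir);

    if (n == 0 || n >= sizeof sysdir)
        return NULL;
    if (!build_system_dll_path(sysdir, name, full, sizeof full))
        return NULL;
    return LoadLibraryExA(full, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
}
#endif

int main(void)
{
    /* Constructed inputs: a typical system directory and placeholder names. */
    const char *sysdir = "C:\\Windows\\System32";
    const char *names[] = { "example.dll", "..\\example.dll", "example.txt" };
    char path[260];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (build_system_dll_path(sysdir, names[i], path, sizeof path))
            printf("%-16s -> %s\n", names[i], path);
        else
            printf("%-16s -> rejected\n", names[i]);
    }
#ifdef _WIN32
    (void)load_dll_by_name_unsafe;     /* shown for contrast; not called */
    (void)load_system_dll;
#endif
    return 0;
}
```

The path-building part is portable so it can be unit-tested anywhere; only the two loader wrappers need Windows. When reviewing a native addon for this class of bug, the thing to grep for is any `LoadLibrary`/`LoadLibraryEx` call whose first argument is a literal or user-supplied bare file name rather than a path produced by something like `build_system_dll_path`.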