socket-security[bot]
commented
1 year ago Socket Security Pull Request Report
π No new dependency issues detected in pull request
Pull request report summary
| Issue | Status |
|---|---|
| Install scripts | β 0 issues |
| Native code | β 0 issues |
| Bin script confusion | β 0 issues |
| Bin script shell injection | β 0 issues |
| Unresolved require | β 0 issues |
| Invalid package.json | β 0 issues |
| HTTP dependency | β 0 issues |
| Git dependency | β 0 issues |
| Potential typo squat | β 0 issues |
| Known Malware | β 0 issues |
| Telemetry | β 0 issues |
| Protestware/Troll package | β 0 issues |
Bot Commands
To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@2.4.2
Ignoring: esbuild@0.17.8, jest@29.4.2, jest-cli@29.4.2
Powered by socket.dev
stipsan
github-actions[bot]
This PR contains the following updates:
^1.1.9->^1.1.10^0.17.5->^0.17.8^8.33.0->^8.34.0^5.3.0->^5.3.1^29.4.1->^29.4.2^29.4.1->^29.4.2^29.4.1->^29.4.2^2.8.3->^2.8.4^2.4.2->^2.4.3Release Notes
chancejs/chancejs
### [`v1.1.10`](https://togithub.com/chancejs/chancejs/compare/1.1.9...1.1.10) [Compare Source](https://togithub.com/chancejs/chancejs/compare/1.1.9...1.1.10)evanw/esbuild
### [`v0.17.8`](https://togithub.com/evanw/esbuild/blob/HEAD/CHANGELOG.md#0178) [Compare Source](https://togithub.com/evanw/esbuild/compare/v0.17.7...v0.17.8) - Fix a minification bug with non-ASCII identifiers ([#2910](https://togithub.com/evanw/esbuild/issues/2910)) This release fixes a bug with esbuild where non-ASCII identifiers followed by a keyword were incorrectly not separated by a space. This bug affected both the `in` and `instanceof` keywords. Here's an example of the fix: ```js // Original code Ο in a // Old output (with --minify --charset=utf8) Οin a; // New output (with --minify --charset=utf8) Ο in a; ``` - Fix a regression with esbuild's WebAssembly API in version 0.17.6 ([#2911](https://togithub.com/evanw/esbuild/issues/2911)) Version 0.17.6 of esbuild updated the Go toolchain to version 1.20.0. This had the unfortunate side effect of increasing the amount of stack space that esbuild uses (presumably due to some changes to Go's WebAssembly implementation) which could cause esbuild's WebAssembly-based API to crash with a stack overflow in cases where it previously didn't crash. One such case is the package `grapheme-splitter` which contains code that looks like this: ```js if ( (0x0300 <= code && code <= 0x036F) || (0x0483 <= code && code <= 0x0487) || (0x0488 <= code && code <= 0x0489) || (0x0591 <= code && code <= 0x05BD) || // ... many hundreds of lines later ... ) { return; } ``` This edge case involves a chain of binary operators that results in an AST over 400 nodes deep. Normally this wouldn't be a problem because Go has growable call stacks, so the call stack would just grow to be as large as needed. However, WebAssembly byte code deliberately doesn't expose the ability to manipulate the stack pointer, so Go's WebAssembly translation is forced to use the fixed-size WebAssembly call stack. So esbuild's WebAssembly implementation is vulnerable to stack overflow in cases like these. It's not unreasonable for this to cause a stack overflow, and for esbuild's answer to this problem to be "don't write code like this." That's how many other AST-manipulation tools handle this problem. However, it's possible to implement AST traversal using iteration instead of recursion to work around limited call stack space. This version of esbuild implements this code transformation for esbuild's JavaScript parser and printer, so esbuild's WebAssembly implementation is now able to process the `grapheme-splitter` package (at least when compiled with Go 1.20.0 and run with node's WebAssembly implementation). ### [`v0.17.7`](https://togithub.com/evanw/esbuild/blob/HEAD/CHANGELOG.md#0177) [Compare Source](https://togithub.com/evanw/esbuild/compare/v0.17.6...v0.17.7) - Change esbuild's parsing of TypeScript instantiation expressions to match TypeScript 4.8+ ([#2907](https://togithub.com/evanw/esbuild/issues/2907)) This release updates esbuild's implementation of instantiation expression erasure to match [microsoft/TypeScript#49353](https://togithub.com/microsoft/TypeScript/pull/49353). The new rules are as follows (copied from TypeScript's PR description): > When a potential type argument list is followed by > > - a line break, > - an `(` token, > - a template literal string, or > - any token except `<` or `>` that isn't the start of an expression, > > we consider that construct to be a type argument list. Otherwise we consider the construct to be a `<` relational expression followed by a `>` relational expression. - Ignore `sideEffects: false` for imported CSS files ([#1370](https://togithub.com/evanw/esbuild/issues/1370), [#1458](https://togithub.com/evanw/esbuild/pull/1458), [#2905](https://togithub.com/evanw/esbuild/issues/2905)) This release ignores the `sideEffects` annotation in `package.json` for CSS files that are imported into JS files using esbuild's `css` loader. This means that these CSS files are no longer be tree-shaken. Importing CSS into JS causes esbuild to automatically create a CSS entry point next to the JS entry point containing the bundled CSS. Previously packages that specified some form of `"sideEffects": false` could potentially cause esbuild to consider one or more of the JS files on the import path to the CSS file to be side-effect free, which would result in esbuild removing that CSS file from the bundle. This was problematic because the removal of that CSS is outwardly observable, since all CSS is global, so it was incorrect for previous versions of esbuild to tree-shake CSS files imported into JS files. - Add constant folding for certain additional equality cases ([#2394](https://togithub.com/evanw/esbuild/issues/2394), [#2895](https://togithub.com/evanw/esbuild/issues/2895)) This release adds constant folding for expressions similar to the following: ```js // Original input console.log( null === 'foo', null === undefined, null == undefined, false === 0, false == 0, 1 === true, 1 == true, ) // Old output console.log( null === "foo", null === void 0, null == void 0, false === 0, false == 0, 1 === true, 1 == true ); // New output console.log( false, false, true, false, true, false, true ); ``` ### [`v0.17.6`](https://togithub.com/evanw/esbuild/blob/HEAD/CHANGELOG.md#0176) [Compare Source](https://togithub.com/evanw/esbuild/compare/v0.17.5...v0.17.6) - Fix a CSS parser crash on invalid CSS ([#2892](https://togithub.com/evanw/esbuild/issues/2892)) Previously the following invalid CSS caused esbuild's parser to crash: ```css @media screen ``` The crash was caused by trying to construct a helpful error message assuming that there was an opening `{` token, which is not the case here. This release fixes the crash. - Inline TypeScript enums that are referenced before their declaration Previously esbuild inlined enums within a TypeScript file from top to bottom, which meant that references to TypeScript enum members were only inlined within the same file if they came after the enum declaration. With this release, esbuild will now inline enums even when they are referenced before they are declared: ```ts // Original input export const foo = () => Foo.FOO const enum Foo { FOO = 0 } // Old output (with --tree-shaking=true) export const foo = () => Foo.FOO; var Foo = /* @__PURE__ */ ((Foo2) => { Foo2[Foo2["FOO"] = 0] = "FOO"; return Foo2; })(Foo || {}); // New output (with --tree-shaking=true) export const foo = () => 0 /* FOO */; ``` This makes esbuild's TypeScript output smaller and faster when processing code that does this. I noticed this issue when I ran the TypeScript compiler's source code through esbuild's bundler. Now that the TypeScript compiler is going to be bundled with esbuild in the upcoming TypeScript 5.0 release, improvements like this will also improve the TypeScript compiler itself! - Fix esbuild installation on Arch Linux ([#2785](https://togithub.com/evanw/esbuild/issues/2785), [#2812](https://togithub.com/evanw/esbuild/issues/2812), [#2865](https://togithub.com/evanw/esbuild/issues/2865)) Someone made an unofficial `esbuild` package for Linux that adds the `ESBUILD_BINARY_PATH=/usr/bin/esbuild` environment variable to the user's default environment. This breaks all npm installations of esbuild for users with this unofficial Linux package installed, which has affected many people. Most (all?) people who encounter this problem haven't even installed this unofficial package themselves; instead it was installed for them as a dependency of another Linux package. The problematic change to add the `ESBUILD_BINARY_PATH` environment variable was reverted in the latest version of this unofficial package. However, old versions of this unofficial package are still there and will be around forever. With this release, `ESBUILD_BINARY_PATH` is now ignored by esbuild's install script when it's set to the value `/usr/bin/esbuild`. This should unbreak using npm to install `esbuild` in these problematic Linux environments. Note: The `ESBUILD_BINARY_PATH` variable is an undocumented way to override the location of esbuild's binary when esbuild's npm package is installed, which is necessary to substitute your own locally-built esbuild binary when debugging esbuild's npm package. It's only meant for very custom situations and should absolutely not be forced on others by default, especially without their knowledge. I may remove the code in esbuild's installer that reads `ESBUILD_BINARY_PATH` in the future to prevent these kinds of issues. It will unfortunately make debugging esbuild harder. If `ESBUILD_BINARY_PATH` is ever removed, it will be done in a "breaking change" release.eslint/eslint
### [`v8.34.0`](https://togithub.com/eslint/eslint/releases/tag/v8.34.0) [Compare Source](https://togithub.com/eslint/eslint/compare/v8.33.0...v8.34.0) #### Features - [`9b2fcf7`](https://togithub.com/eslint/eslint/commit/9b2fcf7e928fc92ac6d43617bdee1bda250b7491) feat: `array-callback-return` supports `Array.prototype.toSorted` ([#16845](https://togithub.com/eslint/eslint/issues/16845)) (SUZUKI Sosuke) #### Bug Fixes - [`923f61d`](https://togithub.com/eslint/eslint/commit/923f61d8fc82d83b912c6ba95abb5a509c4d7b52) fix: false positive with assignment in `no-extra-parens` ([#16872](https://togithub.com/eslint/eslint/issues/16872)) (Francesco Trotta) #### Documentation - [`f0a9883`](https://togithub.com/eslint/eslint/commit/f0a988384ea1a262150e70d83abd8a5e50c46fa7) docs: split rules documentation ([#16797](https://togithub.com/eslint/eslint/issues/16797)) (Ben Perlmutter) - [`67aa37b`](https://togithub.com/eslint/eslint/commit/67aa37b583f059226b9c959672400f04ed6a56b5) docs: fix typo in command-line-interface.md ([#16871](https://togithub.com/eslint/eslint/issues/16871)) (Kevin Rouchut) - [`337f7ed`](https://togithub.com/eslint/eslint/commit/337f7ed96131d873be7ae6b010739476d0ad15e9) docs: fix width of language input ([#16849](https://togithub.com/eslint/eslint/issues/16849)) (Tanuj Kanti) - [`71349a1`](https://togithub.com/eslint/eslint/commit/71349a1f709baa361bd656a7ce4a7d35d857a9a8) docs: Configure a Parser page ([#16803](https://togithub.com/eslint/eslint/issues/16803)) (Ben Perlmutter) - [`de7e925`](https://togithub.com/eslint/eslint/commit/de7e925d03764f3681269b30bb60b92ee463c10f) docs: remove extra line numbers in example ([#16848](https://togithub.com/eslint/eslint/issues/16848)) (jonz94) - [`ad38d77`](https://togithub.com/eslint/eslint/commit/ad38d77102d6fe30cfa92c831174f178bb35c88b) docs: Update README (GitHub Actions Bot) #### Chores - [`9dbe06d`](https://togithub.com/eslint/eslint/commit/9dbe06d0ad875e6d5964497e2975e8d789e763d0) chore: add `type` property to array-element-newline schema ([#16877](https://togithub.com/eslint/eslint/issues/16877)) (MHO) - [`a061527`](https://togithub.com/eslint/eslint/commit/a061527a0332f0edf559acfc2902a327cae098d9) chore: Remove unused functions ([#16868](https://togithub.com/eslint/eslint/issues/16868)) (Nicholas C. Zakas)luin/ioredis
### [`v5.3.1`](https://togithub.com/luin/ioredis/blob/HEAD/CHANGELOG.md#531-httpsgithubcomluiniorediscomparev530v531-2023-02-12) [Compare Source](https://togithub.com/luin/ioredis/compare/v5.3.0...v5.3.1) ##### Bug Fixes - Fix commands not resend on reconnect in edge cases ([#1720](https://togithub.com/luin/ioredis/issues/1720)) ([fe52ff1](https://togithub.com/luin/ioredis/commit/fe52ff1c6f4cb1beb0c9e999299248ba380d5cde)), closes [#1718](https://togithub.com/luin/ioredis/issues/1718) - Fix db parameter not working with auto pipelining ([#1721](https://togithub.com/luin/ioredis/issues/1721)) ([d9b1bf1](https://togithub.com/luin/ioredis/commit/d9b1bf1a2868344eaff71cc39c790e98043fff53))facebook/jest
### [`v29.4.2`](https://togithub.com/facebook/jest/blob/HEAD/CHANGELOG.md#2942) [Compare Source](https://togithub.com/facebook/jest/compare/v29.4.1...v29.4.2) ##### Features - `[@jest/core]` Instrument significant lifecycle events with [`performance.mark()`](https://nodejs.org/docs/latest-v16.x/api/perf_hooks.html#performancemarkname-options) ([#13859](https://togithub.com/facebook/jest/pull/13859)) ##### Fixes - `[expect, @jest/expect]` Provide type of `actual` as a generic argument to `Matchers` to allow better-typed extensions ([#13848](https://togithub.com/facebook/jest/pull/13848)) - `[jest-circus]` Added explicit mention of test failing because `done()` is not being called in error message ([#13847](https://togithub.com/facebook/jest/pull/13847)) - `[jest-runtime]` Handle CJS re-exports of node core modules from ESM ([#13856](https://togithub.com/facebook/jest/pull/13856)) - `[jest-transform]` Downgrade `write-file-atomic` to v4 ([#13853](https://togithub.com/facebook/jest/pull/13853)) - `[jest-worker]` Ignore IPC messages not intended for Jest ([#13543](https://togithub.com/facebook/jest/pull/13543)) ##### Chore & Maintenance - `[*]` make sure to exclude `.eslintcache` from published module ([#13832](https://togithub.com/facebook/jest/pull/13832)) - `[docs]` Cleanup incorrect links in CHANGELOG.md ([#13857](https://togithub.com/facebook/jest/pull/13857))prettier/prettier
### [`v2.8.4`](https://togithub.com/prettier/prettier/blob/HEAD/CHANGELOG.md#284) [Compare Source](https://togithub.com/prettier/prettier/compare/2.8.3...2.8.4) [diff](https://togithub.com/prettier/prettier/compare/2.8.3...2.8.4) ##### Fix leading comments in mapped types with `readonly` ([#13427](https://togithub.com/prettier/prettier/pull/13427) by [@thorn0](https://togithub.com/thorn0), [@sosukesuzuki](https://togithub.com/sosukesuzuki)) ```tsx // Input type Type = { // comment readonly [key in Foo]; }; // Prettier 2.8.3 type Type = { readonly // comment [key in Foo]; }; // Prettier 2.8.4 type Type = { // comment readonly [key in Foo]; }; ``` ##### Group params in opening block statements ([#14067](https://togithub.com/prettier/prettier/pull/14067) by [@jamescdavis](https://togithub.com/jamescdavis)) This is a follow-up to [#13930](https://togithub.com/prettier/prettier/issues/13930) to establish wrapping consistency between opening block statements and else blocks by grouping params in opening blocks. This causes params to break to a new line together and not be split across lines unless the length of params exceeds the print width. This also updates the else block wrapping to behave exactly the same as opening blocks. ```hbs {{! Input }} {{#block param param param param param param param param param param as |blockParam|}} Hello {{else block param param param param param param param param param param as |blockParam|}} There {{/block}} {{! Prettier 2.8.3 }} {{#block param param param param param param param param param param as |blockParam| }} Hello {{else block param param param param param param param param param param}} There {{/block}} {{! Prettier 2.8.4 }} {{#block param param param param param param param param param param as |blockParam| }} Hello {{else block param param param param param param param param param param as |blockParam| }} There {{/block}} ``` ##### Ignore files in `.sl/` ([#14206](https://togithub.com/prettier/prettier/pull/14206) by [@bolinfest](https://togithub.com/bolinfest)) In [Sapling SCM](https://sapling-scm.com/), `.sl/` is the folder where it stores its state, analogous to `.git/` in Git. It should be ignored in Prettier like the other SCM folders. ##### Recognize `@satisfies` in Closure-style type casts ([#14262](https://togithub.com/prettier/prettier/pull/14262) by [@fisker](https://togithub.com/fisker)) ```jsx // Input const a = /** @satisfies {Recordmatzkoh/prettier-plugin-packagejson
### [`v2.4.3`](https://togithub.com/matzkoh/prettier-plugin-packagejson/releases/tag/v2.4.3) [Compare Source](https://togithub.com/matzkoh/prettier-plugin-packagejson/compare/v2.4.2...v2.4.3) ##### Bug Fixes - **deps:** update dependency sort-package-json to v2.4.1 ([758ac0b](https://togithub.com/matzkoh/prettier-plugin-packagejson/commit/758ac0b0add272813371c475cab701018cb596dc))Configuration
π Schedule: Branch creation - "before 3am on the first day of the month" (UTC), Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π» Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate using a preset from