twilio-professional-services / flex-project-template

A starting point for Twilio Flex projects, providing management strategies for various types of artifacts and distributed development
https://twilio-professional-services.github.io/flex-project-template/
Apache License 2.0
64 stars, 71 forks

Bump the npm_and_yarn group across 5 directories with 5 updates #570

Closed dependabot[bot] closed 4 months ago

dependabot[bot] commented 5 months ago

Bumps the npm_and_yarn group across five directories:

  • /addons/serverless-schedule-manager: braces
  • /addons/twilio-video-demo-app: braces
  • /docs: braces
  • /plugin-flex-ts-template-v2: glob-parent and @twilio/flex-plugin-scripts
  • /serverless-functions: braces

Updates braces from 3.0.2 to 3.0.3

Commits


Updates braces from 3.0.2 to 3.0.3

Commits


Updates braces from 3.0.2 to 3.0.3

Commits


Updates glob-parent from 3.1.0 to 6.0.2

Release notes

Sourced from glob-parent's releases.

glob-parent v6.0.2

Bug Fixes

glob-parent v6.0.1

Bug Fixes

  • Resolve ReDoS vulnerability from CVE-2021-35065 (#49) (3e9f04a)

glob-parent v6.0.0

⚠ BREAKING CHANGES

  • Correct mishandled escaped path separators (#34)
  • upgrade scaffold, dropping node <10 support

Bug Fixes

  • Correct mishandled escaped path separators (#34) (32f6d52), closes #32

Miscellaneous Chores

  • upgrade scaffold, dropping node <10 support (e83d0c5)

v5.1.2

Bug Fixes

v5.1.1

Bug Fixes

v5.1.0

Features

... (truncated)

Changelog

Sourced from glob-parent's changelog.

6.0.2 (2021-09-29)

Bug Fixes

6.0.1 (2021-07-20)

Bug Fixes

  • Resolve ReDoS vulnerability from CVE-2021-35065 (#49) (3e9f04a)

6.0.0 (2021-05-03)

⚠ BREAKING CHANGES

  • Correct mishandled escaped path separators (#34)
  • upgrade scaffold, dropping node <10 support

Bug Fixes

  • Correct mishandled escaped path separators (#34) (32f6d52), closes #32

Miscellaneous Chores

  • upgrade scaffold, dropping node <10 support (e83d0c5)

5.1.1 (2021-01-27)

Bug Fixes

5.1.0 (2021-01-27)

Features

  • add flipBackslashes option to disable auto conversion of slashes (closes #24) (#25) (eecf91d)

5.0.0 (2021-01-27)

⚠ BREAKING CHANGES

  • Drop support for node <6 & bump dependencies

Miscellaneous Chores

  • Drop support for node <6 & bump dependencies (896c0c0)

4.0.0 (2021-01-27)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by phated, a new releaser for glob-parent since your current version.


Updates @twilio/flex-plugin-scripts from 6.4.1 to 7.0.0

Commits
  • a66e029 Merge pull request #1000 from twilio/bump-version-7.0.0
  • e8a859a v7.0.0
  • 5bcfd7f Merge pull request #919 from twilio/FLEXY-4850
  • d054fac Updated Builder version to 7
  • 779c178 Removed alpha version from hg workflow
  • 52e9ced Increased puppeteer timeout to 120s
  • c892826 Modified gh workflow
  • ea5c898 Added alpha version to pr e2e workflow
  • 0634e39 Making e2e in different os sequential
  • bb74acd Added unit tests to improve coverage
  • Additional commits viewable in compare view


Updates node-forge from 0.10.0 to 1.3.1

Changelog

Sourced from node-forge's changelog.

1.3.1 - 2022-03-29

Fixes

  • RFC 3447 and RFC 8017 allow for optional DigestAlgorithm NULL parameters for sha* algorithms and require NULL parameters for md2 and md5 algorithms.

1.3.0 - 2022-03-17

Security

  • Three RSA PKCS#1 v1.5 signature verification issues were reported by Moosa Yahyazadeh (moosa-yahyazadeh@uiowa.edu).
  • HIGH: Leniency in checking digestAlgorithm structure can lead to signature forgery.
  • HIGH: Failing to check trailing garbage bytes can lead to signature forgery.
  • MEDIUM: Leniency in checking type octet.
    • DigestInfo is not properly checked for proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.
    • CVE ID: CVE-2022-24773
    • GHSA ID: GHSA-2r2c-g63r-vccr

Fixed

  • [asn1] Add fallback to pretty print invalid UTF8 data.
  • [asn1] fromDer is now more strict and will default to ensuring all input bytes are parsed or throw an error. A new option parseAllBytes can disable this behavior.
    • NOTE: The previous behavior is being changed since it can lead to security issues with crafted inputs. It is possible that code doing custom DER parsing may need to adapt to this new behavior and optional flag.
  • [rsa] Add and use a validator to check for proper structure of parsed ASN.1

... (truncated)

Commits


Updates webpack-dev-middleware from 3.7.3 to 5.3.4

Release notes

Sourced from webpack-dev-middleware's releases.

v5.3.4

5.3.4 (2024-03-20)

Bug Fixes

  • security: do not allow to read files above (#1779) (189c4ac)

v5.3.3

5.3.3 (2022-05-18)

Bug Fixes

v5.3.2

5.3.2 (2022-05-17)

Bug Fixes

  • node types (#1195) (d68ab36)
  • compatibility with Node.js 18

v5.3.1

5.3.1 (2022-02-01)

Bug Fixes

v5.3.0

5.3.0 (2021-12-16)

Features

v5.2.2

5.2.2 (2021-11-17)

Chore

  • update schema-utils package to 4.0.0 version

... (truncated)

Changelog

Sourced from webpack-dev-middleware's changelog.

5.3.4 (2024-03-20)

Bug Fixes

  • security: do not allow to read files above (#1779) (189c4ac)

5.3.3 (2022-05-18)

Bug Fixes

5.3.2 (2022-05-17)

Bug Fixes

5.3.1 (2022-02-01)

Bug Fixes

5.3.0 (2021-12-16)

Features

5.2.2 (2021-11-17)

Chore

  • update schema-utils package to 4.0.0 version

5.2.1 (2021-09-25)

  • internal release, no visible changes and features

5.2.0 (2021-09-24)

... (truncated)

Commits


Updates braces from 3.0.2 to 3.0.3

Commits


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
  • `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/twilio-professional-services/flex-project-template/network/alerts).
github-actions[bot] commented 5 months ago

0 ESLint error(s) and 0 ESLint warning(s) found in pull request changed files. :white_check_mark: No issues found!

dremin commented 5 months ago

I suppose we need to block dependabot from pushing major version changes.

dependabot[bot] commented 5 months ago

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml
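One way to do what the bot suggests, as an added example and not this repository's actual dependabot.yml: a per-directory npm entry that groups updates but ignores semver-major bumps for every dependency, so a major jump like the @twilio/flex-plugin-scripts 6.4.1 to 7.0.0 update in this PR would not be opened automatically. The directory shown is one of the five named at the top of the PR and would need to be repeated for the others; the group name, schedule and pattern values are assumptions.

```yaml
# Added example, not the repository's own dependabot.yml.
# One update entry per package directory; the directory below is one of the
# five named in this PR and is used here as an illustration.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/plugin-flex-ts-template-v2"   # repeat this block for the other directories
    schedule:
      interval: "weekly"                       # assumed schedule
    groups:
      npm_and_yarn:                            # keeps minor/patch bumps in one PR
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    ignore:
      - dependency-name: "*"                   # never open PRs for semver-major bumps
        update-types: ["version-update:semver-major"]
```

With this in place a major release still shows up in the repository's security alerts; it just has to be upgraded deliberately rather than merged as part of a grouped bump.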

dremin commented 4 months ago

@dependabot recreate

dependabot[bot] commented 4 months ago

Looks like this PR is closed. If you re-open it I'll rebase it as long as no-one else has edited it (you can use @dependabot reopen if the branch has been deleted).

dremin commented 4 months ago

@dependabot reopen

dependabot[bot] commented 4 months ago

Looks like these dependencies are no longer a dependency, so this is no longer needed.