Skip to content

chore(deps): bump the npm_and_yarn group across 1 directories with 8 updates#1

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/npm_and_yarn-security-group-0165ef648a
Open

chore(deps): bump the npm_and_yarn group across 1 directories with 8 updates#1
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/npm_and_yarn-security-group-0165ef648a

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Feb 29, 2024

Bumps the npm_and_yarn group with 8 updates in the / directory:

Package From To
angular 1.3.9 1.8.3
bcrypt 3.0.8 5.1.1
bootstrap 4.0.0 4.3.1
express-fileupload 1.1.7-alpha.4 1.4.0
jquery 1.11.1 3.5.0
jsonwebtoken 8.5.1 9.0.2
xml2js 0.4.23 0.6.2
xmldom 0.4.0 0.6.0

Updates angular from 1.3.9 to 1.8.3

Changelog

Sourced from angular's changelog.

1.8.3 ultimate-farewell (2022-04-07)

One final release of AngularJS in order to update package README files on npm.

1.8.2 meteoric-mining (2020-10-21)

Bug Fixes

  • $sceDelegate: ensure that resourceUrlWhitelist() is identical to trustedResourceUrlList() (e41f01, #17090)

1.8.1 mutually-supporting (2020-09-30)

Bug Fixes

  • $sanitize: do not trigger CSP alert/report in Firefox and Chrome (2fab3d)

Refactorings

  • SanitizeUriProvider: remove usages of whitelist (76738102)
  • httpProvider: remove usages of whitelist and blacklist (c953af6b)
  • sceDelegateProvider: remove usages of whitelist and blacklist (a206e267)

Deprecation Notices

For the purposes of backward compatibility, the previous symbols are aliased to their new symbol.

1.8.0 nested-vaccination (2020-06-01)

_This release contains a breaking change to resolve a security issue which was discovered by Krzysztof Kotowicz(@​koto); and independently by Esben Sparre Andreasen (@​esbena) while

... (truncated)

Commits
  • cf16b24 docs(changelog): add release notes for 1.8.3
  • 757d56e docs(*): update end-of-life messages (#17177)
  • f362437 docs(eol): add EOL options text and link to template header used in every page
  • fb04e42 test(Angular): fix angularInit() tests on Safari v15+
  • 6a52c4f test(input): fix tests on Firefox v93+
  • ed30c4d docs(README.md): add wiki link to MVC
  • 4032655 chore(deps): bump js-yaml from 3.5.5 to 3.14.1
  • 47f8c65 chore(deps): bump normalize-url from 4.5.0 to 4.5.1
  • 56b0ee3 chore(e2e): run tests against Chrome 91 on macOS Catalina
  • 58cd897 chore(e2e): run tests against Firefox 85 on macOS Catalina
  • Additional commits viewable in compare view

Updates bcrypt from 3.0.8 to 5.1.1

Release notes

Sourced from bcrypt's releases.

v5.1.1

What's Changed

New Contributors

Full Changelog: kelektiv/node.bcrypt.js@v5.1.0...v5.1.1

v5.1.0

What's Changed

New Contributors

Full Changelog: kelektiv/node.bcrypt.js@v5.0.1...v5.1.0

v5.0.1

Update node-pre-gyp to 1.0.0

v5.0.0

  • Fix the bcrypt "wrap-around" bug. It affects passwords with lengths >= 255. It is uncommon but it's a bug nevertheless. Previous attempts to fix the bug was unsuccessful.
  • Experimental support for z/OS
  • Fix a bug related to NUL in password input
  • Update node-pre-gyp to 0.15.0

v4.0.1

bcrypt 4.0.1

... (truncated)

Changelog

Sourced from bcrypt's changelog.

5.1.0 (2022-10-06)

  • Update node-pre-gyp to 1.0.11

5.1.0 (2022-10-06)

  • Update node-pre-gyp to 1.0.10
  • Replace nodeunit with jest as the testing library

5.0.1 (2021-02-22)

  • Update node-pre-gyp to 1.0.0

5.0.0 (2020-06-02)

  • Fix the bcrypt "wrap-around" bug. It affects passwords with lengths >= 255. It is uncommon but it's a bug nevertheless. Previous attempts to fix the bug was unsuccessful.
  • Experimental support for z/OS
  • Fix a bug related to NUL in password input
  • Update node-pre-gyp to 0.15.0

4.0.1 (2020-02-27)

  • Fix compilation errors in Alpine linux

4.0.0 (2020-02-17)

  • Switch to NAPI bcrypt
  • Drop support for NodeJS 8
Commits

Updates bootstrap from 4.0.0 to 4.3.1

Release notes

Sourced from bootstrap's releases.

v4.3.1

  • Security: Fixed an XSS vulnerability (CVE-2019-8331) in our tooltip and popover plugins by implementing a new HTML sanitizer
  • Fixed a small issue with our RFS (responsive font sizes) mixins

v4.3.0

Highlights

  • New: Added .stretched-link utility to make any anchor the size of it's nearest position: relative parent, perfect for entirely clickable cards!
  • New: Added .text-break utility for applying word-break: break-word
  • New: Added .rounded-sm and .rounded-lg for small and large border-radius.
  • New: Added .modal-dialog-scrollable modifier class for scrolling content within a modal.
  • New: Added responsive .list-group-horizontal modifier classes for displaying list groups as a horizontal row.
  • Improved: Reduced our compiled CSS by using null for variables that by default inherit their values from other elements (e.g., $headings-color was inherit and is now null until you modifier it in your custom CSS).
  • Improved: Badge focus styles now match their background-color like our buttons.
  • Fixed: Silenced bad selectors in our JS plugins for the href HTML attribute to avoid JavaScript errors. Please try to use valid selectors or the data-target HTML attribute/target option where available.
  • Fixed: Reverted v4.2.1's change to the breakpoint and grid container Sass maps that blocked folks from upgrading when modifying those default variables.
  • Fixed: Restored white-space: nowrap to .dropdown-toggle (before v4.2.1 it was on all .btns) so carets don't wrap to new lines.
  • Deprecated: img-retina, invisible, float, and size mixins are now deprecated and will be removed in v5.

Links

v4.2.1

Bump to v4.2.1 to republish package on npm. See v4.2.0 release notes for changes introduced in v4.2.

v4.2.0

Here are the highlights of what's new and updated in v4.2.

  • New: Added a new spinner loading component.
  • New: Added new toast component for displaying notifications.
  • New: Added a new iOS style switch (a modifier class to our custom checkboxes).
  • New: Added touch support in our carousel component.
  • New: Added .font-weight-lighter and .font-weight-bolder utilities.
  • New: Added .text-decoration-none utility class.
  • New: Added .modal-xl modifier class for our modals.
  • New: Added new negative margin utility classes (e.g., .mb-n3). These rad new classes not only allow you more control over your general spacing needs, but also allow you to create responsive grid gutters at each breakpoint.
  • New: Validated form fields now have feedback icons on :invalid and :valid fields. Disable them with the $enable-validation-icons boolean Sass variable (defaults to true).
  • New: Added a new versions page to our docs
  • New: Tooltips/Popovers work with Shadow DOM
  • Updated: Redesigned the custom checkboxes and radios for more obvious states.
  • Updated: bootstrap-grid.css now includes our margin and padding utilities for full control of our grid system.
  • Updated: Changed auto columns (e.g., .col-auto) from max-width: none to max-width: 100% to prevent content from causing a column to overflow the parent.
  • Updated: Improved rendering of custom selects, ranges, file input, and more.

Checkout the full v4.2.0 ship list and GitHub project for the full details. Up next is v4.3 with some bugfixes, a few new modifier classes and variables, and some new utilities.

Head to to the v4.2.x docs to see the latest in action. The full release has been published to npm and will soon appear on the Bootstrap CDN and Rubygems.

v4.1.3

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by xhmikosr, a new releaser for bootstrap since your current version.


Updates express-fileupload from 1.1.7-alpha.4 to 1.4.0

Release notes

Sourced from express-fileupload's releases.

v1.4.0

What's Changed

New Contributors

Full Changelog: richardgirges/express-fileupload@v1.3.1...v1.4.0

1.3.1

Updates

  • Have promiseCallback make callbacks and promises behave the same (#302)
  • Fix prototype pollution in utilities.js (#301)
  • Switch to CircleCI (ddf553060a1041c1f36a696b1ae8b52d24083140)
  • End support for Node versions < 12 (ab3d252a28c8eb1c003528fecc5e1ef38f8954c3)

1.2.1

Updates:

  • (Fix) Stopped additional responses from being sent if a limit handler exists (#264)
  • Unhandled promise rejection warning (#257)
  • Changed example (#255)
  • Passing a Buffer body will pollute req.body when used along with processNested (#291)

1.2.0

Bug Fixes

#241 Cleanup temporary files - @​nusu

1.1.10

Updates:

Additional prototype-pollution security fix when using processNested (#239)

1.1.9

Updates:

Second prototype pollution security vulnerability fix when using processNested (#236)

1.1.8

Updates:

Fixed prototype pollution security vulnerability when using processNested (#236)

Commits
  • 4f81fc8 1.4.0
  • 78a66c1 Merge pull request #315 from duterte/master
  • 310a382 Merge branch 'richardgirges:master' into master
  • f57198b fix linting error
  • ce713c2 add workflow job filters
  • e47cc7d trigger ci
  • 74a0830 Refactor: upgrade to busboy 1.6.0
  • d1d6c66 Refactor busboy is no longer a constructor, its a function
  • 30d8535 Merge pull request #310 from richardgirges/dependabot/npm_and_yarn/minimist-1...
  • e6948f9 Bump minimist from 1.2.5 to 1.2.6
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by richardgirges, a new releaser for express-fileupload since your current version.


Updates jquery from 1.11.1 to 3.5.0

Release notes

Sourced from jquery's releases.

jQuery 3.5.0 Released!

See the blog post: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ and the upgrade guide: https://jquery.com/upgrade-guide/3.5/

NOTE: Despite being a minor release, this update includes a breaking change that we had to make to fix a security issue ( CVE-2020-11022). Please follow the blog post & the upgrade guide for more details.

Commits
  • 7a0a850 3.5.0
  • 8570a08 Release: Update AUTHORS.txt
  • da3dd85 Ajax: Do not execute scripts for unsuccessful HTTP responses
  • 065143c Ajax: Overwrite s.contentType with content-type header value, if any
  • 1a4f10d Tests: Blacklist one focusin test in IE
  • 9e15d6b Event: Use only one focusin/out handler per matching window & document
  • 966a709 Manipulation: Skip the select wrapper for <option> outside of IE 9
  • 1d61fd9 Manipulation: Make jQuery.htmlPrefilter an identity function
  • 04bf577 Selector: Update Sizzle from 2.3.4 to 2.3.5
  • 7506c9c Build: Resolve Travis config warnings
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by mgol, a new releaser for jquery since your current version.


Updates jsonwebtoken from 8.5.1 to 9.0.2

Changelog

Sourced from jsonwebtoken's changelog.

9.0.2 - 2023-08-30

  • security: updating semver to 7.5.4 to resolve CVE-2022-25883, closes #921.
  • refactor: reduce library size by using lodash specific dependencies, closes #878.

9.0.1 - 2023-07-05

  • fix(stubs): allow decode method to be stubbed

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

  • Removed support for Node versions 11 and below.
  • The verify() function no longer accepts unsigned tokens by default. ([834503079514b72264fd13023a3b8d648afd6a16]auth0/node-jsonwebtoken@8345030)
  • RSA key size must be 2048 bits or greater. ([ecdf6cc6073ea13a7e71df5fad043550f08d0fa6]auth0/node-jsonwebtoken@ecdf6cc)
  • Key types must be valid for the signing / verification algorithm

Security fixes

  • security: fixes Arbitrary File Write via verify function - CVE-2022-23529
  • security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
  • security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
  • security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539
Commits
Maintainer changes

This version was pushed to npm by charlesrea, a new releaser for jsonwebtoken since your current version.


Updates xml2js from 0.4.23 to 0.6.2

Commits

Updates xmldom from 0.4.0 to 0.6.0

Release notes

Sourced from xmldom's releases.

0.6.0

0.6.0

Fixes

0.5.0

Fixes

  • Avoid misinterpretation of malicious XML input - GHSA-h6q6-9hqw-rwfv (CVE-2021-21366)

    • Improve error reporting; throw on duplicate attribute BREAKING CHANGE: It is currently not clear how to consistently deal with duplicate attributes, so it's also safer for our users to fail when detecting them. It's possible to configure the DOMParser.errorHandler before parsing, to handle those errors differently.

      To accomplish this and also be able to verify it in tests I needed to

      • create a new Error type ParseError and export it
      • Throw ParseError from errorHandler.fatalError and prevent those from being caught in XMLReader.
      • export DOMHandler constructor as __DOMHandler

    • Preserve quotes in DOCTYPE declaration Since the only purpose of parsing the DOCTYPE is to be able to restore it when serializing, we decided that it would be best to leave the parsed publicId and systemId as is, including any quotes. BREAKING CHANGE: If somebody relies on the actual unquoted values of those ids, they will need to take care of either single or double quotes and the right escaping. (Without this change this would not have been possible because the SAX parser already dropped the information about the quotes that have been used in the source.)

      https://www.w3.org/TR/2006/REC-xml11-20060816/#dtd https://www.w3.org/TR/2006/REC-xml11-20060816/#IDAX1KS (External Entity Declaration)

  • Fix breaking preprocessors' directives when parsing attributes [#171](https://github.com/xmldom/xmldom/issues/171)
  • fix(dom): Escape ]]&gt; when serializing CharData [#181](https://github.com/xmldom/xmldom/issues/181)
  • Switch to (only) MIT license (drop problematic LGPL license option) [#178](https://github.com/xmldom/xmldom/issues/178)
  • Export DOMException; remove custom assertions; etc. [#174](https://github.com/xmldom/xmldom/issues/174)

Docs

Changelog

Sourced from xmldom's changelog.

0.6.0

Commits

Fixes

0.5.0

Commits

Fixes

  • Avoid misinterpretation of malicious XML input - GHSA-h6q6-9hqw-rwfv (CVE-2021-21366)

    • Improve error reporting; throw on duplicate attribute
      BREAKING CHANGE: It is currently not clear how to consistently deal with duplicate attributes, so it's also safer for our users to fail when detecting them. It's possible to configure the DOMParser.errorHandler before parsing, to handle those errors differently.

      To accomplish this and also be able to verify it in tests I needed to

      • create a new Error type ParseError and export it
      • Throw ParseError from errorHandler.fatalError and prevent those from being caught in XMLReader.
      • export DOMHandler constructor as __DOMHandler

    • Preserve quotes in DOCTYPE declaration Since the only purpose of parsing the DOCTYPE is to be able to restore it when serializing, we decided that it would be best to leave the parsed publicId and systemId as is, including any quotes. BREAKING CHANGE: If somebody relies on the actual unquoted values of those ids, they will need to take care of either single or double quotes and the right escaping. (Without this change this would not have been possible because the SAX parser already dropped the information about the quotes that have been used in the source.)

      https://www.w3.org/TR/2006/REC-xml11-20060816/#dtd https://www.w3.org/TR/2006/REC-xml11-20060816/#IDAX1KS (External Entity Declaration)

  • Fix breaking preprocessors' directives when parsing attributes [#171](https://github.com/xmldom/xmldom/issues/171)

  • fix(dom): Escape ]]&gt; when serializing CharData [#181](https://github.com/xmldom/xmldom/issues/181)

  • Switch to (only) MIT license (drop problematic LGPL license option) [#178](https://github.com/xmldom/xmldom/issues/178)

  • Export DOMException; remove custom assertions; etc. [#174](https://github.com/xmldom/xmldom/issues/174)

Docs

Commits
  • c80a161 xmldon version 0.6.0
  • bc36efd chore: regenerate package-lock.json
  • 8a92704 Update eslint -> ^7.23.0 - devDependencies (#202)
  • b12106e Update @​stryker-mutator/core -> ^4.5.1 - devDependencies (#192)
  • af4642e docs: Update Changelog (#197)
  • 5869d76 test(stryker): Replace line numbers by error index (#201)
  • a681852 fix: Escape < when serializing attribute values (#199)
  • bb12247 Update eslint-config-prettier -> 8 - devDependencies (#187)
  • 48c51b3 Update eslint -> ^7.22.0 - devDependencies (#185)
  • 82b0481 refactor!: Avoid empty namespace value like xmlns:ds="" (#168)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by karfau, a new releaser for xmldom since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump the npm_and_yarn group across 1 directories with 8 …
f7b2d30 
…updates

Bumps the npm_and_yarn group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [angular](https://github.com/angular/angular.js) | `1.3.9` | `1.8.3` |
| [bcrypt](https://github.com/kelektiv/node.bcrypt.js) | `3.0.8` | `5.1.1` |
| [bootstrap](https://github.com/twbs/bootstrap) | `4.0.0` | `4.3.1` |
| [express-fileupload](https://github.com/richardgirges/express-fileupload) | `1.1.7-alpha.4` | `1.4.0` |
| [jquery](https://github.com/jquery/jquery) | `1.11.1` | `3.5.0` |
| [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) | `8.5.1` | `9.0.2` |
| [xml2js](https://github.com/Leonidas-from-XIV/node-xml2js) | `0.4.23` | `0.6.2` |
| [xmldom](https://github.com/xmldom/xmldom) | `0.4.0` | `0.6.0` |


Updates `angular` from 1.3.9 to 1.8.3
- [Changelog](https://github.com/angular/angular.js/blob/master/CHANGELOG.md)
- [Commits](angular/angular.js@v1.3.9...v1.8.3)

Updates `bcrypt` from 3.0.8 to 5.1.1
- [Release notes](https://github.com/kelektiv/node.bcrypt.js/releases)
- [Changelog](https://github.com/kelektiv/node.bcrypt.js/blob/master/CHANGELOG.md)
- [Commits](kelektiv/node.bcrypt.js@v3.0.8...v5.1.1)

Updates `bootstrap` from 4.0.0 to 4.3.1
- [Release notes](https://github.com/twbs/bootstrap/releases)
- [Commits](twbs/bootstrap@v4.0.0...v4.3.1)

Updates `express-fileupload` from 1.1.7-alpha.4 to 1.4.0
- [Release notes](https://github.com/richardgirges/express-fileupload/releases)
- [Commits](richardgirges/express-fileupload@1.1.7-alpha.4...v1.4.0)

Updates `jquery` from 1.11.1 to 3.5.0
- [Release notes](https://github.com/jquery/jquery/releases)
- [Commits](jquery/jquery@1.11.1...3.5.0)

Updates `jsonwebtoken` from 8.5.1 to 9.0.2
- [Changelog](https://github.com/auth0/node-jsonwebtoken/blob/master/CHANGELOG.md)
- [Commits](auth0/node-jsonwebtoken@v8.5.1...v9.0.2)

Updates `xml2js` from 0.4.23 to 0.6.2
- [Commits](https://github.com/Leonidas-from-XIV/node-xml2js/commits/0.6.2)

Updates `xmldom` from 0.4.0 to 0.6.0
- [Release notes](https://github.com/xmldom/xmldom/releases)
- [Changelog](https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md)
- [Commits](xmldom/xmldom@0.4.0...0.6.0)

---
updated-dependencies:
- dependency-name: angular
  dependency-type: direct:production
  dependency-group: npm_and_yarn-security-group
- dependency-name: bcrypt
  dependency-type: direct:production
  dependency-group: npm_and_yarn-security-group
- dependency-name: bootstrap
  dependency-type: direct:production
  dependency-group: npm_and_yarn-security-group
- dependency-name: express-fileupload
  dependency-type: direct:production
  dependency-group: npm_and_yarn-security-group
- dependency-name: jquery
  dependency-type: direct:production
  dependency-group: npm_and_yarn-security-group
- dependency-name: jsonwebtoken
  dependency-type: direct:production
  dependency-group: npm_and_yarn-security-group
- dependency-name: xml2js
  dependency-type: direct:production
  dependency-group: npm_and_yarn-security-group
- dependency-name: xmldom
  dependency-type: direct:production
  dependency-group: npm_and_yarn-security-group
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Feb 29, 2024
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-security-group-0165ef648a branch from febf502 to f7b2d30 Compare February 29, 2024 12:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants