Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump the npm_and_yarn group across 1 directory with 5 updates #3

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Bump the npm_and_yarn group across 1 directory with 5 updates #3

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link

@dependabot dependabot bot commented on behalf of github May 2, 2024

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package From To
grunt 0.4.5 1.6.1
express 3.4.8 4.19.2
ejs 0.8.8 3.1.10
jsdom 0.8.11 24.0.0
xmldom 0.1.31 0.6.0

Updates grunt from 0.4.5 to 1.6.1

Release notes

Sourced from grunt's releases.

v1.6.1

  • Changelog updates 72f6f03
  • Merge pull request #1755 from gruntjs/rm-dep 8d4c183
  • Add recursive 1c7d483
  • Merge pull request #1756 from gruntjs/downgrade-glob 2d4fd38
  • Downgrade glob 902db7c
  • Fix syntax 494f243
  • remove mkdirp b01389e
  • remove dep on rimraf and mkdirp 0072510

gruntjs/grunt@v1.6.0...v1.6.1

v1.6.0

  • Merge pull request #1750 from gruntjs/dep-update-jan28 2805dc3
  • README updates 3f1e423
  • Bump to 16 8fd096d
  • Update more deps 42c5f95
  • Bump eslint and node version 1d88050

gruntjs/grunt@v1.5.3...v1.6.0

v1.5.3

  • Merge pull request #1745 from gruntjs/fix-copy-op 572d79b
  • Patch up race condition in symlink copying. 58016ff
  • Merge pull request #1746 from JamieSlome/patch-1 0749e1d
  • Create SECURITY.md 69b7c50

gruntjs/grunt@v1.5.2...v1.5.3

v1.5.2

  • Update Changelog 7f15fd5
  • Merge pull request #1743 from gruntjs/cleanup-link b0ec6e1
  • Clean up link handling 433f91b

gruntjs/grunt@v1.5.1...v1.5.2

v1.5.1

  • Merge pull request #1742 from gruntjs/update-symlink-test ad22608
  • Fix symlink test 0652305

gruntjs/grunt@v1.5.0...v1.5.1

v1.5.0

  • Updated changelog b2b2c2b
  • Merge pull request #1740 from gruntjs/update-deps-22-10 3eda6ae
  • Update testing matrix 47d32de
  • More updates 2e9161c
  • Remove console log 04b960e
  • Update dependencies, tests... aad3d45
  • Merge pull request #1736 from justlep/main fdc7056

... (truncated)

Changelog

Sourced from grunt's changelog.

v1.6.1 date: 2023-01-31 changes: - Downgrades to glob 7 for Windows compatability - Removes mkdirp and rimraf in favour of node.js APIs. v1.6.0 date: 2023-01-28 changes: - Requires node.js 16+. - template.date now uses dateformat ~4.6.2. - other dependency updates such as glob, rimraf, etc. v1.5.3 date: 2022-04-23 changes: - Patch up race condition in symlink copying. v1.5.2 date: 2022-04-12 changes: - Unlink symlinks when copy destination is a symlink. v1.5.1 date: 2022-04-11 changes: - Fixed symlink destination handling. v1.5.0 date: 2022-04-10 changes: - Updated dependencies. - Add symlink handling for copying files. v1.4.1 date: 2021-05-24 changes: - Fix --preload option to be a known option - Switch to GitHub Actions v1.4.0 date: 2021-04-21 changes: - Security fixes in production and dev dependencies - Liftup/Liftoff upgrade breaking change. Update your scripts to use --preload instead of --require. Ref: gulpjs/liftoff@e7a969d. v1.3.0 date: 2020-08-18 changes: - Switch to use safeLoad for loading YML files via file.readYAML. - Upgrade legacy-log to ~3.0.0. - Upgrade legacy-util to ~2.0.0. v1.2.1 date: 2020-07-07 changes: - Remove path-is-absolute dependency. (PR: gruntjs/grunt#1715) v1.2.0

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by vladikoff, a new releaser for grunt since your current version.


Updates express from 3.4.8 to 4.19.2

Release notes

Sourced from express's releases.

4.19.2

What's Changed

Full Changelog: expressjs/express@4.19.1...4.19.2

4.19.1

What's Changed

Full Changelog: expressjs/express@4.19.0...4.19.1

4.19.0

What's Changed

New Contributors

Full Changelog: expressjs/express@4.18.3...4.19.0

4.18.3

Main Changes

Other Changes

... (truncated)

Changelog

Sourced from express's changelog.

4.19.2 / 2024-03-25

  • Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

  • Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

4.18.3 / 2024-02-29

4.18.2 / 2022-10-08

4.18.1 / 2022-04-29

  • Fix hanging on large stack of sync routes

4.18.0 / 2022-04-25

  • Add "root" option to res.download
  • Allow options without filename in res.download
  • Deprecate string and non-integer arguments to res.status
  • Fix behavior of null/undefined as maxAge in res.cookie
  • Fix handling very large stacks of sync middleware
  • Ignore Object.prototype values in settings through app.set/app.get

... (truncated)

Commits
  • 04bc627 4.19.2
  • da4d763 Improved fix for open redirect allow list bypass
  • 4f0f6cc 4.19.1
  • a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
  • a1fa90f fixed un-edited version in history.md for 4.19.0
  • 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
  • 084e365 4.19.0
  • 0867302 Prevent open redirect allow list bypass due to encodeurl
  • 567c9c6 Add note on how to update docs for new release (#5541)
  • 69a4cf2 deps: [email protected]
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.


Updates ejs from 0.8.8 to 3.1.10

Release notes

Sourced from ejs's releases.

v3.1.10

Version 3.1.10

v3.1.9

Version 3.1.9

v3.1.8

Version 3.1.8

v3.1.7

Version 3.1.7

v3.1.6

Version 3.1.6

v3.1.5

Version 3.1.5

v3.0.2

No release notes provided.

v2.7.4

Bug fixes

v2.7.3

Bug fixes

v2.7.2

Features

Bug Fixes

  • The error message when async != true now correctly mention the existence of the async option (#460, @​ExE-Boss)
  • Improved performance of HTML output generation (#470, @​nwoltman)

v2.7.1

Deprecated:

  • Added deprecation notice for use of require.extensions (@​mde)

v2.6.2

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by mde, a new releaser for ejs since your current version.


Updates jsdom from 0.8.11 to 24.0.0

Release notes

Sourced from jsdom's releases.

Version 24.0.0

This release reverts our selector engine back to nwsapi. As discussed in #3659, the performance regressions from @asamuzakjp/dom-selector turned out to be higher than anticipated. In the future, we can revisit @asamuzakjp/dom-selector after it reaches nwsapi's performance on the two real-world benchmarks provided by the community.

Since reverting to nwsapi causes several functionality regressions, e.g. removing :has() support, we've decided to make this a major version.

Additionally:

  • Small fixes to edge-case behavior of the following properties: input.maxLength, input.minLength, input.size, progress.max, tableCell.colSpan, tableCell.rowSpan, tableCol.span, textArea.cols, textArea.maxLength, textArea.minLength, textArea.rows.

Version 23.2.0

This release switches our CSS selector engine from nwsapi to @asamuzakjp/dom-selector. The new engine is more actively maintained, and supports many new selectors: see the package's documentation for the full list. It also works better with shadow trees.

There is a potential of a performance regression due to this change. In our stress test benchmark, which runs most of these 273 selectors against this 128 KiB document, the new engine completes the benchmark only 0.25x as fast. However, we're hopeful that in more moderate usage this will not be a significant issue. Any help speeding up @asamuzakjp/dom-selector is appreciated, and feel free to open an issue if this has had a significant impact on your project.

Version 23.1.0

  • Added an initial implementation of ElementInternals, including the shadowRoot getter and the string-valued ARIA properties. (zjffun)
  • Added the string-valued ARIA attribute-reflecting properties to Element.
  • Fixed history.pushState() and history.replaceState() to follow the latest specification, notably with regards to how they handle empty string inputs and what new URLs are possible.
  • Fixed the input.valueAsANumber setter to handle NaN correctly. (alexandertrefz)
  • Updated various dependencies, including cssstyle which contains several bug fixes.

Version 23.0.1

  • Fixed the incorrect canvas peer dependency introduced in v23.0.0.

Version 23.0.0

  • Node.js v18 is now the minimum supported version.
  • Updated various dependencies, including whatwg-url which integrates various additions to the URL and URLSearchParams objects.

Version 22.1.0

  • Added crypto.randomUUID(). (jamesbvaughan)
  • Added DOMRect and DOMRectReadOnly.
  • Added AbortSignal.timeout().
  • Added abortSignal.throwIfAborted().
  • Added support for the submitter argument to the FormData constructor. (jenseng)
  • Improved getComputedStyle()'s results for color-based properties, to resolve named colors and attempt to provide initial inheritance support. (hoekz-wwt)
  • Updated Window's event handler properties (e.g. oncopy, ontouchstart, etc.) to reflect the latest list from the standard.
  • Fixed DOMParser-created documents to inherit their URL from the creating document.

Version 22.0.0

Version 21.1.2

  • Fixed setRangeText() used on <input> and <textarea> elements to calculate the new end index correctly. (pmstss)
  • Fixed pageX, pageY, offsetX, and offsetY on MouseEvents during dispatch. (jenseng)
  • Upgraded nwsapi to v2.2.4, bringing along various fixes to our selector engine.

Version 21.1.1

  • Fixed jsdom.reconfigure() to also adjust the URL as seen by the history API, so that e.g. history.replaceState(null, "") would not mess up the URL. (jdufresne)
  • Fixed location.hash = "" to leave any # in location.href.

... (truncated)

Changelog

Sourced from jsdom's changelog.

24.0.0

This release reverts our selector engine back to nwsapi. As discussed in #3659, the performance regressions from @asamuzakjp/dom-selector turned out to be higher than anticipated. In the future, we can revisit @asamuzakjp/dom-selector after it reaches nwsapi's performance on the two real-world benchmarks provided by the community.

Since reverting to nwsapi causes several functionality regressions, e.g. removing :has() support, we've decided to make this a major version.

Additionally:

  • Small fixes to edge-case behavior of the following properties: input.maxLength, input.minLength, input.size, progress.max, tableCell.colSpan, tableCell.rowSpan, tableCol.span, textArea.cols, textArea.maxLength, textArea.minLength, textArea.rows.

23.2.0

This release switches our CSS selector engine from nwsapi to @asamuzakjp/dom-selector. The new engine is more actively maintained, and supports many new selectors: see the package's documentation for the full list. It also works better with shadow trees.

There is a potential of a performance regression due to this change. In our stress test benchmark, which runs most of these 273 selectors against this 128 KiB document, the new engine completes the benchmark only 0.25x as fast. However, we're hopeful that in more moderate usage this will not be a significant issue. Any help speeding up @asamuzakjp/dom-selector is appreciated, and feel free to open an issue if this has had a significant impact on your project.

23.1.0

  • Added an initial implementation of ElementInternals, including the shadowRoot getter and the string-valued ARIA properties. (zjffun)
  • Added the string-valued ARIA attribute-reflecting properties to Element.
  • Fixed history.pushState() and history.replaceState() to follow the latest specification, notably with regards to how they handle empty string inputs and what new URLs are possible.
  • Fixed the input.valueAsANumber setter to handle NaN correctly. (alexandertrefz)
  • Updated various dependencies, including cssstyle which contains several bug fixes.

23.0.1

  • Fixed the incorrect canvas peer dependency introduced in v23.0.0.

23.0.0

  • Node.js v18 is now the minimum supported version.
  • Updated various dependencies, including whatwg-url which integrates various additions to the URL and URLSearchParams objects.

22.1.0

  • Added crypto.randomUUID(). (jamesbvaughan)
  • Added DOMRect and DOMRectReadOnly.
  • Added AbortSignal.timeout().
  • Added abortSignal.throwIfAborted().
  • Added support for the submitter argument to the FormData constructor. (jenseng)
  • Improved getComputedStyle()'s results for color-based properties, to resolve named colors and attempt to provide initial inheritance support. (hoekz-wwt)
  • Updated Window's event handler properties (e.g. oncopy, ontouchstart, etc.) to reflect the latest list from the standard.
  • Fixed DOMParser-created documents to inherit their URL from the creating document.

22.0.0

21.1.2

... (truncated)

Commits
  • 2f8a730 Version 24.0.0
  • db0a4dc Implement the remaining types of numeric reflection
  • c1d7005 Implement full long reflection
  • ac815ff Revert back to nwsapi
  • 5b1a49e Fix changelog link to dom-selector
  • cf8b707 Version 23.2.0
  • 908f27d Update dom-selector and roll web platform tests
  • c039e52 Switch from nwsapi to dom-selector
  • b677627 Add new CSS selectors benchmark
  • 4b33d36 Enable WPT directories css/selectors and css/css-scoping
  • Additional commits viewable in compare view

Updates xmldom from 0.1.31 to 0.6.0

Release notes

Sourced from xmldom's releases.

0.6.0

0.6.0

Fixes

0.5.0

Fixes

  • Avoid misinterpretation of malicious XML input - GHSA-h6q6-9hqw-rwfv (CVE-2021-21366)

    • Improve error reporting; throw on duplicate attribute BREAKING CHANGE: It is currently not clear how to consistently deal with duplicate attributes, so it's also safer for our users to fail when detecting them. It's possible to configure the DOMParser.errorHandler before parsing, to handle those errors differently.

      To accomplish this and also be able to verify it in tests I needed to

      • create a new Error type ParseError and export it
      • Throw ParseError from errorHandler.fatalError and prevent those from being caught in XMLReader.
      • export DOMHandler constructor as __DOMHandler

    • Preserve quotes in DOCTYPE declaration Since the only purpose of parsing the DOCTYPE is to be able to restore it when serializing, we decided that it would be best to leave the parsed publicId and systemId as is, including any quotes. BREAKING CHANGE: If somebody relies on the actual unquoted values of those ids, they will need to take care of either single or double quotes and the right escaping. (Without this change this would not have been possible because the SAX parser already dropped the information about the quotes that have been used in the source.)

      https://www.w3.org/TR/2006/REC-xml11-20060816/#dtd https://www.w3.org/TR/2006/REC-xml11-20060816/#IDAX1KS (External Entity Declaration)

  • Fix breaking preprocessors' directives when parsing attributes [#171](https://github.com/xmldom/xmldom/issues/171)
  • fix(dom): Escape ]]&gt; when serializing CharData [#181](https://github.com/xmldom/xmldom/issues/181)
  • Switch to (only) MIT license (drop problematic LGPL license option) [#178](https://github.com/xmldom/xmldom/issues/178)
  • Export DOMException; remove custom assertions; etc. [#174](https://github.com/xmldom/xmldom/issues/174)

Docs

0.4.0

Fixes

Docs

... (truncated)

Changelog

Sourced from xmldom's changelog.

0.6.0

Commits

Fixes

0.5.0

Commits

Fixes

  • Avoid misinterpretation of malicious XML input - GHSA-h6q6-9hqw-rwfv (CVE-2021-21366)

    • Improve error reporting; throw on duplicate attribute
      BREAKING CHANGE: It is currently not clear how to consistently deal with duplicate attributes, so it's also safer for our users to fail when detecting them. It's possible to configure the DOMParser.errorHandler before parsing, to handle those errors differently.

      To accomplish this and also be able to verify it in tests I needed to

      • create a new Error type ParseError and export it
      • Throw ParseError from errorHandler.fatalError and prevent those from being caught in XMLReader.
      • export DOMHandler constructor as __DOMHandler

    • Preserve quotes in DOCTYPE declaration Since the only purpose of parsing the DOCTYPE is to be able to restore it when serializing, we decided that it would be best to leave the parsed publicId and systemId as is, including any quotes. BREAKING CHANGE: If somebody relies on the actual unquoted values of those ids, they will need to take care of either single or double quotes and the right escaping. (Without this change this would not have been possible because the SAX parser already dropped the information about the quotes that have been used in the source.)

      https://www.w3.org/TR/2006/REC-xml11-20060816/#dtd https://www.w3.org/TR/2006/REC-xml11-20060816/#IDAX1KS (External Entity Declaration)

  • Fix breaking preprocessors' directives when parsing attributes [#171](https://github.com/xmldom/xmldom/issues/171)

  • fix(dom): Escape ]]&gt; when serializing CharData [#181](https://github.com/xmldom/xmldom/issues/181)

  • Switch to (only) MIT license (drop problematic LGPL license option) [#178](https://github.com/xmldom/xmldom/issues/178)

  • Export DOMException; remove custom assertions; etc. [#174](https://github.com/xmldom/xmldom/issues/174)

Docs

0.4.0

Commits

Fixes

... (truncated)

Commits
  • c80a161 xmldon version 0.6.0
  • bc36efd chore: regenerate package-lock.json
  • 8a92704 Update eslint -> ^7.23.0 - devDependencies (#202)
  • b12106e Update @​stryker-mutator/core -> ^4.5.1 - devDependencies (#192)
  • af4642e docs: Update Changelog (#197)
  • 5869d76 test(stryker): Replace line numbers by error index (#201)
  • a681852 fix: Escape < when serializing attribute values (#199)
  • bb12247 Update eslint-config-prettier -> 8 - devDependencies (#187)
  • 48c51b3 Update eslint -> ^7.22.0 - devDependencies (#185)
  • 82b0481 refactor!: Avoid empty namespace value like xmlns:ds="" (#168)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by karfau, a new releaser for xmldom since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the npm_and_yarn group across 1 directory with 5 updates
62b7d29 
Bumps the npm_and_yarn group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [grunt](https://github.com/gruntjs/grunt) | `0.4.5` | `1.6.1` |
| [express](https://github.com/expressjs/express) | `3.4.8` | `4.19.2` |
| [ejs](https://github.com/mde/ejs) | `0.8.8` | `3.1.10` |
| [jsdom](https://github.com/jsdom/jsdom) | `0.8.11` | `24.0.0` |
| [xmldom](https://github.com/xmldom/xmldom) | `0.1.31` | `0.6.0` |



Updates `grunt` from 0.4.5 to 1.6.1
- [Release notes](https://github.com/gruntjs/grunt/releases)
- [Changelog](https://github.com/gruntjs/grunt/blob/main/CHANGELOG)
- [Commits](gruntjs/grunt@v0.4.5...v1.6.1)

Updates `express` from 3.4.8 to 4.19.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@3.4.8...4.19.2)

Updates `ejs` from 0.8.8 to 3.1.10
- [Release notes](https://github.com/mde/ejs/releases)
- [Commits](https://github.com/mde/ejs/commits/v3.1.10)

Updates `jsdom` from 0.8.11 to 24.0.0
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Changelog](https://github.com/jsdom/jsdom/blob/main/Changelog.md)
- [Commits](jsdom/jsdom@0.8.11...24.0.0)

Updates `xmldom` from 0.1.31 to 0.6.0
- [Release notes](https://github.com/xmldom/xmldom/releases)
- [Changelog](https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md)
- [Commits](xmldom/xmldom@v0.1.31...0.6.0)

---
updated-dependencies:
- dependency-name: grunt
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: express
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: ejs
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: jsdom
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: xmldom
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label May 2, 2024
@dependabot dependabot bot mentioned this pull request May 2, 2024
Closed
@socket-security Socket Security
Copy link

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/[email protected] eval, filesystem Transitive: environment, shell +15 1.35 MB mde
npm/[email protected] environment, filesystem, network Transitive: eval, unsafe +63 2.12 MB wesleytodd
npm/[email protected] Transitive: environment, eval, filesystem, shell +96 3.87 MB vladikoff
npm/[email protected] eval, filesystem, network, shell, unsafe Transitive: environment +40 7.21 MB domenic
npm/[email protected] None 0 91 kB karfau

🚮 Removed packages: npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants