
[Snyk] Upgrade: @koa/cors, @octokit/core, @octokit/plugin-throttling, axios, commander, consola, koa-body, koa-router, lru-cache, luxon, mysql2, node-sql-parser, octokit, p-queue, pinyin, prom-client, reflect-metadata, tiny-async-pool #881

Status: Open. Wants to merge 1 commit into base: main.
Conversation

q1blue (Collaborator) commented Sep 22, 2024

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Name | Versions | Released on
@koa/cors | from 3.4.3 to 5.0.0 (2 versions ahead of your current version; ⚠️ major version upgrade, may be a breaking change) | 2023-12-11 (9 months ago)
@octokit/core | from 4.2.4 to 6.1.2 (21 versions ahead of your current version; ⚠️ major version upgrade, may be a breaking change) | 2024-04-09 (5 months ago)
@octokit/plugin-throttling | from 4.3.2 to 9.3.1 (29 versions ahead of your current version; ⚠️ major version upgrade, may be a breaking change) | 2024-07-14 (2 months ago)
axios | from 0.27.2 to 1.7.7 (46 versions ahead of your current version; ⚠️ major version upgrade, may be a breaking change) | 2024-08-31 (22 days ago)
commander | from 9.5.0 to 12.1.0 (8 versions ahead of your current version; ⚠️ major version upgrade, may be a breaking change) | 2024-05-18 (4 months ago)
consola | from 2.15.3 to 3.2.3 (13 versions ahead of your current version; ⚠️ major version upgrade, may be a breaking change) | 2023-07-05 (a year ago)
koa-body | from 5.0.0 to 6.0.1 (2 versions ahead of your current version; ⚠️ major version upgrade, may be a breaking change) | 2022-10-29 (2 years ago)
koa-router | from 10.1.1 to 12.0.1 (5 versions ahead of your current version; ⚠️ major version upgrade, may be a breaking change) | 2023-10-12 (a year ago)
lru-cache | from 7.18.3 to 11.0.0 (28 versions ahead of your current version; ⚠️ major version upgrade, may be a breaking change) | 2024-07-08 (2 months ago)
luxon | from 2.5.2 to 3.5.0 (16 versions ahead of your current version; ⚠️ major version upgrade, may be a breaking change) | 2024-08-03 (2 months ago)
mysql2 | from 2.3.3 to 3.11.0 (50 versions ahead of your current version; ⚠️ major version upgrade, may be a breaking change) | 2024-07-27 (2 months ago)
node-sql-parser | from 4.18.0 to 5.3.1 (5 versions ahead of your current version; ⚠️ major version upgrade, may be a breaking change) | 2024-08-07 (2 months ago)
octokit | from 1.8.1 to 4.0.2 (39 versions ahead of your current version; ⚠️ major version upgrade, may be a breaking change) | 2024-05-08 (4 months ago)
p-queue | from 7.4.1 to 8.0.1 (2 versions ahead of your current version; ⚠️ major version upgrade, may be a breaking change) | 2023-12-14 (9 months ago)
pinyin | from 3.0.0-alpha.5 to 3.1.0 (3 versions ahead of your current version) | 2023-11-22 (10 months ago)
prom-client | from 14.2.0 to 15.1.3 (7 versions ahead of your current version; ⚠️ major version upgrade, may be a breaking change) | 2024-06-27 (3 months ago)
reflect-metadata | from 0.1.14 to 0.2.2 (4 versions ahead of your current version) | 2024-03-29 (6 months ago)
tiny-async-pool | from 1.3.0 to 2.1.0 (3 versions ahead of your current version; ⚠️ major version upgrade, may be a breaking change) | 2022-05-10 (2 years ago)

Issues fixed by the recommended upgrade:

Issue | Severity | Score | Exploit Maturity
Improper Handling of Exceptional Conditions (SNYK-JS-OCTOKIT-6129525) | high | 193 | No Known Exploit
Cross-site Request Forgery (CSRF) (SNYK-JS-AXIOS-6032459) | high | 193 | Proof of Concept
Origin Validation Error (SNYK-JS-KOACORS-6117545) | high | 193 | No Known Exploit
Prototype Pollution (SNYK-JS-MYSQL2-6861580) | high | 193 | Proof of Concept
Regular Expression Denial of Service (ReDoS) (SNYK-JS-AXIOS-6124857) | medium | 193 | Proof of Concept
Prototype Poisoning (SNYK-JS-MYSQL2-6591084) | medium | 193 | Proof of Concept
Remote Code Execution (RCE) (SNYK-JS-MYSQL2-6591085) | critical | 193 | Proof of Concept
Use of Web Browser Cache Containing Sensitive Information (SNYK-JS-MYSQL2-6591300) | medium | 193 | Proof of Concept
Arbitrary Code Injection (SNYK-JS-MYSQL2-6670046) | critical | 193 | Proof of Concept
Release notes
Package name: @koa/cors (from @koa/cors GitHub release notes)
Package name: @octokit/core (from @octokit/core GitHub release notes)
Package name: @octokit/plugin-throttling
  • 9.3.1 - 2024-07-14

    9.3.1 (2024-07-14)

    Bug Fixes

  • 9.3.0 - 2024-04-29

    9.3.0 (2024-04-29)

    Features

  • 9.2.1 - 2024-04-23

    9.2.1 (2024-04-23)

    Bug Fixes

  • 9.2.0 - 2024-04-15

    9.2.0 (2024-04-15)

    Features

    • routes changed from repository_id to nwo and enterprise groups now includes the enterprise in route (#684) (734bcba)
  • 9.1.0 - 2024-04-03

    9.1.0 (2024-04-03)

    Features

  • 9.0.4 - 2024-04-03

    9.0.4 (2024-04-03)

    Bug Fixes

    • deps: update dependency @octokit/types to v13 (8cc6eb9)
  • 9.0.3 - 2024-03-01

    9.0.3 (2024-03-01)

    Bug Fixes

  • 9.0.2 - 2024-02-27

    9.0.2 (2024-02-27)

    Bug Fixes

  • 9.0.1 - 2024-02-26

    9.0.1 (2024-02-26)

    Bug Fixes

    • add missing file extension on bottleneck import (#676) (1c64559)
  • 9.0.0 - 2024-02-25

    9.0.0 (2024-02-25)

    Features

    BREAKING CHANGES

    • package is now ESM
  • 8.2.0 - 2024-02-22
  • 8.1.3 - 2023-11-18
  • 8.1.2 - 2023-10-25
  • 8.1.1 - 2023-10-25
  • 8.1.0 - 2023-10-24
  • 8.0.1 - 2023-10-21
  • 8.0.0 - 2023-09-23
  • 7.0.0 - 2023-07-10
  • 6.1.0 - 2023-06-09
  • 6.0.1 - 2023-06-07
  • 6.0.0 - 2023-05-22
  • 5.2.3 - 2023-05-19
  • 5.2.2 - 2023-05-17
  • 5.2.1 - 2023-05-13
  • 5.2.0 - 2023-05-05
  • 5.1.1 - 2023-04-21
  • 5.1.0 - 2023-04-20
  • 5.0.1 - 2023-01-20
  • 5.0.0 - 2023-01-20
  • 4.3.2 - 2022-10-31
from @octokit/plugin-throttling GitHub release notes
Package name: axios
  • 1.7.7 - 2024-08-31

    Release notes:

    Bug Fixes

    • fetch: fix stream handling in Safari by fallback to using a stream reader instead of an async iterator; (#6584) (d198085)
    • http: fixed support for IPv6 literal strings in url (#5731) (364993f)

    Contributors to this release

  • 1.7.6 - 2024-08-30

    Release notes:

    Bug Fixes

    • fetch: fix content length calculation for FormData payload; (#6524) (085f568)
    • fetch: optimize signals composing logic; (#6582) (df9889b)

    Contributors to this release

  • 1.7.5 - 2024-08-23

    Release notes:

    Bug Fixes

    • adapter: fix undefined reference to hasBrowserEnv (#6572) (7004707)
    • core: add the missed implementation of AxiosError#status property; (#6573) (6700a8a)
    • core: fix ReferenceError: navigator is not defined for custom environments; (#6567) (fed1a4b)
    • fetch: fix credentials handling in Cloudflare workers (#6533) (550d885)

    Contributors to this release

  • 1.7.4 - 2024-08-13

    Release notes:

    Bug Fixes

    Contributors to this release

  • 1.7.3 - 2024-08-01

    Release notes:

    Bug Fixes

    • adapter: fix progress event emitting; (#6518) (e3c76fc)
    • fetch: fix withCredentials request config (#6505) (85d4d0e)
    • xhr: return original config on errors from XHR adapter (#6515) (8966ee7)

    Contributors to this release

  • 1.7.2 - 2024-05-21

    Release notes:

    Bug Fixes

    Contributors to this release

  • 1.7.1 - 2024-05-20

    Release notes:

    Bug Fixes

    • fetch: fixed ReferenceError issue when TextEncoder is not available in the environment; (#6410) (733f15f)

    Contributors to this release

  • 1.7.0 - 2024-05-19

    Release notes:

    Features

    Bug Fixes

    • core/axios: handle un-writable error stack (#6362) (81e0455)

    Contributors to this release

  • 1.7.0-beta.2 - 2024-05-19

    Release notes:

    Bug Fixes

    • fetch: capitalize HTTP method names; (#6395) (ad3174a)
    • fetch: fix & optimize progress capturing for cases when the request data has a nullish value or zero data length (#6400) (95a3e8e)
    • fetch: fix headers getting from a stream response; (#6401) (870e0a7)

    Contributors to this release

  • 1.7.0-beta.1 - 2024-05-07

    Release notes:

    Bug Fixes

    • core/axios: handle un-writable error stack (#6362) (81e0455)
    • fetch: fix cases when ReadableStream or Response.body are not available; (#6377) (d1d359d)
    • fetch: treat fetch-related TypeError as an AxiosError.ERR_NETWORK error; (#6380) (bb5f9a5)

    Contributors to this release

    Install

    npm i axios@next
    
  • 1.7.0-beta.0 - 2024-04-28
  • 1.6.8 - 2024-03-15
  • 1.6.7 - 2024-01-25
  • 1.6.6 - 2024-01-24
  • 1.6.5 - 2024-01-05
  • 1.6.4 - 2024-01-03
  • 1.6.3 - 2023-12-26
  • 1.6.2 - 2023-11-14
  • 1.6.1 - 2023-11-08
  • 1.6.0 - 2023-10-26
  • 1.5.1 - 2023-09-26
  • 1.5.0 - 2023-08-26
  • 1.4.0 - 2023-04-27
  • 1.3.6 - 2023-04-19
  • 1.3.5 - 2023-04-05
  • 1.3.4 - 2023-02-22
  • 1.3.3 - 2023-02-13
  • 1.3.2 - 2023-02-03
  • 1.3.1 - 2023-02-01
  • 1.3.0 - 2023-01-31
  • 1.2.6 - 2023-01-28
  • 1.2.5 - 2023-01-26
  • 1.2.4 - 2023-01-24
  • 1.2.3 - 2023-01-17
  • 1.2.2 - 2022-12-29
  • 1.2.1 - 2022-12-05
  • 1.2.0 - 2022-11-22
  • 1.2.0-alpha.1 - 2022-11-10
  • 1.1.3 - 2022-10-15
  • 1.1.2 - 2022-10-07
  • 1.1.1 - 2022-10-07
  • 1.1.0 - 2022-10-06
  • 1.0.0 - 2022-10-04
  • 1.0.0-alpha.1 - 2022-05-31
  • 0.28.1 - 2024-03-28
  • 0.28.0 - 2024-02-12
  • 0.27.2 - 2022-04-27
from axios GitHub release notes
Package name: commander
  • 12.1.0 - 2024-05-18

    Added

    • auto-detect special node flags node --eval and node --print when calling .parse() with no arguments (#2164)

    Changed

    • prefix require of Node.js core modules with node: (#2170)
    • format source files with Prettier (#2180)
    • switch from StandardJS to directly calling ESLint for linting (#2153)
    • extend security support for previous major version of Commander (#2150)

    Removed

    • removed unimplemented Option.fullDescription from TypeScript definition (#2191)
  • 12.0.0 - 2024-02-03

    Added

    • .addHelpOption() as another way of configuring built-in help option (#2006)
    • .helpCommand() for configuring built-in help command (#2087)

    Fixed

    • Breaking: use non-zero exit code when spawned executable subcommand terminates due to a signal (#2023)
    • Breaking: check passThroughOptions constraints when using .addCommand and throw if parent command does not have .enablePositionalOptions() enabled (#1937)

    Changed

    • Breaking: Commander 12 requires Node.js v18 or higher (#2027)
    • Breaking: throw an error if adding an option with a flag which is already in use (#2055)
    • Breaking: throw an error if adding a command with a name or alias which is already in use (#2059)
    • Breaking: throw an error when calling .storeOptionsAsProperties() after setting an option value (#1928)
    • replace non-standard JSDoc @api private with documented @private (#1949)
    • .addHelpCommand() now takes a Command (passing string or boolean still works as before but deprecated) (#2087)
    • refactor internal implementation of built-in help option (#2006)
    • refactor internal implementation of built-in help command (#2087)

    Deprecated

    • .addHelpCommand() passing string or boolean (use .helpCommand() or pass a Command) (#2087)

    Removed

    • Breaking: removed default export of a global Command instance from CommonJS (use the named program export instead) (#2017)

    Migration Tips

    global program

    If you are using the deprecated default import of the global Command object, you need to switch to using a named import (or create a new Command).

    // const program = require('commander');
    const { program } = require('commander');

    option and command clashes

    A couple of configuration problems now throw an error, which will pick up issues in existing programs:

    • adding an option which uses the same flag as a previous option
    • adding a command which uses the same name or alias as a previous command
  • 12.0.0-1 - 2024-01-19

    Added

    • .addHelpOption() as another way of configuring built-in help option (#2006)
    • .helpCommand() for configuring built-in help command (#2087)

    Changed

    • .addHelpCommand() now takes a Command (passing string or boolean still works as before but deprecated) (#2087)
    • refactor internal implementation of built-in help option (#2006)
    • refactor internal implementation of built-in help command (#2087)

    Deprecated

    • .addHelpCommand() passing string or boolean (use .helpCommand() or pass a Command) (#2087)
  • 12.0.0-0 - 2023-11-11

    Fixed

    • Breaking: use non-zero exit code when spawned executable subcommand terminates due to a signal (#2023)
    • Breaking: check passThroughOptions constraints when using .addCommand and throw if parent command does not have .enablePositionalOptions() enabled (#1937)

    Changed

    • Breaking: Commander 12 requires Node.js v18 or higher (#2027)
    • Breaking: throw an error if adding an option with a flag which is already in use (#2055)
    • Breaking: throw an error if adding a command with a name or alias which is already in use (#2059)
    • Breaking: throw an error when calling .storeOptionsAsProperties() after setting an option value (#1928)
    • replace non-standard JSDoc @api private with documented @private (#1949)

    Removed

    • Breaking: removed default export of a global Command instance from CommonJS (use the named program export instead) (#2017)

    Migration Tips

    global program

    If you are using the deprecated default import of the global Command object, you need to switch to using a named import (or create a new Command).

    // const program = require('commander');
    const { program } = require('commander');

    option and command clashes

    A couple of configuration problems now throw an error, which will pick up issues in existing programs:

    • adding an option which uses the same flag as a previous option
    • adding a command which uses the same name or alias as a previous command
  • 11.1.0 - 2023-10-13

    Fixed

    • TypeScript: update OptionValueSource to allow any string, to match supported use of custom sources (#1983)
    • TypeScript: add that Command.version() can also be used as getter (#1982)
    • TypeScript: add null return type to Commands.executableDir(), for when not configured (#1965)
    • subcommands with an executable handler and only a short help flag are now handled correctly by the parent's help command (#1930)

    Added

    • registeredArguments property on Command with the array of defined Argument (like Command.options for Option) (#2010)
    • TypeScript declarations for Option properties: envVar, presetArg (#2019)
    • TypeScript declarations for Argument properties: argChoices, defaultValue, defaultValueDescription (#2019)
    • example file which shows how to configure help to display any custom usage in the list of subcommands (#1896)

    Changed

    • (developer) refactor TypeScript configs for multiple use-cases, and enable checks in JavaScript files in supporting editors (#1969)

    Deprecated

    • Command._args was private anyway, but now available as registeredArguments (

Snyk has created this PR to upgrade:
  - @koa/cors from 3.4.3 to 5.0.0.
    See this package in npm: https://www.npmjs.com/package/@koa/cors
  - @octokit/core from 4.2.4 to 6.1.2.
    See this package in npm: https://www.npmjs.com/package/@octokit/core
  - @octokit/plugin-throttling from 4.3.2 to 9.3.1.
    See this package in npm: https://www.npmjs.com/package/@octokit/plugin-throttling
  - axios from 0.27.2 to 1.7.7.
    See this package in npm: https://www.npmjs.com/package/axios
  - commander from 9.5.0 to 12.1.0.
    See this package in npm: https://www.npmjs.com/package/commander
  - consola from 2.15.3 to 3.2.3.
    See this package in npm: https://www.npmjs.com/package/consola
  - koa-body from 5.0.0 to 6.0.1.
    See this package in npm: https://www.npmjs.com/package/koa-body
  - koa-router from 10.1.1 to 12.0.1.
    See this package in npm: https://www.npmjs.com/package/koa-router
  - lru-cache from 7.18.3 to 11.0.0.
    See this package in npm: https://www.npmjs.com/package/lru-cache
  - luxon from 2.5.2 to 3.5.0.
    See this package in npm: https://www.npmjs.com/package/luxon
  - mysql2 from 2.3.3 to 3.11.0.
    See this package in npm: https://www.npmjs.com/package/mysql2
  - node-sql-parser from 4.18.0 to 5.3.1.
    See this package in npm: https://www.npmjs.com/package/node-sql-parser
  - octokit from 1.8.1 to 4.0.2.
    See this package in npm: https://www.npmjs.com/package/octokit
  - p-queue from 7.4.1 to 8.0.1.
    See this package in npm: https://www.npmjs.com/package/p-queue
  - pinyin from 3.0.0-alpha.5 to 3.1.0.
    See this package in npm: https://www.npmjs.com/package/pinyin
  - prom-client from 14.2.0 to 15.1.3.
    See this package in npm: https://www.npmjs.com/package/prom-client
  - reflect-metadata from 0.1.14 to 0.2.2.
    See this package in npm: https://www.npmjs.com/package/reflect-metadata
  - tiny-async-pool from 1.3.0 to 2.1.0.
    See this package in npm: https://www.npmjs.com/package/tiny-async-pool

See this project in Snyk:
https://app.snyk.io/org/q1blue-rxw/project/061589ad-3276-41ad-ab3d-5cb52331031e?utm_source=github&utm_medium=referral&page=upgrade-pr
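After merging a bundled upgrade like the one above, the thing worth verifying is not only that package.json moved to the new versions but that no older copy of a fixed package (mysql2, axios, @octokit/core and the rest) survives nested under another dependency in the lockfile, where `npm audit` still sees it and the application may still load it. The following is an added example, not Snyk's code and not this project's: it walks a package-lock.json v2/v3 "packages" map and reports every install of a targeted package that is still below the version the PR upgrades to. The target list is copied from the PR description; the lockfile below is constructed for the demonstration, and the semver comparison handles only plain x.y.z with an optional prerelease, which is enough for these packages (pinyin's 3.0.0-alpha.5 included).

```javascript
// Added example: detect stale nested copies of the packages this PR upgrades.
// Not part of the Snyk PR or the project; the lockfile below is constructed.

// Target versions copied from the PR description (package name -> upgraded version).
const UPGRADE_TARGETS = {
  '@koa/cors': '5.0.0',
  '@octokit/core': '6.1.2',
  '@octokit/plugin-throttling': '9.3.1',
  axios: '1.7.7',
  commander: '12.1.0',
  consola: '3.2.3',
  'koa-body': '6.0.1',
  'koa-router': '12.0.1',
  'lru-cache': '11.0.0',
  luxon: '3.5.0',
  mysql2: '3.11.0',
  'node-sql-parser': '5.3.1',
  octokit: '4.0.2',
  'p-queue': '8.0.1',
  pinyin: '3.1.0',
  'prom-client': '15.1.3',
  'reflect-metadata': '0.2.2',
  'tiny-async-pool': '2.1.0',
};

// Parse "major.minor.patch[-prerelease][+build]"; build metadata is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// Semver precedence: numeric fields first, then prerelease rules (a prerelease sorts
// before its release; numeric identifiers compare numerically and rank below alphanumeric).
// Returns a negative number if a < b, 0 if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  const len = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < len; i++) {
    if (pa.pre[i] === undefined) return -1; // shorter prerelease list sorts first
    if (pb.pre[i] === undefined) return 1;
    const x = pa.pre[i];
    const y = pb.pre[i];
    const xNum = /^\d+$/.test(x);
    const yNum = /^\d+$/.test(y);
    if (xNum && yNum) {
      if (Number(x) !== Number(y)) return Number(x) - Number(y);
    } else if (xNum) {
      return -1;
    } else if (yNum) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// Package name from a lockfile path such as
// "node_modules/some-plugin/node_modules/@octokit/core" -> "@octokit/core".
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Every install (top-level or nested) of a targeted package that is still older
// than the version the PR upgrades to. Entries without a version (links) are skipped.
function findStaleInstalls(lock, targets = UPGRADE_TARGETS) {
  const stale = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project itself
    const name = nameFromLockPath(lockPath);
    if (!name || !(name in targets) || !entry.version) continue;
    if (compareSemver(entry.version, targets[name]) < 0) {
      stale.push({ path: lockPath, name, version: entry.version, expected: targets[name] });
    }
  }
  return stale;
}

// Constructed lockfile: top-level packages are upgraded, but a hypothetical
// "some-plugin" still pins its own older axios and @octokit/core underneath it.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.7.7' },
    'node_modules/mysql2': { version: '3.11.0' },
    'node_modules/@octokit/core': { version: '6.1.2' },
    'node_modules/octokit': { version: '4.0.2' },
    'node_modules/pinyin': { version: '3.1.0' },
    'node_modules/some-plugin': { version: '2.0.0' },
    'node_modules/some-plugin/node_modules/axios': { version: '0.27.2' },
    'node_modules/some-plugin/node_modules/@octokit/core': { version: '4.2.4' },
  },
};

// Human-readable lines for a CI log; empty when the tree is clean.
function formatReport(stale) {
  return stale.map((s) => `${s.path}: ${s.name}@${s.version} is below ${s.expected}`);
}
```

For a real project, load the lockfile with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and fail the build when `findStaleInstalls` returns anything; on the constructed tree above it reports the two nested copies (axios 0.27.2 and @octokit/core 4.2.4) and nothing else. Nested copies are exactly the case a top-level `npm ls axios` glance misses, and they are why a Snyk upgrade PR can merge cleanly while the vulnerable code path stays resident.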

changeset-bot bot commented Sep 22, 2024

⚠️ No Changeset found

Latest commit: 7f690d1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.



Socket for GitHub: New and removed dependencies detected.

Package | New capabilities | Transitives | Size | Publisher
npm/pinyin@3.1.0 | Transitive: environment, eval, filesystem, network, shell, unsafe | +117 | 271 MB | hotoo

🚮 Removed packages: npm/pinyin@3.0.0-alpha.5

Successfully merging this pull request may close these issues.

[BUG]: No "exports" main defined in version 6.0.1