Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade: node-fetch, , chai, cheerio, mime-types, get-image-colors, image-size, semver, inquirer, tinycolor2, jimp, json-stable-stringify, lint-staged, prettier, sharp, sinon #21

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

rizkimaung
Copy link
Owner

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name Versions Released on

node-fetch
from 2.6.1 to 2.7.0 | 13 versions ahead of your current version | a year ago
on 2023-08-23
@octokit/rest
from 18.5.5 to 18.12.0 | 24 versions ahead of your current version | 3 years ago
on 2021-10-07
chai
from 4.3.4 to 4.5.0 | 9 versions ahead of your current version | 2 months ago
on 2024-07-25
cheerio
from 1.0.0-rc.9 to 1.0.0 | 4 versions ahead of your current version | a month ago
on 2024-08-09
mime-types
from 2.1.30 to 2.1.35 | 5 versions ahead of your current version | 2 years ago
on 2022-03-12
get-image-colors
from 4.0.0 to 4.0.1 | 1 version ahead of your current version | 3 years ago
on 2022-02-04
image-size
from 1.0.0 to 1.1.1 | 4 versions ahead of your current version | 8 months ago
on 2024-01-02
semver
from 5.7.1 to 5.7.2 | 1 version ahead of your current version | a year ago
on 2023-07-10
inquirer
from 8.1.0 to 8.2.6 | 12 versions ahead of your current version | a year ago
on 2023-08-02
tinycolor2
from 1.4.2 to 1.6.0 | 13 versions ahead of your current version | 2 years ago
on 2023-02-03
jimp
from 0.16.1 to 0.22.12 | 111 versions ahead of your current version | 7 months ago
on 2024-02-23
json-stable-stringify
from 1.0.1 to 1.1.1 | 3 versions ahead of your current version | 8 months ago
on 2024-01-16
lint-staged
from 11.0.0 to 11.2.6 | 14 versions ahead of your current version | 3 years ago
on 2021-10-26
prettier
from 2.3.0 to 2.8.8 | 20 versions ahead of your current version | a year ago
on 2023-04-23
sharp
from 0.28.3 to 0.33.5 | 47 versions ahead of your current version | a month ago
on 2024-08-16
sinon
from 11.1.1 to 11.1.2 | 1 version ahead of your current version | 3 years ago
on 2021-07-27

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-NTHCHECK-1586032
539 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-NTHCHECK-1586032
539 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795
539 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795
539 Proof of Concept
high severity Remote Code Execution (RCE)
SNYK-JS-SHELLQUOTE-1766506
539 No Known Exploit
high severity Information Exposure
SNYK-JS-SIMPLEGET-2361683
539 Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-TRIMNEWLINES-1298042
539 No Known Exploit
high severity Denial of Service (DoS)
SNYK-JS-JPEGJS-2859218
539 Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-JPEGJS-2859218
539 Proof of Concept
high severity Prototype Pollution
SNYK-JS-JSONSCHEMA-1920922
539 No Known Exploit
high severity Inefficient Regular Expression Complexity
SNYK-JS-MICROMATCH-6838728
539 No Known Exploit
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908
539 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908
539 Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-DECODEURICOMPONENT-3149970
539 Proof of Concept
medium severity Information Exposure
SNYK-JS-NODEFETCH-2342118
539 No Known Exploit
medium severity Remote Code Execution (RCE)
SNYK-JS-SHARP-2848109
539 No Known Exploit
critical severity Heap-based Buffer Overflow
SNYK-JS-SHARP-5922108
539 Mature
high severity Prototype Poisoning
SNYK-JS-QS-3153490
539 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795
539 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908
539 Proof of Concept
high severity Uncontrolled resource consumption
SNYK-JS-BRACES-6838727
539 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-GETFUNCNAME-5923417
539 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ISSVG-1085627
539 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ISSVG-1243891
539 Proof of Concept
medium severity Prototype Pollution
SNYK-JS-XML2JS-5414874
539 Proof of Concept
medium severity Denial of Service (DoS)
SNYK-JS-JPEGJS-570039
539 No Known Exploit
medium severity Exposure of Sensitive Information to an Unauthorized Actor
SNYK-JS-PHIN-6598077
539 No Known Exploit
low severity Prototype Pollution
SNYK-JS-MINIMIST-2429795
539 Proof of Concept
Release notes
Package name: node-fetch from node-fetch GitHub release notes
Package name: @octokit/rest
  • 18.12.0 - 2021-10-07

    18.12.0 (2021-10-07)

    Features

    • .actions.downloadWorkflowRunAttemptLogs(), .actions.getWorkflowRunAttempt(), .repos.generateReleaseNotes(), .checks.rerequestRun(). Graduate nebula, zzzax, switcheroo, baptiste previews. Removes defunkt /repos/{owner}/{repo}/actions/runs/{run_id}/retry endpoint. Renames methods to have consistent AuthenticatedUser() suffix, deprecates previous method names (#125) (4daa9f3)
  • 18.11.4 - 2021-09-30

    18.11.4 (2021-09-30)

    Bug Fixes

    • removes defunkt endpoints: GET /repos/{owner}/{repo}/community/code_of_conduct, DELETE /reactions/{reaction_id}. encrypted_value and key_id parameters are required for .rest.actions.{createOrUpdateEnvironmentSecret,setSelectedReposForOrgSecret}(). access_token parameter is required for .rest.apps.deleteAuthorization(). Previews graduated: ant-man, flash, scarlet-witch, squirrel-girl (#122) (9c02e7d)
  • 18.11.3 - 2021-09-30

    18.11.3 (2021-09-30)

    Bug Fixes

    • deps: bump minimal version of @ octokit/plugin-paginate-rest to v2.16.4 to prevent typescript compile errors (#120) (fca1907)
  • 18.11.2 - 2021-09-27

    18.11.2 (2021-09-27)

    Bug Fixes

  • 18.11.1 - 2021-09-24

    18.11.1 (2021-09-24)

    Bug Fixes

    • typescript: graduate previews dorian, inertia, london, lydian, wyandotte (#116) (f1e2416)
  • 18.11.0 - 2021-09-22

    18.11.0 (2021-09-22)

    Features

    • octokit.rest.repos.{enable,disable}LfsForRepo(), octokit.rest.repos.mergeUpstream({ owner, repo, branch }) (916a8bb)
  • 18.10.0 - 2021-08-31

    18.10.0 (2021-08-31)

    Features

    • typescript: .packages.deletePackageForUser(), .packages.deletePackageVersionForUser(), .packages.restorePackageForUser(), .packages.restorePackageVersionForUser(), .secretScanning.listAlertsForOrg() (#105) (40aeaff)

    Bug Fixes

    • typescript: fix type for labels parameter in .issues.{add,set}Labels() (#105) (40aeaff)
  • 18.9.1 - 2021-08-16

    18.9.1 (2021-08-16)

    Bug Fixes

    • deps: update dependency @ octokit/plugin-rest-endpoint-methods to v5.8.0 (1b9ca1e)
  • 18.9.0 - 2021-08-03

    18.9.0 (2021-08-03)

    Features

    • typescript: allow_auto_merge parameter when creating / updating a repository. Search: owner in repository items may no longer be null (#95) (c26c4fe)
  • 18.8.0 - 2021-08-02

    18.8.0 (2021-08-02)

    Features

    • .rest.repos.createAutolink(), .rest.repos.listAutolinks(), .rest.repos.getAutolink(), .rest.repos.deleteAutolink() (#94) (13df9e7)
  • 18.7.2 - 2021-07-30
  • 18.7.1 - 2021-07-23
  • 18.7.0 - 2021-07-21
  • 18.6.8 - 2021-07-20
  • 18.6.7 - 2021-07-04
  • 18.6.6 - 2021-06-30
  • 18.6.5 - 2021-06-30
  • 18.6.4 - 2021-06-29
  • 18.6.3 - 2021-06-26
  • 18.6.2 - 2021-06-24
  • 18.6.1 - 2021-06-23
  • 18.6.0 - 2021-06-12
  • 18.5.6 - 2021-06-01
  • 18.5.6-beta.1 - 2021-06-01
  • 18.5.5 - 2021-05-28
from @octokit/rest GitHub release notes
Package name: chai from chai GitHub release notes
Package name: cheerio
  • 1.0.0 - 2024-08-09

    Cheerio 1.0 is here! 🎉

    Announcement Blog Post

    Breaking Changes

    • The minimum NodeJS version is now 18.17 or higher #3959

    • Import paths were simplified. For example, use cheerio/slim instead of
      cheerio/lib/slim. #3970

    • The deprecated default Cheerio instance and static methods were removed. #3974

      Before, it was possible to write code like this:

      import cheerio, { html } from 'cheerio';

      html(cheerio('<test></test>')); // ~ '<test></test>' -- NO LONGER WORKS

      Make sure to always load documents first:

      import * as cheerio from 'cheerio';

      cheerio.load('<test></test>').html();

    • Node types previously re-exported by Cheerio must now be imported directly
      from (domhandler)(https://github.com/fb55/domhandler). #3969

    • htmlparser2 options now reside exclusively under the xml key (#2916):

      const $ = cheerio.load('<html>', {
        xml: {
          withStartIndices: true,
        },
      });

    New Features

    • Add functions to load buffers, streams & URLs in NodeJS by @ fb55 in #2857
    • Add extract method by @ fb55 in #2750

    Fixes

    Other

    Full Changelog: v1.0.0-rc.12...v1.0.0

  • 1.0.0-rc.12 - 2022-06-26

    Bugfix release. Fixed issues:

    • Align prop undefined handling with jQuery by @ fb55 in #2557
    • Allow deep imports of cheerio/lib/utils by @ blixt in #2601

    New Contributors

    Full Changelog: v1.0.0-rc.11...v1.0.0-rc.12

  • 1.0.0-rc.11 - 2022-05-20

    cheerio@1.0.0-rc.11 is hopefully the last RC before the 1.0.0 release of Cheerio. There are two APIs that will be added for the next major release: An exract method (#2523) and NodeJS specific loader methods (#2051). These are still in flux and I'd appreciate feedback on the proposals.

    A big thank you to everyone that contributed to this release! This includes code contributors, as well as the amazing financial support on GitHub Sponsors!

    Under the hood, a lot of work for this release went into updating parse5, cheerio's default HTML parser. Have a look at parse5's release notes to see what has changed there.

    Breaking

    • Cheerio is now a dual CommonJS and ESM module. That means that deep imports will now fail in newer versions of Node. #2508
    • script and style contents are added again in .text() #2509
      • To keep the old behavior, switch .text() to .prop('innerText')
    • The TypeScript types inherited from upstream dependencies have changed. #2503
      • Node types are now using tagged unions, which will make consumption a bit easier.

    Features

    • Relevant options are now forwarded to cheerio-select #2511
    • For the .prop() method:
      • Add textContent and innerText props #2214
      • Users can now specify a baseURI option, which will lead to href and src props to be resolved as URLs. #2510
    • Added a slim export, which will always use htmlparser2 #1960

    Fixes

    • Have text turn passed values to strings #2047
    • Include undefined in the return type of get by @ glen-84 in #2392
    • Recognise comments as HTML #2504
    • Add missing undefined return value #2505
    • Export missing static methods #2506
    • Have style parsing add malformed fields to previous field #2521

    Refactor

    • Use domutils module directly #1928
    • Hand-roll isHTML #1935
    • Move initialization logic to load #1951
    • Only return elements in closest #2057
    • Remove unnecessary code, be more explicit #2279
    • Use stricter TS, ESLint configs #2507
    • Update exported values #2512

    Development Experience

    Docs

    New Contributors

    Full Changelog: v1.0.0-rc.10...v1.0.0-rc.11

  • 1.0.0-rc.10 - 2021-06-08

    Fixes:

    Documentation:

    • Document how to define TS types for Plug-Ins (#1915, fixes #1778) 880fd2c
    • Remove obsolete Testing section

Snyk has created this PR to upgrade:
  - node-fetch from 2.6.1 to 2.7.0.
    See this package in npm: https://www.npmjs.com/package/node-fetch
  - @octokit/rest from 18.5.5 to 18.12.0.
    See this package in npm: https://www.npmjs.com/package/@octokit/rest
  - chai from 4.3.4 to 4.5.0.
    See this package in npm: https://www.npmjs.com/package/chai
  - cheerio from 1.0.0-rc.9 to 1.0.0.
    See this package in npm: https://www.npmjs.com/package/cheerio
  - mime-types from 2.1.30 to 2.1.35.
    See this package in npm: https://www.npmjs.com/package/mime-types
  - get-image-colors from 4.0.0 to 4.0.1.
    See this package in npm: https://www.npmjs.com/package/get-image-colors
  - image-size from 1.0.0 to 1.1.1.
    See this package in npm: https://www.npmjs.com/package/image-size
  - semver from 5.7.1 to 5.7.2.
    See this package in npm: https://www.npmjs.com/package/semver
  - inquirer from 8.1.0 to 8.2.6.
    See this package in npm: https://www.npmjs.com/package/inquirer
  - tinycolor2 from 1.4.2 to 1.6.0.
    See this package in npm: https://www.npmjs.com/package/tinycolor2
  - jimp from 0.16.1 to 0.22.12.
    See this package in npm: https://www.npmjs.com/package/jimp
  - json-stable-stringify from 1.0.1 to 1.1.1.
    See this package in npm: https://www.npmjs.com/package/json-stable-stringify
  - lint-staged from 11.0.0 to 11.2.6.
    See this package in npm: https://www.npmjs.com/package/lint-staged
  - prettier from 2.3.0 to 2.8.8.
    See this package in npm: https://www.npmjs.com/package/prettier
  - sharp from 0.28.3 to 0.33.5.
    See this package in npm: https://www.npmjs.com/package/sharp
  - sinon from 11.1.1 to 11.1.2.
    See this package in npm: https://www.npmjs.com/package/sinon

See this project in Snyk:
https://app.snyk.io/org/rizkihorangi/project/65cb260a-f2de-4e5d-abef-5ffd83ca0c9d?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment