
Conversation

depfu[bot]
Contributor

@depfu depfu bot commented Nov 15, 2024


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ tailwindcss (3.3.6 → 3.4.15) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ postcss (8.4.32 → 8.4.49) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​jridgewell/gen-mapping (indirect, 0.3.3 → 0.3.5) · Repo

Release Notes

0.3.5

What's Changed

Full Changelog: v0.3.4...v0.3.5

0.3.4

Full Changelog: v0.3.3...v0.3.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​jridgewell/resolve-uri (indirect, 3.1.0 → 3.1.2) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​jridgewell/set-array (indirect, 1.1.2 → 1.2.1) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​jridgewell/sourcemap-codec (indirect, 1.4.15 → 1.5.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​jridgewell/trace-mapping (indirect, 0.3.18 → 0.3.25) · Repo

Release Notes

0.3.24

What's Changed

  • Add ignoreList (and x_google_ignoreList) support: 1027ce6

Full Changelog: v0.3.23...v0.3.24

0.3.23

Full Changelog: v0.3.22...v0.3.23

0.3.22

What's Changed

Full Changelog: v0.3.21...v0.3.22

0.3.21

What's Changed

Full Changelog: v0.3.20...v0.3.21

0.3.20

What's Changed

  • Fix handling of sectioned source maps missing 'names' array by @RandomByte in #29

New Contributors

Full Changelog: v0.3.19...v0.3.20

0.3.19

What's Changed

  • Unpins the @jridgewell/resolve-uri and @jridgewell/sourcemap-codec dependencies so they can be de-duped.

Full Changelog: v0.3.16...v0.3.17

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ braces (indirect, 3.0.2 → 3.0.3) · Repo · Changelog

Security Advisories 🚨

🚨 Uncontrolled resource consumption in braces

The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ chokidar (indirect, 3.5.1 → 3.6.0) · Repo · Changelog

Release Notes

3.6.0

What's Changed

New Contributors

Full Changelog: 3.5.3...3.6.0

3.5.2

"Update" glob-parent dependency from ~5.1.0 to ~5.1.2 to silence "vulnerability" warnings

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ fast-glob (indirect, 3.3.1 → 3.3.2) · Repo

Release Notes

3.3.2

Full Changelog: 3.3.1...3.3.2

🐛 Bug fixes

  • Handle square brackets as a special character on Windows in escape functions (#425)
  • Keep escaping after brace expansion (#422)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ fill-range (indirect, 7.0.1 → 7.1.1) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ function-bind (indirect, 1.1.1 → 1.1.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ is-core-module (indirect, 2.12.0 → 2.15.1) · Repo · Changelog

Release Notes

2.15.1 (from changelog)

Commits

  • [Tests] add process.getBuiltinModule tests 28c7791
  • [Fix] test/mock_loader is no longer exposed as of v22.7 68b08b0
  • [Tests] replace aud with npm audit 32f8060
  • [Dev Deps] update mock-property f7d3c8f
  • [Dev Deps] add missing peer dep eaee885

2.15.0 (from changelog)

Commits

2.14.0 (from changelog)

Commits

  • [Dev Deps] update @ljharb/eslint-config, aud, mock-property, npmignore, tape 0e43200
  • [meta] add missing engines.node 4ea3af8
  • [New] add test/mock_loader e9fbd29
  • [Deps] update hasown 57f1940

2.13.1 (from changelog)

Commits

  • [Refactor] use hasown instead of has 0e52096
  • [Dev Deps] update mock-property, tape 8736b35

2.13.0 (from changelog)

Commits

  • [Dev Deps] update @ljharb/eslint-config, aud, semver, tape c75b263
  • [New] node:test/reporters and wasi/node:wasi are in v18.17 d76cbf8

2.12.1 (from changelog)

Commits

  • [Fix] test/reporters now requires the node: prefix as of v20.2 12183d0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jiti (indirect, 1.20.0 → 1.21.6) · Repo · Changelog

Release Notes

1.21.6

compare changes

🩹 Fixes

  • Use internal cached modules only if loaded (#247)

1.21.3

compare changes

🩹 Fixes

1.21.0

compare changes

This release enables forward compatibility for jiti v2 (See roadmap)

🚀 Enhancements

  • Add jiti.import function for async import (#170)
  • Add forward compatible (stub) types for jiti.import (#175)

❤️ Contributors

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ micromatch (indirect, 4.0.5 → 4.0.8) · Repo · Changelog

Security Advisories 🚨

🚨 Regular Expression Denial of Service (ReDoS) in micromatch

The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to #266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ picocolors (indirect, 1.0.0 → 1.1.1) · Repo · Changelog

Release Notes

1.1.1

What's new?

  • Moved TypeScript declarations to a d.ts file #82
  • Reworked color detection algorithm to properly work with empty strings in NO_COLOR and FORCE_COLOR env variables #87
  • Eliminated require() call to make the package compatible with some tools #87

1.1.0

What's new?

  • Added bright color variants #55

1.0.1

What's new?

  • Updated color detection mechanism to work properly on Vercel Edge Runtime #64
  • Remove use of recursion to avoid possible stack overflow for very long inputs #56

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ pirates (indirect, 4.0.5 → 4.0.6) · Repo

Release Notes

4.0.6

4.0.6 (2023-06-20)

Bug Fixes

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ postcss-load-config (indirect, 4.0.1 → 4.0.2) · Repo · Changelog

Release Notes

4.0.2 (from changelog)

Bug Fixes

  • src/index: added support for .cts files (#252)
  • deps: updated lilconfig (#253)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ postcss-nested (indirect, 6.0.1 → 6.2.0) · Repo · Changelog

Release Notes

6.2.0

  • Added @starting-style to bubbling at-rules.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ readdirp (indirect, 3.5.0 → 3.6.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ resolve (indirect, 1.22.2 → 1.22.8) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ source-map-js (indirect, 1.0.2 → 1.2.1) · Repo · Changelog

Release Notes

1.2.1

1.2.0

Allow passing options to SourceMapGenerator via the second argument of SourceMapGenerator.fromSourceMap:

var sourceMap = require("source-map-js"); // added: the module import the snippet assumes
// previousMap is a placeholder for the raw source map being consumed; the release note does not name it
var generator = sourceMap.SourceMapGenerator.fromSourceMap(new sourceMap.SourceMapConsumer(previousMap), {
  ignoreInvalidMapping: true,
});
  • Add generator options to fromSourceMap (#22) @ai

1.1.0

Add ignoreInvalidMapping option to SourceMapGenerator. If enabled, source-map-js will not throw an error on an incorrect previous source map. Instead, it will print warnings and ignore broken mappings.

var sourceMap = require("source-map-js"); // added: the module import the snippet assumes
var generator = new sourceMap.SourceMapGenerator({
  file: "my-generated-javascript-file.js",
  sourceRoot: "http://example.com/app/js/",
  ignoreInvalidMapping: true,
});
  • Do not throw an error since broken prev map is popular issue #20 (#20) @ai
  • Add ignoreInvalidMapping option (#21) @7rulnik

1.0.3

  • Use sourceContents when non-null, even if it's an empty string (#17) @bshepherdson

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sucrase (indirect, 3.32.0 → 3.35.0) · Repo · Changelog

Release Notes

3.35.0 (from changelog)

  • Upgrade glob to fix a security vulnerability in the inflight package. (#822) (Patrick Nappa)
    • Note that the sucrase CLI no longer works in Node.js versions before 14.7.
      • If you use the sucrase CLI, you should pin to Sucrase 3.34.0 until you're able to upgrade Node.js to a supported version. Note that all Node.js versions before 18 are end-of-life.
      • If you don't use the sucrase CLI, you may need to silence errors related to package.json engines, e.g. yarn --ignore-engines.
    • This change is being released in a semver-minor release since it fixes a security vulnerability and the breaking change impact is expected to be small. See this PR comment for a rationale on the release strategy.

3.34.0 (from changelog)

  • Add CLI options for all remaining Sucrase options, e.g. --disable-es-transforms for disableESTransforms. (<<-ArS, Alan Pierce) (#670, #812)
  • Add SUCRASE_OPTIONS environment variable for configuring sucrase/register, sucrase-node, and any programmatic require hook usages. The value must be a valid JSON object of Sucrase options that will be merged with the usual options. (#813)

3.33.0 (from changelog)

  • Add an option keepUnusedImports that disables all automatic import/export elision, equivalent to the TypeScript option verbatimModuleSyntax. (#811, #615) (Kotaro Chikuba, Alan Pierce)
  • Add support for the await using proposal and the updated import attributes proposal. Both are preserved in the output code, not transformed. (#798)
  • Fix some issues with TypeScript automatic export elision in export {...} from statements. (#806)
    • Type names from the current file are no longer removed.
    • When all exports are type exports, the entire statement is now removed.
  • Fix bug where fn(x < y, x >= y) was incorrectly parsed as type arguments. (#798)
  • Fix a few bugs in enableLegacyBabel5ModuleInterop: properly handle as default, and properly ignore type exports. (#804, #807) (三咲智子 Kevin Deng, Alan Pierce)
  • Fix bug where parameters inside function types could be misinterpreted as declarations and result in imports being incorrectly marked as unused. (#809)
  • Fix bug where import {} and export {} statements were removed with the TypeScript transform disabled. (#810)
  • Make the transform behavior more forgiving when code accidentally has a return type annotation on a constructor. (#800)

Does any of this look wrong? Please let us know.

↗️ yaml (indirect, 2.2.2 → 2.6.0) · Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 @​isaacs/cliui (added, 8.0.2)

🆕 @​pkgjs/parseargs (added, 0.11.0)

🆕 ansi-styles (added, 6.2.1)

🆕 color-convert (added, 2.0.1)

🆕 eastasianwidth (added, 0.2.0)

🆕 foreground-child (added, 3.3.0)

🆕 hasown (added, 2.0.2)

🆕 is-fullwidth-code-point (added, 3.0.0)

🆕 jackspeak (added, 3.4.3)

🆕 minipass (added, 7.1.2)

🆕 package-json-from-dist (added, 1.0.1)

🆕 path-scurry (added, 1.11.1)

🆕 signal-exit (added, 4.1.0)

🆕 string-width (added, 5.1.2)

🆕 string-width-cjs (added, npm:string-width@4.2.3)

🆕 strip-ansi-cjs (added, npm:strip-ansi@6.0.1)

🆕 wrap-ansi (added, 8.1.0)

🆕 wrap-ansi-cjs (added, npm:wrap-ansi@7.0.0)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
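The braces and micromatch advisories in the update above describe the same class of failure: a glob pattern chosen by an attacker drives the brace parser into unbounded work (a loop that keeps allocating on imbalanced braces; a regex that backtracks while it looks for a missing closing bracket). Upgrading is the fix; the check a practitioner also wants is to never hand an untrusted pattern to either parser unvalidated. The following is an added example, not code from braces, micromatch, Tailwind or this repository: a linear-time guard that bounds pattern length and brace nesting and rejects imbalanced braces before expansion runs. The names checkGlobPattern and safeExpand, the two limits and the sample inputs are assumptions for illustration; the expand parameter stands in for whichever expander (braces() or micromatch.braces()) your code calls, so the example runs without either package installed.

```javascript
// Added example (not from braces, micromatch or this PR): a guard that validates
// untrusted glob patterns before they reach brace expansion. All names are ours.
"use strict";

const MAX_PATTERN_LENGTH = 1024; // assumption: a sane upper bound for a user-supplied glob
const MAX_BRACE_DEPTH = 8;       // assumption: nesting deeper than this is never legitimate here

// Single linear pass, no regex: cost is O(n) whatever the input looks like, which is
// exactly the property the advisories above say the vulnerable code paths lacked.
function checkGlobPattern(pattern) {
  if (typeof pattern !== "string") {
    return { ok: false, reason: "pattern must be a string" };
  }
  if (pattern.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: `pattern longer than ${MAX_PATTERN_LENGTH} characters` };
  }
  let depth = 0;
  let maxDepth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === "\\") {        // a backslash escapes the next character, including { and }
      i++;
      continue;
    }
    if (ch === "{") {
      depth++;
      if (depth > maxDepth) maxDepth = depth;
      if (depth > MAX_BRACE_DEPTH) {
        return { ok: false, reason: `brace nesting deeper than ${MAX_BRACE_DEPTH}` };
      }
    } else if (ch === "}") {
      if (depth === 0) {
        return { ok: false, reason: `unmatched "}" at offset ${i}` };
      }
      depth--;
    }
  }
  if (depth !== 0) {
    return { ok: false, reason: `${depth} unclosed "{"` };
  }
  return { ok: true, depth: maxDepth };
}

// Refuses to hand a bad pattern to the expander at all. `expand` is whatever brace
// expansion function you use (e.g. braces() or micromatch.braces()); passing it in
// keeps this file free of either dependency.
function safeExpand(pattern, expand) {
  const verdict = checkGlobPattern(pattern);
  if (!verdict.ok) {
    throw new Error(`rejected glob pattern: ${verdict.reason}`);
  }
  return expand(pattern);
}

// Constructed sample inputs: one legitimate pattern, the "imbalanced braces" shape
// from the braces advisory, an oversized pattern, and escaped braces that are literal.
const SAMPLES = {
  legit: "src/**/*.{js,ts,{spec,test}.js}",
  imbalanced: "{".repeat(50),
  oversized: "{a,b}".repeat(10000),
  escaped: "literal\\{not-a-group\\}",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, p] of Object.entries(SAMPLES)) {
    console.log(name, JSON.stringify(checkGlobPattern(p)));
  }
}
```

Run it with node: the wrapper throws before the expander ever sees a hostile pattern, so the input fails fast in O(n) instead of exhausting the heap or pegging the CPU. A length cap alone already bounds the damage in both cases, since each advisory notes that cost grows with input size; the nesting and balance checks catch the specific shapes the advisories name.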

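Depfu lists each indirect package above (braces, micromatch and the rest) once, with a single old and new version, but npm can keep several copies of one package nested under different dependents, and a bump at the top level does not by itself prove that every nested copy moved too. The following is an added example, not part of Depfu, this repository or any of the packages listed: a check that walks a lockfileVersion 2 or 3 package-lock.json and reports every installed copy of braces or micromatch still below the versions the advisories above were fixed in (3.0.3 and 4.0.8). The lockfile fragment is constructed for illustration (its nested older braces copy is invented to show a finding), as are the function names; the version comparison is simplified to numeric major.minor.patch and ignores prerelease tags, and lockfileVersion 1 files (which use a "dependencies" tree instead of "packages") are not handled.

```javascript
// Added example (not part of Depfu or this PR): verify that a package-lock.json really
// contains no copy of a vulnerable package below its fixed version. All names are ours.
"use strict";

// Versions in which the advisories in the update above are fixed (taken from the PR body).
const FIXED_VERSIONS = { braces: "3.0.3", micromatch: "4.0.8" };

// Minimal numeric semver compare: returns <0, 0 or >0. Assumption: no prerelease
// ordering is needed, so a "-beta.1" style suffix is simply dropped.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Map a lockfile path key such as "node_modules/chokidar/node_modules/braces" to the
// package it installs ("braces"); scoped names like "@jridgewell/trace-mapping" survive.
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  if (idx === -1) return null;
  return lockPath.slice(idx + "node_modules/".length);
}

// Scan a lockfileVersion 2/3 "packages" map and return every installed copy of a
// watched package that is still below its fixed version, wherever it is nested.
function findVulnerableCopies(lock, fixedVersions = FIXED_VERSIONS) {
  const findings = [];
  const packages = lock.packages || {};
  for (const [lockPath, entry] of Object.entries(packages)) {
    if (lockPath === "") continue;                 // the root project entry
    const name = packageNameFromPath(lockPath);
    const fixed = name && fixedVersions[name];
    if (!fixed || !entry.version) continue;
    if (compareVersions(entry.version, fixed) < 0) {
      findings.push({ path: lockPath, name, version: entry.version, fixed });
    }
  }
  return findings;
}

// Constructed lockfile fragment (not the repository's real lockfile): the top-level
// braces was bumped to 3.0.3 as in this PR, but a nested copy under chokidar was not.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/braces": { version: "3.0.3" },
    "node_modules/micromatch": { version: "4.0.8" },
    "node_modules/chokidar": { version: "3.6.0" },
    "node_modules/chokidar/node_modules/braces": { version: "3.0.2" },
    "node_modules/@jridgewell/trace-mapping": { version: "0.3.25" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const found = findVulnerableCopies(SAMPLE_LOCK);
  for (const f of found) {
    console.log(`${f.path}: ${f.name}@${f.version} is below fixed version ${f.fixed}`);
  }
  process.exitCode = found.length ? 1 : 0;
}
```

In CI, feed findVulnerableCopies the parsed contents of the real package-lock.json and fail the build on any finding. Interactively, npm ls braces micromatch and npm audit give the same answer, but they need an installed node_modules tree; this check runs on the lockfile alone, which is what the merge actually changes.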
@depfu depfu bot added the depfu label Nov 15, 2024

Contributor Author

depfu bot commented Dec 4, 2024

Closed in favor of #282.

@depfu depfu bot closed this Dec 4, 2024
@depfu depfu bot deleted the depfu/update/npm/tailwindcss-3.4.15 branch December 4, 2024 22:46