Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): bump the npm_and_yarn group across 1 directory with 2 updates #617

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): bump the npm_and_yarn group across 1 directory with 2 updates #617

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link

@dependabot dependabot bot commented on behalf of github Jun 4, 2024

Bumps the npm_and_yarn group with 2 updates in the /packages/app directory: ses and jsdom.

Updates ses from 0.12.7 to 1.5.0

Changelog

Sourced from ses's changelog.

1.5.0 (2024-05-07)

Features

  • ses: add COMPARTMENT_LOAD_ERRORS env option to print verbose output for module loading errors (eca5f23)
  • ses: add ImportNowHook to CompartmentOptions (e0300ba)
  • ses: importNowHook PoC (e20c135)
  • ses: redefine SharedSymbol to bypass Hermes prototype bug on obj literal short-hand methods (#2206) (59bb9ba)

Bug Fixes

1.4.1 (2024-04-04)

Note: Version bump only for package ses

1.4.0 (2024-03-20)

Features

  • ses-ava: import test from @​endo/ses-ava/prepare-endo.js (#2133) (9d3a7ce)
  • ses: tolerate omitted species (#2108) (70c85ef)

1.3.0 (2024-02-23)

Features

  • ses: permit Promise.any, AggregateError (6a8c4d8)

Bug Fixes

... (truncated)

Commits

Updates jsdom from 11.12.0 to 24.1.0

Release notes

Sourced from jsdom's releases.

Version 24.1.0

  • Added the getSetCookie() method to the Headers class. (ushiboy)
  • Fixed the creation and parsing of elements with names from Object.prototype, like "constructor" or "toString".
  • Updated rweb-cssom, which can now parse additional CSS constructs.

Version 24.0.0

This release reverts our selector engine back to nwsapi. As discussed in #3659, the performance regressions from @asamuzakjp/dom-selector turned out to be higher than anticipated. In the future, we can revisit @asamuzakjp/dom-selector after it reaches nwsapi's performance on the two real-world benchmarks provided by the community.

Since reverting to nwsapi causes several functionality regressions, e.g. removing :has() support, we've decided to make this a major version.

Additionally:

  • Small fixes to edge-case behavior of the following properties: input.maxLength, input.minLength, input.size, progress.max, tableCell.colSpan, tableCell.rowSpan, tableCol.span, textArea.cols, textArea.maxLength, textArea.minLength, textArea.rows.

Version 23.2.0

This release switches our CSS selector engine from nwsapi to @asamuzakjp/dom-selector. The new engine is more actively maintained, and supports many new selectors: see the package's documentation for the full list. It also works better with shadow trees.

There is a potential of a performance regression due to this change. In our stress test benchmark, which runs most of these 273 selectors against this 128 KiB document, the new engine completes the benchmark only 0.25x as fast. However, we're hopeful that in more moderate usage this will not be a significant issue. Any help speeding up @asamuzakjp/dom-selector is appreciated, and feel free to open an issue if this has had a significant impact on your project.

Version 23.1.0

  • Added an initial implementation of ElementInternals, including the shadowRoot getter and the string-valued ARIA properties. (zjffun)
  • Added the string-valued ARIA attribute-reflecting properties to Element.
  • Fixed history.pushState() and history.replaceState() to follow the latest specification, notably with regards to how they handle empty string inputs and what new URLs are possible.
  • Fixed the input.valueAsANumber setter to handle NaN correctly. (alexandertrefz)
  • Updated various dependencies, including cssstyle which contains several bug fixes.

Version 23.0.1

  • Fixed the incorrect canvas peer dependency introduced in v23.0.0.

Version 23.0.0

  • Node.js v18 is now the minimum supported version.
  • Updated various dependencies, including whatwg-url which integrates various additions to the URL and URLSearchParams objects.

Version 22.1.0

  • Added crypto.randomUUID(). (jamesbvaughan)
  • Added DOMRect and DOMRectReadOnly.
  • Added AbortSignal.timeout().
  • Added abortSignal.throwIfAborted().
  • Added support for the submitter argument to the FormData constructor. (jenseng)
  • Improved getComputedStyle()'s results for color-based properties, to resolve named colors and attempt to provide initial inheritance support. (hoekz-wwt)
  • Updated Window's event handler properties (e.g. oncopy, ontouchstart, etc.) to reflect the latest list from the standard.
  • Fixed DOMParser-created documents to inherit their URL from the creating document.

Version 22.0.0

Version 21.1.2

  • Fixed setRangeText() used on <input> and <textarea> elements to calculate the new end index correctly. (pmstss)
  • Fixed pageX, pageY, offsetX, and offsetY on MouseEvents during dispatch. (jenseng)

... (truncated)

Changelog

Sourced from jsdom's changelog.

24.1.0

  • Added the getSetCookie() method to the Headers class. (ushiboy)
  • Fixed the creation and parsing of elements with names from Object.prototype, like "constructor" or "toString".
  • Updated rweb-cssom, which can now parse additional CSS constructs.

24.0.0

This release reverts our selector engine back to nwsapi. As discussed in #3659, the performance regressions from @asamuzakjp/dom-selector turned out to be higher than anticipated. In the future, we can revisit @asamuzakjp/dom-selector after it reaches nwsapi's performance on the two real-world benchmarks provided by the community.

Since reverting to nwsapi causes several functionality regressions, e.g. removing :has() support, we've decided to make this a major version.

Additionally:

  • Small fixes to edge-case behavior of the following properties: input.maxLength, input.minLength, input.size, progress.max, tableCell.colSpan, tableCell.rowSpan, tableCol.span, textArea.cols, textArea.maxLength, textArea.minLength, textArea.rows.

23.2.0

This release switches our CSS selector engine from nwsapi to @asamuzakjp/dom-selector. The new engine is more actively maintained, and supports many new selectors: see the package's documentation for the full list. It also works better with shadow trees.

There is a potential of a performance regression due to this change. In our stress test benchmark, which runs most of these 273 selectors against this 128 KiB document, the new engine completes the benchmark only 0.25x as fast. However, we're hopeful that in more moderate usage this will not be a significant issue. Any help speeding up @asamuzakjp/dom-selector is appreciated, and feel free to open an issue if this has had a significant impact on your project.

23.1.0

  • Added an initial implementation of ElementInternals, including the shadowRoot getter and the string-valued ARIA properties. (zjffun)
  • Added the string-valued ARIA attribute-reflecting properties to Element.
  • Fixed history.pushState() and history.replaceState() to follow the latest specification, notably with regards to how they handle empty string inputs and what new URLs are possible.
  • Fixed the input.valueAsANumber setter to handle NaN correctly. (alexandertrefz)
  • Updated various dependencies, including cssstyle which contains several bug fixes.

23.0.1

  • Fixed the incorrect canvas peer dependency introduced in v23.0.0.

23.0.0

  • Node.js v18 is now the minimum supported version.
  • Updated various dependencies, including whatwg-url which integrates various additions to the URL and URLSearchParams objects.

22.1.0

  • Added crypto.randomUUID(). (jamesbvaughan)
  • Added DOMRect and DOMRectReadOnly.
  • Added AbortSignal.timeout().
  • Added abortSignal.throwIfAborted().
  • Added support for the submitter argument to the FormData constructor. (jenseng)
  • Improved getComputedStyle()'s results for color-based properties, to resolve named colors and attempt to provide initial inheritance support. (hoekz-wwt)
  • Updated Window's event handler properties (e.g. oncopy, ontouchstart, etc.) to reflect the latest list from the standard.
  • Fixed DOMParser-created documents to inherit their URL from the creating document.

... (truncated)

Commits
  • 4555914 Version 24.1.0
  • a693107 Fix elements with names from Object.prototype
  • 8738255 Add regression test for comma selector
  • a343932 Implement the getSetCookie() method of Headers
  • f2fa507 Update URLs and fix grammar error
  • 7dc7ab9 Fix getComputedStyle() not-implemented message
  • f5f2468 Update dependencies and most dev dependencies
  • b32d82b Fix wpt failure in overwritten-customElements-global.html
  • 2f8a730 Version 24.0.0
  • db0a4dc Implement the remaining types of numeric reflection
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump the npm_and_yarn group across 1 directory with 2 up…
a9ac8e8 
…dates

Bumps the npm_and_yarn group with 2 updates in the /packages/app directory: [ses](https://github.com/endojs/endo/tree/HEAD/packages/ses) and [jsdom](https://github.com/jsdom/jsdom).


Updates `ses` from 0.12.7 to 1.5.0
- [Changelog](https://github.com/endojs/endo/blob/master/packages/ses/CHANGELOG.md)
- [Commits](https://github.com/endojs/endo/commits/ses@1.5.0/packages/ses)

Updates `jsdom` from 11.12.0 to 24.1.0
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Changelog](https://github.com/jsdom/jsdom/blob/main/Changelog.md)
- [Commits](jsdom/jsdom@11.12.0...24.1.0)

---
updated-dependencies:
- dependency-name: ses
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: jsdom
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Jun 4, 2024
@dependabot dependabot bot requested a review from a team as a code owner June 4, 2024 00:48
@socket-security Socket Security
Copy link

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/jsdom@24.1.0 eval, filesystem, network, shell, unsafe +15 3.96 MB domenic
npm/ses@1.5.0 None +1 3.38 MB kriskowal

🚮 Removed packages: npm/jsdom@11.12.0, npm/ses@0.12.7, npm/ws@5.2.3

View full report↗︎

@socket-security Socket Security
Copy link

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert Package NoteSource
Network access npm/agent-base@7.1.1
Network access npm/agent-base@7.1.1
Network access npm/agent-base@7.1.1

View full report↗︎

Next steps

What is network access?

This module accesses the network.

Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm/agent-base@7.1.1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
0 participants