[Snyk] Upgrade core-js-compat from 3.37.1 to 3.38.0

[Vin757]

Snyk has created this PR to upgrade core-js-compat from 3.37.1 to 3.38.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 1 version ahead of your current version.

• The recommended version was released on 22 days ago.

Release notes

Package name: core-js-compat

• 3.38.0 - 2024-08-04
  
  • Changes v3.37.1...v3.38.0
  • RegExp.escape proposal:
    • Built-ins:
      • RegExp.escape
    • Moved to stage 3, June 2024 and July 2024 TC39 meetings
    • Updated the way of escaping, regex-escaping/77
    • Throw an error on non-strings, regex-escaping/58
    • Added /actual/ namespace entries, unconditional forced replacement changed to feature detection
  • Promise.try proposal:
    • Built-ins:
      • Promise.try
    • Moved to stage 3, June 2024 TC39 meeting
    • Added /actual/ namespace entries, unconditional forced replacement changed to feature detection
  • Uint8Array to / from base64 and hex stage 3 proposal:
    • Built-ins:
      • Uint8Array.fromBase64
      • Uint8Array.fromHex
      • Uint8Array.prototype.setFromBase64
      • Uint8Array.prototype.setFromHex
      • Uint8Array.prototype.toBase64
      • Uint8Array.prototype.toHex
    • Added Uint8Array.prototype.{ setFromBase64, setFromHex } methods
    • Added Uint8Array.fromBase64 and Uint8Array.prototype.setFromBase64 lastChunkHandling option, proposal-arraybuffer-base64/33
    • Added Uint8Array.prototype.toBase64 omitPadding option, proposal-arraybuffer-base64/60
    • Added throwing a TypeError on arrays backed by detached buffers
    • Unconditional forced replacement changed to feature detection
  • Fixed RegExp named capture groups polyfill in combination with non-capturing groups, #1352, thanks @ Ulop
  • Improved some cases of environment detection
  • Uses process.getBuiltinModule for getting built-in NodeJS modules where it's available
  • Uses https instead of http in URL constructor feature detection to avoid extra notifications from some overly vigilant security scanners, #1345
  • Some minor optimizations
  • Updated browserslist in core-js-compat dependencies that fixes an upstream issue with incorrect interpretation of some browserslist queries, #1344, browserslist/829, browserslist/836
  • Compat data improvements:
    • Added Safari 18.0 compat data:
      • Fixed Object.groupBy and Map.groupBy to work for non-objects
      • Fixed throwing a RangeError if Set methods are called on an object with negative size property
      • Fixed Set.prototype.symmetricDifference to call this.has in each iteration
      • Fixed Array.fromAsync to not call the Array constructor twice
      • Added URL.parse
    • Math.f16round and DataView.prototype.{ getFloat16, setFloat16 } marked as shipped from FF129
    • Symbol.asyncDispose added and marked as supported from V8 ~ Chromium 127
    • Promise.try added and marked as supported from V8 ~ Chromium 128
    • Added Deno 1.44 and 1.45 compat data mapping
    • self descriptor is broken in Deno 1.45.3 (again)
    • Added Electron 32 and 33 compat data mapping
    • Added Opera Android 83 compat data mapping
    • Added Samsung Internet 27 compat data mapping
    • Added Oculus Quest Browser 34 compat data mapping
• 3.37.1 - 2024-05-14
  
  • Changes v3.37.0...v3.37.1
  • Fixed URL.parse feature detection for some specific cases
  • Compat data improvements:
    • Set methods proposal added and marked as supported from FF 127
    • Symbol.dispose added and marked as supported from V8 ~ Chromium 125
    • Math.f16round and DataView.prototype.{ getFloat16, setFloat16 } added and marked as supported from Deno 1.43
    • URL.parse added and marked as supported from Chromium 126
    • URL.parse added and marked as supported from NodeJS 22.0
    • URL.parse added and marked as supported from Deno 1.43
    • Added Rhino 1.7.15 compat data, many features marked as supported
    • Added NodeJS 22.0 compat data mapping
    • Added Deno 1.43 compat data mapping
    • Added Electron 31 compat data mapping
    • Updated Opera Android 82 compat data mapping
    • Added Samsung Internet 26 compat data mapping
    • Added Oculus Quest Browser 33 compat data mapping

from core-js-compat GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@eslint-community/eslint-plugin-eslint-comments@4.3.0	None	+2	98.2 kB	eslint-community-bot
npm/@eslint/compat@1.1.0	None	0	45.7 kB	eslintbot
npm/@stylistic/eslint-plugin-js@2.2.2	None	+3	660 kB	eslint-stylistic-bot
npm/confusing-browser-globals@1.0.11	None	0	3.87 kB	iansu
npm/eslint-plugin-array-func@5.0.1	None	0	32.3 kB	freaktechnik
npm/eslint-plugin-canonical@4.18.1	environment, filesystem Transitive: unsafe	+90	17.1 MB	gajus
npm/eslint-plugin-es-x@7.7.0	Transitive: filesystem	+4	1.3 MB	eslint-community-bot
npm/eslint-plugin-import-x@0.5.1	Transitive: environment, filesystem, unsafe	+22	3.78 MB	jounqin
npm/eslint-plugin-jsonc@2.16.0	environment, filesystem	+5	1.61 MB	ota-meshi
npm/eslint-plugin-n@17.9.0	filesystem Transitive: unsafe	+4	1000 kB	weiran.zsd
npm/eslint-plugin-promise@6.2.0	None	0	69.6 kB	eslint-community-bot
npm/eslint-plugin-qunit@8.1.1	None	+2	561 kB	bmishkin
npm/eslint-plugin-redos@4.5.0-beta.6	filesystem	0	14.8 kB	makenowjust
npm/eslint-plugin-regexp@2.6.0	None	+5	2.28 MB	ota-meshi
npm/eslint-plugin-sonarjs@1.0.3	None	0	227 kB	sonartech
npm/eslint-plugin-unicorn@54.0.0	Transitive: environment, filesystem, unsafe	+19	4.47 MB	sindresorhus
npm/eslint@9.5.0	environment Transitive: filesystem, unsafe	+33	7.14 MB	eslintbot
npm/globals@15.6.0	None	0	170 kB	sindresorhus

🚮 Removed packages: npm/@babel/plugin-proposal-duplicate-named-capturing-groups-regex@7.24.7), npm/@babel/plugin-transform-arrow-functions@7.24.7), npm/@babel/plugin-transform-block-scoped-functions@7.24.7), npm/@babel/plugin-transform-block-scoping@7.24.7), npm/@babel/plugin-transform-class-properties@7.24.7), npm/@babel/plugin-transform-class-static-block@7.24.7), npm/@babel/plugin-transform-classes@7.24.7), npm/@babel/plugin-transform-computed-properties@7.24.7), npm/@babel/plugin-transform-destructuring@7.24.7), npm/@babel/plugin-transform-exponentiation-operator@7.24.7), npm/@babel/plugin-transform-for-of@7.24.7), npm/@babel/plugin-transform-literals@7.24.7), npm/@babel/plugin-transform-logical-assignment-operators@7.24.7), npm/@babel/plugin-transform-member-expression-literals@7.24.7), npm/@babel/plugin-transform-modules-commonjs@7.24.7), npm/@babel/plugin-transform-new-target@7.24.7), npm/@babel/plugin-transform-nullish-coalescing-operator@7.24.7), npm/@babel/plugin-transform-numeric-separator@7.24.7), npm/@babel/plugin-transform-object-rest-spread@7.24.7), npm/@babel/plugin-transform-object-super@7.24.7), npm/@babel/plugin-transform-optional-catch-binding@7.24.7), npm/@babel/plugin-transform-optional-chaining@7.24.7), npm/@babel/plugin-transform-parameters@7.24.7), npm/@babel/plugin-transform-private-methods@7.24.7), npm/@babel/plugin-transform-private-property-in-object@7.24.7), npm/@babel/plugin-transform-property-literals@7.24.7), npm/@babel/plugin-transform-reserved-words@7.24.7), npm/@babel/plugin-transform-shorthand-properties@7.24.7), npm/@babel/plugin-transform-spread@7.24.7), npm/@babel/plugin-transform-template-literals@7.24.7), npm/@babel/plugin-transform-unicode-regex@7.24.7)

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	CI
Install scripts	npm/core-js-pure@3.37.1	Install script: postinstall Source: node -e "try{require('./postinstall')}catch(e){}"	🚫

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/core-js-pure@3.37.1