🤖 Dependency update

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Adoption	Passing	Confidence
node		major	12.18.3 -> 18.15.0
		lockFileMaintenance	All locks refreshed
@types/node (source)	devDependencies	major	14.14.28 -> 18.15.10
@types/react (source)	devDependencies	major	17.0.2 -> 18.0.29
@types/react-copy-to-clipboard (source)	devDependencies	patch	5.0.0 -> 5.0.4
@types/styled-components (source)	devDependencies	patch	5.1.7 -> 5.1.26
axios (source)	dependencies	major	0.21.1 -> 1.3.4
babel-plugin-styled-components (source)	devDependencies	major	1.12.0 -> 2.0.7
circleci/node	docker	major	12.18.3 -> 17.2.0
eslint (source)	devDependencies	major	7.20.0 -> 8.36.0
eslint-config-airbnb	devDependencies	major	18.2.1 -> 19.0.4
eslint-config-prettier	devDependencies	major	7.2.0 -> 8.8.0
eslint-plugin-import	devDependencies	minor	2.22.1 -> 2.27.5
eslint-plugin-jest	devDependencies	major	24.1.3 -> 27.2.1
eslint-plugin-jsx-a11y	devDependencies	minor	6.4.1 -> 6.7.1
eslint-plugin-prettier	devDependencies	major	3.3.1 -> 4.2.1
eslint-plugin-react	devDependencies	minor	7.22.0 -> 7.32.2
jest (source)	devDependencies	major	26.6.3 -> 29.5.0
next (source)	dependencies	major	10.0.6 -> 12.1.0
node	engines	major	12.20.1 -> 18.15.0
prettier (source)	dependencies	minor	2.2.1 -> 2.8.7
prettier (source)	devDependencies	minor	2.2.1 -> 2.8.7
prop-types (source)	dependencies	minor	15.7.2 -> 15.8.1
react (source)	dependencies	major	17.0.1 -> 18.2.0
react-copy-to-clipboard	dependencies	minor	5.0.3 -> 5.1.0
react-dom (source)	dependencies	major	17.0.1 -> 18.2.0
react-dropzone	dependencies	major	11.3.1 -> 14.2.3
svgo	dependencies	major	1.3.2 -> 3.0.2
styled-components (source)	dependencies	minor	5.2.1 -> 5.3.9
typescript (source)	devDependencies	major	4.1.5 -> 5.0.2

GitHub Vulnerability Alerts

CVE-2021-39178

Impact

• Affected: All of the following must be true to be affected
  • Next.js between version 10.0.0 and 11.1.0
  • The next.config.js file has images.domains array assigned
  • The image host assigned in images.domains allows user-provided SVG
• Not affected: The next.config.js file has images.loader assigned to something other than default
• Not affected: Deployments on Vercel are not affected

Patches

Next.js v11.1.1

CVE-2022-23646

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change next.config.js to use a different loader configuration other than the default.

Impact

• Affected: All of the following must be true to be affected
  • Next.js between version 10.0.0 and 12.0.10
  • The next.config.js file has images.domains array assigned
  • The image host assigned in images.domains allows user-provided SVG
• Not affected: The next.config.js file has images.loader assigned to something other than default

Patches

Next.js 12.1.0

Workarounds

Change next.config.js to use a different loader configuration other than the default, for example:

module.exports = {
  images: {
    loader: 'imgix',
    path: 'https://example.com/myaccount/',
  },
}

Or if you want to use the loader prop on the component, you can use custom:

module.exports = {
  images: {
    loader: 'custom',
  },
}

---

Release Notes

nodejs/node

v18.15.0: 2023-03-07, Version 18.15.0 'Hydrogen' (LTS), @​BethGriggs prepared by @​juanarbol

Compare Source

Notable Changes

• [63563f8a7a] - doc,lib,src,test: rename --test-coverage (Colin Ihrig) #​46017
• [28a775b32f] - test_runner: add initial code coverage support (Colin Ihrig) #​46017
• [4d50db14b3] - (SEMVER-MINOR) test_runner: add reporters (Moshe Atlow) #​45712
• [643545ab79] - (SEMVER-MINOR) fs: add statfs() functions (Colin Ihrig) #​46358
• [110ead9abb] - (SEMVER-MINOR) vm: expose cachedDataRejected for vm.compileFunction (Anna Henningsen) #​46320
• [02632b42cf] - (SEMVER-MINOR) v8: support gc profile (theanarkh) #​46255
• [f09b838408] - (SEMVER-MINOR) src,lib: add constrainedMemory API for process (theanarkh) #​46218
• [cb5bb12422] - (SEMVER-MINOR) buffer: add isAscii method (Yagiz Nizipli) #​46046

Commits

• [6f91c8e2ae] - benchmark: add trailing commas (Antoine du Hamel) #​46370
• [d0b9be21eb] - benchmark: remove buffer benchmarks redundancy (Brian White) #​45735
• [6468f30d0d] - benchmark: introduce benchmark combination filtering (Brian White) #​45735
• [cb5bb12422] - (SEMVER-MINOR) buffer: add isAscii method (Yagiz Nizipli) #​46046
• [ec61bb04c0] - build: export more OpenSSL symbols on Windows (Mohamed Akram) #​45486
• [7bae4333ce] - build: fix MSVC 2022 Release compilation (Vladimir Morozov (REDMOND)) #​46228
• [0f5f2d4470] - crypto: include hmac.h in crypto_util.h (Adam Langley) #​46279
• [91ece4161b] - crypto: avoid hang when no algorithm available (Richard Lau) #​46237
• [492fc95bdf] - deps: V8: cherry-pick 90be99f (Michaël Zasso) #​46646
• [732c77e3d9] - deps: update acorn to 8.8.2 (Node.js GitHub Bot) #​46363
• [8582f99ffb] - deps: update to uvwasi 0.0.15 (Colin Ihrig) #​46253
• [5453cd9940] - deps: V8: cherry-pick bf0bd48 (Michaël Zasso) #​45908
• [3ea53c5dc8] - deps: V8: cherry-pick c875e86 (sepehrst) #​46501
• [c04808de4b] - doc: correct the sed command for macOS in release process docs (Juan José) #​46397
• [8113220690] - doc: pass string to textEncoder.encode as input (Deokjin Kim) #​46421
• [129dccf5d2] - doc: add tip for session.post function (theanarkh) #​46354
• [919e581732] - doc: add documentation for socket.destroySoon() (Luigi Pinca) #​46337
• [fc15ac95a5] - doc: fix commit message using test instead of deps (Tony Gorez) #​46313
• [d153a93200] - doc: add v8 fast api contribution guidelines (Yagiz Nizipli) #​46199
• [dbf082d082] - doc: fix small typo error (0xflotus) #​46186
• [94421b4cfe] - doc: mark some parameters as optional in webstreams (Deokjin Kim) #​46269
• [5adb743511] - doc: update output of example in events.getEventListeners (Deokjin Kim) #​46268
• [63563f8a7a] - doc,lib,src,test: rename --test-coverage (Colin Ihrig) #​46017
• [4e88c7c813] - esm: delete preload mock test (Geoffrey Booth) #​46402
• [643545ab79] - (SEMVER-MINOR) fs: add statfs() functions (Colin Ihrig) #​46358
• [5019b5473f] - http: res.setHeaders first implementation (Marco Ippolito) #​46109
• [76622c4c60] - inspector: allow opening inspector when NODE_V8_COVERAGE is set (Moshe Atlow) #​46113
• [92f0747e03] - meta: update AUTHORS (Node.js GitHub Bot) #​46399
• [795251bc6f] - meta: update AUTHORS (Node.js GitHub Bot) #​46303
• [8865424c31] - meta: add .mailmap entry (Rich Trott) #​46303
• [5ed679407b] - meta: move evanlucas to emeritus (Evan Lucas) #​46274
• [403df210ac] - module: move test reporter loading (Geoffrey Booth) #​45923
• [2f7319e387] - readline: fix detection of carriage return (Antoine du Hamel) #​46306
• [73a8f46c4d] - Revert "src: let http2 streams end after session close" (Santiago Gimeno) #​46721
• [30d783f91a] - src: stop tracing agent before shutting down libuv (Santiago Gimeno) #​46380
• [1508d90fda] - src: get rid of fp arithmetic in ParseIPv4Host (Tobias Nießen) #​46326
• [bdb793a082] - src: use UNREACHABLE instead of CHECK(falsy) (Tobias Nießen) #​46317
• [116a33649b] - src: add support for ETW stack walking (José Dapena Paz) #​46203
• [b06298c98e] - src: refactor EndsInANumber in node_url.cc and adds IsIPv4NumberValid (Miguel Teixeira) #​46227
• [26f41b041c] - src: fix c++ exception on bad command line arg (Ben Noordhuis) #​46290
• [14da89f41a] - src: remove unreachable UNREACHABLE (Tobias Nießen) #​46281
• [18c4dd004b] - src: replace custom ASCII validation with simdutf one (Anna Henningsen) #​46271
• [cde375510f] - src: replace unreachable code with static_assert (Tobias Nießen) #​46250
• [f389b2f3fc] - src: use explicit C++17 fallthrough (Tobias Nießen) #​46251
• [8adaa1333c] - src: use CreateEnvironment instead of inlining its code where possible (Anna Henningsen) #​45886
• [f09b838408] - (SEMVER-MINOR) src,lib: add constrainedMemory API for process (theanarkh) #​46218
• [63e92eae63] - stream: remove brandchecks from stream duplexify (Debadree Chatterjee) #​46315
• [3acfe9bf92] - stream: fix readable stream as async iterator function (Erick Wendel) #​46147
• [de64315ccb] - test: fix WPT title when no META title is present (Filip Skokan) #​46804
• [162e3400ff] - test: fix default WPT titles (Filip Skokan) #​46778
• [5f422c4d70] - test: add WPTRunner support for variants and generating WPT reports (Filip Skokan) #​46498
• [4f5aff2557] - test: fix tap parser fails if a test logs a number (Pulkit Gupta) #​46056
• [32b020cf84] - test: fix tap escaping with and without --test (Pulkit Gupta) #​46311
• [f2bba1bcdb] - test: add trailing commas in test/node-api (Antoine du Hamel) #​46384
• [f2ebe66fda] - test: add trailing commas in test/message (Antoine du Hamel) #​46372
• [ed564a9985] - test: add trailing commas in test/pseudo-tty (Antoine du Hamel) #​46371
• [e4437dd409] - test: set common.bits to 64 for loong64 (Shi Pujin) #​45383
• [9d40aef736] - test: s390x zlib test case fixes (Adam Majer) #​46367
• [ed3fb52716] - test: fix logInTimeout is not function (theanarkh) #​46348
• [d05b0771be] - test: avoid trying to call sysctl directly (Adam Majer) #​46366
• [041aac3bbd] - test: avoid left behind child processes (Richard Lau) #​46276
• [837ddcb322] - test: add failing test for readline with carriage return (Alec Mev) #​46075
• [75b8db41c6] - test: reduce fs-write-optional-params flakiness (LiviaMedeiros) #​46238
• [c0d3fdaf63] - test,crypto: add CFRG curve vectors to wrap/unwrap tests (Filip Skokan) #​46406
• [f328f7b15e] - test,crypto: update WebCryptoAPI WPT (Filip Skokan) #​46267
• [1ef3c53e24] - test_runner: better handle async bootstrap errors (Colin Ihrig) #​46720
• [0a690efb76] - test_runner: add describe.only and it.only shorthands (Richie McColl) #​46604
• [28a1317efe] - test_runner: bootstrap reporters before running tests (Moshe Atlow) #​46737
• [cd3aaa8fac] - test_runner: emit test-only diagnostic warning (Richie McColl) #​46540
• [c19fa45a65] - test_runner: centralize CLI option handling (Colin Ihrig) #​46707
• [0898145e37] - test_runner: display skipped tests in spec reporter output (Richie McColl) #​46651
• [894d7117fa] - test_runner: parse non-ascii character correctly (Mert Can Altın) #​45736
• [5b3c606626] - test_runner: flatten TAP output when running using --test (Moshe Atlow) #​46440
• [391ff0dba4] - test_runner: allow nesting test within describe (Moshe Atlow) #​46544
• [ba784e87b4] - test_runner: fix missing test diagnostics (Moshe Atlow) #​46450
• [c5f16fb5fb] - test_runner: top-level diagnostics not ommited when running with --test (Pulkit Gupta) #​46441
• [28a775b32f] - test_runner: add initial code coverage support (Colin Ihrig) #​46017
• [0d999e373a] - test_runner: make built in reporters internal (Colin Ihrig) #​46092
• [79f4b426fe] - test_runner: report file in test runner events (Moshe Atlow) #​46030
• [4d50db14b3] - (SEMVER-MINOR) test_runner: add reporters (Moshe Atlow) #​45712
• [5fdf374c74] - test_runner: avoid swallowing of asynchronously thrown errors (MURAKAMI Masahiko) #​45264
• [23b875806c] - test_runner: update comment to comply with eslint no-fallthrough rule (Antoine du Hamel) #​46258
• [00c5495aa3] - tools: update eslint to 8.33.0 (Node.js GitHub Bot) #​46400
• [37a6ce1120] - tools: update doc to unist-util-select@4.0.3 unist-util-visit@4.1.2 (Node.js GitHub Bot) #​46364
• [1eaafc7db4] - tools: update lint-md-dependencies to rollup@3.12.0 (Node.js GitHub Bot) #​46398
• [a97774603b] - tools: require more trailing commas (Antoine du Hamel) #​46346
• [03e244a59b] - tools: update lint-md-dependencies (Node.js GitHub Bot) #​46302
• [60d714e0c3] - tools: allow icutrim.py to run on python2 (Michael Dawson) #​46263
• [b7950f50de] - tools: update eslint to 8.32.0 (Node.js GitHub Bot) #​46258
• [08bafc84f6] - url: refactor to use more primordials (Antoine du Hamel) #​45966
• [02632b42cf] - (SEMVER-MINOR) v8: support gc profile (theanarkh) #​46255
• [110ead9abb] - (SEMVER-MINOR) vm: expose cachedDataRejected for vm.compileFunction (Anna Henningsen) #​46320

v18.14.2: 2023-02-21, Version 18.14.2 'Hydrogen' (LTS), @​MylesBorins

Compare Source

Notable Changes

• [f864bef32a] - deps: upgrade npm to 9.5.0 (npm team) #​46673

Commits

• [880a65d7ff] - build: delete snapshot.blob file from the project (Juan José Arboleda) #​46626
• [cbea56efda] - deps: update undici to 5.20.0 (Node.js GitHub Bot) #​46711
• [f864bef32a] - deps: upgrade npm to 9.5.0 (npm team) #​46673
• [648041d568] - deps: upgrade npm to 9.4.0 (npm team) #​46353
• [5e1f213f3c] - deps: patch V8 to 10.2.154.26 (Michaël Zasso) #​46446

v18.14.1: 2023-02-16, Version 18.14.1 'Hydrogen' (LTS), @​RafaelGSS prepared by @​juanarbol

Compare Source

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

• CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High)
• CVE-2023-23919: Node.js OpenSSL error handling issues in nodejs crypto library (Medium)
• CVE-2023-23936: Fetch API in Node.js did not protect against CRLF injection in host headers (Medium)
• CVE-2023-24807: Regular Expression Denial of Service in Headers in Node.js fetch API (Low)
• CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)

More detailed information on each of the vulnerabilities can be found in February 2023 Security Releases blog post.

This security release includes OpenSSL security updates as outlined in the recent
OpenSSL security advisory.

Commits

• [8393ebc72d] - build: build ICU with ICU_NO_USER_DATA_OVERRIDE (RafaelGSS) nodejs-private/node-private#​379
• [004e34d046] - crypto: clear OpenSSL error on invalid ca cert (RafaelGSS) #​46572
• [5e0142a852] - deps: cherry-pick Windows ARM64 fix for openssl (Richard Lau) #​46572
• [f71fe278a6] - deps: update archs files for quictls/openssl-3.0.8+quic (RafaelGSS) #​46572
• [2c6817e42b] - deps: upgrade openssl sources to quictls/openssl-3.0.8+quic (RafaelGSS) #​46572
• [f0afa0bfe5] - deps: update undici to 5.19.1 (Node.js GitHub Bot) #​46634
• [c26a34c13e] - deps: update undici to 5.18.0 (Node.js GitHub Bot) #​46634
• [db93ee4a15] - deps: update undici to 5.17.1 (Node.js GitHub Bot) #​46634
• [b4e49fb02c] - deps: update undici to 5.16.0 (Node.js GitHub Bot) #​46634
• [90994e6a2c] - deps: update undici to 5.15.1 (Node.js GitHub Bot) #​46634
• [00302fc7ac] - deps: update undici to 5.15.0 (Node.js GitHub Bot) #​46634
• [0e3b796cc5] - lib: makeRequireFunction patch when experimental policy (RafaelGSS) nodejs-private/node-private#​371
• [7cccd5565f] - policy: makeRequireFunction on mainModule.require (RafaelGSS) nodejs-private/node-private#​371

v18.14.0: 2023-02-02, Version 18.14.0 'Hydrogen' (LTS), @​BethGriggs prepared by @​juanarbol

Compare Source

Notable changes

Updated npm to 9.3.1

Based on the list of guidelines we've established on integrating npm and node,
here is a grouped list of the breaking changes with the reasoning as to why they
fit within the guidelines linked above. Note that all the breaking changes were
made in 9.0.0.
All subsequent minor and patch releases after npm@9.0.0 do not contain any
breaking changes.

Engines

Explanation: the node engines supported by npm@9 make it safe to allow npm@9 as the default in any LTS version of 14 or 16, as well as anything later than or including 18.0.0

• npm is now compatible with the following semver range for node: ^14.17.0 || ^16.13.0 || >=18.0.0

Filesystem

Explanation: when run as root previous versions of npm attempted to manage file ownership automatically on the user's behalf. this behavior was problematic in many cases and has been removed in favor of allowing users to manage their own filesystem permissions

• npm will no longer attempt to modify ownership of files it creates.

Auth

Explanation: any errors thrown from users having unsupported auth configurations will show npm config fix in the remediation instructions, which will allow the user to automatically have their auth config fixed.

• The presence of auth related settings that are not scoped to a specific
  registry found in a config file is no longer supported and will throw errors.

Login

Explanation: the default auth-type has changed and users can opt back into the old behavior with npm config set auth-type=legacy. login and adduser have also been seperated making each command more closely match it's name instead of being aliases for each other.

• Legacy auth types sso, saml & legacy have been consolidated into "legacy".
• auth-type defaults to "web"
• login and adduser are now separate commands that send different data to the registry.
• auth-type config values web and legacy only try their respective methods,
  npm no longer tries them all and waits to see which one doesn't fail.

Tarball Packing

Explanation: previously using multiple ignore/allow lists when packing was an undefined behavior, and now the order of operations is strictly defined when packing a tarball making it easier to follow and should only affect users relying on the previously undefined behavior.

• npm pack now follows a strict order of operations when applying ignore rules.
  If a files array is present in the package.json, then rules in .gitignore
  and .npmignore files from the root will be ignored.

Display/Debug/Timing Info

Explanation: these changes center around the display of information to the terminal including timing and debug log info. We do not anticipate these changes breaking any existing workflows.

• Links generated from git urls will now use HEAD instead of master as the default ref.
• timing has been removed as a value for --loglevel.
• --timing will show timing information regardless of --loglevel, except when --silent.
• When run with the --timing flag, npm now writes timing data to a file
  alongside the debug log data, respecting the logs-dir option and falling
  back to <CACHE>/_logs/ dir, instead of directly inside the cache directory.
• The timing file data is no longer newline delimited JSON, and instead each run
  will create a uniquely named <ID>-timing.json file, with the <ID> portion
  being the same as the debug log.
• npm now outputs some json errors on stdout. Previously npm would output
  all json formatted errors on stderr, making it difficult to parse as the
  stderr stream usually has logs already written to it.

Config/Command Deprecations or Removals

Explanation: install-links is the only config or command in the list that has an effect on package installs. We fixed a number of issues that came up during prereleases with this change. It will also only be applied to new package trees created without a package-lock.json file. Any install with an existing lock file will not be changed.

• Deprecate boolean install flags in favor of --install-strategy.
• npm config set will no longer accept deprecated or invalid config options.
• install-links config defaults to "true".
• node-version config has been removed.
• npm-version config has been removed.
• npm access subcommands have been renamed.
• npm birthday has been removed.
• npm set-script has been removed.
• npm bin has been removed (use npx or npm exec to execute binaries).

Other notable changes

• doc:
  • add parallelism note to os.cpus() (Colin Ihrig) #​45895
• http:
  • join authorization headers (Marco Ippolito) #​45982
  • improved timeout defaults handling (Paolo Insogna) #​45778
• stream:
  • implement finished() for ReadableStream and WritableStream (Debadree Chatterjee) #​46205

Commits

• [1352f08778] - assert: remove assert.snapshot (Moshe Atlow) #​46112
• [4ee3238643] - async_hooks: refactor to use validateObject (Deokjin Kim) [#​46004](https://

---

Configuration

📅 Schedule: Branch creation - "before 5am on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated
svg2jsx	❌ Failed (Inspect)		Mar 27, 2023 at 0:31AM (UTC)