
fix(deps): update dependency color-string to version 1.5.5 🌟 #16362

Merged
merged 2 commits into from May 6, 2021

Conversation


@renovate renovate bot commented May 6, 2021

WhiteSource Renovate

This PR contains the following updates:

Package: color-string
Change: 1.5.4 -> 1.5.5

Release Notes

Qix-/color-string

v1.5.5


Release notes copied verbatim from the commit message, which can be found here: 0789e21

Discovered by Yeting Li, c/o Colin Ife via Snyk.io.

A ReDoS (Regular Expression Denial of Service) vulnerability
was responsibly disclosed to me via email by Colin on
Mar 5 2021 regarding an exponential time complexity for
linearly increasing input lengths for `hwb()` color strings.

Strings reaching more than 5000 characters would see several
milliseconds of processing time; strings reaching more than
50,000 characters began seeing 1500ms (1.5s) of processing time.

The cause was due to the regular expression that parses
hwb() strings - specifically, the hue value - where
the integer portion of the hue value used a 0-or-more quantifier
shortly thereafter followed by a 1-or-more quantifier.

This caused excessive backtracking and a cartesian scan,
resulting in exponential time complexity given a linear
increase in input length.

Thank you Yeting Li and Colin Ife for bringing this to my
attention in a secure, responsible and professional manner.

A CVE will not be assigned for this vulnerability.

Configuration

📅 Schedule: "before 3am on the first day of the month" in timezone America/New_York.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by WhiteSource Renovate. View repository job log here.
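The defect the release notes describe, as an added illustration that is not color-string's own code: HUE_AMBIGUOUS is a hypothetical hue sub-pattern shaped like the description (a 0-or-more digit quantifier followed shortly by a 1-or-more one), not the library's exact expression, shown beside a bounded rewrite, a parser that uses either, and a timing helper for comparing them on a constructed run of digits.

```javascript
// Hypothetical hue sub-pattern shaped like the described defect: \d* then \.?
// then \d+. On "hwb(" followed by N digits and no separator, every split of the
// digits between \d* and \d+ is tried before the match fails (quadratic work).
const HUE_AMBIGUOUS = String.raw`[+-]?\d*\.?\d+`;
// Bounded alternative: at most three integer digits plus an optional fraction,
// so the number of splits no longer grows with input length. Note it requires
// at least one integer digit ("0.5" matches, ".5" does not).
const HUE_BOUNDED = String.raw`[+-]?\d{1,3}(?:\.\d+)?`;

// Build a full hwb(h[deg], w%, b%[, a]) matcher around a given hue sub-pattern.
function hwbRegex(huePattern) {
  return new RegExp(
    String.raw`^hwb\(\s*(${huePattern})(?:deg)?\s*,\s*([+-]?[\d.]+)%\s*,\s*` +
    String.raw`([+-]?[\d.]+)%\s*(?:,\s*([+-]?[\d.]+)\s*)?\)$`
  );
}
const RE_AMBIGUOUS = hwbRegex(HUE_AMBIGUOUS);
const RE_BOUNDED = hwbRegex(HUE_BOUNDED);

// Parse into numeric components, or null when the string does not match.
function parseHwb(re, input) {
  const m = re.exec(input);
  if (!m) return null;
  const a = m[4] === undefined ? 1 : parseFloat(m[4]);
  return { h: parseFloat(m[1]), w: parseFloat(m[2]), b: parseFloat(m[3]), a };
}

// Additional defence independent of the regex fix: refuse over-long input
// before any backtracking engine sees it. maxLen is a constructed limit.
function safeParseHwb(input, maxLen = 256) {
  if (typeof input !== 'string' || input.length > maxLen) return null;
  return parseHwb(RE_BOUNDED, input);
}

// Constructed pathological input: "hwb(" plus a run of digits, no separator.
function pathologicalInput(digits) {
  return 'hwb(' + '1'.repeat(digits);
}

// Wall-clock cost of one match attempt, in milliseconds.
function matchMs(re, input) {
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Compare both patterns on the same constructed input.
function compareCosts(digits) {
  const s = pathologicalInput(digits);
  return { ambiguousMs: matchMs(RE_AMBIGUOUS, s), boundedMs: matchMs(RE_BOUNDED, s) };
}
```

Call compareCosts(20000) to see the ambiguous pattern's cost grow with input length while the bounded one stays flat.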

@renovate renovate bot requested a review from a team as a code owner May 6, 2021 10:20
@renovate renovate bot added renovate Triggered by renovatebot type: dependencies labels May 6, 2021
@renovate renovate bot requested review from flotwig and chrisbreiding and removed request for a team May 6, 2021 10:20

renovate bot commented May 6, 2021

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻️ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you check the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
warning Resolution field "pretty-format@26.4.0" is incompatible with requested version "pretty-format@^24.9.0"
warning Resolution field "pretty-format@26.4.0" is incompatible with requested version "pretty-format@^24.9.0"
warning Resolution field "pretty-format@26.4.0" is incompatible with requested version "pretty-format@^24.9.0"
warning Resolution field "pretty-format@26.4.0" is incompatible with requested version "pretty-format@^24.9.0"
warning Resolution field "pretty-format@26.4.0" is incompatible with requested version "pretty-format@^24.9.0"
warning Resolution field "pretty-format@26.4.0" is incompatible with requested version "pretty-format@^24.9.0"
warning Resolution field "pretty-format@26.4.0" is incompatible with requested version "pretty-format@^24.9.0"
warning Resolution field "pretty-format@26.4.0" is incompatible with requested version "pretty-format@^24.9.0"
warning Resolution field "pretty-format@26.4.0" is incompatible with requested version "pretty-format@^26.6.2"
warning Resolution field "pretty-format@26.4.0" is incompatible with requested version "pretty-format@^26.6.2"
warning Resolution field "pretty-format@26.4.0" is incompatible with requested version "pretty-format@^26.6.2"
warning Resolution field "socket.io-parser@4.0.4" is incompatible with requested version "socket.io-parser@~3.4.0"
warning Resolution field "socket.io-parser@4.0.4" is incompatible with requested version "socket.io-parser@~3.3.0"
warning Resolution field "pretty-format@26.4.0" is incompatible with requested version "pretty-format@^23.0.1"
warning Resolution field "pretty-format@26.4.0" is incompatible with requested version "pretty-format@^26.6.2"
warning Pattern ["source-map@^0.7.3"] is trying to unpack in the same destination "/home/ubuntu/.cache/yarn/v6/npm-source-map-fast-0.7.3-5302f8169031735226544092e64981f751750383-integrity/node_modules/source-map-fast" as pattern ["source-map@~0.7.2"]. This could result in non-deterministic behavior, skipping.
warning Pattern ["source-map@0.7.3"] is trying to unpack in the same destination "/home/ubuntu/.cache/yarn/v6/npm-source-map-fast-0.7.3-5302f8169031735226544092e64981f751750383-integrity/node_modules/source-map-fast" as pattern ["source-map@~0.7.2"]. This could result in non-deterministic behavior, skipping.
warning Pattern ["@definitelytyped/typescript-versions@latest"] is trying to unpack in the same destination "/home/ubuntu/.cache/yarn/v6/npm-@definitelytyped-typescript-versions-0.0.71-08c791e3bf3c2861611edee8f28c72d2db0fb02e-integrity/node_modules/@definitelytyped/typescript-versions" as pattern ["@definitelytyped/typescript-versions@^0.0.71","@definitelytyped/typescript-versions@^0.0.71","@definitelytyped/typescript-versions@^0.0.71"]. This could result in non-deterministic behavior, skipping.
error An unexpected error occurred: "https://registry.yarnpkg.com/@percy/cli-build/-/cli-build-1.0.0-beta.48.tgz: Request failed \"404 Not Found\"".


cypress-bot bot commented May 6, 2021

See the guidelines for reviewing dependency updates for info on how to review dependency update PRs.


cypress bot commented May 6, 2021



Test summary

13758 passed, 0 failed, 164 pending, 5 skipped, flakiness 2


Run details

Project cypress
Status Passed
Commit dffe096
Started May 6, 2021 8:00 PM
Ended May 6, 2021 8:12 PM
Duration 11:36
OS Linux Debian - 10.8
Browser Multiple



Flakiness

cypress/integration/retries.ui.spec.js 2 Flakiness
1 runner/cypress retries.ui.spec > opens attempt on each attempt failure for the screenshot, and closes after test passes
2 runner/cypress retries.ui.spec > opens attempt on each attempt failure for the screenshot, and closes after test passes

This comment has been generated by cypress-bot as a result of this project's GitHub integration settings. You can manage this integration in this project's settings in the Cypress Dashboard

@jennifer-shehane jennifer-shehane requested review from jennifer-shehane and removed request for flotwig and chrisbreiding May 6, 2021 19:36

@jennifer-shehane jennifer-shehane left a comment


vulnerability fix

@jennifer-shehane jennifer-shehane merged commit a929e4e into develop May 6, 2021
tgriesser added a commit that referenced this pull request May 7, 2021
* develop:
  chore: Remove extra renovate.json file (#16385)
  Do not print 'uploading' stdout when --quiet mode is passed (#16271)
  fix(deps): update dependency color-string to version 1.5.5 🌟 (#16362)
  fix(deps): update dependency cypress-real-events to version 1.4.0 🌟 (#16363)
  tests: use the proper keys for selecting framework
  fix: Prevent Firefox from opening custom search when pressing / (#16372)
  fix: vueCli and webpack key vue@2 fix when guessing
  tests: update snapshots
  fix: add return config for vueCli and vueWebpack
  fix: add return config for vitejs templates
  chore: release @cypress/vue-v2.2.2
  chore: release @cypress/react-v5.5.0
  fix: remove all of rollup, not supported anymore
  fix: typo in the final message (run vs run-ct)
tgriesser added a commit that referenced this pull request May 7, 2021
* develop: (28 commits)
  fix: XHR event listener AUT redirect bug (#15995)
  chore: fix typo (#16345)
  chore(design-system): Added missing exports and index.ts (#16351)
  chore: Remove extra renovate.json file (#16385)
  Do not print 'uploading' stdout when --quiet mode is passed (#16271)
  fix(deps): update dependency color-string to version 1.5.5 🌟 (#16362)
  fix(deps): update dependency cypress-real-events to version 1.4.0 🌟 (#16363)
  tests: use the proper keys for selecting framework
  fix: Prevent Firefox from opening custom search when pressing / (#16372)
  fix(socket): update serialization for circular binary socket messages (#16311)
  fix: vueCli and webpack key vue@2 fix when guessing
  tests: update snapshots
  fix: add return config for vueCli and vueWebpack
  chore(deps): update dependency classnames to version 2.3.1 🌟 (#8337)
  fix: add return config for vitejs templates
  chore: release @cypress/vue-v2.2.2
  chore: release @cypress/react-v5.5.0
  fix: remove all of rollup, not supported anymore
  fix: typo in the final message (run vs run-ct)
  fix: use close event when asking the browser for its version (#16312)
  ...
agg23 added a commit that referenced this pull request May 7, 2021
fix(deps): update dependency cypress-real-events to version 1.4.0 🌟 (#16363)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

fix: typo in the final message (run vs run-ct)

fix: remove all of rollup, not supported anymore

fix: add return config for vitejs templates

fix: add return config for vueCli and vueWebpack

tests: update snapshots

fix: vueCli and webpack key vue@2 fix when guessing

tests: use the proper keys for selecting framework

chore: release @cypress/react-v5.5.0

[skip ci]

chore: release @cypress/vue-v2.2.2

[skip ci]

fix(deps): update dependency color-string to version 1.5.5 🌟 (#16362)

Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: Jennifer Shehane <jennifer@cypress.io>

Do not print 'uploading' stdout when --quiet mode is passed (#16271)

chore: Remove extra renovate.json file (#16385)

chore(design-system): Added missing exports and index.ts (#16351)

chore: fix typo (#16345)

Co-authored-by: Jennifer Shehane <jennifer@cypress.io>

fix: XHR event listener AUT redirect bug (#15995)

Fixes incorrect redirect when location.href is set to a relative path within the call stack of an XHR event handler, which set the user's AUT to /__/ rather than the correct path

Linting after merge
@renovate renovate bot deleted the renovate/color-string-1.x branch May 8, 2021 12:56

cypress-bot bot commented May 10, 2021

Released in 7.3.0.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v7.3.0, please open a new issue.

@cypress-bot cypress-bot bot locked as resolved and limited conversation to collaborators May 10, 2021