
chore(deps): update dependency ua-parser-js to v0.7.33 [security] #25561

Merged
merged 6 commits into from
Jan 25, 2023

Conversation

@renovate renovate bot commented Jan 25, 2023

Mend Renovate

This PR contains the following updates:

Package: ua-parser-js
Change: 0.7.24 -> 0.7.33

GitHub Vulnerability Alerts

CVE-2022-25927

Description:

A regular expression denial of service (ReDoS) vulnerability has been discovered in ua-parser-js.

Impact:

This vulnerability bypasses the library's MAX_LENGTH input limit prevention. By crafting a very long user-agent string with a specific pattern, an attacker can cause the script to get stuck processing for a very long time, which results in a denial of service (DoS) condition.

Affected Versions:

All versions of the library prior to version 0.7.33 / 1.0.33.

Patches:

A patch has been released to remove the vulnerable regular expression; update to version 0.7.33 / 1.0.33 or later.

References:

Regular expression Denial of Service - ReDoS

Credits:

Thanks to @Snyk who first reported the issue.


Release Notes

faisalman/ua-parser-js

v0.7.33

  • Add new browser : Cobalt
  • Identify Macintosh as an Apple device
  • Fix ReDoS vulnerability

v0.7.32

  • Add new browser : DuckDuckGo, Huawei Browser, LinkedIn
  • Add new OS : HarmonyOS
  • Add some Huawei models
  • Add Sharp Aquos TV
  • Improve detection Xiaomi Mi CC9
  • Fix Sony Xperia 1 III misidentified as Acer tablet
  • Fix Detect Sony BRAVIA as SmartTV
  • Fix Detect Xiaomi Mi TV as SmartTV
  • Fix Detect Galaxy Tab S8 as tablet
  • Fix WeGame mistakenly identified as WeChat
  • Fix included commas in Safari / Mobile Safari version
  • Increase UA_MAX_LENGTH to 350

v0.7.31

  • Fix OPPO Reno A5 incorrect detection
  • Fix TypeError Bug
  • Use AST to extract regexes and verify them with safe-regex

v0.7.30, v0.7.28, v0.7.27, v0.7.26, v0.7.25

No release notes are listed for these versions.


Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added renovate Triggered by renovatebot type: dependencies labels Jan 25, 2023
cypress bot commented Jan 25, 2023

46 flaky tests on run #43445

0 26600 1274 0 Flakiness 46

Details:

[run ci]
Project: cypress Commit: 69cbb18f3a
Status: Passed Duration: 20:00
Started: Jan 25, 2023 8:38 PM Ended: Jan 25, 2023 8:58 PM

Flakiness: global-mode.cy.ts • 1 flaky test • launchpad-e2e
  • Launchpad: Global Mode > when projects have been added > updates most-recently opened project list when returning from next step

Flakiness: create-from-component.cy.ts • 1 flaky test • app-e2e
  • ... > runs generated spec

Flakiness: specs_list_latest_runs.cy.ts • 1 flaky test • app-e2e
  • App/Cloud Integration - Latest runs and Average duration > when no runs are recorded > shows placeholders for all visible specs

Flakiness: commands/net_stubbing.cy.ts • 1 flaky test • 5x-driver-firefox
  • network stubbing > intercepting request > can delay and throttle a StaticResponse

Flakiness: cypress-in-cypress-run-mode.cy.ts • 3 flaky tests • app-e2e
  • Cypress In Cypress - run mode > e2e run mode spec runner header is correct
  • Cypress In Cypress - run mode > component testing run mode spec runner header is correct
  • Cypress In Cypress - run mode > hides reporter when NO_COMMAND_LOG is set in run mode

The first 5 failed specs are shown, see all 0 specs in Cypress Cloud.

This comment has been generated by cypress-bot as a result of this project's GitHub integration settings.

@renovate renovate bot force-pushed the renovate/npm-ua-parser-js-vulnerability branch from 84e67a2 to c747eb2 Compare January 25, 2023 19:38
renovate bot commented Jan 25, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.
You can manually request rebase by checking the rebase/retry box above.

Warning: custom changes will be lost.

@AtofStryker AtofStryker merged commit 8d3a6ee into develop Jan 25, 2023
@AtofStryker AtofStryker deleted the renovate/npm-ua-parser-js-vulnerability branch January 25, 2023 21:05
tgriesser added a commit that referenced this pull request Jan 26, 2023
* develop: (27 commits)
  refactor: remove unused cloud routes (#25584)
  chore: fix issue template formatting issue (#25587)
  fix: fixed issue with CT + electron + run mode not exiting properly (#25585)
  chore(deps): update dependency ua-parser-js to v0.7.33 [security] (#25561)
  fix: add alternative binary names for edge-beta (#25456)
  chore: add batch execution to CloudDataSource (#22457)
  chore: End a/b campaigns for aci smart banners (#25504)
  chore: release @cypress/schematic-v2.5.0
  fix(cypress-schematic): do not disable e2e support file (#25400)
  chore: adding memory issue template (#25559)
  feat: Add Angular CT Schematic (#24374)
  chore: enforce changelog entries on PR reviews (#25459)
  chore: bump package.json to 12.4.0 [run ci] (#25556)
  feat: Add 'type' option to `.as` to store aliases by value (#25251)
  chore: release @cypress/webpack-dev-server-v3.2.3
  feat: Display line break in cy.log (#25467)
  chore: update types (#25538)
  fix: Revert "fix: adding emergency garbage collection for chromium-based browsers" (#25546)
  fix: percy - wait to take snapshot until previous tooltips are gone (#25522)
  feat: support data-qa selector in selector playground (#25475)
  ...
cypress-bot bot commented Jan 27, 2023

Released in 12.4.1.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v12.4.1, please open a new issue.

@cypress-bot cypress-bot bot locked as resolved and limited conversation to collaborators Jan 27, 2023
@AtofStryker AtofStryker removed their assignment Mar 23, 2023