This repository has been archived by the owner on Jul 30, 2024. It is now read-only.

fix(deps): update dependency ua-parser-js to v0.7.33 [security] #3

Merged
merged 1 commit, Jul 17, 2024

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented May 27, 2021

Mend Renovate

This PR contains the following updates:

Package: ua-parser-js
Change: 0.7.21 -> 0.7.33

GitHub Vulnerability Alerts

CVE-2021-27292

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

CVE-2020-7733

The package ua-parser-js before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

CVE-2020-7793

The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).

CVE-2022-25927

Description:

A regular expression denial of service (ReDoS) vulnerability has been discovered in ua-parser-js.

Impact:

This vulnerability bypasses the library's MAX_LENGTH input-limit prevention. By crafting a very, very long user-agent string with a specific pattern, an attacker can cause the script to get stuck processing it for a very long time, which results in a denial of service (DoS) condition.

Affected Versions:

All versions of the library prior to version 0.7.33 / 1.0.33.

Patches:

A patch has been released to remove the vulnerable regular expression, update to version 0.7.33 / 1.0.33 or later.

References:

Regular expression Denial of Service - ReDoS

Credits:

Thanks to @Snyk who first reported the issue.


Release Notes

faisalman/ua-parser-js (ua-parser-js)

v0.7.33


  • Add new browser : Cobalt
  • Identify Macintosh as an Apple device
  • Fix ReDoS vulnerability

v0.7.32


  • Add new browser : DuckDuckGo, Huawei Browser, LinkedIn
  • Add new OS : HarmonyOS
  • Add some Huawei models
  • Add Sharp Aquos TV
  • Improve detection Xiaomi Mi CC9
  • Fix Sony Xperia 1 III misidentified as Acer tablet
  • Fix Detect Sony BRAVIA as SmartTV
  • Fix Detect Xiaomi Mi TV as SmartTV
  • Fix Detect Galaxy Tab S8 as tablet
  • Fix WeGame mistakenly identified as WeChat
  • Fix included commas in Safari / Mobile Safari version
  • Increase UA_MAX_LENGTH to 350

v0.7.31


  • Fix OPPO Reno A5 incorrect detection
  • Fix TypeError Bug
  • Use AST to extract regexes and verify them with safe-regex

v0.7.30


  • Add new browser : Obigo, UP.Browser, Klar
  • Add new device : Oculus, Roku
  • Add new OS: Maemo, HP-UX, Android-x86, Deepin, elementary OS, GhostBSD, Linspire, Manjaro, Sabayon
  • Improve detection for Sony Xperia 1ii, LG Android TV, and some more devices
  • Improve detection for ARM64 CPU
  • Improve detection for Windows Mobile, Netscape, Mac on PowerPC
  • Categorize PDA as mobile
  • Fix Sharp devices misjudged as Huawei
  • Fix trailing comma for ES3 compatibility
  • Some code refactor

v0.7.28, v0.7.27, v0.7.26, v0.7.25, v0.7.24, v0.7.23, v0.7.22

(No release notes are listed for these versions.)


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.

@vercel

vercel bot commented May 27, 2021

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/innei/candy/ujkRiTzMqffKQxQ1rgXst9XKCMup
✅ Preview: Failed

@vercel

vercel bot commented Jun 23, 2022

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name: candy
Status: ❌ Failed (Inspect)
Updated (UTC): Jun 3, 2023 3:23am

@renovate renovate bot changed the title fix(deps): update dependency ua-parser-js to v0.7.24 [security] fix(deps): update dependency ua-parser-js to v0.7.24 [SECURITY] Jun 27, 2022
@renovate renovate bot changed the title fix(deps): update dependency ua-parser-js to v0.7.24 [SECURITY] fix(deps): update dependency ua-parser-js to v0.7.24 [security] Jun 28, 2022
@renovate renovate bot changed the title fix(deps): update dependency ua-parser-js to v0.7.24 [security] fix(deps): update dependency ua-parser-js to v0.7.33 [security] Mar 18, 2023
@renovate renovate bot force-pushed the renovate/npm-ua-parser-js-vulnerability branch from 4ef71d6 to eb50707 Compare March 18, 2023 06:00
@renovate renovate bot force-pushed the renovate/npm-ua-parser-js-vulnerability branch from eb50707 to 01171c3 Compare May 1, 2023 12:21
@renovate renovate bot force-pushed the renovate/npm-ua-parser-js-vulnerability branch from 01171c3 to 6ed3bda Compare May 2, 2023 11:02
@renovate renovate bot force-pushed the renovate/npm-ua-parser-js-vulnerability branch from 6ed3bda to 35ee661 Compare May 6, 2023 09:18
@renovate renovate bot force-pushed the renovate/npm-ua-parser-js-vulnerability branch from 35ee661 to c24b22a Compare May 7, 2023 14:03
@renovate renovate bot force-pushed the renovate/npm-ua-parser-js-vulnerability branch from c24b22a to ed96d00 Compare May 9, 2023 06:17
@renovate renovate bot force-pushed the renovate/npm-ua-parser-js-vulnerability branch from ed96d00 to 7b8886f Compare May 10, 2023 06:40
@renovate renovate bot force-pushed the renovate/npm-ua-parser-js-vulnerability branch from 7b8886f to ba02b06 Compare May 13, 2023 14:06
@renovate renovate bot force-pushed the renovate/npm-ua-parser-js-vulnerability branch from ba02b06 to 85ae69b Compare May 16, 2023 03:31
@renovate renovate bot force-pushed the renovate/npm-ua-parser-js-vulnerability branch from 85ae69b to 38b4b05 Compare May 22, 2023 08:15
@renovate renovate bot force-pushed the renovate/npm-ua-parser-js-vulnerability branch from 38b4b05 to 0489d61 Compare June 3, 2023 03:23
@renovate renovate bot changed the title fix(deps): update dependency ua-parser-js to v0.7.33 [security] fix(deps): update dependency ua-parser-js to v0.7.33 [security] - autoclosed Feb 15, 2024
@renovate renovate bot closed this Feb 15, 2024
@renovate renovate bot deleted the renovate/npm-ua-parser-js-vulnerability branch February 15, 2024 13:34
@renovate renovate bot changed the title fix(deps): update dependency ua-parser-js to v0.7.33 [security] - autoclosed fix(deps): update dependency ua-parser-js to v0.7.33 [security] Feb 15, 2024
@renovate renovate bot reopened this Feb 15, 2024
@renovate renovate bot restored the renovate/npm-ua-parser-js-vulnerability branch February 15, 2024 17:05
@renovate renovate bot force-pushed the renovate/npm-ua-parser-js-vulnerability branch from 0489d61 to 282754b Compare February 15, 2024 17:06
@renovate renovate bot changed the title fix(deps): update dependency ua-parser-js to v0.7.33 [security] fix(deps): update dependency ua-parser-js to v0.7.33 [security] - autoclosed Feb 24, 2024
@renovate renovate bot closed this Feb 24, 2024
@renovate renovate bot deleted the renovate/npm-ua-parser-js-vulnerability branch February 24, 2024 07:21
@renovate renovate bot changed the title fix(deps): update dependency ua-parser-js to v0.7.33 [security] - autoclosed fix(deps): update dependency ua-parser-js to v0.7.33 [security] Feb 24, 2024
@renovate renovate bot reopened this Feb 24, 2024
@renovate renovate bot restored the renovate/npm-ua-parser-js-vulnerability branch February 24, 2024 09:14
@renovate renovate bot force-pushed the renovate/npm-ua-parser-js-vulnerability branch from 282754b to bbfcec8 Compare February 24, 2024 09:14
@renovate renovate bot force-pushed the renovate/npm-ua-parser-js-vulnerability branch from bbfcec8 to 09e3811 Compare July 17, 2024 07:18
@renovate renovate bot merged commit 463a553 into master Jul 17, 2024
1 check passed
@renovate renovate bot deleted the renovate/npm-ua-parser-js-vulnerability branch July 17, 2024 10:17