Update dependency ua-parser-js to v1.0.33 [SECURITY] #559
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
🦋 Changeset detectedLatest commit: 6b153f4 The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. ⚠ Warning: custom changes will be lost. |
lukasIO
approved these changes
Jan 25, 2023
Merged
lukasIO
added a commit
that referenced
this pull request
Mar 16, 2023
* Allow for background timers to be overriden (#556) * Allow for background timers to be overriden for platform specific implementations * Add changeset * Formatting * More timers converted and renamed to CriticalTimers * Avoid using class scope for timers (#558) * avoid using class scope for timers * fix copy paste error * protocol * Update dependency ua-parser-js to v1.0.33 (#559) * Update dependency ua-parser-js to v1.0.33 [SECURITY] * Create tall-cycles-judge.md Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: lukasIO <mail@lukasseiler.de> * Version Packages (#554) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * Export CheckStatus type (#566) * Export CheckStatus * Create afraid-plants-grab.md --------- Co-authored-by: lukasIO <lukas.seiler@neesh.de> * Add getDisplayMedia support check (#562) * Add getDisplayMedia support check * Create friendly-trainers-yawn.md --------- Co-authored-by: lukasIO <lukas.seiler@neesh.de> * Handle unknown signal messages from the server (#568) When we switched to using oneof in generated protobufs, it broke the ability to handle unknown signal messages from the server. This is due to the protobuf parser returning undefined for message field, versus a new value for $case. * Drop local participant updates with wrong sid (#570) * drop participant updates with wrong sid * Create smooth-students-poke.md * Remove redundant sid check (#571) * Update devDependencies (non-major) (#563) * Update devDependencies (non-major) * rerun prettier after update --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Lukas <mail@lukasseiler.de> * Emit `Participant.PermissionChanged` event also for remote participants (#569) * emit Participant.PermissionChanged event also for remote participants * fix typo * cleanup * update protocol with source permissions * better compare * Create angry-pugs-repair.md * Version Packages (#567) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * Add reconnect reason and signal rtt calculation (#573) * Add reconnect reason and signal rtt caculation * changeset * Reset ping when receiving pong instead of clearing (#578) * Provide more context to ConnectionError when connecting to a room (#575) * Provide more context to ConnectionError when connecting to a room * Fix prettier issues * Create mighty-boats-wonder.md --------- Co-authored-by: lukasIO <lukas.seiler@neesh.de> * Only restart track after permission change if not muted (#581) * only restart track after permission change if not muted * fix implicit restart case * Create rotten-bottles-work.md * restart audio track on unmute if readyState is ended * Version Packages (#577) * Update docstring for RecordingStatusChanged (#583) * Prevent concurrent setParameter call to avoid exception (#585) if multiple get/setParameter are called concurrently, certain timing of events could lead to the browser throwing an exception in `setParameter`, due to a missing `getParameter` call. * Version Packages (#591) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * Update devDependencies (non-major) (#586) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update dependency rollup-plugin-filesize to v10 (#588) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update dependency gh-pages to v5 (#587) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Disable red encoding by default for stereo track (#593) * Disable red encoding by default for stereo track * changeset * prettier * Update src/room/track/options.ts Co-authored-by: David Zhao <dz@livekit.io> * Update src/room/track/options.ts Co-authored-by: David Zhao <dz@livekit.io> --------- Co-authored-by: David Zhao <dz@livekit.io> * Track.streamState defaults to active (#596) StreamState is used to communicate when congestion controller pauses. It does not make sense to initialize this value to paused since in most cases, congestion controller has not paused the track and we'd want it to avoid flickering. * Fixed incorrect state with resume then reconnect (#595) When a resume sequence fails, a full reconnect is attempted. There were a few issues there with that sequence - We did not always fire EngineEvent.Restarting, so Room missed tearing down existing participants - With selective subscriptions, when existing `isDesired` isn't cleared, it will not send a subscribe request when requested - New tracks were not republished successfully when reconnected (due to sender not being reset early enough) * Always fire EngineEvent.Resuming (#600) * always fire EngineEvent.Resuming * changed RTCEngine.connectedServerAddress to an async getter getConnectedServerAddress() * Version Packages (#594) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * Add support for experimental getDisplayMedia options (#592) * add support for experimental getDisplayMedia options * reset formatting * Create .changeset/bright-dancers-worry.md * Replace terser plugin with official rollup terser plugin (#603) * Update to ReconnectReason enum (#606) * update REASON to RR enum * update protocol * update proto stubs * Update outdated slack community link (#607) * Receive remote participant disconnected updates while reconnecting (#605) * Add support for topics on data messages (#597) * Add support for setting topics on data messages * make destination comment clearer * update protocol to current main * update REASON to RR enum * Create .changeset/metal-otters-give.md * Defer publishing of tracks during reconnection (#608) * defer track publishing during reconnection * keep track of pending publications * Create .changeset/cuddly-pumpkins-tie.md * make sure pending promise is always deleted * guard against multiple reconnect events emitted * Version Packages (#601) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * Reject publish future if engine disconnects (#609) * Reject publish future if engine disconnects * Create .changeset/gold-tips-complain.md * set future to undefined * Fix wrong videoSimulcastLayer default in docstring (#613) * Allow to specify exact constraint for device switch (#612) * Only trigger AudioPlaybackFailed when it's `NotAllowed` (#615) Other errors could be raised when playing back an audio track. For example: a user could attach to another track, aborting the current attempt. In those cases, we do not want to fire AudioPlaybackFailed incorrectly. * dont ratchet automatically within cryptor * fix import key * add salt as constant * Version Packages (#610) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * use string key * map rtp payload type to codec * try to detect h264 frames and fallback to vp8 * avoid unnecessary steps * log sdp answer * use key material in keyprovider * expose method to ratchet key on keyProvider * move worker files into dedicated folder * build e2ee worker in separate build step --------- Co-authored-by: davidliu <davidliu@deviange.net> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: otakueadwine <otaku.eadwine@gmail.com> Co-authored-by: Daniel Kilimnik <mail@kilimnik.de> Co-authored-by: David Zhao <dz@livekit.io> Co-authored-by: cnderrauber <zengjie9004@gmail.com> Co-authored-by: Herman Bilous <herman.belous@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.0.2->1.0.33GitHub Vulnerability Alerts
CVE-2022-25927
Description:
A regular expression denial of service (ReDoS) vulnerability has been discovered in
ua-parser-js.Impact:
This vulnerability bypass the library's
MAX_LENGTHinput limit prevention. By crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to get stuck processing for a very long time which results in a denial of service (DoS) condition.Affected Versions:
All versions of the library prior to version
0.7.33/1.0.33.Patches:
A patch has been released to remove the vulnerable regular expression, update to version
0.7.33/1.0.33or later.References:
Regular expression Denial of Service - ReDoS
Credits:
Thanks to @Snyk who first reported the issue.
Release Notes
faisalman/ua-parser-js
v1.0.33Compare Source
v1.0.32Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.