🚨 [security] Update shellcheck 2.2.0 → 3.0.0 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ shellcheck (2.2.0 → 3.0.0) · Repo · Changelog

Release Notes

3.0.0

• no changes

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 38 commits:

• Merge pull request #133 from carlocorradini/env
• chore: bump to v3.0.0
• fix: prettier
• chore: bump version
• fix: prettier
• ci: added node 22
• feat: configuring logger level and release via environment variables, deprecated node.js < 18.12.0
• Merge pull request #80 from gunar/dependabot/npm_and_yarn/types/node-18.14.0
• chore(deps-dev): bump @types/node from 18.13.0 to 18.14.0
• Merge pull request #79 from carlocorradini/main
• docs: better readme programmatic example
• Merge pull request #78 from gunar/dependabot/npm_and_yarn/cspell/eslint-plugin-6.26.1
• chore(deps-dev): bump @cspell/eslint-plugin from 6.25.0 to 6.26.1
• Merge pull request #72 from gunar/dependabot/npm_and_yarn/typescript-eslint/parser-5.52.0
• chore(deps-dev): bump @typescript-eslint/parser from 5.51.0 to 5.52.0
• Merge pull request #73 from gunar/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.52.0
• Merge pull request #77 from gunar/dependabot/npm_and_yarn/cspell-6.26.1
• chore(deps-dev): bump cspell from 6.23.1 to 6.26.1
• Merge pull request #76 from gunar/dependabot/npm_and_yarn/cspell/eslint-plugin-6.25.0
• chore(deps-dev): bump @cspell/eslint-plugin from 6.23.1 to 6.25.0
• chore(deps-dev): bump @typescript-eslint/eslint-plugin
• Merge pull request #68 from gunar/dependabot/npm_and_yarn/eslint-8.34.0
• chore(deps-dev): bump eslint from 8.33.0 to 8.34.0
• Merge pull request #69 from gunar/dependabot/npm_and_yarn/cspell-6.23.1
• chore(deps-dev): bump cspell from 6.22.0 to 6.23.1
• Merge pull request #70 from gunar/dependabot/npm_and_yarn/cspell/eslint-plugin-6.23.1
• chore(deps-dev): bump @cspell/eslint-plugin from 6.22.0 to 6.23.1
• Merge pull request #67 from gunar/dependabot/npm_and_yarn/types/node-18.13.0
• chore(deps-dev): bump @types/node from 18.11.18 to 18.13.0
• Merge pull request #65 from gunar/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.51.0
• Merge pull request #66 from gunar/dependabot/npm_and_yarn/typescript-eslint/parser-5.51.0
• chore(deps-dev): bump @typescript-eslint/parser from 5.50.0 to 5.51.0
• chore(deps-dev): bump @typescript-eslint/eslint-plugin
• Merge pull request #63 from gunar/dependabot/npm_and_yarn/cspell-6.22.0
• chore(deps-dev): bump cspell from 6.21.0 to 6.22.0
• Merge pull request #64 from gunar/dependabot/npm_and_yarn/cspell/eslint-plugin-6.22.0
• chore(codeowners): add carlocorradini
• chore(deps-dev): bump @cspell/eslint-plugin from 6.21.0 to 6.22.0

↗️ define-properties (indirect, 1.1.4 → 1.2.1) · Repo · Changelog

Release Notes

1.2.1 (from changelog)

Commits

• [Refactor] use define-data-property e7782a7
• [actions] use reusable rebase action cd249c3
• [Dev Deps] update @ljharb/eslint-config, aud, tape 8205f97

1.2.0 (from changelog)

Commits

• [New] if the predicate is boolean true, it compares the existing value with === as the predicate d8dd6fc
• [meta] add auto-changelog 7ebe2b0
• [meta] use npmignore to autogenerate an npmignore file 647478a
• [Dev Deps] update @ljharb/eslint-config, aud, tape e620d70
• [Dev Deps] update aud, tape f1e5072
• [actions] update checkout action 628b3af

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 11 commits:

• v1.2.1
• [actions] use reusable rebase action
• [Refactor] use `define-data-property`
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `tape`
• v1.2.0
• [New] if the predicate is boolean `true`, it compares the existing value with `===` as the predicate
• [meta] add `auto-changelog`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `tape`
• [Dev Deps] update `aud`, `tape`
• [actions] update checkout action

↗️ function-bind (indirect, 1.1.1 → 1.1.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 26 commits:

• v1.1.2
• [meta] add `auto-changelog`
• [Robustness] remove runtime dependency on all builtins except `.apply`
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `tape`
• [meta] add `funding` field; create FUNDING.yml
• [Tests] use `aud` instead of `npm audit`
• [meta] update `.gitignore`
• [Tests] switch to nyc for coverage
• [meta] add `safe-publish-latest`
• [Dev Deps] update `@ljharb/eslint-config`, `tape`
• [actions] fix permissions
• Revert "Point to the correct file"
• Merge pull request #16 from svedova/patch-1
• Point to the correct file
• [readme] update badges
• [meta] use `npmignore` to autogenerate an npmignore file
• [Tests] migrate tests to Github Actions
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `tape`
• [meta] create SECURITY.md
• [Tests] fix eslint errors from #15
• [Dev Deps] update `@ljharb/eslint‑config`, `eslint`, `tape`
• [Tests] up to `node` `v11.10`, `v10.15`, `v9.11`, `v8.15`, `v6.16`, `v4.9`; use `nvm install-latest-npm`; run audit script in tests
• [Tests] add `npm run audit`
• [Tests] remove `jscs`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `covert`, `tape`
• Docs: enable badges; update wording

↗️ get-intrinsic (indirect, 1.2.0 → 1.2.4) · Repo · Changelog

Release Notes

1.2.4 (from changelog)

Commits

• [Refactor] use all 7 <+ ES6 Errors from es-errors bcac811

1.2.3 (from changelog)

Commits

• [Refactor] use es-errors, so things that only need those do not need get-intrinsic f11db9c
• [Dev Deps] update aud, es-abstract, mock-property, npmignore b7ac7d1
• [meta] simplify exports faa0cc6
• [meta] add missing engines.node 774dd0b
• [Dev Deps] update tape 5828e8e
• [Robustness] use null objects for lookups eb9a11f
• [meta] add sideEffects flag 89bcc7a

1.2.2 (from changelog)

Commits

• [Dev Deps] update @ljharb/eslint-config, aud, call-bind, es-abstract, mock-property, object-inspect, tape f51bcf2
• [Refactor] use hasown instead of has 18d14b7
• [Deps] update function-bind 6e109c8

1.2.1 (from changelog)

Commits

• [Fix] avoid a crash in envs without __proto__ 7bad8d0
• [Dev Deps] update es-abstract c60e6b7

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 17 commits:

• v1.2.4
• [Refactor] use all 7 <+ ES6 Errors from `es-errors`
• v1.2.3
• [Refactor] use `es-errors`, so things that only need those do not need `get-intrinsic`
• [Dev Deps] update `tape`
• [meta] add missing `engines.node`
• [Robustness] use null objects for lookups
• [Dev Deps] update `aud`, `es-abstract`, `mock-property`, `npmignore`
• [meta] simplify `exports`
• [meta] add `sideEffects` flag
• v1.2.2
• [Refactor] use `hasown` instead of `has`
• [Deps] update `function-bind`
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `call-bind`, `es-abstract`, `mock-property`, `object-inspect`, `tape`
• v1.2.1
• [Fix] avoid a crash in envs without `__proto__`
• [Dev Deps] update `es-abstract`

↗️ globalthis (indirect, 1.0.3 → 1.0.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 9 commits:

• v1.0.4
• [Dev Deps] add missing `npmignore` dep
• [actions] remove redundant finisher
• [Refactor] use `gopd`
• [Deps] update `define-properties`
• [Dev Deps] update `@es-shims/api`, `@ljharb/eslint-config`, `aud`, `tape`
• [Deps] update `define-properties`
• [Dev Deps] update `aud`, `tape`
• [actions] update rebase action to use reusable workflow

↗️ graceful-fs (indirect, 4.2.10 → 4.2.11) · Repo

Commits

See the full diff on Github. The new version differs by 3 commits:

• 4.2.11
• Add EBUSY to handled error codes for windows directory rename
• update and improve tests somewhat

↗️ readable-stream (indirect, 2.3.7 → 2.3.8) · Repo

Release Notes

2.3.8

What's Changed

• fix undefined global for browser / service worker (v2.x branch) by @smeng9 in #499

Full Changelog: v2.3.7...v2.3.8

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

• bumped v2.3.8
• regenerate build for Node v8.17.0
• fix undefined global (#499)

↗️ semver (indirect, 7.3.8 → 7.6.2) · Repo · Changelog

Security Advisories 🚨

🚨 semver vulnerable to Regular Expression Denial of Service

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Release Notes

7.6.2

7.6.2 (2024-05-09)

Bug Fixes

• 6466ba9 #713 lru: use map.delete() directly (#713) (@negezor, @lukekarrys)

7.6.1

7.6.1 (2024-05-04)

Bug Fixes

• c570a34 #704 linting: no-unused-vars (@wraithgar)
• ad8ff11 #704 use internal cache implementation (@mbtools)
• ac9b357 #682 typo in compareBuild debug message (#682) (@mbtools)

Dependencies

• 988a8de #709 uninstall lru-cache (#709)
• 3fabe4d #704 remove lru-cache

Chores

• dd09b60 #705 bump @npmcli/template-oss to 4.22.0 (@lukekarrys)
• ec49cdc #701 chore: chore: postinstall for dependabot template-oss PR (@lukekarrys)
• b236c3d #696 add benchmarks (#696) (@H4ad)
• 692451b #688 various improvements to README (#688) (@mbtools)
• 5feeb7f #705 postinstall for dependabot template-oss PR (@lukekarrys)
• 074156f #701 bump @npmcli/template-oss from 4.21.3 to 4.21.4 (@dependabot[bot])

7.6.0

7.6.0 (2024-01-31)

Features

• a7ab13a #671 preserve pre-release and build parts of a version on coerce (#671) (@madtisa, madtisa, @wraithgar)

Chores

• 816c7b2 #667 postinstall for dependabot template-oss PR (@lukekarrys)
• 0bd24d9 #667 bump @npmcli/template-oss from 4.21.1 to 4.21.3 (@dependabot[bot])
• e521932 #652 postinstall for dependabot template-oss PR (@lukekarrys)
• 8873991 #652 chore: chore: postinstall for dependabot template-oss PR (@lukekarrys)
• f317dc8 #652 bump @npmcli/template-oss from 4.19.0 to 4.21.0 (@dependabot[bot])
• 7303db1 #658 add clean() test for build metadata (#658) (@jethrodaniel)
• 6240d75 #656 add missing quotes in README.md (#656) (@zyxkad)
• 14d263f #625 postinstall for dependabot template-oss PR (@lukekarrys)
• 7c34e1a #625 bump @npmcli/template-oss from 4.18.1 to 4.19.0 (@dependabot[bot])
• 123e0b0 #622 postinstall for dependabot template-oss PR (@lukekarrys)
• 737d5e1 #622 bump @npmcli/template-oss from 4.18.0 to 4.18.1 (@dependabot[bot])
• cce6180 #598 postinstall for dependabot template-oss PR (@lukekarrys)
• b914a3d #598 bump @npmcli/template-oss from 4.17.0 to 4.18.0 (@dependabot[bot])

7.5.4

7.5.4 (2023-07-07)

Bug Fixes

• cc6fde2 #588 trim each range set before parsing (@lukekarrys)
• 99d8287 #583 correctly parse long build ids as valid (#583) (@lukekarrys)

7.5.3

7.5.3 (2023-06-22)

Bug Fixes

• abdd93d #571 set max lengths in regex for numeric and build identifiers (#571) (@lukekarrys)

Documentation

• bf53dd8 #569 add example for > comparator (#569) (@mbtools)

7.5.2

7.5.2 (2023-06-15)

Bug Fixes

• 58c791f #566 diff when detecting major change from prerelease (#566) (@lukekarrys)
• 5c8efbc #565 preserve build in raw after inc (#565) (@lukekarrys)
• 717534e #564 better handling of whitespace (#564) (@lukekarrys)

7.5.1

7.5.1 (2023-05-12)

Bug Fixes

• d30d25a #559 show type on invalid semver error (#559) (@tjenkinson)

7.5.0

7.5.0 (2023-04-17)

Features

• 503a4e5 #548 allow identifierBase to be false (#548) (@lsvalina)

Bug Fixes

• e219bb4 #552 throw on bad version with correct error message (#552) (@wraithgar)
• fc2f3df #546 incorrect results from diff sometimes with prerelease versions (#546) (@tjenkinson)
• 2781767 #547 avoid re-instantiating SemVer during diff compare (#547) (@macno)

7.4.0

7.4.0 (2023-04-10)

Features

• 113f513 #532 identifierBase parameter for .inc (#532) (@wraithgar, @b-bly)
• 48d8f8f #530 export new RELEASE_TYPES constant (@hcharley)

Bug Fixes

• 940723d #538 intersects with v0.0.0 and v0.0.0-0 (#538) (@wraithgar)
• aa516b5 #535 faster parse options (#535) (@H4ad)
• 61e6ea1 #536 faster cache key factory for range (#536) (@H4ad)
• f8b8b61 #541 optimistic parse (#541) (@H4ad)
• 796cbe2 #533 semver.diff prerelease to release recognition (#533) (@wraithgar, @dominique-blockchain)
• 3f222b1 #537 reuse comparators on subset (#537) (@H4ad)
• f66cc45 #539 faster diff (#539) (@H4ad)

Documentation

• c5d29df #530 Add "Constants" section to README (@hcharley)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sprintf-js (indirect, 1.1.2 → 1.1.3) · Repo · Changelog

Release Notes

1.1.3 (from changelog)

• fix LICENSE name

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 11 commits:

• Merge pull request #227 from alexei/feat-new_release
• fix: update deps, bump version for a new release
• Merge pull request #226 from alexei/fix-licensing
• fix(license): update license name in README
• Merge pull request #212 from BigBlueHat/patch-1
• Make bower.json declaration match LICENSE
• Merge pull request #197 from alexei/fix-typo
• fix: typo
• Merge pull request #195 from timgates42/bugfix_typo_precede
• Update CONTRIBUTORS.md
• docs: Fix simple typo, preceed -> precede

🆕 define-data-property (added, 1.1.4)

🆕 envalid (added, 8.0.0)

🆕 es-define-property (added, 1.0.0)

🆕 es-errors (added, 1.3.0)

🆕 gopd (added, 1.0.1)

🆕 has-proto (added, 1.0.3)

🆕 hasown (added, 2.0.2)

🆕 tslib (added, 2.6.2)

🗑️ has (removed)

🗑️ lru-cache (removed)

🗑️ yallist (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)