Bump node-forge and parcel

[dependabot]

Removes node-forge. It's no longer used after updating ancestor dependency parcel. These dependencies need to be updated together.

Removes node-forge

Updates parcel from 1.12.4 to 2.8.0

Release notes

Sourced from parcel's releases.

v2.8.0

Blog post: https://parceljs.org/blog/v2-8-0/

Added

• Core
  • Code splitting across reexports using symbol data by splitting dependencies – Details
  • Update without bundling for non-dependency related changes – Details
  • Improve performance of incremental bundling – Details
  • Only serialize and send shared references to workers that need them – Details
  • Improve performance of HMR by not waiting for packaging – Details
• JavaScript
  • Verify version when resolving Node builtin polyfills – Details
  • Add loadBundleConfig method to Packager plugins – Details
• SVG
  • Generate typescript for SVGs when using svgr and typescript option – Details
• Bundler
  • Move experimental bundler to default – Details

Fixed

• Core
  • Fix verbose warning: reexport all doesn't include default – Details
  • Support multiple edge types in Graph.hasEdge – Details
  • Ensure edge exists before removal in Graph.removeEdge – Details
  • Disable splitting dependencies on symbols for non-scope hoisted bundles – Details
  • Fix TypeScript definitions for Parcel config API – Details
  • Use traverseAssets in packager to improve performance – Details
  • Make uniqueKey undefined by default – Details
  • Catch uncaught promise build abort race – Details
  • Bump parcel dependencies – Details
• JavaScript
  • Bump SWC - Details, Details
  • Fix Chrome Android browserslist support check – Details
  • Fix CommonJS symbol collection without scope hoisting – Details
  • Make React Refresh debounce call on the leading edge – Details
  • Retain correct dependency order between imports and reexports without scopehoisting – Details
• Bundler
  • Consider sibling in available assets to younger sibling for parallel deps – Details
  • Don't merge isolated child assets – Details
  • Do not merge isolated bundles in experimental bundler – Details
  • Implement min bundles configuration – Details
• Dev server
  • Include Content-Length header in HEAD requests – Details
• Vue
  • Fix errors displaying errors when compiling Vue SFCs – Details
  • Add file path to error code frames – Details
  • Fix location of errors – Details
• Image
  • Upgrade sharp – Details

... (truncated)

Changelog

Sourced from parcel's changelog.

[2.8.0] - 2022-11-09

Added

• Core
  • Code splitting across reexports using symbol data by splitting dependencies – Details
  • Update without bundling for non-dependency related changes – Details
  • Improve performance of incremental bundling – Details
  • Only serialize and send shared references to workers that need them – Details
  • Improve performance of HMR by not waiting for packaging – Details
• JavaScript
  • Verify version when resolving Node builtin polyfills – Details
  • Add loadBundleConfig method to Packager plugins – Details
• SVG
  • Generate typescript for SVGs when using svgr and typescript option – Details
• Bundler
  • Move experimental bundler to default – Details

Fixed

• Core
  • Fix verbose warning: reexport all doesn't include default – Details
  • Support multiple edge types in Graph.hasEdge – Details
  • Ensure edge exists before removal in Graph.removeEdge – Details
  • Disable splitting dependencies on symbols for non-scope hoisted bundles – Details
  • Fix TypeScript definitions for Parcel config API – Details
  • Use traverseAssets in packager to improve performance – Details
  • Make uniqueKey undefined by default – Details
  • Catch uncaught promise build abort race – Details
  • Bump parcel dependencies – Details
• JavaScript
  • Bump SWC - Details, Details
  • Fix Chrome Android browserslist support check – Details
  • Fix CommonJS symbol collection without scope hoisting – Details
  • Make React Refresh debounce call on the leading edge – Details
  • Retain correct dependency order between imports and reexports without scopehoisting – Details
• Bundler
  • Consider sibling in available assets to younger sibling for parallel deps – Details
  • Don't merge isolated child assets – Details
  • Do not merge isolated bundles in experimental bundler – Details
  • Implement min bundles configuration – Details
• Dev server
  • Include Content-Length header in HEAD requests – Details
• Vue
  • Fix errors displaying errors when compiling Vue SFCs – Details
  • Add file path to error code frames – Details
  • Fix location of errors – Details
• Image
  • Upgrade sharp – Details
• TypeScript

... (truncated)

Commits

• c3bbe0a v2.8.0
• d53e0f1 Changelog for v2.8.0
• a5cd0ec Bump parcel dependencies (#8611)
• 20fed1f Move experimental bundler to default (#8607)
• cf3a752 Fix #8500 by not adding offset to line numbers (#8501)
• bf4dc4d Bump minimist from 1.2.5 to 1.2.7 in /packages/utils/parcelforvscode (#8551)
• a5cca74 Bump @​xmldom/xmldom from 0.7.5 to 0.7.6 (#8570)
• 932b6bd Retain correct dependency order between imports and reexports without scopeho...
• 27569c5 Implement min bundles (#8599)
• 29b054c Catch uncaught promise build abort race (#8600)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Socket Security Pull Request Report

Dependency issues detected. If you merge this pull request, you will not be alerted to the instances of these issues again.

📜 Install scripts

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Package	Script field	Source
@parcel/watcher@2.1.0 (upgraded)	binding.gyp	package.json
lmdb@2.5.2 (added)	binding.gyp	package.json
msgpackr-extract@2.2.0 (added)	binding.gyp	package.json
lmdb@2.5.2 (added)	install	package.json
msgpackr-extract@2.2.0 (added)	install	package.json
@parcel/watcher@2.1.0 (upgraded)	install	package.json

🫣 Native code

Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.

Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings.

Package	Location	Source
@parcel/watcher@2.1.0 (upgraded)	binding.gyp	package.json
lmdb@2.5.2 (added)	binding.gyp	package.json
msgpackr-extract@2.2.0 (added)	binding.gyp	package.json

Pull request report summary

Issue	Status
Install scripts	⚠️ 6 issues
Native code	⚠️ 3 issues
Bin script confusion	✅ 0 issues
Bin script shell injection	✅ 0 issues
Unresolved require	✅ 0 issues
Invalid package.json	✅ 0 issues
HTTP dependency	✅ 0 issues
Git dependency	✅ 0 issues
Potential typo squat	✅ 0 issues
Known Malware	✅ 0 issues
Telemetry	✅ 0 issues
Protestware/Troll package	✅ 0 issues

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@2.4.2

• @SocketSecurity ignore @parcel/watcher@2.1.0
• @SocketSecurity ignore lmdb@2.5.2
• @SocketSecurity ignore msgpackr-extract@2.2.0

Powered by socket.dev