[Snyk] Upgrade microbundle from 0.3.1 to 0.13.0 - autoclosed

[snyk-bot]

Snyk has created this PR to upgrade microbundle from 0.3.1 to 0.13.0.

✨ Snyk has automatically assigned this pull request, set who gets assigned.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 34 versions ahead of your current version.
• The recommended version was released 21 days ago, on 2020-12-21.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Arbitrary Command Injection npm:macaddress:20180511	490/1000 Why? CVSS 9.8	No Known Exploit
	Arbitrary Code Execution SNYK-JS-JSYAML-174129	490/1000 Why? CVSS 9.8	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ACORN-559469	490/1000 Why? CVSS 9.8	No Known Exploit
	Uninitialized Memory Exposure npm:concat-with-sourcemaps:20180429	490/1000 Why? CVSS 9.8	Mature
	Arbitrary File Read SNYK-JS-MACADDRESS-567156	490/1000 Why? CVSS 9.8	No Known Exploit
	Denial of Service (DoS) SNYK-JS-JSYAML-173999	490/1000 Why? CVSS 9.8	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	490/1000 Why? CVSS 9.8	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: microbundle

• 0.13.0 - 2020-12-21
  

  Minor Changes

  • bd5d15e #738 Thanks @ wardpeet! - Upgrade rollup to version latest and upgrade all its dependencies

  • 967f8d5 #769 Thanks @ developit! - Add --css inline option. The default CSS output for all formats is now external files (as it was supposed to be).

  • 8142704 #741 Thanks @ whitetrefoil! - Use user's typescript first, fallback to bundled

  Patch Changes

  • 12668b9 #687 Thanks @ developit! - Add friendly microbundle-specific errors when modules can't be resolved.

  • 8b60fc8 #754 Thanks @ stipsan! - Enable sourcemaps for CSS

  • fdafaf7 #764 Thanks @ bakerkretzmar! - Add support for generating inline sourcemaps

  • 52a1771 #768 Thanks @ developit! - Add ambient typescript declaration for CSS Modules

• 0.12.4 - 2020-09-28
  

  Patch Changes

  • ffcc9d9 #713 Thanks @ developit! - Support extending a UMD global by prefixing the package.json "amdName" field (eg: "global.xyz").

  • 0527862 #722 Thanks @ developit! - Support "esm" (-f esm) as an alias of "es" format.

  • d08f977 #702 Thanks @ wardpeet! - Use @ babel/preset-env with bugfixes instead of preset-modules to enable "Optional chaining" & "nullish coalescing" by default.

  • d33a7ba #731 Thanks @ vaneenige! - Add jsxImportSource flag for new JSX runtime

  • 0fec414 #716 Thanks @ wardpeet! - Don't transpile generators and async for Node

  • ba1c047 #701 Thanks @ wardpeet! - re-enable unpkg alias for umd bundles as described in the readme

  • 3488411 #700 Thanks @ wardpeet! - Disable warnings for node's builtin-modules when using node as a target environment.

• 0.12.3 - 2020-07-14
  

  Features & Improvements

  • New onStart, onError callbacks for programmatic Microbundle usage! (#668, thanks @ katywings!)
  • allow multi-file output and code splitting (#674, thanks @ katywings!)
  • Strip comments from output (#548)

  Bug Fixes

  • don't mark --alias modules as externals (#671, thanks @ katywings!)
• 0.12.2 - 2020-06-20
  
  • Updated Babel and preset-env to 7.10 (#660)
  • Fixed an version conflict caused by multiple copies of Babel (#664)
  • Fixed globals generation when --external values include dashes (#667, thanks @ katywings!)
• 0.12.1 - 2020-06-15
  

  Features

  • New --no-pkg-main option for disabling filename inference (#658, thanks @ katywings)
  • Allow the use of import.meta (#627, thanks @ developit)

  Bugfixes

  • Fix non-alphanumeric values for --external (#650, thanks @ katywings)
  • Preserve comments when --no-compress is enabled (#648, thanks @ developit)
  • Fix TypeScript issue when "module" is set to "CommonJS" (#638, thanks @ marvinhagemeister)
  • Fix TypeScript declaration emit target (#629, thanks @ marvinhagemeister)
  • Fix TypeScript declarationDir option so it respects the cwd (#643) (#646, thanks @ katywings)
  • Fix TypeScript Fragments breaking when jsxFactory is set (#623, thanks @ marvinhagemeister)

  General Improvements

  • Dependency updates (#634 #616, thanks @ teodragovic, @ merceyz)
  • Documentation updates for 0.12 and --externals (#636 #628 #625 #609 #611 #614, thanks @ gtrufitt, @ developit, @ SeanBannister, @ adrienpoly & @ i-like-robots)
• 0.12.0 - 2020-05-08
  Read more
• 0.12.0-next.9 - 2020-05-01
  
  • Fix accidental bundle size increase due to core-js version (#550)
  • Use preset-modules for modern output (#557, thanks @ JoviDeCroock)
  • Add --css-modules option for *.css files in addition to *.module.css (#370, thanks @ maraisr)
  • Fix a bug that caused modern output to be not modern (#570)
  • Add support for --define @ expression=replacement (#588)
  • Silence a bunch of unnecessary warnings
  • Reduce bundle size when using async/await, in particular for await () (#596)
  • Fix output filename generation when using .ts entry modules (#587)
• 0.12.0-next.8 - 2020-01-22
  

  0.12.0-next.8

• 0.12.0-next.7 - 2020-01-06
  

  v0.12.0-next.7

• 0.12.0-next.6 - 2019-08-23
  

  v0.12.0-next.6

• 0.12.0-next.5 - 2019-08-23
• 0.12.0-next.4 - 2019-08-08
• 0.12.0-next.3 - 2019-06-17
• 0.12.0-next.2 - 2019-06-15
• 0.12.0-next.1 - 2019-06-11
• 0.12.0-next.0 - 2019-05-27
• 0.11.0 - 2019-03-04
• 0.10.1 - 2019-02-22
• 0.10.0 - 2019-02-21
• 0.9.0 - 2018-12-18
• 0.8.4 - 2018-12-17
• 0.8.3 - 2018-12-03
• 0.8.2 - 2018-12-03
• 0.8.1 - 2018-12-01
• 0.8.0 - 2018-11-30
• 0.7.0 - 2018-10-26
• 0.7.0-beta.0 - 2018-10-23
• 0.6.0 - 2018-07-19
• 0.5.1 - 2018-07-05
• 0.4.4 - 2018-02-21
• 0.4.3 - 2018-01-26
• 0.4.2 - 2018-01-24
• 0.4.1 - 2018-01-24
• 0.4.0 - 2018-01-23
• 0.3.1 - 2018-01-14

from microbundle GitHub release notes

Commit messages

Package name: microbundle

• eb5cfd9 Version Packages (Console disappear from embed url after view change with devtoolsheight parameter stackblitz/core#735)
• 9ccf400 restore CSS sourcemap support (ionic 4 : ion-icon not showing stackblitz/core#770)
• 52a1771 Add ambient typescript declaration for CSS Modules (Previously working project w/o changes now fails to build due to CORS errors stackblitz/core#768)
• 94bd8ed Add link to inlining guide
• 967f8d5 Add --css inline option (CORS error loading @angular/elements stackblitz/core#769)
• 25b2b62 Add --generate-types option (why not show properly stackblitz/core#589)
• fdafaf7 Add support for generating inline sourcemaps (Drag and Drop not working stackblitz/core#764)
• 2ed5633 Rollup upgrade size fixes (how to install extensions in stackblitz stackblitz/core#767)
• bd5d15e chore: upgrade all dependencies (Angular project can't find package: src - Solved stackblitz/core#738)
• e2eabae Document @ for the --define option (Nested Components link is not working stackblitz/core#692)
• 8b60fc8 fix(CSS): sourcemap support for PostCSS files (Download project is not working for this project stackblitz/core#754)
• 8142704 Use user's typescript first, fallback to bundled (The url to this repository is invalid stackblitz/core#741)
• 360511b Update the readme to recommend package exports (AngularJS app - UI doesn't load with bindings stackblitz/core#749)
• a6eb6e7 Update examples to reference preact/compat instead of preact (Dumping Event (Angular) stackblitz/core#750)
• 12668b9 Friendly microbundle-specific resolve errors (Unable to open branch repo from github even though it compiles and run locally stackblitz/core#687)
• 3f12b9f Version Packages (Lightweight uneditable source code preview [ft request] stackblitz/core#734)
• 0527862 Support "esm" as an alias of "es" format (Ionic base de datos stackblitz/core#722)
• 0fec414 chore: add forgotten changeset (Pressing Ctrl+P ? crashes the web app stackblitz/core#716)
• 0899008 repo token for changesets ("Can't find package: " not found empty string dependency name stackblitz/core#732)
• d33a7ba Add jsxImportSource flag for new JSX runtime (feat(a11y): please look into providing an accessible experience stackblitz/core#731)
• efb7cf3 docs: Fix simple typo, realy -> really (How can I deactivate text wrap in the editor ? stackblitz/core#727)
• 7b2ff57 fix: bring back @ babel/env preset match (Failed to import report stackblitz/core#714)
• ffcc9d9 Support global extend via amdName (resulted in a network error response: an object that was not a Response was passed to respondWith() stackblitz/core#713)
• d08f977 fix: use @ babel/preset-env with bugfixes for modern builds (POST request/SDK not filling in preset on FE stackblitz/core#702)

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

👩‍💻 Set who automatically gets assigned

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[guardrails]

⚠️ We detected security issues in this pull request:

Vulnerable Libraries (2)

• handlebars@4.0.11 no details available
• lodash@4.17.5 no details available

More info on how to fix Vulnerable Libraries in Javascript.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

[mend-bolt-for-github]

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.