Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump the npm_and_yarn group across 5 directories with 8 updates #18477

Closed

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jul 8, 2024

Bumps the npm_and_yarn group with 2 updates in the / directory: braces and ws.
Bumps the npm_and_yarn group with 4 updates in the /docroot/design-system directory: braces, ws, ejs and express.
Bumps the npm_and_yarn group with 2 updates in the /docroot/modules/custom/va_gov_graphql/assets/explorer directory: braces and undici.
Bumps the npm_and_yarn group with 5 updates in the /docroot/themes/custom/vagovclaro directory:

Package From To
braces 3.0.2 3.0.3
ws 8.11.0 8.17.1
socket.io-client 4.6.1 4.7.5
socket.io 4.6.1 4.7.5
axios 1.6.1 1.6.2

Bumps the npm_and_yarn group with 1 update in the /scripts/cd_metrics directory: braces.

Updates braces from 3.0.2 to 3.0.3

Commits

Updates ws from 8.13.0 to 8.18.0

Release notes

Sourced from ws's releases.

8.18.0

Features

  • Added support for Blob (#2229).

8.17.1

Bug fixes

  • Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

... (truncated)

Commits
  • 976c53c [dist] 8.18.0
  • 59b9629 [feature] Add support for Blob (#2229)
  • 0d1b5e6 [security] Use more descriptive text for 2017 vulnerability link
  • 15f11a0 [security] Add new DoS vulnerability to SECURITY.md
  • 3c56601 [dist] 8.17.1
  • e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
  • 6a00029 [test] Increase code coverage
  • ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
  • b73b118 [dist] 8.17.0
  • 29694a5 [test] Use the highWaterMark variable
  • Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

Updates ws from 6.2.2 to 6.2.3

Release notes

Sourced from ws's releases.

8.18.0

Features

  • Added support for Blob (#2229).

8.17.1

Bug fixes

  • Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

... (truncated)

Commits
  • 976c53c [dist] 8.18.0
  • 59b9629 [feature] Add support for Blob (#2229)
  • 0d1b5e6 [security] Use more descriptive text for 2017 vulnerability link
  • 15f11a0 [security] Add new DoS vulnerability to SECURITY.md
  • 3c56601 [dist] 8.17.1
  • e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
  • 6a00029 [test] Increase code coverage
  • ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
  • b73b118 [dist] 8.17.0
  • 29694a5 [test] Use the highWaterMark variable
  • Additional commits viewable in compare view

Updates ejs from 3.1.9 to 3.1.10

Release notes

Sourced from ejs's releases.

v3.1.10

Version 3.1.10

Commits

Updates express from 4.18.2 to 4.19.2

Release notes

Sourced from express's releases.

4.19.2

What's Changed

Full Changelog: expressjs/express@4.19.1...4.19.2

4.19.1

What's Changed

Full Changelog: expressjs/express@4.19.0...4.19.1

4.19.0

What's Changed

New Contributors

Full Changelog: expressjs/express@4.18.3...4.19.0

4.18.3

Main Changes

Other Changes

... (truncated)

Changelog

Sourced from express's changelog.

4.19.2 / 2024-03-25

  • Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

  • Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

4.18.3 / 2024-02-29

Commits
  • 04bc627 4.19.2
  • da4d763 Improved fix for open redirect allow list bypass
  • 4f0f6cc 4.19.1
  • a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
  • a1fa90f fixed un-edited version in history.md for 4.19.0
  • 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
  • 084e365 4.19.0
  • 0867302 Prevent open redirect allow list bypass due to encodeurl
  • 567c9c6 Add note on how to update docs for new release (#5541)
  • 69a4cf2 deps: [email protected]
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.


Updates braces from 3.0.2 to 3.0.3

Commits

Updates undici from 5.26.3 to 5.28.4

Release notes

Sourced from undici's releases.

v5.28.4

⚠️ Security Release ⚠️

Full Changelog: nodejs/undici@v5.28.3...v5.28.4

v5.28.3

⚠️ Security Release ⚠️

Fixes:

Full Changelog: nodejs/undici@v5.28.2...v5.28.3

v5.28.2

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.28.1...v5.28.2

v5.28.1

What's Changed

... (truncated)

Commits

Updates braces from 3.0.2 to 3.0.3

Commits

Updates ws from 8.11.0 to 8.17.1

Release notes

Sourced from ws's releases.

8.18.0

Features

  • Added support for Blob (#2229).

8.17.1

Bug fixes

  • Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

... (truncated)

Commits
  • 976c53c [dist] 8.18.0
  • 59b9629 [feature] Add support for Blob (#2229)
  • 0d1b5e6 [security] Use more descriptive text for 2017 vulnerability link
  • 15f11a0 [security] Add new DoS vulnerability to SECURITY.md
  • 3c56601 [dist] 8.17.1
  • e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
  • 6a00029 [test] Increase code coverage
  • ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
  • b73b118 [dist] 8.17.0
  • 29694a5 [test] Use the highWaterMark variable
  • Additional commits viewable in compare view

Updates socket.io-client from 4.6.1 to 4.7.5

Release notes

Sourced from socket.io-client's releases.

4.7.5

Bug Fixes

  • discard acknowledgements upon disconnection (34cbfbb)

Links

4.7.4

There were some minor bug fixes on the server side, which mandate a client bump.

Links

4.7.3

Bug Fixes

  • improve compatibility with node16 module resolution (#1595) (605de78)
  • typings: accept string | undefined as init argument (5a3eafe)
  • typings: fix the type of the socket#id attribute (f9c16f2)

Links

4.7.2

Some bug fixes are included from the engine.io-client package:

  • webtransport: add proper framing (d55c39e)
  • webtransport: honor the binaryType attribute (8270e00)

Links

4.7.1

... (truncated)

Changelog

Sourced from socket.io-client's changelog.

4.7.5 (2024-03-14)

Bug Fixes

  • discard acknowledgements upon disconnection (34cbfbb)

Dependencies

4.7.4 (2024-01-12)

There were some minor bug fixes on the server side, which mandate a client bump.

Dependencies

4.7.3 (2024-01-03)

Bug Fixes

  • improve compatibility with node16 module resolution (#1595) (605de78)
  • typings: accept string | undefined as init argument (5a3eafe)
  • typings: fix the type of the socket#id attribute (f9c16f2)

Dependencies

4.7.2 (2023-08-02)

Some bug fixes are included from the engine.io-client package:

  • webtransport: add proper framing (d55c39e)
  • webtransport: honor the binaryType attribute (8270e00)

... (truncated)

Commits
  • 4f6030f chore(release): 4.7.5
  • 34cbfbb fix: discard acknowledgements upon disconnection
  • 8cfea8c chore(release): 4.7.4
  • ca5d50e chore(release): 4.7.3
  • f9c16f2 fix(typings): fix the type of the socket#id attribute
  • b3f0cab ci: add Node.js 20 in the test matrix
  • 5a3eafe fix(typings): accept string | undefined as init argument
  • 605de78 fix: improve compatibility with node16 module resolution (#1595)
  • d00ccd2 ci: bump appiumVersion for Android tests in SauceLabs
  • 928d76d chore(release): 4.7.2
  • Additional commits viewable in compare view

Updates socket.io from 4.6.1 to 4.7.5

Release notes

Sourced from socket.io's releases.

4.7.5

Bug Fixes

  • close the adapters when the server is closed (bf64870)
  • remove duplicate pipeline when serving bundle (e426f3e)

Links

4.7.4

Bug Fixes

  • typings: calling io.emit with no arguments incorrectly errored (cb6d2e0), closes #4914

Links

4.7.3

Bug Fixes

  • return the first response when broadcasting to a single socket (#4878) (df8e70f)
  • typings: allow to bind to a non-secure Http2Server (#4853) (8c9ebc3)

Links

4.7.2

Bug Fixes

  • clean up child namespace when client is rejected in middleware (#4773) (0731c0d)
  • webtransport: properly handle WebTransport-only connections (3468a19)
  • webtransport: add proper framing (a306db0)

Links

... (truncated)

Changelog

Sourced from socket.io's changelog.

4.7.5 (2024-03-14)

Bug Fixes

  • close the adapters when the server is closed (bf64870)
  • remove duplicate pipeline when serving bundle (e426f3e)

Dependencies

4.7.4 (2024-01-12)

Bug Fixes

  • typings: calling io.emit with no arguments incorrectly errored (cb6d2e0), closes #4914

Dependencies

4.7.3 (2024-01-03)

Bug Fixes

  • return the first response when broadcasting to a single socket (#4878) (df8e70f)
  • typings: allow to bind to a non-secure Http2Server (#4853) (8c9ebc3)

Dependencies

4.7.2 (2023-08-02)

... (truncated)

Commits
  • 5017681 chore(release): 4.7.5
  • bf64870 fix: close the adapters when the server is closed
  • 748e18c ci: test with older TypeScript version
  • b9ce6a2 refactor: create specific adapter for parent namespaces (#4950)
  • 54dabe5 ci: upgrade to actions/checkout@4 and actions/setup-node@4
  • e426f3e fix: remove duplicate pipeline when serving bundle
  • e36062c docs: update the webtransport example
  • 0bbe8ae docs: only execute the passport middleware once
  • 914a8bd docs: add example with JWT
  • d943c3e docs: update the Passport.js example
  • Additional commits viewable in compare view

Updates axios from 1.6.1 to 1.6.2

Release notes

Sourced from axios's releases.

Release v1.6.2

Release notes:

Features

  • withXSRFToken: added withXSRFToken option as a workaround to achieve the old withCredentials behavior; (#6046) (cff9967)

PRs

  • feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior; ( #6046 )

📢 This PR added &#x27;withXSRFToken&#x27; option as a replacement for old withCredentials behaviour. 
You should now use withXSRFToken along with withCredential to get the old behavior.
This functionality is considered as a fix.

Contributors to this release

Changelog

Sourced from axios's changelog.

1.6.2 (2023-11-14)

Features

  • withXSRFToken: added withXSRFToken option as a workaround to achieve the old withCredentials behavior; (#6046) (cff9967)

PRs

  • feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior; ( #6046 )

📢 This PR added &#x27;withXSRFToken&#x27; option as a replacement for old withCredentials behaviour. 
You should now use withXSRFToken along with withCredential to get the old behavior.
This functionality is considered as a fix.

Contributors to this release

Commits
  • b3be365 chore(release): v1.6.2 (#6082)
  • 8739acb chore(ci): removed redundant release action; (#6081)
  • bfa9c30 chore(docs): fix outdated grunt to npm scripts (#6073)
  • a2b0fb3 chore(docs): update README.md (#6048)
  • b12a608 chore(ci): removed paths-ignore filter; (#6080)
  • 0c9d886 chore(ci): reworked ignoring files logic; (#6079)
  • 30873ee chore(ci): add paths-ignore config to testing action; (#6078)
  • cff9967 feat(withXSRFToken): added withXSRFToken option as a workaround to achieve th...
  • 7009715 chore(ci): fixed release notification action; (#6064)
  • 7144f10 chore(ci): fixed release notification action; (#6063)
  • See full diff in compare view

Updates socket.io from 4.6.1 to 4.7.5

Release notes

Sourced from socket.io's releases.

4.7.5

Bug Fixes

  • close the adapters when the server is closed (bf64870)
  • remove duplicate pip...

    Description has been truncated

Bumps the npm_and_yarn group with 2 updates in the / directory: [braces](https://github.com/micromatch/braces) and [ws](https://github.com/websockets/ws).
Bumps the npm_and_yarn group with 4 updates in the /docroot/design-system directory: [braces](https://github.com/micromatch/braces), [ws](https://github.com/websockets/ws), [ejs](https://github.com/mde/ejs) and [express](https://github.com/expressjs/express).
Bumps the npm_and_yarn group with 2 updates in the /docroot/modules/custom/va_gov_graphql/assets/explorer directory: [braces](https://github.com/micromatch/braces) and [undici](https://github.com/nodejs/undici).
Bumps the npm_and_yarn group with 5 updates in the /docroot/themes/custom/vagovclaro directory:

| Package | From | To |
| --- | --- | --- |
| [braces](https://github.com/micromatch/braces) | `3.0.2` | `3.0.3` |
| [ws](https://github.com/websockets/ws) | `8.11.0` | `8.17.1` |
| [socket.io-client](https://github.com/socketio/socket.io-client) | `4.6.1` | `4.7.5` |
| [socket.io](https://github.com/socketio/socket.io) | `4.6.1` | `4.7.5` |
| [axios](https://github.com/axios/axios) | `1.6.1` | `1.6.2` |

Bumps the npm_and_yarn group with 1 update in the /scripts/cd_metrics directory: [braces](https://github.com/micromatch/braces).


Updates `braces` from 3.0.2 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

Updates `ws` from 8.13.0 to 8.18.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.13.0...8.18.0)

Updates `braces` from 3.0.2 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

Updates `ws` from 6.2.2 to 6.2.3
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.13.0...8.18.0)

Updates `ejs` from 3.1.9 to 3.1.10
- [Release notes](https://github.com/mde/ejs/releases)
- [Commits](mde/ejs@v3.1.9...v3.1.10)

Updates `express` from 4.18.2 to 4.19.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@4.18.2...4.19.2)

Updates `braces` from 3.0.2 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

Updates `undici` from 5.26.3 to 5.28.4
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v5.26.3...v5.28.4)

Updates `braces` from 3.0.2 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

Updates `ws` from 8.11.0 to 8.17.1
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.13.0...8.18.0)

Updates `socket.io-client` from 4.6.1 to 4.7.5
- [Release notes](https://github.com/socketio/socket.io-client/releases)
- [Changelog](https://github.com/socketio/socket.io-client/blob/main/CHANGELOG.md)
- [Commits](socketio/socket.io-client@4.6.1...4.7.5)

Updates `socket.io` from 4.6.1 to 4.7.5
- [Release notes](https://github.com/socketio/socket.io/releases)
- [Changelog](https://github.com/socketio/socket.io/blob/4.7.5/CHANGELOG.md)
- [Commits](socketio/socket.io@4.6.1...4.7.5)

Updates `axios` from 1.6.1 to 1.6.2
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.6.1...v1.6.2)

Updates `socket.io` from 4.6.1 to 4.7.5
- [Release notes](https://github.com/socketio/socket.io/releases)
- [Changelog](https://github.com/socketio/socket.io/blob/4.7.5/CHANGELOG.md)
- [Commits](socketio/socket.io@4.6.1...4.7.5)

Updates `braces` from 3.0.2 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: braces
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ejs
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: express
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: socket.io-client
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: socket.io
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: socket.io
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Dependabot: : Pull requests that update a dependency file Javascript Pull requests that update Javascript code labels Jul 8, 2024
@edmund-dunn
Copy link
Contributor

Closing, this work will need to be done manually.

Copy link
Contributor Author

dependabot bot commented on behalf of github Jul 18, 2024

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot bot deleted the dependabot/npm_and_yarn/npm_and_yarn-47d853ccd5 branch July 18, 2024 14:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Dependabot: : Pull requests that update a dependency file Javascript Pull requests that update Javascript code
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant