
[Snyk] Upgrade: @elementor/editor-editing-panel, @wordpress/dom-ready, @wordpress/element, @wordpress/components, core-js, acorn, dompurify, grunt-cli, mixpanel-browser, react-avatar-editor, react-draggable, validator #1

Merged 1 commit on Sep 14, 2024

Conversation

organich (Owner)


Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name | Versions | Released on
@elementor/editor-editing-panel | from 0.13.0 to 0.14.0 (1 version ahead of your current version) | 2024-08-22 (22 days ago)
@wordpress/dom-ready | from 3.56.0 to 3.58.0 (2 versions ahead of your current version) | 2024-05-16 (4 months ago)
@wordpress/element | from 5.33.0 to 5.35.0 (2 versions ahead of your current version) | 2024-05-16 (4 months ago)
@wordpress/components | from 27.4.0 to 27.6.0 (2 versions ahead of your current version) | 2024-05-16 (4 months ago)
core-js | from 3.32.0 to 3.38.1 (15 versions ahead of your current version) | 2024-08-20 (24 days ago)
acorn | from 8.10.0 to 8.12.1 (6 versions ahead of your current version) | 2024-07-03 (2 months ago)
dompurify | from 3.0.10 to 3.1.6 (8 versions ahead of your current version) | 2024-07-05 (2 months ago)
grunt-cli | from 1.4.3 to 1.5.0 (1 version ahead of your current version) | 2024-07-20 (2 months ago)
mixpanel-browser | from 2.50.0 to 2.55.0 (6 versions ahead of your current version) | 2024-08-02 (a month ago)
react-avatar-editor | from 13.0.0 to 13.0.2 (2 versions ahead of your current version) | 2023-12-20 (9 months ago)
react-draggable | from 4.4.5 to 4.4.6 (1 version ahead of your current version) | 2023-09-27 (a year ago)
validator | from 13.11.0 to 13.12.0 (1 version ahead of your current version) | 2024-05-09 (4 months ago)

Issues fixed by the recommended upgrade:

Issue | Score | Exploit Maturity
Template Injection (medium severity), SNYK-JS-DOMPURIFY-6474511 | 586 | Proof of Concept
Improper Input Validation (medium severity), SNYK-JS-POSTCSS-5926692 | 586 | No Known Exploit
Release notes
Package name: @wordpress/dom-ready
  • 3.58.0 - 2024-05-16
  • 3.57.0 - 2024-05-02
  • 3.56.0 - 2024-04-19
from @wordpress/dom-ready GitHub release notes
Package name: @wordpress/element
  • 5.35.0 - 2024-05-16
  • 5.34.0 - 2024-05-02
  • 5.33.0 - 2024-04-19
from @wordpress/element GitHub release notes
Package name: @wordpress/components
  • 27.6.0 - 2024-05-16
  • 27.5.0 - 2024-05-02
  • 27.4.0 - 2024-04-19
from @wordpress/components GitHub release notes
Package name: core-js (from core-js GitHub release notes)
Package name: acorn
  • 8.12.1 - 2024-07-03

    Bug fixes

    Fix a regression that caused Acorn to no longer run on Node versions <8.10.

  • 8.12.0 - 2024-06-14

    New features

    Support ES2025 duplicate capture group names in regular expressions.

    Bug fixes

    Include VariableDeclarator in the AnyNode type so that walker objects can refer to it without getting a type error.

    Properly raise a parse error for invalid for/of statements using async as binding name.

    Properly recognize "use strict" when preceded by a string with an escaped newline.

    Mark the Parser constructor as protected, not private, so plugins can extend it without type errors.

    Fix a bug where some invalid delete expressions were let through when the operand was parenthesized and preserveParens was enabled.

    Properly normalize line endings in raw strings of invalid template tokens.

    Properly track line numbers for escaped newlines in strings.

    Fix a bug that broke line number accounting after a template literal with invalid escape sequences.

  • 8.11.3 - 2023-12-29

    Bug fixes

    Add Function and Class to the AggregateType type, so that they can be used in walkers without raising a type error.

    Make sure onToken get an import keyword token when parsing import.meta.

    Fix a bug where .loc.start could be undefined for new.target meta nodes.

  • 8.11.2 - 2023-10-27

    Bug fixes

    Fix a bug that caused regular expressions after colon tokens to not be properly tokenized in some circumstances.

  • 8.11.1 - 2023-10-26

    Bug fixes

    Fix a regression where onToken would receive 'name' tokens for 'new' keyword tokens.

  • 8.11.0 - 2023-10-26

    Bug fixes

    Fix an issue where tokenizing (without parsing) an object literal with a property named class or function could, in some circumstance, put the tokenizer into an invalid state.

    Fix an issue where a slash after a call to a property named the same as some keywords would be tokenized as a regular expression.

    New features

    Upgrade to Unicode 15.1.

    Use a set of new, much more precise, TypeScript types.

  • 8.10.0 - 2023-07-05

    New features

    Add a checkPrivateFields option that disables strict checking of private property use.

from acorn GitHub release notes
Package name: dompurify
  • 3.1.6 - 2024-07-05
    • Fixed an issue with the execution logic of attribute hooks to prevent bypasses, thanks @kevin-mizu
    • Fixed an issue with element removal leading to uncaught errors through DOM Clobbering, thanks @realansgar
    • Fixed a minor problem with the bower file pointing to the wrong dist path
    • Fixed several minor typos in docs, comments and comment blocks, thanks @Rotzbua
    • Updated several development dependencies
  • 3.1.5 - 2024-05-31
    • Fixed a minor issue with the dist paths in bower.js, thanks @HakumenNC
    • Fixed a minor issue with sanitizing HTML coming from copy&paste Word content, thanks @kakao-bishop-cho
  • 3.1.4 - 2024-05-20
    • Fixed an issue with the recently implemented isNaN checks, thanks @tulach
    • Added several new popover attributes to allow-list, thanks @Gigabyte5671
    • Fixed the tests and adjusted the test runner to cover all branches
  • 3.1.3 - 2024-05-11
    • Fixed several mXSS variations found by and thanks to @kevin-mizu & @Ry0taK
    • Added better configurability for comment scrubbing default behavior
    • Added better hardening against Prototype Pollution attacks, thanks @kevin-mizu
    • Added better handling and readability of the nodeType property, thanks @ssi02014
    • Fixed some smaller issues in README and other documentation
  • 3.1.2 - 2024-04-30
    • Addressed and fixed a mXSS variation found by @kevin-mizu
    • Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
    • Updated tests for older Safari and Chrome versions
  • 3.1.1 - 2024-04-26
  • 3.1.0 - 2024-04-07
  • 3.0.11 - 2024-03-21
  • 3.0.10 - 2024-03-19
from dompurify GitHub release notes
Package name: grunt-cli (from grunt-cli GitHub release notes)
Package name: mixpanel-browser
  • 2.55.0 - 2024-08-02

    rebuild 2.55.0

  • 2.54.1 - 2024-07-30

    2.54.1

  • 2.54.0 - 2024-07-23

    The SDK is now provided in several new builds with different options around included modules and asynchronous loading:

    1. Core mixpanel build with bundled mixpanel-recorder session-recording module (default):
       import mixpanel from 'mixpanel-browser';

    2. Core mixpanel build that optionally loads mixpanel-recorder asynchronously via script tag (previous default):
       import mixpanel from 'mixpanel-browser/src/loaders/loader-module-with-async-recorder';

    3. Core mixpanel build only (no session recording available):
       import mixpanel from 'mixpanel-browser/src/loaders/loader-module-core';


    This release also includes updates and improvements to the session recording module:

    • Improved reliability via integration with the main SDK's network batching/retry system
    • Inactivity timeouts are now determined by user interaction events
    • New configuration options enable inlining of images and fonts into recording payloads:
    mixpanel.init(`my token`, {
      record_sessions_percent: 5,
      record_collect_fonts: true,
      record_inline_images: true,
    });

    NOTE: with image-inlining turned on, image-intensive pages may increase payload size significantly and possibly surpass the API server's request size limit.

  • 2.53.0 - 2024-06-21
    • Network payload format for session recording batches has changed, including client-side compression on browsers which support it
    • Google Tag Manager wrapper now includes session-recording start/stop methods
  • 2.52.0 - 2024-06-07

    This release reverts the UTM param persistence change introduced in v2.51.0, to minimize disruption for older implementations. UTM parameters will be persisted by default in super property storage when the SDK finds them on pageload. To opt in to the recommended modern behavior, use initialization option {stop_utm_persistence: true}.

  • 2.51.0 - 2024-05-30
    • UTM parameters are no longer persisted as superproperties by default. Mixpanel analyses now have attribution support that does not require client-side persistence of these properties. To opt in to the previous behavior, use initialization option {stop_utm_persistence: false}.
    • localStorage->cookie migration support: when switching an implementation from localStorage persistence to cookie persistence (to support cross-subdomain tracking), the SDK will now automatically copy any existing superproperties from localStorage into the new superprop cookie. This migration behavior already existed in the opposite direction (going from cookie to localStorage).
    • The initialization options record_block_class, record_block_selector, and record_mask_text_class offer finer-grained control over elements to block in session recording, and provide stricter defaults.
    • New method mixpanel.get_session_recording_properties() exposes Replay ID property for tagging events controlled by other client-side SDKs such as Segment or mParticle.
  • 2.50.0 - 2024-04-29
    No content.
from mixpanel-browser GitHub release notes
Package name: react-avatar-editor (from react-avatar-editor GitHub release notes)
Package name: react-draggable (from react-draggable GitHub release notes)
Package name: validator

Snyk has created this PR to upgrade:
  - @elementor/editor-editing-panel from 0.13.0 to 0.14.0.
    See this package in npm: https://www.npmjs.com/package/@elementor/editor-editing-panel
  - @wordpress/dom-ready from 3.56.0 to 3.58.0.
    See this package in npm: https://www.npmjs.com/package/@wordpress/dom-ready
  - @wordpress/element from 5.33.0 to 5.35.0.
    See this package in npm: https://www.npmjs.com/package/@wordpress/element
  - @wordpress/components from 27.4.0 to 27.6.0.
    See this package in npm: https://www.npmjs.com/package/@wordpress/components
  - core-js from 3.32.0 to 3.38.1.
    See this package in npm: https://www.npmjs.com/package/core-js
  - acorn from 8.10.0 to 8.12.1.
    See this package in npm: https://www.npmjs.com/package/acorn
  - dompurify from 3.0.10 to 3.1.6.
    See this package in npm: https://www.npmjs.com/package/dompurify
  - grunt-cli from 1.4.3 to 1.5.0.
    See this package in npm: https://www.npmjs.com/package/grunt-cli
  - mixpanel-browser from 2.50.0 to 2.55.0.
    See this package in npm: https://www.npmjs.com/package/mixpanel-browser
  - react-avatar-editor from 13.0.0 to 13.0.2.
    See this package in npm: https://www.npmjs.com/package/react-avatar-editor
  - react-draggable from 4.4.5 to 4.4.6.
    See this package in npm: https://www.npmjs.com/package/react-draggable
  - validator from 13.11.0 to 13.12.0.
    See this package in npm: https://www.npmjs.com/package/validator

See this project in Snyk:
https://app.snyk.io/org/organich/project/51205114-2bef-45f2-b640-08b2e2e824eb?utm_source=github&utm_medium=referral&page=upgrade-pr
@organich organich merged commit 3aba63f into main Sep 14, 2024
22 checks passed