Skip to content

chore(deps): bump the npm_and_yarn group across 1 directory with 5 updates#13

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-f58166136e
Open

chore(deps): bump the npm_and_yarn group across 1 directory with 5 updates#13
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-f58166136e

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jul 22, 2024

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package From To
vite 5.0.13 5.1.7
jose 5.2.4 5.3.0
@grpc/grpc-js 1.9.12 1.9.15
braces 3.0.2 3.0.3
ws 8.14.2 8.18.0

Updates vite from 5.0.13 to 5.1.7

Release notes

Sourced from vite's releases.

create-vite@5.1.0

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.1.7 (2024-03-24)

5.1.6 (2024-03-11)

  • chore(deps): update all non-major dependencies (#16131) (a862ecb), closes #16131
  • fix: check for publicDir before checking if it is a parent directory (#16046) (b6fb323), closes #16046
  • fix: escape single quote when relative base is used (#16060) (8f74ce4), closes #16060
  • fix: handle function property extension in namespace import (#16113) (f699194), closes #16113
  • fix: server middleware mode resolve (#16122) (8403546), closes #16122
  • fix(esbuild): update tsconfck to fix bug that could cause a deadlock (#16124) (fd9de04), closes #16124
  • fix(worker): hide "The emitted file overwrites" warning if the content is same (#16094) (60dfa9e), closes #16094
  • fix(worker): throw error when circular worker import is detected and support self referencing worker (eef9da1), closes #16103
  • style(utils): remove null check (#16112) (0d2df52), closes #16112
  • refactor(runtime): share more code between runtime and main bundle (#16063) (93be84e), closes #16063

5.1.5 (2024-03-04)

5.1.4 (2024-02-21)

... (truncated)

Commits
  • e710c2f release: v5.1.7
  • 5a056dd fix: fs.deny with globs with directories (#16250)
  • 6f7466e release: v5.1.6
  • a862ecb chore(deps): update all non-major dependencies (#16131)
  • 8403546 fix: server middleware mode resolve (#16122)
  • b6fb323 fix: check for publicDir before checking if it is a parent directory (#16046)
  • fd9de04 fix(esbuild): update tsconfck to fix bug that could cause a deadlock (#16124)
  • f699194 fix: handle function property extension in namespace import (#16113)
  • 0d2df52 style(utils): remove null check (#16112)
  • eef9da1 fix(worker): throw error when circular worker import is detected and support ...
  • Additional commits viewable in compare view

Updates jose from 5.2.4 to 5.3.0

Release notes

Sourced from jose's releases.

v5.3.0

Features

  • allow observing remote JWKS resolver state and its manual reload (fa8b639)

Refactor

  • if should not be the only statement in else blocks (a6b716b)
Changelog

Sourced from jose's changelog.

5.3.0 (2024-05-10)

Features

  • allow observing remote JWKS resolver state and its manual reload (fa8b639)

Refactor

  • if should not be the only statement in else blocks (a6b716b)
Commits
  • f126d36 chore(release): 5.3.0
  • fa8b639 feat: allow observing remote JWKS resolver state and its manual reload
  • 2595451 chore: bump dev deps
  • fd46e2c chore: bump dev deps
  • a6b716b refactor: if should not be the only statement in else blocks
  • 96b15a9 chore: bump dev deps
  • a0fc293 chore: bump dev deps
  • 9199481 chore: bump dev deps
  • adc0f69 chore: cleanup after release
  • See full diff in compare view

Updates @grpc/grpc-js from 1.9.12 to 1.9.15

Release notes

Sourced from @​grpc/grpc-js's releases.

@​grpc/grpc-js 1.9.15

  • Avoid buffering significantly more than grpc.max_receive_message_size per received message.

@​grpc/grpc-js 1.9.14

  • Fix a bug that could rarely cause connection leaks (#2644)
  • Fix a bug that could cause clients to go IDLE incorrectly some time after calling waitForReady (#2643)

@​grpc/grpc-js 1.9.13

  • Fix a bug that could cause the Node process to close early when establishing a connection while a request is pending (#2626)
Commits
  • 08b0422 Merge pull request from GHSA-7v5v-9h63-cj86
  • c75e048 grpc-js: Bump to 1.9.15
  • d5d62b4 grpc-js: Avoid buffering significantly more than max_receive_message_size per...
  • 02d0344 Merge pull request #2741 from sergiitk/backport-1.9-psm-interop-common-prod-t...
  • cf14020 Merge pull request #2729 from sergiitk/psm-interop-common-prod-tests
  • da44229 Merge pull request #2738 from murgatroid99/backport-1.9-grpc-js_linkify-it_fix
  • 5ae7c8c Merge pull request #2735 from murgatroid99/grpc-js_linkify-it_fix
  • eed21ba Merge pull request #2714 from sergiitk/backport-1.9-psm-interop-pkg-dev
  • 63763a4 Merge pull request #2712 from sergiitk/psm-interop-pkg-dev
  • 5be83dd Merge pull request #2643 from murgatroid99/grpc-js_idle_timer_fix
  • Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

Updates ws from 8.14.2 to 8.18.0

Release notes

Sourced from ws's releases.

8.18.0

Features

  • Added support for Blob (#2229).

8.17.1

Bug fixes

  • Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

... (truncated)

Commits
  • 976c53c [dist] 8.18.0
  • 59b9629 [feature] Add support for Blob (#2229)
  • 0d1b5e6 [security] Use more descriptive text for 2017 vulnerability link
  • 15f11a0 [security] Add new DoS vulnerability to SECURITY.md
  • 3c56601 [dist] 8.17.1
  • e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
  • 6a00029 [test] Increase code coverage
  • ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
  • b73b118 [dist] 8.17.0
  • 29694a5 [test] Use the highWaterMark variable
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump the npm_and_yarn group across 1 directory with 5 up…
1c2dbd9 
…dates

Bumps the npm_and_yarn group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `5.0.13` | `5.1.7` |
| [jose](https://github.com/panva/jose) | `5.2.4` | `5.3.0` |
| [@grpc/grpc-js](https://github.com/grpc/grpc-node) | `1.9.12` | `1.9.15` |
| [braces](https://github.com/micromatch/braces) | `3.0.2` | `3.0.3` |
| [ws](https://github.com/websockets/ws) | `8.14.2` | `8.18.0` |



Updates `vite` from 5.0.13 to 5.1.7
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v5.1.7/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v5.1.7/packages/vite)

Updates `jose` from 5.2.4 to 5.3.0
- [Release notes](https://github.com/panva/jose/releases)
- [Changelog](https://github.com/panva/jose/blob/main/CHANGELOG.md)
- [Commits](panva/jose@v5.2.4...v5.3.0)

Updates `@grpc/grpc-js` from 1.9.12 to 1.9.15
- [Release notes](https://github.com/grpc/grpc-node/releases)
- [Commits](https://github.com/grpc/grpc-node/compare/@grpc/grpc-js@1.9.12...@grpc/grpc-js@1.9.15)

Updates `braces` from 3.0.2 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

Updates `ws` from 8.14.2 to 8.18.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.14.2...8.18.0)

---
updated-dependencies:
- dependency-name: vite
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: jose
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@grpc/grpc-js"
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Jul 22, 2024
@netlify
Copy link

netlify bot commented Jul 22, 2024
edited
Loading

Deploy Preview for shashwatasaha ready!

Name Link
🔨 Latest commit 1c2dbd9
🔍 Latest deploy log https://app.netlify.com/sites/shashwatasaha/deploys/669e8f402eddd50008201709
😎 Deploy Preview https://deploy-preview-13--shashwatasaha.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants