
[Snyk] Upgrade: autoprefixer, fibers, handlebars, jstransformer-handlebars, marked, metalsmith, postcss, sass, semver, strftime #287

Open · wants to merge 1 commit into base: master

Conversation

@YoYBaBy (Owner) commented Sep 17, 2024


Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

| Name | Versions | Ahead of your current version | Released on |
|---|---|---|---|
| autoprefixer | from 10.0.4 to 10.4.20 | 37 versions | a month ago (2024-08-02) |
| fibers | from 5.0.0 to 5.0.3 | 3 versions | 2 years ago (2022-08-30) |
| handlebars | from 4.7.6 to 4.7.8 | 2 versions | a year ago (2023-08-01) |
| jstransformer-handlebars | from 1.1.0 to 1.2.0 | 1 version | 3 years ago (2022-01-17) |
| marked | from 1.2.5 to 1.2.9 | 4 versions | 4 years ago (2021-02-03) |
| metalsmith | from 2.3.0 to 2.6.3 | 10 versions | 6 months ago (2024-03-05) |
| postcss | from 8.1.10 to 8.4.41 | 74 versions | a month ago (2024-08-05) |
| sass | from 1.29.0 to 1.77.8 | 141 versions | 2 months ago (2024-07-11) |
| semver | from 7.3.2 to 7.6.3 | 16 versions | 2 months ago (2024-07-16) |
| strftime | from 0.10.0 to 0.10.3 | 3 versions | 3 months ago (2024-06-12) |

Issues fixed by the recommended upgrade:

| Severity | Issue | Snyk ID | Score | Exploit Maturity |
|---|---|---|---|---|
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-ANSIREGEX-1583908 | 696 | Proof of Concept |
| high | Uncontrolled resource consumption | SNYK-JS-BRACES-6838727 | 696 | Proof of Concept |
| high | Remote Code Execution (RCE) | SNYK-JS-HANDLEBARS-1056767 | 696 | Proof of Concept |
| medium | Information Exposure | SNYK-JS-NANOID-2332193 | 696 | Proof of Concept |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-POSTCSS-1090595 | 696 | Proof of Concept |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-POSTCSS-1255640 | 696 | Proof of Concept |
| medium | Improper Input Validation | SNYK-JS-POSTCSS-5926692 | 696 | No Known Exploit |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-BROWSERSLIST-1090194 | 696 | Proof of Concept |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-GLOBPARENT-1016905 | 696 | Proof of Concept |
| medium | Prototype Pollution | SNYK-JS-HANDLEBARS-1279029 | 696 | Proof of Concept |
| medium | Missing Release of Resource after Effective Lifetime | SNYK-JS-INFLIGHT-6095116 | 696 | Proof of Concept |
Release notes
Package name: autoprefixer
  • 10.4.20 - 2024-08-02
    • Fixed fit-content prefix for Firefox.
  • 10.4.19 - 2024-03-20
    • Removed the "end value has mixed support, consider using flex-end" warning since end/start now have good support.
  • 10.4.18 - 2024-03-01
    • Fixed removing -webkit-box-orient on -webkit-line-clamp (@Goodwine).
  • 10.4.17 - 2024-01-17
    • Fixed user-select: contain prefixes.
  • 10.4.16 - 2023-09-20
  • 10.4.15 - 2023-08-13
  • 10.4.14 - 2023-03-09
    • Improved startup time and reduced JS bundle size (by @Knagis).
  • 10.4.13 - 2022-10-27
    • Fixed missed prefixes on vendor prefixes in name of CSS Custom Property.
  • 10.4.12 - 2022-09-20
    • Fixed support of unit-less zero angle in backgrounds (by @yisibl).
  • 10.4.11 - 2022-09-14
    • Fixed text-decoration prefixes by moving to MDN data (by @romainmenke).
  • 10.4.10 - 2022-09-13
  • 10.4.9 - 2022-09-11
  • 10.4.8 - 2022-07-29
  • 10.4.7 - 2022-05-02
  • 10.4.6 - 2022-05-01
  • 10.4.5 - 2022-04-23
  • 10.4.4 - 2022-03-16
  • 10.4.3 - 2022-03-15
  • 10.4.2 - 2022-01-07
  • 10.4.1 - 2021-12-29
  • 10.4.0 - 2021-10-28
  • 10.3.7 - 2021-10-04
  • 10.3.6 - 2021-09-26
  • 10.3.5 - 2021-09-22
  • 10.3.4 - 2021-09-02
  • 10.3.3 - 2021-08-26
  • 10.3.2 - 2021-08-21
  • 10.3.1 - 2021-07-12
  • 10.3.0 - 2021-07-10
  • 10.2.6 - 2021-05-26
  • 10.2.5 - 2021-03-05
  • 10.2.4 - 2021-01-29
  • 10.2.3 - 2021-01-19
  • 10.2.2 - 2021-01-19
  • 10.2.1 - 2021-01-08
  • 10.2.0 - 2021-01-06
  • 10.1.0 - 2020-12-08
  • 10.0.4 - 2020-11-27
from autoprefixer GitHub release notes
Package name: fibers
  • 5.0.3 - 2022-08-30
  • 5.0.2 - 2022-07-28

    creating tag for version 5.0.2

  • 5.0.1 - 2022-01-24

    5.0.1

  • 5.0.0 - 2020-04-22
    • Added npm binary support for node v14.x
    • Dropped npm binary support for node v10.x
    • Dropped binary support for all 32-bit platforms
from fibers GitHub release notes
Package name: handlebars from handlebars GitHub release notes
Package name: jstransformer-handlebars
  • 1.2.0 - 2022-01-17
    • Updated to Handlebars 4.7.7
    • Documented render options in readme
  • 1.1.0 - 2018-01-28

    1.1.0

from jstransformer-handlebars GitHub release notes
Package name: marked from marked GitHub release notes
Package name: metalsmith
  • 2.6.3 - 2024-03-05

    Removed

    • Drops support for Node < 14.18.0 (4 minor, deprecated versions) to be able to use 'node:' protocol imports b170cf0

    Updated

    • Updated README.md code samples, links, and troubleshooting section
    • Dependencies: 774a164
      • chokidar: 3.5.3 ▶︎ 3.6.0

    Fixed

    • Fixes ms.watch(false) unreliable behavior when the build errors. 0d8d791
  • 2.6.2 - 2023-11-15
    • TS fixes: add generic to Metalsmith.File, bring back Metalsmith.DoneCallback, add Metalsmith.Plugin promise signature 3ae6275
    • #394 Avoid leaking unhandled rejections in build/watch promises. cac48fc, 5b48dce
    • Fix a typo in CLI help message 642a176
  • 2.6.1 - 2023-07-11
    • 34239d9 Documents metalsmith.watch() getter signature in TS
    • a719025 Normalizes ms.watch().paths to an array, allows access to a subset of chokidar options as advertised
    • 5a516b2 Sets chokidar watchOption awaitWriteFinish to false, and batch timer to 0 to speed up watching
    • 23b0944 Fixes #389: ensure not missing watcher ready event to successfully launch build
    • 05265ce Fixes formatting issue in types JSdoc comments
  • 2.6.0 - 2023-05-29

    Added

    • [#356] Added Typescript support 58d22a3
    • Added --debug and --dry-run options to metalsmith (build) command 2d84fbe
    • Added --env option to metalsmith (build) command 9661ddc
    • Added Metalsmith CLI support for loading a .(c)js config. Reads from metalsmith.js as second default after metalsmith.json 45a4afe
    • Added support for running (C/M)JS config files from CLI 424e6ec
    • Dependencies:

    Removed

    • #231 Dropped support for Node < 14.14.0 80d8508
    • Dependencies:
      • rimraf: replaced with native Node.js methods ae05945
      • cross-spawn: baee1de

    Updated

    • Modernized Metalsmith CLI, prepared transition to imports instead of require 24fcffb 4929bc2
    • Dependencies:

    Fixed

    • Fixes a duplicate empty input check in metalsmith.match 60e173a
    • Gray-matter excerpts are removed from contents instead of being duplicated to the excerpt property 2bfe800
    • Gray-matter excerpts are trimmed acb363e

    Full Changelog: v2.5.1...v2.6.0

  • 2.5.1 - 2022-10-07
    • Dependencies: 774a164
      • debug: 4.3.3 ▶︎ 4.3.4
    • Clarified semver policy in README.md
    • Added SECURITY.md

    Fixed

    • Fixes #373: do not crash when postinstall script fails in specific environments
  • 2.5.0 - 2022-06-10

    Important note to metalsmith-watch users:
    Although 2.5.0 is a semver-minor release, it breaks compatibility with metalsmith-watch, which relies on the Metalsmith < 2.4.x private method signature using the outdated unyield package. See issue #374 for more details.

    Added

    • #354 Added Metalsmith#env method. Supports passing DEBUG and DEBUG_LOG amongst others. Sets CLI: true when run from the metalsmith CLI. b42df8c, 446c676, 33d936b, 4c483a3
    • #356 Added Metalsmith#debug method for creating plugin debuggers
    • #362 Upgraded all generator-based methods (Metalsmith#read,Metalsmith#readFile,Metalsmith#write,Metalsmith#writeFile, Metalsmith#run and Metalsmith#process) to dual callback-/ promise-based methods 16a91c5, faf6ab6, 6cb6229
    • Added org migration notification to postinstall script to encourage users to upgrade 3a11a24

    Removed

    • #231 Dropped support for Node < 12 0a53007
    • Dependencies:
      • thunkify: replaced with promise-based implementation faf6ab6
      • unyield replaced with promise-based implementation faf6ab6
      • co-fs-extra: replaced with native Node.js methods faf6ab6
      • chalk: not necessary for the few colors used by Metalsmith CLI 1dae1cb
      • clone: see #247 a871af6

    Updated

    • Restructured and updated README.md 0da0c4d
    • #247 Calling Metalsmith#metadata no longer clones the object passed to it, overwriting the previous metadata, but merges it into existing metadata.

    Fixed

    • #355 Proper path resolution for edge-cases using CLI, running metalsmith from outside or subfolder of metalsmith.directory() 5d75539
  • 2.4.3 - 2022-05-16

    Updated

    • Dependencies: 774a164
      • micromatch: 4.0.4 ▶︎ 4.0.5
    • Updated README.md

    Fixed

  • 2.4.2 - 2022-02-13

    Updated

    • Dependencies: af9dec0
      • chalk: 3.0.0 ▶︎ 4.1.2
    • Updated README.md

    Fixed

    • Fixed Metalsmith JSDoc type hints in VS code ebf82f4
  • 2.4.1 - 2022-01-31

    Fixed

    Bugfix: include index.js in package.json files

    Unfortunately release 2.4.0 missed the index.js file and was only usable by doing require('metalsmith/lib'). For this reason the release notes from 2.4.0 are re-included below:

    Added

    • #338 Added Metalsmith#match method. Plugins no longer need to require a matching library 705c4bb, f01c724
    • #358 Added TS-style JSdocs 828b17e
    • Use native fs.rm instead of rimraf when available (Node 14.4+) fcbb76e, 66e4376
    • #226 Allow passing a gray-matter options object to Metalsmith#frontmatter a6438d2
    • Modernized dev setup ef7b781
    • Added 8 new tests (match method, front-matter options, path & symbolic link handling)
    • Files object file paths are now guaranteed to be sorted alphabetically. 4eb1184
    • #211 Metalsmith#build now returns a promise which you can attach a then/catch to or await. The build callback model is still available. 6d5a42d

    Removed

    Updated

    • Dependencies: 75e6878

      • chalk: 1.1.3 ▶︎ 3.0.0
      • gray-matter: 2.0.0 ▶︎ 4.0.3
      • stat-mode: 0.2.0 ▶︎ 1.0.0
      • rimraf: 2.2.8 ▶︎ 3.0.2
      • ware: 1.2.0 ▶︎ 1.3.0
      • commander (used in CLI): 2.15.1 ▶︎ 6.2.1
      • win-fork (used in CLI): replaced with cross-spawn:7.0.3
    • Updated CHANGELOG.md format to follow “Keep A Changelog” (#266) (@Zearin)

    Fixed

    • #206 Metalsmith#ignore now only matches paths relative to Metalsmith#source (as it should). See linked issue for details 4eb1184
    • #226 Metalsmith will no longer 'swallow' errors on invalid front-matter, they will be passed to Metalsmith#build a6438d2
    • Fix test error on Windows #158 (@moozzyk)
    • #281 Metalsmith now properly handles symbolic links (will throw an ENOENT error or they can be Metalsmith#ignore'd) 4eb1184
    • #178 Metalsmith#ignore now removes the matched files before they are statted for glob-based ignores (saving some perf & potential errors).
    • #295 Metalsmith now catches all FS errors and passes them to the build callback/ thenable appropriately.

    Security

    • Replace all occurrences of new Buffer with Buffer.from

    npm audit vulnerability fixes

    • Development Dependencies:
      • coveralls: 2.11.6 ▶︎ 3.0.1 (#308) (@Zearin)
        Fix 5 “Moderate” vulnerabilities
      • metalsmith-markdown: 0.2.1 ▶︎ 0.2.2 (#312) (@Zearin)
        Fix 1 “Low” vulnerability
  • 2.4.0 - 2022-01-31

    Unfortunately this release missed the index.js file and is only usable by doing require('metalsmith/lib'). This has quickly been fixed in 2.4.1 and the release notes ported to it

    Added

    • #338 Added Metalsmith#match method. Plugins no longer need to require a matching library 705c4bb, f01c724
    • #358 Added TS-style JSdocs 828b17e
    • Use native fs.rm instead of rimraf when available (Node 14.4+) fcbb76e, 66e4376
    • #226 Allow passing a gray-matter options object to Metalsmith#frontmatter a6438d2
    • Modernized dev setup ef7b781
    • Added 8 new tests (match method, front-matter options, path & symbolic link handling)
    • Files object file paths are now guaranteed to be sorted alphabetically. 4eb1184
    • #211 Metalsmith#build now returns a promise which you can attach a then/catch to or await. The build callback model is still available. 6d5a42d

    Removed

    Updated

    • Dependencies: 75e6878

      • chalk: 1.1.3 ▶︎ 3.0.0
      • gray-matter: 2.0.0 ▶︎ 4.0.3
      • stat-mode: 0.2.0 ▶︎ 1.0.0
      • rimraf: 2.2.8 ▶︎ 3.0.2
      • ware: 1.2.0 ▶︎ 1.3.0
      • commander (used in CLI): 2.15.1 ▶︎ 6.2.1
      • win-fork (used in CLI): replaced with cross-spawn:7.0.3
    • Updated CHANGELOG.md format to follow “Keep A Changelog” (#266) (@Zearin)

    Fixed

    • #206 Metalsmith#ignore now only matches paths relative to Metalsmith#source (as it should). See linked issue for details 4eb1184
    • #226 Metalsmith will no longer 'swallow' errors on invalid front-matter, they will be passed to Metalsmith#build a6438d2
    • Fix test error on Windows #158 (@moozzyk)
    • #281 Metalsmith now properly handles symbolic links (will throw an ENOENT error or they can be Metalsmith#ignore'd) 4eb1184
    • #178 Metalsmith#ignore now removes the matched files before they are statted for glob-based ignores (saving some perf & potential errors).
    • #295 Metalsmith now catches all FS errors and passes them to the build callback/ thenable appropriately.

    Security

    • Replace all occurrences of new Buffer with Buffer.from

    npm audit vulnerability fixes

    • Development Dependencies:
      • coveralls: 2.11.6 ▶︎ 3.0.1 (#308) (@Zearin)
        Fix 5 “Moderate” vulnerabilities
      • metalsmith-markdown: 0.2.1 ▶︎ 0.2.2 (#312) (@Zearin)
        Fix 1 “Low” vulnerability
  • 2.3.0 - 2016-10-28
from metalsmith GitHub release notes
Package name: postcss
  • 8.4.41 - 2024-08-05
  • 8.4.40 - 2024-07-24
    • Moved to getter/setter in nodes types to help Sass team (by @nex3).
  • 8.4.39 - 2024-06-29
  • 8.4.38 - 2024-03-20
  • 8.4.37 - 2024-03-19
  • 8.4.36 - 2024-03-17
  • 8.4.35 - 2024-02-07
  • 8.4.34 - 2024-02-05
  • 8.4.33 - 2024-01-04
  • 8.4.32 - 2023-12-02
  • 8.4.31 - 2023-09-28
  • 8.4.30 - 2023-09-18
  • 8.4.29 - 2023-08-29
  • 8.4.28 - 2023-08-15
  • 8.4.27 - 2023-07-21
  • 8.4.26 - 2023-07-13
  • 8.4.25 - 2023-07-06
  • 8.4.24 - 2023-05-28
  • 8.4.23 - 2023-04-19
  • 8.4.22 - 2023-04-16
  • 8.4.21 - 2023-01-06
  • 8.4.20 - 2022-12-11
  • 8.4.19 - 2022-11-10
  • 8.4.18 - 2022-10-12
  • 8.4.17 - 2022-09-30
  • 8.4.16 - 2022-08-06
  • 8.4.15 - 2022-08-06
  • 8.4.14 - 2022-05-18
  • 8.4.13 - 2022-04-30
  • 8.4.12 - 2022-03-16
  • 8.4.11 - 2022-03-15
  • 8.4.10 - 2022-03-15
  • 8.4.9 - 2022-03-15
  • 8.4.8 - 2022-03-07
  • 8.4.7 - 2022-02-24
  • 8.4.6 - 2022-02-01
  • 8.4.5 - 2021-12-13
  • 8.4.4 - 2021-11-27
  • 8.4.3 - 2021-11-26
  • 8.4.2 - 2021-11-26
  • 8.4.1 - 2021-11-24
  • 8.4.0 - 2021-11-24
  • 8.3.11 - 2021-10-21
  • 8.3.10 - 2021-10-20
  • 8.3.9 - 2021-10-04
  • 8.3.8 - 2021-09-25
  • 8.3.7 - 2021-09-22
  • 8.3.6 - 2021-07-21
  • 8.3.5 - 2021-06-17
  • 8.3.4 - 2021-06-14
  • 8.3.3 - 2021-06-14
  • 8.3.2 - 2021-06-11
  • 8.3.1 - 2021-06-09
  • 8.3.0 - 2021-05-21
  • 8.2.15 - 2021-05-10
  • 8.2.14 - 2021-05-05
  • 8.2.13 - 2021-04-26
  • 8.2.12 - 2021-04-22
  • 8.2.11 - 2021-04-22
  • 8.2.10 - 2021-04-11
  • 8.2.9 - 2021-03-30
  • 8.2.8 - 2021-03-09
  • 8.2.7 - 2021-03-03
  • 8.2.6 - 2021-02-10
  • 8.2.5 - 2021-02-06
  • 8.2.4 - 2021-01-09
  • 8.2.3 - 2021-01-07
  • 8.2.2 - 2020-12-29
  • 8.2.1 - 2020-12-09
  • 8.2.0 - 2020-12-08
  • 8.1.14 - 2020-12-04
  • 8.1.13 - 2020-12-03
  • 8.1.12 - 2020-12-03
  • 8.1.11 - 2020-12-03
  • 8.1.10 - 2020-11-23
from postcss GitHub release notes
Package name: sass
  • 1.77.8 - 2024-07-11

    To install Sass 1.77.8, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

    Changes

    • No user-visible changes.

    See the full changelog for changes in earlier releases.

  • 1.77.7 - 2024-07-09

    See sass/sass#3885

  • 1.77.6 - 2024-06-17

    …264)

  • 1.77.5 - 2024-06-11

    To install Sass 1.77.5, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

    Changes

    • Fully trim redundant selectors generated by @extend.

    See the full changelog for changes in earlier releases.

  • 1.77.4 - 2024-05-30

    To install Sass 1.77.4, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

    Changes

    Embedded Sass

    • Support passing Version input for fatalDeprecations as string over embedded protocol.

    • Fix a bug in the JS Embedded Host where Version could be incorrectly accepted as input for silenceDeprecations and futureDeprecations in pure JS.

    See the full changelog for changes in earlier releases.

  • 1.77.3 - 2024-05-29
  • 1.77.2 - 2024-05-16
  • 1.77.1 - 2024-05-10
  • 1.77.0 - 2024-05-07
  • 1.76.0 - 2024-04-30
  • 1.75.0 - 2024-04-11
  • 1.74.1 - 2024-04-04
  • 1.72.0 - 2024-03-13
  • 1.71.1 - 2024-02-21
  • 1.71.0 - 2024-02-16
  • 1.70.0 - 2024-01-18
  • 1.69.7 - 2024-01-02
  • 1.69.6 - 2023-12-28
  • 1.69.5 - 2023-10-26
  • 1.69.4 - 2023-10-17
  • 1.69.3 - 2023-10-12
  • 1.69.2 - 2023-10-10
  • 1.69.1 - 2023-10-09
  • 1.69.0 - 2023-10-05
  • 1.68.0 - 2023-09-21
  • 1.67.0 - 2023-09-14
  • 1.66.1 - 2023-08-18
  • 1.66.0 - 2023-08-17
  • 1.65.1 - 2023-08-09
  • 1.65.0 - 2023-08-09
  • 1.64.2 - 2023-07-31
  • 1.64.1 - 2023-07-22
  • 1.64.0 - 2023-07-20
  • 1.63.6 - 2023-06-21
  • 1.63.5 - 2023-06-21
  • 1.63.4 - 2023-06-14
  • 1.63.3 - 2023-06-09
  • 1.63.2 - 2023-06-08
  • 1.63...

Snyk has created this PR to upgrade:
  - autoprefixer from 10.0.4 to 10.4.20.
    See this package in npm: https://www.npmjs.com/package/autoprefixer
  - fibers from 5.0.0 to 5.0.3.
    See this package in npm: https://www.npmjs.com/package/fibers
  - handlebars from 4.7.6 to 4.7.8.
    See this package in npm: https://www.npmjs.com/package/handlebars
  - jstransformer-handlebars from 1.1.0 to 1.2.0.
    See this package in npm: https://www.npmjs.com/package/jstransformer-handlebars
  - marked from 1.2.5 to 1.2.9.
    See this package in npm: https://www.npmjs.com/package/marked
  - metalsmith from 2.3.0 to 2.6.3.
    See this package in npm: https://www.npmjs.com/package/metalsmith
  - postcss from 8.1.10 to 8.4.41.
    See this package in npm: https://www.npmjs.com/package/postcss
  - sass from 1.29.0 to 1.77.8.
    See this package in npm: https://www.npmjs.com/package/sass
  - semver from 7.3.2 to 7.6.3.
    See this package in npm: https://www.npmjs.com/package/semver
  - strftime from 0.10.0 to 0.10.3.
    See this package in npm: https://www.npmjs.com/package/strftime

See this project in Snyk:
https://app.snyk.io/org/bvbvyoy-9ml/project/44763e79-c555-468b-b8d6-fbe64cd671f6?utm_source=github&utm_medium=referral&page=upgrade-pr
Labels: None yet · Projects: None yet · 2 participants