@dependabot dependabot bot commented on behalf of github Jun 19, 2024

Bumps the npm_and_yarn group with 3 updates in the /coder-base directory: express, mustache and socket.io.
Bumps the npm_and_yarn group with 4 updates in the /raspbian-addons/home/coder/coder-dist/coder-base directory: express, mustache, socket.io and bcrypt.

Updates express from 3.1.0 to 4.19.2

Release notes

Sourced from express's releases.

4.19.2

What's Changed

Full Changelog: expressjs/express@4.19.1...4.19.2

4.19.1

What's Changed

Full Changelog: expressjs/express@4.19.0...4.19.1

4.19.0

What's Changed

New Contributors

Full Changelog: expressjs/express@4.18.3...4.19.0

4.18.3

Main Changes

Other Changes

... (truncated)

Changelog

Sourced from express's changelog.

4.19.2 / 2024-03-25

  • Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

  • Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

4.18.3 / 2024-02-29

4.18.2 / 2022-10-08

4.18.1 / 2022-04-29

  • Fix hanging on large stack of sync routes

4.18.0 / 2022-04-25

  • Add "root" option to res.download
  • Allow options without filename in res.download
  • Deprecate string and non-integer arguments to res.status
  • Fix behavior of null/undefined as maxAge in res.cookie
  • Fix handling very large stacks of sync middleware
  • Ignore Object.prototype values in settings through app.set/app.get

... (truncated)

Commits
  • 04bc627 4.19.2
  • da4d763 Improved fix for open redirect allow list bypass
  • 4f0f6cc 4.19.1
  • a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
  • a1fa90f fixed un-edited version in history.md for 4.19.0
  • 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
  • 084e365 4.19.0
  • 0867302 Prevent open redirect allow list bypass due to encodeurl
  • 567c9c6 Add note on how to update docs for new release (#5541)
  • 69a4cf2 deps: [email protected]
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.


Updates mustache from 0.7.2 to 2.2.1

Release notes

Sourced from mustache's releases.

v2.2.1

Fixes

v2.2.0

Added

Changed

Fixes

  • Fix README spelling error to "aforementioned", by @​djchie.
  • Equal error message test in .render() for server and browser, by @​phillipj.

Dependencies

  • chai -> 3.3.0
  • eslint -> 1.6.0

v2.1.3

Added

  • Throw error when providing .render() with invalid template type, by @​phillipj.
  • Documents use of string literals containing double quotes, by @​jfmercer.

Changed

Fixed

  • Update UMD Shim to be resilient to HTMLElement global pollution, by @​mikesherov.

v2.1.2

Added

v2.1.1

Added

... (truncated)

Changelog

Sourced from mustache's changelog.

[2.2.1] / 13 December 2015

Fixes

[2.2.0] / 15 October 2015

Added

Changed

Fixes

  • Fix README spelling error to "aforementioned", by [@​djchie].
  • Equal error message test in .render() for server and browser, by [@​phillipj].

Dependencies

  • chai -> 3.3.0
  • eslint -> 1.6.0

[2.1.3] / 23 July 2015

Added

  • Throw error when providing .render() with invalid template type, by [@​phillipj].
  • Documents use of string literals containing double quotes, by [@​jfmercer].

Changed

  • Move mustache gif to githubusercontent, by [@​Andersos].

Fixed

... (truncated)

Commits
  • cd06b22 🚢 bump to version 2.2.1
  • 692609d Merge pull request #533 from keirog/fix-quote-typo-docs
  • 1a391c9 Fix minor typo in docs
  • 60a41db Merge pull request #532 from simast/master
  • 3460f1e Fix inconsistency in defining global mustache object.
  • 34ebd1c Merge pull request #530 from janl/improve-html-escaping
  • 378bcca Improve HTML escaping.
  • 53b1c95 Merge pull request #500 from imagentleman/patch-1
  • a518c6d Merge pull request #524 from janl/unpin-chai-eslint
  • dadbe20 Unpin chai and eslint versions
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by dasilvacontin, a new releaser for mustache since your current version.


Updates socket.io from 0.9.13 to 2.5.0

Release notes

Sourced from socket.io's releases.

2.5.0

⚠️ WARNING ⚠️

The default value of the maxHttpBufferSize option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.

Security advisory: GHSA-j4f2-536g-r55m

Bug Fixes

  • fix race condition in dynamic namespaces (05e1278)
  • ignore packet received after disconnection (22d4bdf)
  • only set 'connected' to true after middleware execution (226cc16)
  • prevent the socket from joining a room after disconnection (f223178)

Links:

2.4.1

This release reverts the breaking change introduced in 2.4.0 (socketio/socket.io@f78a575).

If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests:

  • without CORS (server and client are served from the same domain):
const io = require("socket.io")(httpServer, {
  allowRequest: (req, callback) => {
    callback(null, req.headers.origin === undefined); // cross-origin requests will not be allowed
  }
});
  • with CORS (server and client are served from distinct domains):
io.origins(["http://localhost:3000"]); // for local development
io.origins(["https://example.com"]);

In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default).

Reverts

  • fix(security): do not allow all origins by default (a169050)

Links:

... (truncated)

Changelog

Sourced from socket.io's changelog.

2.5.0 (2022-06-26)

⚠️ WARNING ⚠️

The default value of the maxHttpBufferSize option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.

Security advisory: GHSA-j4f2-536g-r55m

Bug Fixes

  • fix race condition in dynamic namespaces (05e1278)
  • ignore packet received after disconnection (22d4bdf)
  • only set 'connected' to true after middleware execution (226cc16)
  • prevent the socket from joining a room after disconnection (f223178)

Dependencies

4.5.1 (2022-05-17)

Bug Fixes

  • forward the local flag to the adapter when using fetchSockets() (30430f0)
  • typings: add HTTPS server to accepted types (#4351) (9b43c91)

Dependencies

4.5.0 (2022-04-23)

Bug Fixes

  • typings: ensure compatibility with TypeScript 3.x (#4259) (02c87a8)

Features

Catch-all listeners for outgoing packets

... (truncated)

Commits
  • baa6804 chore(release): 2.5.0
  • f223178 fix: prevent the socket from joining a room after disconnection
  • 226cc16 fix: only set 'connected' to true after middleware execution
  • 05e1278 fix: fix race condition in dynamic namespaces
  • 22d4bdf fix: ignore packet received after disconnection
  • dfded53 chore: update engine.io version to 3.6.0
  • e6b8697 chore(release): 2.4.1
  • a169050 revert: fix(security): do not allow all origins by default
  • 873fdc5 chore(release): 2.4.0
  • f78a575 fix(security): do not allow all origins by default
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by darrachequesne, a new releaser for socket.io since your current version.


Updates bcrypt from 0.7.4 to 5.0.0

Release notes

Sourced from bcrypt's releases.

v5.0.0

  • Fix the bcrypt "wrap-around" bug. It affects passwords with lengths >= 255. It is uncommon but it's a bug nevertheless. Previous attempts to fix the bug were unsuccessful.
  • Experimental support for z/OS
  • Fix a bug related to NUL in password input
  • Update node-pre-gyp to 0.15.0

v4.0.1

bcrypt 4.0.1

v4.0.0

NAPI support

v3.0.8

  • Update node-pre-gyp to 0.14
  • Pre-built binaries for NodeJS 13

v3.0.7

bcrypt 3.0.7

v3.0.6

bcrypt 3.0.6

v3.0.5

  • Update nan to 2.13.1
  • NodeJS 12 (nightly) support

v3.0.4

  • Fix GCC, NAN and V8 deprecation warnings
  • NodeJS 12 compatibility

v3.0.4-napi

bcrypt 3.0.4-napi

v3.0.3

  • Update nan to 2.12.1

v3.0.2

  • Update nan to 2.11.1

v3.0.1

No release notes provided.

v3.0.0

No release notes provided.

v2.0.1

No release notes provided.

... (truncated)

Changelog

Sourced from bcrypt's changelog.

5.0.0 (2020-06-02)

  • Fix the bcrypt "wrap-around" bug. It affects passwords with lengths >= 255. It is uncommon but it's a bug nevertheless. Previous attempts to fix the bug were unsuccessful.
  • Experimental support for z/OS
  • Fix a bug related to NUL in password input
  • Update node-pre-gyp to 0.15.0

4.0.1 (2020-02-27)

  • Fix compilation errors in Alpine linux

4.0.0 (2020-02-17)

  • Switch to NAPI bcrypt
  • Drop support for NodeJS 8

3.0.8 (2019-12-31)

  • Update node-pre-gyp to 0.14
  • Pre-built binaries for NodeJS 13

3.0.7 (2019-10-18)

  • Update nan to 2.14.0
  • Update node-pre-gyp to 0.13

3.0.6 (2019-04-11)

  • Update nan to 2.13.2

3.0.5 (2019-03-19)

  • Update nan to 2.13.1
  • NodeJS 12 compatibility
  • Remove node-pre-gyp from bundled dependencies

3.0.4-napi (2019-03-08)

  • Sync N-API bcrypt with NAN bcrypt

3.0.4 (2019-02-07)

  • Fix GCC, NAN and V8 deprecation warnings

3.0.3 (2018-12-19)

  • Update nan to 2.12.1

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by amitosh, a new releaser for bcrypt since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.
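
The socket.io 2.4.1 notes quoted above tell v2 users to gate cross-origin handshakes explicitly (the `allowRequest` snippet for the same-origin case, `io.origins([...])` for the cross-origin case), and the 2.5.0 notes lower `maxHttpBufferSize` to 1 MB. The block below is an added example, not Socket.IO's own code and not part of this PR: it builds an `allowRequest` callback with the `(req, callback)` signature shown in the release notes, backed by an exact-match origin allow list, and pins `maxHttpBufferSize` in the options object. The function names, the `allowMissingOrigin` rule (a request with no Origin header is treated as same-origin or non-browser and admitted), the host `https://example.com` and the look-alike `.invalid` host are all assumptions constructed for the demo; only Node built-ins are used, so it runs without socket.io installed.

```javascript
// Added example (not Socket.IO's own code): an explicit origin allow list for
// the Socket.IO v2 `allowRequest` hook, replacing the pre-2.4.1 behaviour of
// accepting every origin. Uses only Node built-ins (the global URL class).

// Canonical form of an Origin header value, e.g. "https://Example.com:443"
// becomes "https://example.com" (lower-cased host, default port dropped).
// Returns null for anything that is not a scheme://host origin, including the
// literal "null" origin that sandboxed documents send.
function canonicalOrigin(value) {
  if (typeof value !== "string") return null;
  try {
    const u = new URL(value);
    // URL.origin is the string "null" for opaque origins (file:, data:, ...).
    return u.origin === "null" ? null : u.origin;
  } catch (e) {
    return null;
  }
}

// Decide whether a handshake request may proceed (assumed policy):
//  - No Origin header: same-origin page or non-browser client; admitted only
//    when allowMissingOrigin is true (mirrors the release-notes snippet).
//  - Origin present: admitted only on exact canonical match with the list.
//    Substring/prefix matching is deliberately avoided, since it would accept
//    look-alike hosts such as example.com.<some-other-domain>.
function isOriginAllowed(originHeader, allowedOrigins, allowMissingOrigin = true) {
  if (originHeader === undefined) return allowMissingOrigin;
  const origin = canonicalOrigin(originHeader);
  if (origin === null) return false;
  return allowedOrigins.some((allowed) => canonicalOrigin(allowed) === origin);
}

// Build the callback handed to Socket.IO v2 as `allowRequest`. The shape
// (req, callback) with callback(err, success) is the one in the release notes;
// `req` is a Node IncomingMessage, so the header lives in req.headers.origin.
function makeAllowRequest(allowedOrigins, allowMissingOrigin = true) {
  const list = allowedOrigins.map(canonicalOrigin).filter((o) => o !== null);
  return (req, callback) => {
    callback(null, isOriginAllowed(req.headers.origin, list, allowMissingOrigin));
  };
}

// The pre-2.4.1 default, shown for contrast: every origin is accepted.
function allowAllRequest(req, callback) {
  callback(null, true);
}

// Options object as it would be passed to require("socket.io")(httpServer, opts).
// maxHttpBufferSize is pinned to the 2.5.0 default (1 MB) so the limit does
// not silently depend on which socket.io version is installed.
function serverOptions(allowedOrigins) {
  return {
    maxHttpBufferSize: 1e6,
    allowRequest: makeAllowRequest(allowedOrigins),
  };
}

// Run both policies over constructed handshake requests and return the
// verdicts, so the difference is visible without a running server.
function demo() {
  // Constructed sample requests (only the headers field matters here).
  const requests = {
    sameOrigin: { headers: {} },                                     // no Origin header
    listed:     { headers: { origin: "https://Example.com:443" } },  // canonicalises to the allowed origin
    lookAlike:  { headers: { origin: "https://example.com.other.invalid" } },
    nullOrigin: { headers: { origin: "null" } },
  };
  const opts = serverOptions(["https://example.com"]);
  const verdicts = {};
  for (const [name, req] of Object.entries(requests)) {
    let strict;
    let lax;
    opts.allowRequest(req, (err, ok) => { strict = ok; });
    allowAllRequest(req, (err, ok) => { lax = ok; });
    verdicts[name] = { allowList: strict, allowAll: lax };
  }
  return verdicts;
}

console.log(JSON.stringify(demo(), null, 2));
```

With the allow list in place only the origin-less request and the exact `https://example.com` match are admitted, while the look-alike host and the `null` origin are refused; the allow-all policy admits all four, which is the default that 2.4.1 reverted to and that the notes advise against.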

Bumps the npm_and_yarn group with 3 updates in the /coder-base directory: [express](https://github.com/expressjs/express), [mustache](https://github.com/janl/mustache.js) and [socket.io](https://github.com/socketio/socket.io).
Bumps the npm_and_yarn group with 4 updates in the /raspbian-addons/home/coder/coder-dist/coder-base directory: [express](https://github.com/expressjs/express), [mustache](https://github.com/janl/mustache.js), [socket.io](https://github.com/socketio/socket.io) and [bcrypt](https://github.com/kelektiv/node.bcrypt.js).


Updates `express` from 3.1.0 to 4.19.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@3.1.0...4.19.2)

Updates `mustache` from 0.7.2 to 2.2.1
- [Release notes](https://github.com/janl/mustache.js/releases)
- [Changelog](https://github.com/janl/mustache.js/blob/master/CHANGELOG.md)
- [Commits](janl/mustache.js@0.7.2...v2.2.1)

Updates `socket.io` from 0.9.13 to 2.5.0
- [Release notes](https://github.com/socketio/socket.io/releases)
- [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md)
- [Commits](socketio/socket.io@0.9.13...2.5.0)

Updates `express` from 3.1.0 to 4.19.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@3.1.0...4.19.2)

Updates `mustache` from 0.7.2 to 2.2.1
- [Release notes](https://github.com/janl/mustache.js/releases)
- [Changelog](https://github.com/janl/mustache.js/blob/master/CHANGELOG.md)
- [Commits](janl/mustache.js@0.7.2...v2.2.1)

Updates `socket.io` from 0.9.13 to 2.5.0
- [Release notes](https://github.com/socketio/socket.io/releases)
- [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md)
- [Commits](socketio/socket.io@0.9.13...2.5.0)

Updates `bcrypt` from 0.7.4 to 5.0.0
- [Release notes](https://github.com/kelektiv/node.bcrypt.js/releases)
- [Changelog](https://github.com/kelektiv/node.bcrypt.js/blob/master/CHANGELOG.md)
- [Commits](kelektiv/node.bcrypt.js@v0.7.4...v5.0.0)

---
updated-dependencies:
- dependency-name: express
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: mustache
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: socket.io
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: express
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: mustache
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: socket.io
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: bcrypt
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <[email protected]>

Labels: dependencies (Pull requests that update a dependency file)