Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade: bootstrap, dotenv, ejs, express, google-auth-library, mysql2, object-sizeof, qrcode, rotating-file-stream #455

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

PugChungus
Copy link
Owner

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name Versions Released on

bootstrap
from 5.3.2 to 5.3.3 | 1 version ahead of your current version | 7 months ago
on 2024-02-20
dotenv
from 16.4.1 to 16.4.5 | 4 versions ahead of your current version | 7 months ago
on 2024-02-20
ejs
from 3.1.9 to 3.1.10 | 1 version ahead of your current version | 5 months ago
on 2024-04-12
express
from 4.18.2 to 4.19.2 | 4 versions ahead of your current version | 6 months ago
on 2024-03-25
google-auth-library
from 9.4.1 to 9.14.0 | 14 versions ahead of your current version | a month ago
on 2024-08-20
mysql2
from 3.6.5 to 3.11.0 | 18 versions ahead of your current version | 2 months ago
on 2024-07-27
object-sizeof
from 2.6.4 to 2.6.5 | 1 version ahead of your current version | 2 months ago
on 2024-07-12
qrcode
from 1.5.3 to 1.5.4 | 1 version ahead of your current version | 2 months ago
on 2024-08-05
rotating-file-stream
from 3.2.1 to 3.2.3 | 2 versions ahead of your current version | 3 months ago
on 2024-06-10

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
medium severity Improper Control of Dynamically-Managed Code Resources
SNYK-JS-EJS-6689533
479 No Known Exploit
medium severity Open Redirect
SNYK-JS-EXPRESS-6474509
479 No Known Exploit
medium severity Prototype Poisoning
SNYK-JS-MYSQL2-6591084
479 Proof of Concept
critical severity Remote Code Execution (RCE)
SNYK-JS-MYSQL2-6591085
479 Proof of Concept
medium severity Use of Web Browser Cache Containing Sensitive Information
SNYK-JS-MYSQL2-6591300
479 Proof of Concept
critical severity Arbitrary Code Injection
SNYK-JS-MYSQL2-6670046
479 Proof of Concept
high severity Prototype Pollution
SNYK-JS-MYSQL2-6861580
479 Proof of Concept
Release notes
Package name: bootstrap
  • 5.3.3 - 2024-02-20

    Highlights

    • Fixed a breaking change introduced with color modes where it was required to manually import variables-dark.scss when building Bootstrap with Sass. Now, _variables.scss will automatically import _variables-dark.scss. If you were already importing _variables-dark.scss manually, you should keep doing it as it won't break anything and will be the way to go in v6.
    • Fixed a regression in the selector engine that wasn't able to handle multiple IDs anymore.

    Color modes

    • Badges now use the .text-bg-* text utilities to be certain that the text is always readable (especially when the customized colors are different in light and dark modes).
    • Fixed our color-modes.js script to handle the case where the OS is set to light mode and the auto color mode is used on the website. If you copied the script from our docs, you should apply this change to your own script.
    • Fixed color schemes description in the color modes documentation to show that color-scheme() only accept light and dark values as parameters.

    Miscellaneous

    • Allowed <dl>, <dt> and <dd> in the sanitizer.
    • Dropped evenly items distribution for modal and offcanvas headers.
    • Fixed the accordion CSS selectors to avoid inheritance issues when nesting accordions.
    • Fixed the focus box-shadow for the validation stated form controls.
    • Fixed the focus ring on focused checked buttons.
    • Fixed the product example mobile navbar toggler.
    • Changed the RTL processing of carousel control icons.

    🎨 CSS

    • #37508: Use child combinators to avoid inheriting parent accordion's flush styles
    • #38719: Fix focus box-shadow for validation stated form-controls
    • #38884: fix border-radius on radio-switch
    • #39294: Tests: update navbar in visual modal test
    • #39373: refactor css: modal and offcanvas header spacing
    • #39380: Fix Sass compilation breaking change in v5.3
    • #39387: docs: fix typo
    • #39411: Optimize the accordion icon
    • #39497: Fix a typo
    • #39536: Changed RTL processing of carousel control icons
    • #39560: Drop --bs-accordion-btn-focus-border-color and deprecate $accordion-button-focus-border-color
    • #39595: CSS: Fix the focus ring on focused checked buttons

    ☕️ JavaScript

    • #39201: Selector Engine: fix multiple IDs
    • #39224: Fix edge case in color-mode.js
    • #39376: Allow dl, dt and dd in sanitizer

    📖 Docs

    • #39200: Typo Fix
    • #39214: Doc: use .text-bg-{color} for all badges
    • #39246: Docs: fix for example code blocks have unnecessary 30px right-margin
    • #39249: Doc: consistent rendering of 'Heads up!' callouts
    • #39281: Fix getOrCreateInstance() doc example
    • #39293: Update background.md
    • #39304: Doc: add expanded accordion explanation
    • #39320: Drop .table-light from table foot example
    • #39340: Doc: add dispose() to Offcanvas methods
    • #39378: Docs: fix sentence in modal
    • #39417: Fix color schemes description in Sass customization documentation
    • #39418: Docs: change vite config path import in vite guide
    • #39435: Docs: add shift-color() usage example in sass customization page
    • #39458: Docs: enhance .card-img-* description
    • #39503: Minor image compression improvements
    • #39519: Docs: use consistent HTML elements in Utilities -> Background page
    • #39520: Docs: drop unused .theme-icon class
    • #39528: docs: clean up example.html
    • #39537: Docs: fix desc around deprecated Sass mixins for alerts and list groups
    • #39539: Update links on get-started page
    • #39592: Update vite.md
    • #39604: Fix typo in 'media-breakpoint-between' in migration docs
    • #39617: Docs: add missing comma in native font stack code source in Content -> Reboot
    • #39663: updated table to be responsive

    🛠 Examples

    • #39657: Fix product example mobile navbar toggler
    • #39585: Docs: Add missing type="button" to Cheatsheet nav buttons

    🏭 Tests

    • #39294: Tests: update navbar in visual modal test

    🧰 Misc

    • #39096: CI: stop running coveralls in forks
    • #39501: CI: switch to Node.js 20

    📦 Dependencies

  • 5.3.2 - 2023-09-14

    Highlights

    • Passing a percentage unit to the global abs() is deprecated since Dart Sass v1.65.0. It resulted in a deprecation warning when compiling Bootstrap with Dart Sass. This has been fixed internally by changing the values passed to the divide() function. The divide() function has not been fixed itself so that we can keep supporting node-sass cross-compatibility. In v6, this won't be an issue as we plan to drop support for node-sass.
    • Using multiple ids in a collapse target wasn't working anymore and has been fixed.

    Color modes

    • Increased color contrast of form range track background in light and dark modes.
    • Fixed table state rendering for color modes with a focus on the striped table in dark mode to increase color contrast.
    • Allow <mark> color customization for color modes.

    Docs


    🎨 CSS

    • #38816: Use box-shadow CSS variables shadow utilities
    • #38955: Fix radios looking like ellipse on responsive mode
    • #38976: Use box-shadow CSS vars instead of Sass vars in assets and variables
    • #39030: Fix dart-sass deprecation warning
    • #39033: Color mode: fix table state rendering
    • #39095: Make form range track background more contrasted
    • #39119: New Sass var $btn-link-focus-shadow-rgb to allow customization
    • #39141: New Sass variable to handle <mark> dark mode bg color

    ☕️ JavaScript

    • #38989: Collapse: Fix multiple ids calls
    • #39046: Dropdown: reuse variable

    📖 Docs

    • #38873: Discord reddit bootstrap
    • #38970: docs: add BootstrapVueNext to docs
    • #38977: Docs: Add missing form elements in focusable elements
    • #38978: Docs: Fix popover template role error
    • #38995: introduction: drop details element
    • #39037: Further improve image compression with oxipng and the latest jpegoptim
    • #39054: Docs: Remove incorrect mention of .left- and .right- utilities from migration guide
    • #39060: Migration: add back v5.0.0 heading
    • #39145: Docs: add warning callout to add a workaround when jsDelivr is not available
    • #39177: Fix: make theme selector tick icon visible when active in examples layout
    • #39179: download: Reword CDN paragraph

    🛠 Examples

    • #38994: examples: update 3rd-party packages
    • #39086: Correct grammar error in examples/starter-template

    🌎 Accessibility

    • #38978: Docs: Fix popover template role error
    • #39095: Make form range track background more contrasted

    🧰 Misc

    • #38983: Improve change-version script
    • #38984: Convert build scripts to ESM
    • #39021: CI: update permissions for calibreapp-image-actions.yml

    📦 Dependencies

from bootstrap GitHub release notes
Package name: dotenv from dotenv GitHub release notes
Package name: ejs from ejs GitHub release notes
Package name: express from express GitHub release notes
Package name: google-auth-library

Snyk has created this PR to upgrade:
  - bootstrap from 5.3.2 to 5.3.3.
    See this package in npm: https://www.npmjs.com/package/bootstrap
  - dotenv from 16.4.1 to 16.4.5.
    See this package in npm: https://www.npmjs.com/package/dotenv
  - ejs from 3.1.9 to 3.1.10.
    See this package in npm: https://www.npmjs.com/package/ejs
  - express from 4.18.2 to 4.19.2.
    See this package in npm: https://www.npmjs.com/package/express
  - google-auth-library from 9.4.1 to 9.14.0.
    See this package in npm: https://www.npmjs.com/package/google-auth-library
  - mysql2 from 3.6.5 to 3.11.0.
    See this package in npm: https://www.npmjs.com/package/mysql2
  - object-sizeof from 2.6.4 to 2.6.5.
    See this package in npm: https://www.npmjs.com/package/object-sizeof
  - qrcode from 1.5.3 to 1.5.4.
    See this package in npm: https://www.npmjs.com/package/qrcode
  - rotating-file-stream from 3.2.1 to 3.2.3.
    See this package in npm: https://www.npmjs.com/package/rotating-file-stream

See this project in Snyk:
https://app.snyk.io/org/ryanleezx/project/a66bdb8e-5826-46a4-b2d6-ccc21c8b6334?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants