Bump the dependencies group across 1 directory with 5 updates #25

dependabot · 2024-06-17T20:53:05Z

Bumps the dependencies group with 5 updates in the / directory:

Package	From	To
ws	`8.17.0`	`8.17.1`
@rollup/plugin-commonjs	`25.0.7`	`26.0.1`
@types/node	`20.12.11`	`20.14.3`
rollup	`4.17.2`	`4.18.0`
tslib	`2.6.2`	`2.6.3`

Updates ws from 8.17.0 to 8.17.1

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.
const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});
The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

Reduce the maximum allowed length of the request headers using the [--max-http-header-size=size][] and/or the [maxHeaderSize][] options so that no more headers than the server.maxHeadersCount limit can be sent.

... (truncated)

Commits

3c56601 [dist] 8.17.1
e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
6a00029 [test] Increase code coverage
ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
See full diff in compare view

Updates @rollup/plugin-commonjs from 25.0.7 to 26.0.1

Changelog

Sourced from @rollup/plugin-commonjs's changelog.

v26.0.1

2024-06-05

Bugfixes

fix: correct import of glob (04a15b5)

v26.0.0

2024-06-05

Breaking Changes

chore!: bump glob's version (#1695)

v25.0.8

2024-05-22

Bugfixes

fix: preserve the class body property keys even if they are special keywords (#1688)

Commits

8550c4b chore(release): commonjs v26.0.1
04a15b5 fix(commonjs): correct import of glob
b3149b0 chore(release): commonjs v26.0.0
2447548 chore(commonjs)!: bump glob's version (#1695)
8949965 chore(release): commonjs v25.0.8
0bb872b fix(commonjs): preserve the class body property keys even if they are special...
dcd8da5 chore(repo): use @dot/versioner for releases (#1612)
See full diff in compare view

Updates @types/node from 20.12.11 to 20.14.3

Commits

See full diff in compare view

Updates rollup from 4.17.2 to 4.18.0

Release notes

Sourced from rollup's releases.

v4.18.0

4.18.0

2024-05-22

Features

Resolve import.meta.filename and .dirname in transpiled plugins (#5520)

Pull Requests

#5504: Auto generate node index (@lukastaegert)

#5507: chore(deps): lock file maintenance minor/patch updates (@renovate[bot])

#5508: chore(deps): lock file maintenance (@renovate[bot])

#5510: Split up converter.rs into AST nodes (@lukastaegert)

#5512: chore(deps): update dependency builtin-modules to v4 (@renovate[bot], @lukastaegert)

#5514: chore(deps): lock file maintenance minor/patch updates (@renovate[bot])

#5518: chore(deps): update dependency eslint-plugin-unicorn to v53 (@renovate[bot], @lukastaegert)

#5519: chore(deps): lock file maintenance minor/patch updates (@renovate[bot], @lukastaegert)

#5520: Resolve import.meta.{filename,dirname} in files imported from config (@BPScott)

#5521: docs: correct base32 to base36 in documentation (@highcastlee)

Changelog

Sourced from rollup's changelog.

4.18.0

2024-05-22

Features

Resolve import.meta.filename and .dirname in transpiled plugins (#5520)

Pull Requests

#5504: Auto generate node index (@lukastaegert)

#5507: chore(deps): lock file maintenance minor/patch updates (@renovate[bot])

#5508: chore(deps): lock file maintenance (@renovate[bot])

#5510: Split up converter.rs into AST nodes (@lukastaegert)

#5512: chore(deps): update dependency builtin-modules to v4 (@renovate[bot], @lukastaegert)

#5514: chore(deps): lock file maintenance minor/patch updates (@renovate[bot])

#5518: chore(deps): update dependency eslint-plugin-unicorn to v53 (@renovate[bot], @lukastaegert)

#5519: chore(deps): lock file maintenance minor/patch updates (@renovate[bot], @lukastaegert)

#5520: Resolve import.meta.{filename,dirname} in files imported from config (@BPScott)

#5521: docs: correct base32 to base36 in documentation (@highcastlee)

Commits

bb6f069 4.18.0
13d8c99 docs: correct base32 to base36 in documentation (#5521)
cc993e7 Resolve import.meta.{filename,dirname} in files imported from config (#5520)
a25a779 Split up converter.rs into AST nodes (#5510)
a9cda18 chore(deps): lock file maintenance minor/patch updates (#5519)
62c53c9 chore(deps): update dependency eslint-plugin-unicorn to v53 (#5518)
3520da5 chore(deps): update dependency builtin-modules to v4 (#5512)
afdcc84 chore(deps): lock file maintenance minor/patch updates (#5514)
00f0681 chore(deps): lock file maintenance (#5508)
786566c chore(deps): lock file maintenance minor/patch updates (#5507)
Additional commits viewable in compare view

Updates tslib from 2.6.2 to 2.6.3

Release notes

Sourced from tslib's releases.

v2.6.3

What's Changed

'await using' normative changes by @rbuckton in microsoft/tslib#258

Full Changelog: microsoft/tslib@v2.6.2...v2.6.3

Commits

a280d4b 2.6.3
983d81b 'await using' normative changes (#258)
54cd71c Bump the github-actions group with 3 updates (#253)
298efd9 Bump the github-actions group with 1 update (#242)
e8b4418 Bump the github-actions group with 1 update (#241)
ae8c5c3 Bump the github-actions group with 2 updates (#240)
2b38d87 JSDoc typo on __exportStar. (#221)
8466326 Bump the github-actions group with 1 update (#233)
a57d986 Bump the github-actions group with 1 update (#230)
2bf5a06 Bump the github-actions group with 2 updates (#228)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the dependencies group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [ws](https://github.com/websockets/ws) | `8.17.0` | `8.17.1` | | [@rollup/plugin-commonjs](https://github.com/rollup/plugins/tree/HEAD/packages/commonjs) | `25.0.7` | `26.0.1` | | [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `20.12.11` | `20.14.3` | | [rollup](https://github.com/rollup/rollup) | `4.17.2` | `4.18.0` | | [tslib](https://github.com/Microsoft/tslib) | `2.6.2` | `2.6.3` | Updates `ws` from 8.17.0 to 8.17.1 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.17.0...8.17.1) Updates `@rollup/plugin-commonjs` from 25.0.7 to 26.0.1 - [Changelog](https://github.com/rollup/plugins/blob/master/packages/commonjs/CHANGELOG.md) - [Commits](https://github.com/rollup/plugins/commits/commonjs-v26.0.1/packages/commonjs) Updates `@types/node` from 20.12.11 to 20.14.3 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `rollup` from 4.17.2 to 4.18.0 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.17.2...v4.18.0) Updates `tslib` from 2.6.2 to 2.6.3 - [Release notes](https://github.com/Microsoft/tslib/releases) - [Commits](microsoft/tslib@v2.6.2...v2.6.3) --- updated-dependencies: - dependency-name: ws dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: "@rollup/plugin-commonjs" dependency-type: direct:development update-type: version-update:semver-major dependency-group: dependencies - dependency-name: "@types/node" dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: rollup dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: tslib dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dependencies ... Signed-off-by: dependabot[bot] <support@github.com>

Bump version of the app as non-dev dependency is being updated

TeddiO

@dependabot merge

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 17, 2024

Bump manifest version

57e5a4b

Bump version of the app as non-dev dependency is being updated

TeddiO approved these changes Jun 19, 2024

View reviewed changes

dependabot bot merged commit 97ed11b into main Jun 19, 2024
1 check passed

dependabot bot deleted the dependabot/npm_and_yarn/dependencies-58b9d40b07 branch June 19, 2024 10:42

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the dependencies group across 1 directory with 5 updates #25

Bump the dependencies group across 1 directory with 5 updates #25

dependabot bot commented on behalf of github Jun 17, 2024

TeddiO left a comment

Bump the dependencies group across 1 directory with 5 updates #25

Bump the dependencies group across 1 directory with 5 updates #25

Conversation

dependabot bot commented on behalf of github Jun 17, 2024

8.17.1

Bug fixes

v26.0.1

Bugfixes

v26.0.0

Breaking Changes

v25.0.8

Bugfixes

v4.18.0

4.18.0

Features

Pull Requests

4.18.0

Features

Pull Requests

v2.6.3

What's Changed

TeddiO left a comment

Choose a reason for hiding this comment