Skip to content

build(deps-dev): bump expect from 28.1.3 to 29.6.0#80

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/expect-29.6.0
Closed

build(deps-dev): bump expect from 28.1.3 to 29.6.0#80
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/expect-29.6.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 5, 2023

Copy link
Copy Markdown
Contributor

Bumps expect from 28.1.3 to 29.6.0.

Release notes

Sourced from expect's releases.

v29.6.0

Features

  • [jest-circus, jest-snapshot] Add support for snapshot matchers in concurrent tests (#14139)
  • [jest-cli] Include type definitions to generated config files (#14078)
  • [jest-snapshot] Support arrays as property matchers (#14025)
  • [jest-core, jest-circus, jest-reporter, jest-runner] Added support for reporting about start individual test cases using jest-circus (#14174)

Fixes

  • [jest-circus] Prevent false test failures caused by promise rejections handled asynchronously (#14110)
  • [jest-config] Handle frozen config object (#14054)
  • [jest-config] Allow coverageDirectory and collectCoverageFrom in project config (#14180)
  • [jest-core] Always use workers in watch mode to avoid crashes (#14059).
  • [jest-environment-jsdom, jest-environment-node] Fix assignment of customExportConditions via testEnvironmentOptions when custom env subclass defines a default value (#13989)
  • [jest-matcher-utils] Fix copying value of inherited getters (#14007)
  • [jest-mock] Tweak typings to allow jest.replaceProperty() replace methods (#14008)
  • [jest-mock] Improve user input validation and error messages of spyOn and replaceProperty methods (#14087)
  • [jest-runtime] Bind jest.isolateModulesAsync to this (#14083)
  • [jest-runtime] Forward wrapperLength to the Script constructor as columnOffset for accurate debugging (#14148)
  • [jest-runtime] Guard _isMockFunction access with in (#14188)
  • [jest-snapshot] Fix a potential bug when not using prettier and improve performance (#14036)
  • [@jest/transform] Do not instrument .json modules (#14048)

Chore & Maintenance

  • [*] Update semver dependency to get vulnerability fix (#14262)
  • [docs] Updated documentation for the --runTestsByPath CLI command (#14004)
  • [docs] Updated documentation regarding the synchronous fallback when asynchronous code transforms are unavailable (#14056)
  • [docs] Update jest statistics of use and downloads in website Index.

New Contributors

... (truncated)

Changelog

Sourced from expect's changelog.

29.6.0

Features

  • [jest-circus, jest-snapshot] Add support for snapshot matchers in concurrent tests (#14139)
  • [jest-cli] Include type definitions to generated config files (#14078)
  • [jest-snapshot] Support arrays as property matchers (#14025)
  • [jest-core, jest-circus, jest-reporter, jest-runner] Added support for reporting about start individual test cases using jest-circus (#14174)

Fixes

  • [jest-circus] Prevent false test failures caused by promise rejections handled asynchronously (#14110)
  • [jest-config] Handle frozen config object (#14054)
  • [jest-config] Allow coverageDirectory and collectCoverageFrom in project config (#14180)
  • [jest-core] Always use workers in watch mode to avoid crashes (#14059).
  • [jest-environment-jsdom, jest-environment-node] Fix assignment of customExportConditions via testEnvironmentOptions when custom env subclass defines a default value (#13989)
  • [jest-matcher-utils] Fix copying value of inherited getters (#14007)
  • [jest-mock] Tweak typings to allow jest.replaceProperty() replace methods (#14008)
  • [jest-mock] Improve user input validation and error messages of spyOn and replaceProperty methods (#14087)
  • [jest-runtime] Bind jest.isolateModulesAsync to this (#14083)
  • [jest-runtime] Forward wrapperLength to the Script constructor as columnOffset for accurate debugging (#14148)
  • [jest-runtime] Guard _isMockFunction access with in (#14188)
  • [jest-snapshot] Fix a potential bug when not using prettier and improve performance (#14036)
  • [@jest/transform] Do not instrument .json modules (#14048)

Chore & Maintenance

  • [*] Update semver dependency to get vulnerability fix (#14262)
  • [docs] Updated documentation for the --runTestsByPath CLI command (#14004)
  • [docs] Updated documentation regarding the synchronous fallback when asynchronous code transforms are unavailable (#14056)
  • [docs] Update jest statistics of use and downloads in website Index.

29.5.0

Features

  • [jest-changed-files] Support Sapling (#13941)
  • [jest-circus, @jest/cli, jest-config] Add feature to randomize order of tests via CLI flag or through the config file(#12922)
  • [jest-cli, jest-config, @jest/core, jest-haste-map, @jest/reporters, jest-runner, jest-runtime, @jest/types] Add workerThreads configuration option to allow using worker threads for parallelization (#13939)
  • [jest-cli] Export yargsOptions (#13970)
  • [jest-config] Add openHandlesTimeout option to configure possible open handles warning. (#13875)
  • [@jest/create-cache-key-function] Allow passing length argument to createCacheKey() function and set its default value to 16 on Windows (#13827)
  • [jest-message-util] Add support for AggregateError (#13946 & #13947)
  • [jest-message-util] Add support for Error causes in test and it (#13935 & #13966)
  • [jest-reporters] Add summaryThreshold option to summary reporter to allow overriding the internal threshold that is used to print the summary of all failed tests when the number of test suites surpasses it (#13895)
  • [jest-runtime] Expose @sinonjs/fake-timers async APIs functions advanceTimersByTimeAsync(msToRun) (tickAsync(msToRun)), advanceTimersToNextTimerAsync(steps) (nextAsync), runAllTimersAsync (runAllAsync), and runOnlyPendingTimersAsync (runToLastAsync) (#13981)
  • [jest-runtime, @jest/transform] Allow V8 coverage provider to collect coverage from files which were not loaded explicitly (#13974)
  • [jest-snapshot] Add support to cts and mts TypeScript files to inline snapshots (#13975)
  • [jest-worker] Add start method to worker farms (#13937)
  • [jest-worker] Support passing a URL as path to worker (#13982)

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [expect](https://github.com/facebook/jest/tree/HEAD/packages/expect) from 28.1.3 to 29.6.0.
- [Release notes](https://github.com/facebook/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/jest/commits/v29.6.0/packages/expect)

---
updated-dependencies:
- dependency-name: expect
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jul 5, 2023
@github-actions

github-actions Bot commented Jul 5, 2023

Copy link
Copy Markdown
Contributor
=== npm audit security report ===                        
                                                                                
# Run  npm install --save-dev @cyclonedx/bom@4.0.3  to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @cyclonedx/bom [dev]                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @cyclonedx/bom > read-installed > semver                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @cyclonedx/bom [dev]                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @cyclonedx/bom > read-installed > read-package-json >        │
│               │ normalize-package-data > semver                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘


# Run  npm update semver --depth 7  to resolve 10 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @cyclonedx/bom [dev]                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @cyclonedx/bom > synp > semver                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ rewire [dev]                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ rewire > eslint > semver                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard > eslint-plugin-n > builtins > semver               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard > eslint-plugin-n > semver                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > git-semver-tags > meow >                  │
│               │ normalize-package-data > semver                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > conventional-recommended-bump >           │
│               │ conventional-commits-parser > meow > normalize-package-data  │
│               │ > semver                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > conventional-changelog >                  │
│               │ conventional-changelog-core > conventional-changelog-writer  │
│               │ > meow > normalize-package-data > semver                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > conventional-changelog >                  │
│               │ conventional-changelog-core > normalize-package-data >       │
│               │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > semver                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ supertest [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ supertest > superagent > semver                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘


# Run  npm update @babel/core --depth 3  to resolve 2 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nyc [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nyc > istanbul-lib-instrument > @babel/core >                │
│               │ @babel/helper-compilation-targets > semver                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nyc [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nyc > istanbul-lib-instrument > @babel/core > semver         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ TaffyDB can allow access to any data items in the DB         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ taffydb                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jsdoc-to-markdown [dev]                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jsdoc-to-markdown > jsdoc-api > jsdoc > taffydb              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-mxhp-79qh-mcx6            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Sandbox Bypass Leading to Arbitrary Code Execution in        │
│               │ constantinople                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ constantinople                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jade                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jade > constantinople                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-4vmm-mhcq-4x9j            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service in clean-css            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ clean-css                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.1.11                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jade                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jade > clean-css                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-wxhq-pm8v-cw75            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service in uglify-js            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ uglify-js                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.6.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jade                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jade > transformers > uglify-js                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c9f4-xj24-8jqx            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Incorrect Handling of Non-Boolean Comparisons During         │
│               │ Minification in uglify-js                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ uglify-js                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.4.24                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jade                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jade > transformers > uglify-js                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-34r7-q49f-h37c            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nodemon [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nodemon > semver                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > conventional-changelog >                  │
│               │ conventional-changelog-core > read-pkg >                     │
│               │ normalize-package-data > semver                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > conventional-changelog >                  │
│               │ conventional-changelog-core > read-pkg-up > read-pkg >       │
│               │ normalize-package-data > semver                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nodemon [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nodemon > simple-update-notifier > semver                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nyc [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nyc > make-dir > semver                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nyc [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nyc > caching-transform > make-dir > semver                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nyc [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nyc > istanbul-reports > istanbul-lib-report > make-dir >    │
│               │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nyc [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nyc > istanbul-lib-instrument > semver                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard > eslint-plugin-import > semver                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard > eslint-plugin-react > semver                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > git-semver-tags > meow > read-pkg-up >    │
│               │ read-pkg > normalize-package-data > semver                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > conventional-recommended-bump >           │
│               │ conventional-commits-parser > meow > read-pkg-up > read-pkg  │
│               │ > normalize-package-data > semver                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > conventional-changelog >                  │
│               │ conventional-changelog-core > conventional-changelog-writer  │
│               │ > meow > read-pkg-up > read-pkg > normalize-package-data >   │
│               │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > conventional-changelog >                  │
│               │ conventional-changelog-core > conventional-changelog-writer  │
│               │ > semver                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > git-semver-tags > semver                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > conventional-recommended-bump >           │
│               │ git-semver-tags > semver                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > conventional-changelog >                  │
│               │ conventional-changelog-core > git-semver-tags > semver       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ word-wrap vulnerable to Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ word-wrap                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ rewire [dev]                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ rewire > eslint > optionator > word-wrap                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-j8xg-fqg3-53r7            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 37 vulnerabilities (1 low, 32 moderate, 2 high, 2 critical) in 888 scanned packages
  run `npm audit fix` to fix 12 of them.
  2 vulnerabilities require semver-major dependency updates.
  23 vulnerabilities require manual review. See the full report for details.

@github-actions

github-actions Bot commented Jul 5, 2023

Copy link
Copy Markdown
Contributor
# npm audit report

clean-css  <4.1.11
Regular Expression Denial of Service in clean-css - https://github.com/advisories/GHSA-wxhq-pm8v-cw75
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/clean-css
  jade  >=0.30.0
  Depends on vulnerable versions of clean-css
  Depends on vulnerable versions of constantinople
  Depends on vulnerable versions of transformers
  node_modules/jade

constantinople  <3.1.1
Severity: critical
Sandbox Bypass Leading to Arbitrary Code Execution in constantinople - https://github.com/advisories/GHSA-4vmm-mhcq-4x9j
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/constantinople

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install nodemon@1.14.9, which is a breaking change
node_modules/@babel/core/node_modules/semver
node_modules/@babel/helper-compilation-targets/node_modules/semver
node_modules/builtins/node_modules/semver
node_modules/conventional-changelog-core/node_modules/semver
node_modules/conventional-changelog-writer/node_modules/semver
node_modules/eslint-plugin-import/node_modules/semver
node_modules/eslint-plugin-n/node_modules/semver
node_modules/eslint-plugin-react/node_modules/semver
node_modules/git-semver-tags/node_modules/semver
node_modules/istanbul-lib-instrument/node_modules/semver
node_modules/make-dir/node_modules/semver
node_modules/meow/node_modules/read-pkg/node_modules/semver
node_modules/meow/node_modules/semver
node_modules/rewire/node_modules/semver
node_modules/semver
node_modules/simple-update-notifier/node_modules/semver
node_modules/standard-version/node_modules/semver
node_modules/superagent/node_modules/semver
node_modules/synp/node_modules/semver
  @babel/core  <=7.22.5
  Depends on vulnerable versions of semver
  node_modules/@babel/core
  @babel/helper-compilation-targets  7.8.1 - 7.22.5
  Depends on vulnerable versions of semver
  node_modules/@babel/helper-compilation-targets
  conventional-changelog-writer  *
  Depends on vulnerable versions of meow
  Depends on vulnerable versions of semver
  node_modules/conventional-changelog-writer
    conventional-changelog-core  *
    Depends on vulnerable versions of conventional-changelog-writer
    Depends on vulnerable versions of conventional-commits-parser
    Depends on vulnerable versions of git-raw-commits
    Depends on vulnerable versions of git-semver-tags
    Depends on vulnerable versions of read-pkg
    Depends on vulnerable versions of read-pkg-up
    node_modules/conventional-changelog-core
      conventional-changelog  >=1.0.0
      Depends on vulnerable versions of conventional-changelog-core
      node_modules/conventional-changelog
        standard-version  *
        Depends on vulnerable versions of conventional-changelog
        Depends on vulnerable versions of conventional-recommended-bump
        Depends on vulnerable versions of git-semver-tags
        node_modules/standard-version
  eslint-plugin-import  >=2.27.4
  Depends on vulnerable versions of semver
  node_modules/eslint-plugin-import
    standard  >=17.0.0-0
    Depends on vulnerable versions of eslint-config-standard-jsx
    Depends on vulnerable versions of eslint-plugin-import
    Depends on vulnerable versions of eslint-plugin-react
    node_modules/standard
  eslint-plugin-react  7.19.0 || >=7.26.0
  Depends on vulnerable versions of semver
  node_modules/eslint-plugin-react
    eslint-config-standard-jsx  >=11.0.0-0
    Depends on vulnerable versions of eslint-plugin-react
    node_modules/eslint-config-standard-jsx
  git-semver-tags  *
  Depends on vulnerable versions of meow
  Depends on vulnerable versions of semver
  node_modules/git-semver-tags
    conventional-recommended-bump  >=1.0.0
    Depends on vulnerable versions of conventional-commits-parser
    Depends on vulnerable versions of git-raw-commits
    Depends on vulnerable versions of git-semver-tags
    Depends on vulnerable versions of meow
    node_modules/conventional-recommended-bump
  istanbul-lib-instrument  >=1.2.0
  Depends on vulnerable versions of semver
  node_modules/istanbul-lib-instrument
    nyc  >=7.0.0-alpha.1
    Depends on vulnerable versions of caching-transform
    Depends on vulnerable versions of find-cache-dir
    Depends on vulnerable versions of istanbul-lib-instrument
    Depends on vulnerable versions of istanbul-lib-report
    Depends on vulnerable versions of istanbul-reports
    Depends on vulnerable versions of make-dir
    Depends on vulnerable versions of spawn-wrap
    node_modules/nyc
  make-dir  2.0.0 - 3.1.0
  Depends on vulnerable versions of semver
  node_modules/make-dir
    caching-transform  >=3.0.2
    Depends on vulnerable versions of make-dir
    node_modules/caching-transform
    find-cache-dir  2.1.0 - 3.3.2
    Depends on vulnerable versions of make-dir
    node_modules/find-cache-dir
    istanbul-lib-report  >=2.0.5
    Depends on vulnerable versions of make-dir
    node_modules/istanbul-lib-report
      istanbul-reports  >=3.0.0-alpha.0
      Depends on vulnerable versions of istanbul-lib-report
      node_modules/istanbul-reports
    spawn-wrap  >=2.0.0-beta.0
    Depends on vulnerable versions of make-dir
    node_modules/spawn-wrap
  nodemon  1.4.10-alpha.1 - 1.4.10-alpha.3 || >=1.14.10
  Depends on vulnerable versions of semver
  Depends on vulnerable versions of simple-update-notifier
  node_modules/nodemon
  normalize-package-data  <=2.5.0
  Depends on vulnerable versions of semver
  node_modules/meow/node_modules/read-pkg/node_modules/normalize-package-data
  node_modules/normalize-package-data
    read-package-json  0.4.0 - 2.1.2
    Depends on vulnerable versions of normalize-package-data
    node_modules/read-package-json
      read-installed  *
      Depends on vulnerable versions of read-package-json
      Depends on vulnerable versions of semver
      node_modules/read-installed
        @cyclonedx/bom  <=3.10.6
        Depends on vulnerable versions of read-installed
        node_modules/@cyclonedx/bom
    read-pkg  <=5.2.0
    Depends on vulnerable versions of normalize-package-data
    node_modules/meow/node_modules/read-pkg
    node_modules/read-pkg
      read-pkg-up  <=7.0.1
      Depends on vulnerable versions of read-pkg
      node_modules/meow/node_modules/read-pkg-up
      node_modules/read-pkg-up
        meow  3.4.0 - 9.0.0
        Depends on vulnerable versions of read-pkg-up
        node_modules/meow
          conventional-commits-parser  >=2.1.5
          Depends on vulnerable versions of meow
          node_modules/conventional-commits-parser
          git-raw-commits  >=1.3.4
          Depends on vulnerable versions of meow
          node_modules/git-raw-commits
  simple-update-notifier  1.0.7 - 1.1.0
  Depends on vulnerable versions of semver
  node_modules/simple-update-notifier

taffydb  *
Severity: high
TaffyDB can allow access to any data items in the DB - https://github.com/advisories/GHSA-mxhp-79qh-mcx6
fix available via `npm audit fix`
node_modules/taffydb
  jsdoc  3.2.0-dev - 3.6.11
  Depends on vulnerable versions of taffydb
  node_modules/jsdoc-api/node_modules/jsdoc
    jsdoc-api  4.0.0 - 7.1.1
    Depends on vulnerable versions of jsdoc
    node_modules/jsdoc-api

uglify-js  <=2.5.0
Severity: critical
Regular Expression Denial of Service in uglify-js - https://github.com/advisories/GHSA-c9f4-xj24-8jqx
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js - https://github.com/advisories/GHSA-34r7-q49f-h37c
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/transformers/node_modules/uglify-js
  transformers  >=2.0.0
  Depends on vulnerable versions of uglify-js
  node_modules/transformers

word-wrap  *
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap
  optionator  0.8.3 - 0.9.1
  Depends on vulnerable versions of word-wrap
  node_modules/optionator

42 vulnerabilities (1 low, 34 moderate, 4 high, 3 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

@dependabot @github

dependabot Bot commented on behalf of github Jul 6, 2023

Copy link
Copy Markdown
Contributor Author

Superseded by #81.

@dependabot dependabot Bot closed this Jul 6, 2023
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/expect-29.6.0 branch July 6, 2023 15:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant