[Snyk] Upgrade: argon2-browser, bourbon, chai, dompurify, handlebars, jquery, marked, morphdom #130

ragnarstolsmark · 2024-09-12T03:55:26Z

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

argon2-browser
from 1.15.4 to 1.18.0 | 3 versions ahead of your current version | 3 years ago
on 2021-06-05
bourbon
from 7.2.0 to 7.3.0 | 1 version ahead of your current version | 2 years ago
on 2023-01-23
chai
from 4.3.6 to 4.5.0 | 7 versions ahead of your current version | 2 months ago
on 2024-07-25
dompurify
from 2.3.6 to 2.5.6 | 23 versions ahead of your current version | 2 months ago
on 2024-07-05
handlebars
from 4.7.7 to 4.7.8 | 1 version ahead of your current version | a year ago
on 2023-08-01
jquery
from 3.6.0 to 3.7.1 | 6 versions ahead of your current version | a year ago
on 2023-08-28
marked
from 4.0.12 to 4.3.0 | 23 versions ahead of your current version | a year ago
on 2023-03-22
morphdom
from 2.6.1 to 2.7.4 | 6 versions ahead of your current version | 2 months ago
on 2024-07-19

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Template Injection SNYK-JS-DOMPURIFY-6474511	586	Proof of Concept

Release notes

Package name: argon2-browser

1.18.0 - 2021-06-05
1.18.0
1.17.0 - 2021-05-31
1.17.0
1.16.0 - 2021-05-26
1.16.0
1.15.4 - 2021-03-31
1.15.4

from argon2-browser GitHub release notes

Package name: bourbon

7.3.0 - 2023-01-23
Update initializers so they only include assets for >=Rails 5. Dropped support for <Rails 5.
7.2.0 - 2022-02-22
What's Changed
- Reverted:
Replace / with math.div per Dart Sass 2.0.0 updates. Thanks to @ dkjensen for raising the issue and @ jclusso for merging the migration."

For context see : #1106 (comment)

from bourbon GitHub release notes

Package name: chai

4.5.0 - 2024-07-25
- Update type detect (#1631) 1a36d35
v4.4.1...v4.5.0

What's Changed
- Update type detect by @ koddsson in #1631
Full Changelog: v4.4.1...v4.5.0
4.4.1 - 2024-01-12
What's Changed
- fix: removes ?? for node compat by @ 43081j in #1574
Full Changelog: v4.4.0...v4.4.1
4.4.0 - 2024-01-05
What's Changed
- Allow deepEqual fonction to be configured globally (4.x.x branch) by @ forty in #1553
Full Changelog: v4.3.10...v4.4.0
4.3.10 - 2023-09-28
4.3.9 - 2023-09-27
4.3.8 - 2023-08-24
4.3.7 - 2022-11-07
4.3.6 - 2022-01-26

from chai GitHub release notes

Package name: dompurify

2.5.6 - 2024-07-05
- Fixed an issue with the execution logic of attribute hooks to prevent bypasses, thanks @ kevin-mizu
- Fixed a minor problem with the bower file pointing to the wrong dist path
- Updated several development dependencies
2.5.5 - 2024-05-31
- Fixed a minor issue with the dist paths in bower.js, thanks @ HakumenNC
- Fixed a minor issue with sanitizing HTML coming from copy&paste Word content, thanks @ kakao-bishop-cho
2.5.4 - 2024-05-20
- Fixed a bug with latest isNaN checks affecting MSIE, thanks @ tulach
- Fixed the tests for MSIE and fixed related test-runner
2.5.3 - 2024-05-11
- Fixed several mXSS variations found by and thanks to @ kevin-mizu & @ Ry0taK
- Added better configurability for comment scrubbing default behavior
- Added better hardening against Prototype Pollution attacks, thanks @ kevin-mizu
- Fixed some smaller issues in README and other documentation
2.5.2 - 2024-04-30
- Addressed and fixed a mXSS variation found by @ kevin-mizu
- Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
- Updated tests for older Safari and Chrome versions
2.5.1 - 2024-04-26
2.5.0 - 2024-04-07
2.4.9 - 2024-03-21
2.4.8 - 2024-03-19
2.4.7 - 2023-07-11
2.4.6 - 2023-07-10
2.4.5 - 2023-03-01
2.4.4 - 2023-02-13
2.4.3 - 2023-01-06
2.4.2 - 2023-01-05
2.4.1 - 2022-11-10
2.4.0 - 2022-08-24
2.3.12 - 2022-08-23
2.3.11 - 2022-08-23
2.3.10 - 2022-07-18
2.3.9 - 2022-07-11
2.3.8 - 2022-05-13
2.3.7 - 2022-05-11
2.3.6 - 2022-02-16

from dompurify GitHub release notes

Package name: handlebars

4.7.8 - 2023-08-01
- Make library compatible with workers (#1894) - 3d3796c
- Don't rely on Node.js global object (#1776) - 2954e7e
- Fix compiling of each block params in strict mode (#1855) - 30dbf04
- Fix rollup warning when importing Handlebars as ESM - 03d387b
- Fix bundler issue with webpack 5 (#1862) - c6c6bbb
- Use https instead of git for mustache submodule - 88ac068
Commits
4.7.7 - 2021-02-15
v4.7.7

from handlebars GitHub release notes

Package name: jquery

3.7.1 - 2023-08-28
https://blog.jquery.com/2023/08/28/jquery-3-7-1-released-reliable-table-row-dimensions/
3.7.0 - 2023-05-11
https://blog.jquery.com/2023/05/11/jquery-3-7-0-released-staying-in-order/
3.6.4 - 2023-03-08
https://blog.jquery.com/2023/03/08/jquery-3-6-4-released-selector-forgiveness/
3.6.3 - 2022-12-20
https://blog.jquery.com/2022/12/20/jquery-3-6-3-released-a-quick-selector-fix/
3.6.2 - 2022-12-13
https://blog.jquery.com/2022/12/13/jquery-3-6-2-released/
3.6.1 - 2022-08-26
https://blog.jquery.com/2022/08/26/jquery-3-6-1-maintenance-release/
3.6.0 - 2021-03-02
https://blog.jquery.com/2021/03/02/jquery-3-6-0-released/

from jquery GitHub release notes

Package name: marked

4.3.0 - 2023-03-22
4.3.0 (2023-03-22)

Bug Fixes
- always return promise if async (#2728) (042dcc5)
- fenced code doesn't need a trailing newline (#2756) (3acbb7f)
Features
- add preprocess and postprocess hooks (#2730) (9b452bc)
4.2.12 - 2023-01-14
4.2.12 (2023-01-14)

Sorry for all of the quick releases. We were testing out different ways to build the files for releases. v4.2.5 - v4.2.12 have no changes to how marked works. The only addition is the version number in the comment in the build files.

Bug Fixes
- revert to build script in ci (d2ab474)
4.2.11 - 2023-01-14
4.2.11 (2023-01-14)

Bug Fixes
- just build in version (22ac2cf)
4.2.10 - 2023-01-14
4.2.10 (2023-01-14)

Bug Fixes
- use version (fd759b3)
4.2.9 - 2023-01-14
4.2.9 (2023-01-14)

Bug Fixes
- fix version (96380c3)
4.2.8 - 2023-01-14
4.2.8 (2023-01-14)

Bug Fixes
- build in postversion for build file version (60c3b7f)
4.2.7 - 2023-01-14
4.2.7 (2023-01-14)

Bug Fixes
- fix build file version (94fa76f)
4.2.6 - 2023-01-14
4.2.6 (2023-01-14)

Bug Fixes
- add version to build files (79b8c0b)
4.2.5 - 2022-12-23
4.2.5 (2022-12-23)

Bug Fixes
- fix paragraph continuation after block element (#2686) (1bbda68)
- fix tabs at beginning of list items (#2679) (e692634)
4.2.4 - 2022-12-07
4.2.4 (2022-12-07)

Bug Fixes
- loose list items are loose (#2672) (df4eb0e)
- remove quotes at the end of gfm autolink (#2673) (697ac2a)
- use paragraph token in blockquote in list (#2671) (edc857c)
4.2.3 - 2022-11-20
4.2.2 - 2022-11-05
4.2.1 - 2022-11-02
4.2.0 - 2022-10-31
4.1.1 - 2022-10-01
4.1.0 - 2022-08-30
4.0.19 - 2022-08-21
4.0.18 - 2022-07-11
4.0.17 - 2022-06-13
4.0.16 - 2022-05-17
4.0.15 - 2022-05-02
4.0.14 - 2022-04-11
4.0.13 - 2022-04-08
4.0.12 - 2022-01-27

from marked GitHub release notes

Package name: morphdom

2.7.4 - 2024-07-19
Version 2.7.4
2.7.3 - 2024-06-20
Version 2.7.3
2.7.2 - 2024-01-17
Version 2.7.2
2.7.1 - 2023-10-04
Verison 2.7.1
2.7.0 - 2023-01-31
Version 2.7.0
2.6.2 - 2023-01-30
2.6.1 - 2020-05-05
2.6.1

from morphdom GitHub release notes

Important

Check the changes in this PR to ensure they won't cause issues with your project.
This PR was automatically created by Snyk using the credentials of a real user.
Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

📜 Customise PR templates

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Snyk has created this PR to upgrade: - argon2-browser from 1.15.4 to 1.18.0. See this package in npm: https://www.npmjs.com/package/argon2-browser - bourbon from 7.2.0 to 7.3.0. See this package in npm: https://www.npmjs.com/package/bourbon - chai from 4.3.6 to 4.5.0. See this package in npm: https://www.npmjs.com/package/chai - dompurify from 2.3.6 to 2.5.6. See this package in npm: https://www.npmjs.com/package/dompurify - handlebars from 4.7.7 to 4.7.8. See this package in npm: https://www.npmjs.com/package/handlebars - jquery from 3.6.0 to 3.7.1. See this package in npm: https://www.npmjs.com/package/jquery - marked from 4.0.12 to 4.3.0. See this package in npm: https://www.npmjs.com/package/marked - morphdom from 2.6.1 to 2.7.4. See this package in npm: https://www.npmjs.com/package/morphdom See this project in Snyk: https://app.snyk.io/org/identitystream/project/030988fc-487f-4799-b536-26fc1d435c73?utm_source=github&utm_medium=referral&page=upgrade-pr

bfotland merged commit 2da9e3c into servicemanager Oct 23, 2024

bfotland deleted the snyk-upgrade-4c02118b16a94e18fc406fc1e4872570 branch October 23, 2024 13:01

[Snyk] Upgrade: argon2-browser, bourbon, chai, dompurify, handlebars, jquery, marked, morphdom #130

[Snyk] Upgrade: argon2-browser, bourbon, chai, dompurify, handlebars, jquery, marked, morphdom #130

Uh oh!

Conversation

ragnarstolsmark commented Sep 12, 2024

Snyk has created this PR to upgrade multiple dependencies.

Issues fixed by the recommended upgrade:

What's Changed

What's Changed

What's Changed

What's Changed

4.3.0 (2023-03-22)

Bug Fixes

Features

4.2.12 (2023-01-14)

Bug Fixes

4.2.11 (2023-01-14)

Bug Fixes

4.2.10 (2023-01-14)

Bug Fixes

4.2.9 (2023-01-14)

Bug Fixes

4.2.8 (2023-01-14)

Bug Fixes

4.2.7 (2023-01-14)

Bug Fixes

4.2.6 (2023-01-14)

Bug Fixes

4.2.5 (2022-12-23)

Bug Fixes

4.2.4 (2022-12-07)

Bug Fixes

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants