
[Snyk] Upgrade: @koa/cors, @octokit/core, @octokit/plugin-throttling, axios, commander, consola, koa-body, koa-router, lru-cache, luxon, mysql2, node-sql-parser, octokit, p-queue, pinyin, prom-client, reflect-metadata, tiny-async-pool #881

Status: Open. Wants to merge 1 commit into base: main

Conversation

q1blue (Collaborator) commented Sep 22, 2024


Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Name | Versions | Major upgrade? | Released on
@koa/cors | from 3.4.3 to 5.0.0 (2 versions ahead of your current version) | ⚠️ yes | 2023-12-11 (9 months ago)
@octokit/core | from 4.2.4 to 6.1.2 (21 versions ahead of your current version) | ⚠️ yes | 2024-04-09 (5 months ago)
@octokit/plugin-throttling | from 4.3.2 to 9.3.1 (29 versions ahead of your current version) | ⚠️ yes | 2024-07-14 (2 months ago)
axios | from 0.27.2 to 1.7.7 (46 versions ahead of your current version) | ⚠️ yes | 2024-08-31 (22 days ago)
commander | from 9.5.0 to 12.1.0 (8 versions ahead of your current version) | ⚠️ yes | 2024-05-18 (4 months ago)
consola | from 2.15.3 to 3.2.3 (13 versions ahead of your current version) | ⚠️ yes | 2023-07-05 (a year ago)
koa-body | from 5.0.0 to 6.0.1 (2 versions ahead of your current version) | ⚠️ yes | 2022-10-29 (2 years ago)
koa-router | from 10.1.1 to 12.0.1 (5 versions ahead of your current version) | ⚠️ yes | 2023-10-12 (a year ago)
lru-cache | from 7.18.3 to 11.0.0 (28 versions ahead of your current version) | ⚠️ yes | 2024-07-08 (2 months ago)
luxon | from 2.5.2 to 3.5.0 (16 versions ahead of your current version) | ⚠️ yes | 2024-08-03 (2 months ago)
mysql2 | from 2.3.3 to 3.11.0 (50 versions ahead of your current version) | ⚠️ yes | 2024-07-27 (2 months ago)
node-sql-parser | from 4.18.0 to 5.3.1 (5 versions ahead of your current version) | ⚠️ yes | 2024-08-07 (2 months ago)
octokit | from 1.8.1 to 4.0.2 (39 versions ahead of your current version) | ⚠️ yes | 2024-05-08 (4 months ago)
p-queue | from 7.4.1 to 8.0.1 (2 versions ahead of your current version) | ⚠️ yes | 2023-12-14 (9 months ago)
pinyin | from 3.0.0-alpha.5 to 3.1.0 (3 versions ahead of your current version) | no | 2023-11-22 (10 months ago)
prom-client | from 14.2.0 to 15.1.3 (7 versions ahead of your current version) | ⚠️ yes | 2024-06-27 (3 months ago)
reflect-metadata | from 0.1.14 to 0.2.2 (4 versions ahead of your current version) | no | 2024-03-29 (6 months ago)
tiny-async-pool | from 1.3.0 to 2.1.0 (3 versions ahead of your current version) | ⚠️ yes | 2022-05-10 (2 years ago)

⚠️ yes = this is a major version upgrade, and may be a breaking change.

Issues fixed by the recommended upgrade:

Issue | Severity | Score | Exploit Maturity
Improper Handling of Exceptional Conditions (SNYK-JS-OCTOKIT-6129525) | high | 193 | No Known Exploit
Cross-site Request Forgery (CSRF) (SNYK-JS-AXIOS-6032459) | high | 193 | Proof of Concept
Origin Validation Error (SNYK-JS-KOACORS-6117545) | high | 193 | No Known Exploit
Prototype Pollution (SNYK-JS-MYSQL2-6861580) | high | 193 | Proof of Concept
Regular Expression Denial of Service (ReDoS) (SNYK-JS-AXIOS-6124857) | medium | 193 | Proof of Concept
Prototype Poisoning (SNYK-JS-MYSQL2-6591084) | medium | 193 | Proof of Concept
Remote Code Execution (RCE) (SNYK-JS-MYSQL2-6591085) | critical | 193 | Proof of Concept
Use of Web Browser Cache Containing Sensitive Information (SNYK-JS-MYSQL2-6591300) | medium | 193 | Proof of Concept
Arbitrary Code Injection (SNYK-JS-MYSQL2-6670046) | critical | 193 | Proof of Concept
Release notes
Package name: @koa/cors from @koa/cors GitHub release notes
Package name: @octokit/core from @octokit/core GitHub release notes
Package name: @octokit/plugin-throttling
  • 9.3.1 - 2024-07-14: Bug Fixes
  • 9.3.0 - 2024-04-29: Features
  • 9.2.1 - 2024-04-23: Bug Fixes
  • 9.2.0 - 2024-04-15: Features
    • routes changed from repository_id to nwo and enterprise groups now includes the enterprise in route (#684) (734bcba)
  • 9.1.0 - 2024-04-03: Features
  • 9.0.4 - 2024-04-03: Bug Fixes
    • deps: update dependency @octokit/types to v13 (8cc6eb9)
  • 9.0.3 - 2024-03-01: Bug Fixes
  • 9.0.2 - 2024-02-27: Bug Fixes
  • 9.0.1 - 2024-02-26: Bug Fixes
    • add missing file extension on bottleneck import (#676) (1c64559)
  • 9.0.0 - 2024-02-25: Features; BREAKING CHANGES
    • package is now ESM
  • 8.2.0 - 2024-02-22
  • 8.1.3 - 2023-11-18
  • 8.1.2 - 2023-10-25
  • 8.1.1 - 2023-10-25
  • 8.1.0 - 2023-10-24
  • 8.0.1 - 2023-10-21
  • 8.0.0 - 2023-09-23
  • 7.0.0 - 2023-07-10
  • 6.1.0 - 2023-06-09
  • 6.0.1 - 2023-06-07
  • 6.0.0 - 2023-05-22
  • 5.2.3 - 2023-05-19
  • 5.2.2 - 2023-05-17
  • 5.2.1 - 2023-05-13
  • 5.2.0 - 2023-05-05
  • 5.1.1 - 2023-04-21
  • 5.1.0 - 2023-04-20
  • 5.0.1 - 2023-01-20
  • 5.0.0 - 2023-01-20
  • 4.3.2 - 2022-10-31
from @octokit/plugin-throttling GitHub release notes
Package name: axios
  • 1.7.7 - 2024-08-31: Bug Fixes
    • fetch: fix stream handling in Safari by fallback to using a stream reader instead of an async iterator; (#6584) (d198085)
    • http: fixed support for IPv6 literal strings in url (#5731) (364993f)
  • 1.7.6 - 2024-08-30: Bug Fixes
    • fetch: fix content length calculation for FormData payload; (#6524) (085f568)
    • fetch: optimize signals composing logic; (#6582) (df9889b)
  • 1.7.5 - 2024-08-23: Bug Fixes
    • adapter: fix undefined reference to hasBrowserEnv (#6572) (7004707)
    • core: add the missed implementation of AxiosError#status property; (#6573) (6700a8a)
    • core: fix ReferenceError: navigator is not defined for custom environments; (#6567) (fed1a4b)
    • fetch: fix credentials handling in Cloudflare workers (#6533) (550d885)
  • 1.7.4 - 2024-08-13: Bug Fixes
  • 1.7.3 - 2024-08-01: Bug Fixes
    • adapter: fix progress event emitting; (#6518) (e3c76fc)
    • fetch: fix withCredentials request config (#6505) (85d4d0e)
    • xhr: return original config on errors from XHR adapter (#6515) (8966ee7)
  • 1.7.2 - 2024-05-21: Bug Fixes
  • 1.7.1 - 2024-05-20: Bug Fixes
    • fetch: fixed ReferenceError issue when TextEncoder is not available in the environment; (#6410) (733f15f)
  • 1.7.0 - 2024-05-19: Features; Bug Fixes
    • core/axios: handle un-writable error stack (#6362) (81e0455)
  • 1.7.0-beta.2 - 2024-05-19: Bug Fixes
    • fetch: capitalize HTTP method names; (#6395) (ad3174a)
    • fetch: fix & optimize progress capturing for cases when the request data has a nullish value or zero data length (#6400) (95a3e8e)
    • fetch: fix headers getting from a stream response; (#6401) (870e0a7)
  • 1.7.0-beta.1 - 2024-05-07: Bug Fixes
    • core/axios: handle un-writable error stack (#6362) (81e0455)
    • fetch: fix cases when ReadableStream or Response.body are not available; (#6377) (d1d359d)
    • fetch: treat fetch-related TypeError as an AxiosError.ERR_NETWORK error; (#6380) (bb5f9a5)
    Install: npm i axios@next
  • 1.7.0-beta.0 - 2024-04-28
  • 1.6.8 - 2024-03-15
  • 1.6.7 - 2024-01-25
  • 1.6.6 - 2024-01-24
  • 1.6.5 - 2024-01-05
  • 1.6.4 - 2024-01-03
  • 1.6.3 - 2023-12-26
  • 1.6.2 - 2023-11-14
  • 1.6.1 - 2023-11-08
  • 1.6.0 - 2023-10-26
  • 1.5.1 - 2023-09-26
  • 1.5.0 - 2023-08-26
  • 1.4.0 - 2023-04-27
  • 1.3.6 - 2023-04-19
  • 1.3.5 - 2023-04-05
  • 1.3.4 - 2023-02-22
  • 1.3.3 - 2023-02-13
  • 1.3.2 - 2023-02-03
  • 1.3.1 - 2023-02-01
  • 1.3.0 - 2023-01-31
  • 1.2.6 - 2023-01-28
  • 1.2.5 - 2023-01-26
  • 1.2.4 - 2023-01-24
  • 1.2.3 - 2023-01-17
  • 1.2.2 - 2022-12-29
  • 1.2.1 - 2022-12-05
  • 1.2.0 - 2022-11-22
  • 1.2.0-alpha.1 - 2022-11-10
  • 1.1.3 - 2022-10-15
  • 1.1.2 - 2022-10-07
  • 1.1.1 - 2022-10-07
  • 1.1.0 - 2022-10-06
  • 1.0.0 - 2022-10-04
  • 1.0.0-alpha.1 - 2022-05-31
  • 0.28.1 - 2024-03-28
  • 0.28.0 - 2024-02-12
  • 0.27.2 - 2022-04-27
from axios GitHub release notes
Package name: commander
  • 12.1.0 - 2024-05-18

    Added

    • auto-detect special node flags node --eval and node --print when call .parse() with no arguments (#2164)

    Changed

    • prefix require of Node.js core modules with node: (#2170)
    • format source files with Prettier (#2180)
    • switch from StandardJS to directly calling ESLint for linting (#2153)
    • extend security support for previous major version of Commander (#2150)

    Removed

    • removed unimplemented Option.fullDescription from TypeScript definition (#2191)
  • 12.0.0 - 2024-02-03

    Added

    • .addHelpOption() as another way of configuring built-in help option (#2006)
    • .helpCommand() for configuring built-in help command (#2087)

    Fixed

    • Breaking: use non-zero exit code when spawned executable subcommand terminates due to a signal (#2023)
    • Breaking: check passThroughOptions constraints when using .addCommand and throw if parent command does not have .enablePositionalOptions() enabled (#1937)

    Changed

    • Breaking: Commander 12 requires Node.js v18 or higher (#2027)
    • Breaking: throw an error if add an option with a flag which is already in use (#2055)
    • Breaking: throw an error if add a command with name or alias which is already in use (#2059)
    • Breaking: throw error when calling .storeOptionsAsProperties() after setting an option value (#1928)
    • replace non-standard JSDoc of @api private with documented @private (#1949)
    • .addHelpCommand() now takes a Command (passing string or boolean still works as before but deprecated) (#2087)
    • refactor internal implementation of built-in help option (#2006)
    • refactor internal implementation of built-in help command (#2087)

    Deprecated

    • .addHelpCommand() passing string or boolean (use .helpCommand() or pass a Command) (#2087)

    Removed

    • Breaking: removed default export of a global Command instance from CommonJS (use the named program export instead) (#2017)

    Migration Tips

    global program

    If you are using the deprecated default import of the global Command object, you need to switch to using a named import (or create a new Command).

    // const program = require('commander');
    const { program } = require('commander');

    option and command clashes

    A couple of configuration problems now throw an error, which will pick up issues in existing programs:

    • adding an option which uses the same flag as a previous option
    • adding a command which uses the same name or alias as a previous command
  • 12.0.0-1 - 2024-01-19

    Added

    • .addHelpOption() as another way of configuring built-in help option (#2006)
    • .helpCommand() for configuring built-in help command (#2087)

    Changed

    • .addHelpCommand() now takes a Command (passing string or boolean still works as before but deprecated) (#2087)
    • refactor internal implementation of built-in help option (#2006)
    • refactor internal implementation of built-in help command (#2087)

    Deprecated

    • .addHelpCommand() passing string or boolean (use .helpCommand() or pass a Command) (#2087)
  • 12.0.0-0 - 2023-11-11

    Fixed

    • Breaking: use non-zero exit code when spawned executable subcommand terminates due to a signal (#2023)
    • Breaking: check passThroughOptions constraints when using .addCommand and throw if parent command does not have .enablePositionalOptions() enabled (#1937)

    Changed

    • Breaking: Commander 12 requires Node.js v18 or higher (#2027)
    • Breaking: throw an error if add an option with a flag which is already in use (#2055)
    • Breaking: throw an error if add a command with name or alias which is already in use (#2059)
    • Breaking: throw error when calling .storeOptionsAsProperties() after setting an option value (#1928)
    • replace non-standard JSDoc of @api private with documented @private (#1949)

    Removed

    • Breaking: removed default export of a global Command instance from CommonJS (use the named program export instead) (#2017)

    Migration Tips

    global program

    If you are using the deprecated default import of the global Command object, you need to switch to using a named import (or create a new Command).

    // const program = require('commander');
    const { program } = require('commander');

    option and command clashes

    A couple of configuration problems now throw an error, which will pick up issues in existing programs:

    • adding an option which uses the same flag as a previous option
    • adding a command which uses the same name or alias as a previous command
  • 11.1.0 - 2023-10-13

    Fixed

    • TypeScript: update OptionValueSource to allow any string, to match supported use of custom sources (#1983)
    • TypeScript: add that Command.version() can also be used as getter (#1982)
    • TypeScript: add null return type to Commands.executableDir(), for when not configured (#1965)
    • subcommands with an executable handler and only a short help flag are now handled correctly by the parent's help command (#1930)

    Added

    • registeredArguments property on Command with the array of defined Argument (like Command.options for Option) (#2010)
    • TypeScript declarations for Option properties: envVar, presetArg (#2019)
    • TypeScript declarations for Argument properties: argChoices, defaultValue, defaultValueDescription (#2019)
    • example file which shows how to configure help to display any custom usage in the list of subcommands (#1896)

    Changed

    • (developer) refactor TypeScript configs for multiple use-cases, and enable checks in JavaScript files in supporting editors (#1969)

    Deprecated

    • Command._args was private anyway, but now available as registeredArguments (

Snyk has created this PR to upgrade:
  - @koa/cors from 3.4.3 to 5.0.0.
    See this package in npm: https://www.npmjs.com/package/@koa/cors
  - @octokit/core from 4.2.4 to 6.1.2.
    See this package in npm: https://www.npmjs.com/package/@octokit/core
  - @octokit/plugin-throttling from 4.3.2 to 9.3.1.
    See this package in npm: https://www.npmjs.com/package/@octokit/plugin-throttling
  - axios from 0.27.2 to 1.7.7.
    See this package in npm: https://www.npmjs.com/package/axios
  - commander from 9.5.0 to 12.1.0.
    See this package in npm: https://www.npmjs.com/package/commander
  - consola from 2.15.3 to 3.2.3.
    See this package in npm: https://www.npmjs.com/package/consola
  - koa-body from 5.0.0 to 6.0.1.
    See this package in npm: https://www.npmjs.com/package/koa-body
  - koa-router from 10.1.1 to 12.0.1.
    See this package in npm: https://www.npmjs.com/package/koa-router
  - lru-cache from 7.18.3 to 11.0.0.
    See this package in npm: https://www.npmjs.com/package/lru-cache
  - luxon from 2.5.2 to 3.5.0.
    See this package in npm: https://www.npmjs.com/package/luxon
  - mysql2 from 2.3.3 to 3.11.0.
    See this package in npm: https://www.npmjs.com/package/mysql2
  - node-sql-parser from 4.18.0 to 5.3.1.
    See this package in npm: https://www.npmjs.com/package/node-sql-parser
  - octokit from 1.8.1 to 4.0.2.
    See this package in npm: https://www.npmjs.com/package/octokit
  - p-queue from 7.4.1 to 8.0.1.
    See this package in npm: https://www.npmjs.com/package/p-queue
  - pinyin from 3.0.0-alpha.5 to 3.1.0.
    See this package in npm: https://www.npmjs.com/package/pinyin
  - prom-client from 14.2.0 to 15.1.3.
    See this package in npm: https://www.npmjs.com/package/prom-client
  - reflect-metadata from 0.1.14 to 0.2.2.
    See this package in npm: https://www.npmjs.com/package/reflect-metadata
  - tiny-async-pool from 1.3.0 to 2.1.0.
    See this package in npm: https://www.npmjs.com/package/tiny-async-pool

See this project in Snyk:
https://app.snyk.io/org/q1blue-rxw/project/061589ad-3276-41ad-ab3d-5cb52331031e?utm_source=github&utm_medium=referral&page=upgrade-pr

changeset-bot bot commented Sep 22, 2024

⚠️ No Changeset found

Latest commit: 7f690d1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR


Socket for GitHub commented: New and removed dependencies detected.

Package | New capabilities | Transitives | Size | Publisher
npm/pinyin@3.1.0 | Transitive: environment, eval, filesystem, network, shell, unsafe | +117 | 271 MB | hotoo

🚮 Removed packages: npm/pinyin@3.0.0-alpha.5


Successfully merging this pull request may close these issues.

[BUG]: No "exports" main defined in version 6.0.1