
[Snyk] Upgrade: node-fetch, @octokit/rest, chai, cheerio, mime-types, get-image-colors, image-size, semver, inquirer, tinycolor2, jimp, json-stable-stringify, lint-staged, prettier, sharp, sinon #21

Open: wants to merge 1 commit into base: master

Conversation

rizkimaung
Owner

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

| Name | Versions | Released on |
|---|---|---|
| node-fetch | from 2.6.1 to 2.7.0 (13 versions ahead of your current version) | 2023-08-23 (a year ago) |
| @octokit/rest | from 18.5.5 to 18.12.0 (24 versions ahead of your current version) | 2021-10-07 (3 years ago) |
| chai | from 4.3.4 to 4.5.0 (9 versions ahead of your current version) | 2024-07-25 (2 months ago) |
| cheerio | from 1.0.0-rc.9 to 1.0.0 (4 versions ahead of your current version) | 2024-08-09 (a month ago) |
| mime-types | from 2.1.30 to 2.1.35 (5 versions ahead of your current version) | 2022-03-12 (2 years ago) |
| get-image-colors | from 4.0.0 to 4.0.1 (1 version ahead of your current version) | 2022-02-04 (3 years ago) |
| image-size | from 1.0.0 to 1.1.1 (4 versions ahead of your current version) | 2024-01-02 (8 months ago) |
| semver | from 5.7.1 to 5.7.2 (1 version ahead of your current version) | 2023-07-10 (a year ago) |
| inquirer | from 8.1.0 to 8.2.6 (12 versions ahead of your current version) | 2023-08-02 (a year ago) |
| tinycolor2 | from 1.4.2 to 1.6.0 (13 versions ahead of your current version) | 2023-02-03 (2 years ago) |
| jimp | from 0.16.1 to 0.22.12 (111 versions ahead of your current version) | 2024-02-23 (7 months ago) |
| json-stable-stringify | from 1.0.1 to 1.1.1 (3 versions ahead of your current version) | 2024-01-16 (8 months ago) |
| lint-staged | from 11.0.0 to 11.2.6 (14 versions ahead of your current version) | 2021-10-26 (3 years ago) |
| prettier | from 2.3.0 to 2.8.8 (20 versions ahead of your current version) | 2023-04-23 (a year ago) |
| sharp | from 0.28.3 to 0.33.5 (47 versions ahead of your current version) | 2024-08-16 (a month ago) |
| sinon | from 11.1.1 to 11.1.2 (1 version ahead of your current version) | 2021-07-27 (3 years ago) |

Issues fixed by the recommended upgrade:

| Severity | Issue | Snyk ID | Score | Exploit Maturity |
|---|---|---|---|---|
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-NTHCHECK-1586032 | 539 | Proof of Concept |
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-NTHCHECK-1586032 | 539 | Proof of Concept |
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-SEMVER-3247795 | 539 | Proof of Concept |
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-SEMVER-3247795 | 539 | Proof of Concept |
| high | Remote Code Execution (RCE) | SNYK-JS-SHELLQUOTE-1766506 | 539 | No Known Exploit |
| high | Information Exposure | SNYK-JS-SIMPLEGET-2361683 | 539 | Proof of Concept |
| high | Denial of Service (DoS) | SNYK-JS-TRIMNEWLINES-1298042 | 539 | No Known Exploit |
| high | Denial of Service (DoS) | SNYK-JS-JPEGJS-2859218 | 539 | Proof of Concept |
| high | Denial of Service (DoS) | SNYK-JS-JPEGJS-2859218 | 539 | Proof of Concept |
| high | Prototype Pollution | SNYK-JS-JSONSCHEMA-1920922 | 539 | No Known Exploit |
| high | Inefficient Regular Expression Complexity | SNYK-JS-MICROMATCH-6838728 | 539 | No Known Exploit |
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-ANSIREGEX-1583908 | 539 | Proof of Concept |
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-ANSIREGEX-1583908 | 539 | Proof of Concept |
| high | Denial of Service (DoS) | SNYK-JS-DECODEURICOMPONENT-3149970 | 539 | Proof of Concept |
| medium | Information Exposure | SNYK-JS-NODEFETCH-2342118 | 539 | No Known Exploit |
| medium | Remote Code Execution (RCE) | SNYK-JS-SHARP-2848109 | 539 | No Known Exploit |
| critical | Heap-based Buffer Overflow | SNYK-JS-SHARP-5922108 | 539 | Mature |
| high | Prototype Poisoning | SNYK-JS-QS-3153490 | 539 | Proof of Concept |
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-SEMVER-3247795 | 539 | Proof of Concept |
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-ANSIREGEX-1583908 | 539 | Proof of Concept |
| high | Uncontrolled resource consumption | SNYK-JS-BRACES-6838727 | 539 | Proof of Concept |
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-GETFUNCNAME-5923417 | 539 | Proof of Concept |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-ISSVG-1085627 | 539 | Proof of Concept |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-ISSVG-1243891 | 539 | Proof of Concept |
| medium | Prototype Pollution | SNYK-JS-XML2JS-5414874 | 539 | Proof of Concept |
| medium | Denial of Service (DoS) | SNYK-JS-JPEGJS-570039 | 539 | No Known Exploit |
| medium | Exposure of Sensitive Information to an Unauthorized Actor | SNYK-JS-PHIN-6598077 | 539 | No Known Exploit |
| low | Prototype Pollution | SNYK-JS-MINIMIST-2429795 | 539 | Proof of Concept |
Release notes
Package name: node-fetch (from node-fetch GitHub release notes)
Package name: @octokit/rest
  • 18.12.0 - 2021-10-07

    18.12.0 (2021-10-07)

    Features

    • .actions.downloadWorkflowRunAttemptLogs(), .actions.getWorkflowRunAttempt(), .repos.generateReleaseNotes(), .checks.rerequestRun(). Graduate nebula, zzzax, switcheroo, baptiste previews. Removes defunkt /repos/{owner}/{repo}/actions/runs/{run_id}/retry endpoint. Renames methods to have consistent AuthenticatedUser() suffix, deprecates previous method names (#125) (4daa9f3)
  • 18.11.4 - 2021-09-30

    18.11.4 (2021-09-30)

    Bug Fixes

    • removes defunkt endpoints: GET /repos/{owner}/{repo}/community/code_of_conduct, DELETE /reactions/{reaction_id}. encrypted_value and key_id parameters are required for .rest.actions.{createOrUpdateEnvironmentSecret,setSelectedReposForOrgSecret}(). access_token parameter is required for .rest.apps.deleteAuthorization(). Previews graduated: ant-man, flash, scarlet-witch, squirrel-girl (#122) (9c02e7d)
  • 18.11.3 - 2021-09-30

    18.11.3 (2021-09-30)

    Bug Fixes

    • deps: bump minimal version of @octokit/plugin-paginate-rest to v2.16.4 to prevent typescript compile errors (#120) (fca1907)
  • 18.11.2 - 2021-09-27

    18.11.2 (2021-09-27)

    Bug Fixes

  • 18.11.1 - 2021-09-24

    18.11.1 (2021-09-24)

    Bug Fixes

    • typescript: graduate previews dorian, inertia, london, lydian, wyandotte (#116) (f1e2416)
  • 18.11.0 - 2021-09-22

    18.11.0 (2021-09-22)

    Features

    • octokit.rest.repos.{enable,disable}LfsForRepo(), octokit.rest.repos.mergeUpstream({ owner, repo, branch }) (916a8bb)
  • 18.10.0 - 2021-08-31

    18.10.0 (2021-08-31)

    Features

    • typescript: .packages.deletePackageForUser(), .packages.deletePackageVersionForUser(), .packages.restorePackageForUser(), .packages.restorePackageVersionForUser(), .secretScanning.listAlertsForOrg() (#105) (40aeaff)

    Bug Fixes

    • typescript: fix type for labels parameter in .issues.{add,set}Labels() (#105) (40aeaff)
  • 18.9.1 - 2021-08-16

    18.9.1 (2021-08-16)

    Bug Fixes

    • deps: update dependency @octokit/plugin-rest-endpoint-methods to v5.8.0 (1b9ca1e)
  • 18.9.0 - 2021-08-03

    18.9.0 (2021-08-03)

    Features

    • typescript: allow_auto_merge parameter when creating / updating a repository. Search: owner in repository items may no longer be null (#95) (c26c4fe)
  • 18.8.0 - 2021-08-02

    18.8.0 (2021-08-02)

    Features

    • .rest.repos.createAutolink(), .rest.repos.listAutolinks(), .rest.repos.getAutolink(), .rest.repos.deleteAutolink() (#94) (13df9e7)
  • 18.7.2 - 2021-07-30
  • 18.7.1 - 2021-07-23
  • 18.7.0 - 2021-07-21
  • 18.6.8 - 2021-07-20
  • 18.6.7 - 2021-07-04
  • 18.6.6 - 2021-06-30
  • 18.6.5 - 2021-06-30
  • 18.6.4 - 2021-06-29
  • 18.6.3 - 2021-06-26
  • 18.6.2 - 2021-06-24
  • 18.6.1 - 2021-06-23
  • 18.6.0 - 2021-06-12
  • 18.5.6 - 2021-06-01
  • 18.5.6-beta.1 - 2021-06-01
  • 18.5.5 - 2021-05-28
(from @octokit/rest GitHub release notes)
Package name: chai (from chai GitHub release notes)
Package name: cheerio
  • 1.0.0 - 2024-08-09

    Cheerio 1.0 is here! 🎉

    Announcement Blog Post

    Breaking Changes

    • The minimum NodeJS version is now 18.17 or higher #3959

    • Import paths were simplified. For example, use cheerio/slim instead of
      cheerio/lib/slim. #3970

    • The deprecated default Cheerio instance and static methods were removed. #3974

      Before, it was possible to write code like this:

      import cheerio, { html } from 'cheerio';

      html(cheerio('<test></test>')); // ~ '<test></test>' -- NO LONGER WORKS

      Make sure to always load documents first:

      import * as cheerio from 'cheerio';

      cheerio.load('<test></test>').html();

    • Node types previously re-exported by Cheerio must now be imported directly
      from [domhandler](https://github.com/fb55/domhandler). #3969

    • htmlparser2 options now reside exclusively under the xml key (#2916):

      const $ = cheerio.load('<html>', {
        xml: {
          withStartIndices: true,
        },
      });

    New Features

    • Add functions to load buffers, streams & URLs in NodeJS by @fb55 in #2857
    • Add extract method by @fb55 in #2750

    Fixes

    Other

    Full Changelog: v1.0.0-rc.12...v1.0.0

  • 1.0.0-rc.12 - 2022-06-26

    Bugfix release. Fixed issues:

    • Align prop undefined handling with jQuery by @fb55 in #2557
    • Allow deep imports of cheerio/lib/utils by @blixt in #2601

    New Contributors

    Full Changelog: v1.0.0-rc.11...v1.0.0-rc.12

  • 1.0.0-rc.11 - 2022-05-20

    cheerio@1.0.0-rc.11 is hopefully the last RC before the 1.0.0 release of Cheerio. There are two APIs that will be added for the next major release: An extract method (#2523) and NodeJS specific loader methods (#2051). These are still in flux and I'd appreciate feedback on the proposals.

    A big thank you to everyone that contributed to this release! This includes code contributors, as well as the amazing financial support on GitHub Sponsors!

    Under the hood, a lot of work for this release went into updating parse5, cheerio's default HTML parser. Have a look at parse5's release notes to see what has changed there.

    Breaking

    • Cheerio is now a dual CommonJS and ESM module. That means that deep imports will now fail in newer versions of Node. #2508
    • script and style contents are added again in .text() #2509
      • To keep the old behavior, switch .text() to .prop('innerText')
    • The TypeScript types inherited from upstream dependencies have changed. #2503
      • Node types are now using tagged unions, which will make consumption a bit easier.

    Features

    • Relevant options are now forwarded to cheerio-select #2511
    • For the .prop() method:
      • Add textContent and innerText props #2214
      • Users can now specify a baseURI option, which will lead to href and src props to be resolved as URLs. #2510
    • Added a slim export, which will always use htmlparser2 #1960

    Fixes

    • Have text turn passed values to strings #2047
    • Include undefined in the return type of get by @glen-84 in #2392
    • Recognise comments as HTML #2504
    • Add missing undefined return value #2505
    • Export missing static methods #2506
    • Have style parsing add malformed fields to previous field #2521

    Refactor

    • Use domutils module directly #1928
    • Hand-roll isHTML #1935
    • Move initialization logic to load #1951
    • Only return elements in closest #2057
    • Remove unnecessary code, be more explicit #2279
    • Use stricter TS, ESLint configs #2507
    • Update exported values #2512

    Development Experience

    Docs

    New Contributors

    Full Changelog: v1.0.0-rc.10...v1.0.0-rc.11

  • 1.0.0-rc.10 - 2021-06-08

    Fixes:

    Documentation:

    • Document how to define TS types for Plug-Ins (#1915, fixes #1778) 880fd2c
    • Remove obsolete Testing section

Snyk has created this PR to upgrade:
  - node-fetch from 2.6.1 to 2.7.0.
    See this package in npm: https://www.npmjs.com/package/node-fetch
  - @octokit/rest from 18.5.5 to 18.12.0.
    See this package in npm: https://www.npmjs.com/package/@octokit/rest
  - chai from 4.3.4 to 4.5.0.
    See this package in npm: https://www.npmjs.com/package/chai
  - cheerio from 1.0.0-rc.9 to 1.0.0.
    See this package in npm: https://www.npmjs.com/package/cheerio
  - mime-types from 2.1.30 to 2.1.35.
    See this package in npm: https://www.npmjs.com/package/mime-types
  - get-image-colors from 4.0.0 to 4.0.1.
    See this package in npm: https://www.npmjs.com/package/get-image-colors
  - image-size from 1.0.0 to 1.1.1.
    See this package in npm: https://www.npmjs.com/package/image-size
  - semver from 5.7.1 to 5.7.2.
    See this package in npm: https://www.npmjs.com/package/semver
  - inquirer from 8.1.0 to 8.2.6.
    See this package in npm: https://www.npmjs.com/package/inquirer
  - tinycolor2 from 1.4.2 to 1.6.0.
    See this package in npm: https://www.npmjs.com/package/tinycolor2
  - jimp from 0.16.1 to 0.22.12.
    See this package in npm: https://www.npmjs.com/package/jimp
  - json-stable-stringify from 1.0.1 to 1.1.1.
    See this package in npm: https://www.npmjs.com/package/json-stable-stringify
  - lint-staged from 11.0.0 to 11.2.6.
    See this package in npm: https://www.npmjs.com/package/lint-staged
  - prettier from 2.3.0 to 2.8.8.
    See this package in npm: https://www.npmjs.com/package/prettier
  - sharp from 0.28.3 to 0.33.5.
    See this package in npm: https://www.npmjs.com/package/sharp
  - sinon from 11.1.1 to 11.1.2.
    See this package in npm: https://www.npmjs.com/package/sinon

See this project in Snyk:
https://app.snyk.io/org/rizkihorangi/project/65cb260a-f2de-4e5d-abef-5ffd83ca0c9d?utm_source=github&utm_medium=referral&page=upgrade-pr