Skip to content

Bump the npm_and_yarn group across 1 directory with 11 updates #89

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Bump the npm_and_yarn group across 1 directory with 11 updates #89

wants to merge 1 commit into from

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Mar 16, 2025

Bumps the npm_and_yarn group with 9 updates in the /insecure-js directory:

Package From To
chart.js 2.8.0 2.9.4
dom-iterator 1.0.0 1.0.1
jquery 2.1.0 3.5.0
lodash 4.16.1 4.17.21
mysql2 2.3.3 3.9.8
semver 5.4.1 5.7.2
sequelize 4.44.1 6.29.0
@babel/helpers 7.0.0-rc.1 7.26.10
@babel/core 7.0.0-rc.1 7.26.10

Updates chart.js from 2.8.0 to 2.9.4

Release notes

Sourced from chart.js's releases.

v2.9.4

This is the last release of v2 and focused on fixing bugs identified in the v2.9.3 release.

Bugs Fixed

  • #7404 - Preserve prototypes when cloning. Thanks @​iddings
  • #7587 - Fix docs for external moment.js. Thanks @​mojoaxel
  • #7853 - Fix box recursion when dimensions are NaN. Thanks @​alessandroasm
  • #7883 - Fix call stack exception when computing label sizes. Thanks @​silentmatt
  • #7918 - Prevent global prototype pollution via the merge helper
  • #7920 - Use Object.create(null) as merge target, to prevent prototype pollution

v2.9.3

Bug Fixes

  • #6698 Fix undefined variable
  • #6719 Don't make legend empty when fill is false

Thanks to the maintainers and collaborators for their help to improve and test Chart.js (@​kurkle, @​benmccann, and @​etimberg).

v2.9.2

Bug Fixes

  • #6641 IE11 & Edge compatible style injection
  • #6655 Backwards compatible default fill for radar charts
  • #6660 Improve clipping of line charts when border widths are large
  • #6661 When a legend item is clicked, make sure the correct item is hidden
  • #6663 Refresh package-lock file to pick up new dependency

Performance

  • #6671 Stop unnecessary line calculations

Documentation

  • #6643 Combine performance documentation sections

Thanks to the maintainers and collaborators for their help to improve and test Chart.js (@​nagix, @​kurkle, @​benmccann, @​etimberg and @​simonbrunel).

v2.9.1

Bug Fixes

  • #6603 Fix deprecation warnings for horizontal bar charts
  • #6608 Fix zoom plugin by no longer clipping scale.getDecimalForPixel to the chart area
  • #6617 Non numeric Y axes did not work

Documentation

  • #6613 Add link to performance documentation

... (truncated)

Commits

Updates dom-iterator from 1.0.0 to 1.0.1

Commits

Updates jquery from 2.1.0 to 3.5.0

Release notes

Sourced from jquery's releases.

jQuery 3.5.0 Released!

See the blog post: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ and the upgrade guide: https://jquery.com/upgrade-guide/3.5/

NOTE: Despite being a minor release, this update includes a breaking change that we had to make to fix a security issue ( CVE-2020-11022). Please follow the blog post & the upgrade guide for more details.

Commits
  • 7a0a850 3.5.0
  • 8570a08 Release: Update AUTHORS.txt
  • da3dd85 Ajax: Do not execute scripts for unsuccessful HTTP responses
  • 065143c Ajax: Overwrite s.contentType with content-type header value, if any
  • 1a4f10d Tests: Blacklist one focusin test in IE
  • 9e15d6b Event: Use only one focusin/out handler per matching window & document
  • 966a709 Manipulation: Skip the select wrapper for <option> outside of IE 9
  • 1d61fd9 Manipulation: Make jQuery.htmlPrefilter an identity function
  • 04bf577 Selector: Update Sizzle from 2.3.4 to 2.3.5
  • 7506c9c Build: Resolve Travis config warnings
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by mgol, a new releaser for jquery since your current version.


Updates lodash from 4.16.1 to 4.17.21

Commits
  • f299b52 Bump to v4.17.21
  • c4847eb Improve performance of toNumber, trim and trimEnd on large input strings
  • 3469357 Prevent command injection through _.template's variable option
  • ded9bc6 Bump to v4.17.20.
  • 63150ef Documentation fixes.
  • 00f0f62 test.js: Remove trailing comma.
  • 846e434 Temporarily use a custom fork of lodash-cli.
  • 5d046f3 Re-enable Travis tests on 4.17 branch.
  • aa816b3 Remove /npm-package.
  • d7fbc52 Bump to v4.17.19
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by bnjmnt4n, a new releaser for lodash since your current version.


Updates mysql2 from 2.3.3 to 3.9.8

Release notes

Sourced from mysql2's releases.

v3.9.8

3.9.8 (2024-05-26)

Bug Fixes

  • security: sanitize fields and tables when using nestTables (#2702) (efe3db5)
  • support deno + caching_sha2_password FULL_AUTHENTICATION_PACKET flow (#2704) (2e03694)
  • typings: typo from jonServerPublicKey to onServerPublicKey (#2699) (8b5f691)

v3.9.7

3.9.7 (2024-04-21)

Bug Fixes

  • security: sanitize timezone parameter value to prevent code injection - report by zhaoyudi (Nebulalab) (#2608) (7d4b098)

v3.9.6

3.9.6 (2024-04-18)

Bug Fixes

  • binary parser sometimes reads out of packet bounds when results contain null and typecast is false (#2601) (705835d)

v3.9.5

3.9.5 (2024-04-17)

Bug Fixes

  • revert breaking change in results creation (#2591) (f7c60d0)

v3.9.4

3.9.4 (2024-04-09)

Bug Fixes

  • SSL: separate each certificate into an individual item #2542 (63f1055)
  • security: improve supportBigNumbers and bigNumberStrings sanitization (#2572) (74abf9e)
    • Fixes a potential RCE attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
  • security: improve results object creation (#2574) (4a964a3)
    • Fixes a potential Prototype Pollution attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
  • docs: improve the contribution guidelines (#2552) (8a818ce)

v3.9.3

3.9.3 (2024-03-26)

... (truncated)

Changelog

Sourced from mysql2's changelog.

3.9.8 (2024-05-26)

Bug Fixes

  • security: sanitize fields and tables when using nestTables (#2702) (efe3db5)
  • support deno + caching_sha2_password FULL_AUTHENTICATION_PACKET flow (#2704) (2e03694)
  • typings: typo from jonServerPublicKey to onServerPublicKey (#2699) (8b5f691)

3.9.7 (2024-04-21)

Bug Fixes

  • security: sanitize timezone parameter value to prevent code injection (#2608) (7d4b098)

3.9.6 (2024-04-18)

Bug Fixes

  • binary parser sometimes reads out of packet bounds when results contain null and typecast is false (#2601) (705835d)

3.9.5 (2024-04-17)

Bug Fixes

  • revert breaking change in results creation (#2591) (f7c60d0)

3.9.4 (2024-04-09)

Bug Fixes

  • docs: improve the contribution guidelines (#2552) (8a818ce)
  • security: improve results object creation (#2574) (4a964a3)
  • security: improve supportBigNumbers and bigNumberStrings sanitization (#2572) (74abf9e)

3.9.3 (2024-03-26)

Bug Fixes

  • security: improve cache key formation (#2424) (0d54b0c)
    • Fixes a potential parser cache poisoning attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
  • update Amazon RDS SSL CA cert (#2131) (d9dccfd)

3.9.2 (2024-02-26)

... (truncated)

Commits
  • f637d3f chore(master): release 3.9.8 (#2700)
  • efe3db5 fix(security): sanitize fields and tables when using nestTables (#2702)
  • 2e03694 fix: support deno + caching_sha2_password FULL_AUTHENTICATION_PACKET flow (#2...
  • 8b5f691 fix(typings): typo from jonServerPublicKey to onServerPublicKey (#2699)
  • 5c75802 build(deps-dev): bump tsx from 4.10.5 to 4.11.0 in /website (#2695)
  • 179769f build(deps): bump @​easyops-cn/docusaurus-search-local in /website (#2696)
  • 56289e2 build(deps-dev): bump poku from 1.12.1 to 1.13.0 (#2698)
  • b029308 build(deps-dev): bump poku from 1.12.1 to 1.13.0 in /website (#2697)
  • 539acb8 build(deps): bump lucide-react from 0.378.0 to 0.379.0 in /website (#2693)
  • dc80580 build(deps-dev): bump @​typescript-eslint/eslint-plugin from 7.9.0 to 7.10.0 i...
  • Additional commits viewable in compare view

Updates semver from 5.4.1 to 5.7.2

Release notes

Sourced from semver's releases.

v5.7.2

5.7.2 (2023-07-10)

Bug Fixes

Changelog

Sourced from semver's changelog.

5.7.2 (2023-07-10)

Bug Fixes

5.7

  • Add minVersion method

5.6

  • Move boolean loose param to an options object, with backwards-compatibility protection.
  • Add ability to opt out of special prerelease version handling with the includePrerelease option flag.

5.5

  • Add version coercion capabilities

5.4

  • Add intersection checking

5.3

  • Add minSatisfying method

5.2

  • Add prerelease(v) that returns prerelease components

5.1

  • Add Backus-Naur for ranges
  • Remove excessively cute inspection methods

5.0

  • Remove AMD/Browserified build artifacts
  • Fix ltr and gtr when using the * range
  • Fix for range * with a prerelease identifier
Commits
Maintainer changes

This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.


Updates sequelize from 4.44.1 to 6.29.0

Release notes

Sourced from sequelize's releases.

v6.29.0

6.29.0 (2023-02-23)

Features

v6.28.2

6.28.2 (2023-02-22)

Bug Fixes

v6.28.1

6.28.1 (2023-02-21)

Bug Fixes

v6.28.0

6.28.0 (2022-12-20)

Features

  • types: use retry-as-promised types for retry options to match documentation (#15484) (fd4afa6)

v6.27.0

6.27.0 (2022-12-12)

Features

v6.26.0

6.26.0 (2022-11-29)

Features

v6.25.8

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by sdepold, a new releaser for sequelize since your current version.


Updates @babel/helpers from 7.0.0-rc.1 to 7.26.10

Release notes

Sourced from @​babel/helpers's releases.

v7.26.10 (2025-03-11)

Thanks @​jordan-choi and @​mmmsssttt404 for your first PRs!

This release includes a fix for GHSA-968p-4wvh-cqc8, a security vulnerability which affects the .replace method of transpiled regular expressions that use named capturing groups.

👓 Spec Compliance

🐛 Bug Fix

  • babel-parser, babel-template
  • babel-core
  • babel-parser, babel-plugin-transform-typescript
  • babel-traverse
  • babel-generator
  • babel-parser
  • babel-helpers, babel-runtime, babel-runtime-corejs2, babel-runtime-corejs3

💅 Polish

  • babel-standalone

🏠 Internal

Committers: 6

v7.26.9 (2025-02-14)

🐛 Bug Fix

... (truncated)

Changelog

Sourced from @​babel/helpers's changelog.

v7.26.10 (2025-03-11)

👓 Spec Compliance

🐛 Bug Fix

  • babel-parser, babel-template
  • babel-core
  • babel-parser, babel-plugin-transform-typescript
  • babel-traverse
  • babel-generator
  • babel-parser
  • babel-helpers, babel-runtime, babel-runtime-corejs2, babel-runtime-corejs3

💅 Polish

  • babel-standalone

🏠 Internal

v7.26.9 (2025-02-14)

🐛 Bug Fix

🏠 Internal

v7.26.7 (2025-01-24)

🐛 Bug Fix

  • babel-helpers, babel-preset-env, babel-runtime-corejs3
  • babel-plugin-transform-typeof-symbol

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by nicolo-ribaudo, a new releaser for @​babel/helpers since your current version.


Updates @babel/core from 7.0.0-rc.1 to 7.26.10

Release notes

Sourced from @​babel/core's releases.

v7.26.10 (2025-03-11)

Thanks @​jordan-choi and @​mmmsssttt404 for your first PRs!

This release includes a fix for GHSA-968p-4wvh-cqc8, a security vulnerability which affects the .replace method of transpiled regular expressions that use named capturing groups.

👓 Spec Compliance

🐛 Bug Fix

  • babel-parser, babel-template
  • babel-core
  • babel-parser, babel-plugin-transform-typescript
  • babel-traverse
  • babel-generator
  • babel-parser
  • babel-helpers, babel-runtime, babel-runtime-corejs2, babel-runtime-corejs3

💅 Polish

  • babel-standalone

🏠 Internal

Committers: 6

v7.26.9 (2025-02-14)

🐛 Bug Fix

... (truncated)

Changelog

Sourced from @​babel/core's changelog.

v7.26.10 (2025-03-11)

👓 Spec Compliance

🐛 Bug Fix

  • babel-parser, babel-template
  • babel-core
  • babel-parser, babel-plugin-transform-typescript
  • babel-traverse
  • babel-generator
  • babel-parser
  • babel-helpers, babel-runtime, babel-runtime-corejs2, babel-runtime-corejs3

💅 Polish

  • babel-standalone

🏠 Internal

v7.26.9 (2025-02-14)

🐛 Bug Fix

🏠 Internal

v7.26.7 (2025-01-24)

🐛 Bug Fix

  • babel-helpers, babel-preset-env, babel-runtime-corejs3
  • babel-plugin-transform-typeof-symbol

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by nicolo-ribaudo, a new releaser for @​babel/core since your current version.


Updates @babel/traverse from 7.0.0-rc.1 to 7.26.10

Release notes

Sourced from @​babel/traverse's releases.

v7.26.10 (2025-03-11)

Thanks @​jordan-choi and @​mmmsssttt404 for your first PRs!

This release includes a fix for GHSA-968p-4wvh-cqc8, a security vulnerability which affects the .replace method of transpiled regular expressions that use named capturing groups.

👓 Spec Compliance

🐛 Bug Fix

  • babel-parser, babel-template
  • babel-core
  • babel-parser, babel-plugin-transform-typescript
  • babel-traverse
  • babel-generator
  • babel-parser
  • babel-helpers, babel-runtime, babel-runtime-corejs2, babel-runtime-corejs3

💅 Polish

  • babel-standalone

🏠 Internal

Committers: 6

@dependabot
Bump the npm_and_yarn group across 1 directory with 11 updates
b0199af 
Bumps the npm_and_yarn group with 9 updates in the /insecure-js directory:

| Package | From | To |
| --- | --- | --- |
| [chart.js](https://github.com/chartjs/Chart.js) | `2.8.0` | `2.9.4` |
| [dom-iterator](https://github.com/MatthewMueller/dom-iterator) | `1.0.0` | `1.0.1` |
| [jquery](https://github.com/jquery/jquery) | `2.1.0` | `3.5.0` |
| [lodash](https://github.com/lodash/lodash) | `4.16.1` | `4.17.21` |
| [mysql2](https://github.com/sidorares/node-mysql2) | `2.3.3` | `3.9.8` |
| [semver](https://github.com/npm/node-semver) | `5.4.1` | `5.7.2` |
| [sequelize](https://github.com/sequelize/sequelize) | `4.44.1` | `6.29.0` |
| [@babel/helpers](https://github.com/babel/babel/tree/HEAD/packages/babel-helpers) | `7.0.0-rc.1` | `7.26.10` |
| [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) | `7.0.0-rc.1` | `7.26.10` |



Updates `chart.js` from 2.8.0 to 2.9.4
- [Release notes](https://github.com/chartjs/Chart.js/releases)
- [Commits](chartjs/Chart.js@v2.8.0...v2.9.4)

Updates `dom-iterator` from 1.0.0 to 1.0.1
- [Changelog](https://github.com/matthewmueller/dom-iterator/blob/master/History.md)
- [Commits](matthewmueller/dom-iterator@1.0.0...1.0.1)

Updates `jquery` from 2.1.0 to 3.5.0
- [Release notes](https://github.com/jquery/jquery/releases)
- [Changelog](https://github.com/jquery/jquery/blob/main/changelog.md)
- [Commits](jquery/jquery@2.1.0...3.5.0)

Updates `lodash` from 4.16.1 to 4.17.21
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.16.1...4.17.21)

Updates `mysql2` from 2.3.3 to 3.9.8
- [Release notes](https://github.com/sidorares/node-mysql2/releases)
- [Changelog](https://github.com/sidorares/node-mysql2/blob/master/Changelog.md)
- [Commits](sidorares/node-mysql2@v2.3.3...v3.9.8)

Updates `semver` from 5.4.1 to 5.7.2
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/v5.7.2/CHANGELOG.md)
- [Commits](npm/node-semver@v5.4.1...v5.7.2)

Updates `sequelize` from 4.44.1 to 6.29.0
- [Release notes](https://github.com/sequelize/sequelize/releases)
- [Commits](sequelize/sequelize@v4.44.1...v6.29.0)

Updates `@babel/helpers` from 7.0.0-rc.1 to 7.26.10
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.26.10/packages/babel-helpers)

Updates `@babel/core` from 7.0.0-rc.1 to 7.26.10
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.26.10/packages/babel-core)

Updates `@babel/traverse` from 7.0.0-rc.1 to 7.26.10
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.26.10/packages/babel-traverse)

Updates `validator` from 10.11.0 to 13.12.0
- [Release notes](https://github.com/validatorjs/validator.js/releases)
- [Changelog](https://github.com/validatorjs/validator.js/blob/master/CHANGELOG.md)
- [Commits](validatorjs/validator.js@10.11.0...13.12.0)

---
updated-dependencies:
- dependency-name: chart.js
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: dom-iterator
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: jquery
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: mysql2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: semver
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: sequelize
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@babel/helpers"
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@babel/core"
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@babel/traverse"
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: validator
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot requested a review from confusedcrib as a code owner March 16, 2025 02:59
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 16, 2025
arnica-github-connector[bot]
arnica-github-connector bot reviewed Mar 16, 2025
View reviewed changes
insecure-js/package-lock.json
"node": ">=6.9.0"
}
},
"node_modules/@babel/core": {
Copy link

@arnica-github-connector arnica-github-connector bot Mar 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dependency Risk: @babel/core@7.26.10 has 1 transitive vulnerability

🏗️ Recreate the package-lock.json file (run npm update @babel/core) to mitigate all risks

Severity: High 🚨
Status: Open 🔴

Take action by replying with an [arnica] command 💬

Actions

Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.

[arnica] ack <message>

Acknowledge the finding as a valid code risk.

Examples

[arnica] ack looking into it


[a] ack triaged by the security team

[arnica] dismiss <fp|accept|capacity> <message>

Dismiss the risk with a reason.

  • fp: False positive, i.e. the result is incorrect and indicates no actual risk.

  • accept: Tolerable risk, i.e. risk severity is lower than what has been reported or is accepted as it stands.

  • capacity: No capacity, i.e. leave me alone, please.

Examples

[arnica] dismiss fp test function


[arnica] dismiss accept ChatGPT assures us that we will be just fine


[a] dismiss capacity not enough caffeine to fix it

@dryrunsecurity
Copy link

dryrunsecurity bot commented Mar 16, 2025

DryRun Security Summary

Comprehensive npm dependency updates across multiple packages with potential security improvements and version upgrades for Babel, jQuery, Sequelize, MySQL2, and other libraries.

Expand for full summary

  1. Summary: Updated multiple npm dependencies across package.json and package-lock.json, including upgrades to Babel, jQuery, Sequelize, MySQL2, and other packages.

  2. Security Findings:

  • Potential security vulnerabilities in multiple dependencies due to version updates
  • jQuery upgrade from 2.1.0 to 3.5.0 includes security enhancements
  • Sequelize upgrade from 4.x to 6.x includes potential security improvements
  • MySQL2 upgrade includes potential security fixes
  • Multiple package updates likely contain security patches and bug fixes

View PR in the DryRun Dashboard.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@arnica-github-connector arnica-github-connector[bot] arnica-github-connector[bot] left review comments

@confusedcrib confusedcrib Awaiting requested review from confusedcrib confusedcrib is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant