
chore(deps): update dependency jszip to v3 [security] #322

Closed
wants to merge 459 commits into from

Conversation

garykim-dev-renovate[bot]

@garykim-dev-renovate garykim-dev-renovate bot commented Sep 8, 2022

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| jszip | devDependencies | major | ^2.6.1 -> ^3.0.0 |

GitHub Vulnerability Alerts

CVE-2021-23413

This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g __proto__, toString, etc) results in a returned object with a modified prototype instance.

CVE-2022-48285

loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive.


Release Notes

Stuk/jszip

v3.8.0

Compare Source

  • Sanitize filenames when files are loaded with loadAsync, to avoid "zip slip" attacks. The original filename is available on each zip entry as unsafeOriginalName. See the documentation. Many thanks to McCaulay Hudson for reporting.

v3.7.1

Compare Source

  • Fix build of dist files.
    • Note: this version ensures the changes from 3.7.0 are actually included in the dist files. Thanks to Evan W for reporting.

v3.7.0

Compare Source

  • Fix: Use a null prototype object for this.files (see #​766)
    • This change might break existing code if it uses prototype methods on the .files property of a zip object, for example zip.files.toString(). This approach is taken to prevent files in the zip overriding object methods that would exist on a normal object.

v3.6.0

Compare Source

  • Fix: redirect main to dist on browsers (see #​742)
  • Fix duplicate require DataLengthProbe, utils (see #​734)
  • Fix small error in read_zip.md (see #​703)

v3.5.0

Compare Source

  • Fix 'End of data reached' error when file extra field is invalid (see #​544).
  • Typescript definitions: Add null to return types of functions that may return null (see #​669).
  • Typescript definitions: Correct nodeStream's type (see #​682)
  • Typescript definitions: Add string output type (see #​666)

v3.4.0

Compare Source

  • Add Typescript type definitions (see #​601).

v3.3.0

Compare Source

  • Change browser module resolution to support Angular packager (see #​614).

v3.2.2

Compare Source

  • No public changes, but a number of testing dependencies have been updated.
  • Tested browsers are now: Internet Explorer 11, Chrome (most recent) and Firefox (most recent). Other browsers (specifically Safari) are still supported however testing them on Saucelabs is broken and so they were removed from the test matrix.

v3.2.1

Compare Source

  • Corrected built dist files

v3.2.0

Compare Source

  • Update dependencies to reduce bundle size (see #​532).
  • Fix deprecated Buffer constructor usage and add safeguards (see #​506).

v3.1.5

Compare Source

  • Fix IE11 memory leak (see #​429).
  • Handle 2 nodejs deprecations (see #​459).
  • Improve the "unsupported format" error message (see #​461).
  • Improve webworker compatibility (see #​468).
  • Fix nodejs 0.10 compatibility (see #​480).
  • Improve the error without type in async() (see #​481).

v3.1.4

Compare Source

  • consistently use our own utils object for inheritance (see #​395).
  • lower the memory consumption in generate* with a lot of files (see #​449).

v3.1.3

Compare Source

  • instanceof failing in window / iframe contexts (see #​350).
  • remove a copy with blob output (see #​357).
  • fix crc32 check for empty entries (see #​358).
  • fix the base64 error message with data uri (see #​359).

v3.1.2

Compare Source

  • fix support of nodejs process.platform in generate* methods (see #​335).
  • improve browserify/webpack support (see #​333).
  • partial support of a promise of text (see #​337).
  • fix streamed zip files containing folders (see #​342).

v3.1.1

Compare Source

  • Use a hard-coded JSZip.version, fix an issue with webpack (see #​328).

v3.1.0

Compare Source

  • utils.delay: use macro tasks instead of micro tasks (see #​288).
  • Harden base64 decode (see #​316).
  • Add JSZip.version and the version in the header (see #​317).
  • Support Promise(Blob) (see #​318).
  • Change JSZip.external.Promise implementation (see #​321).
  • Update pako to v1.0.2 to fix a DEFLATE bug (see #​322).

v3.0.0

Compare Source

This release changes a lot of methods, please see the upgrade guide.

  • replace sync getters and generate() with async methods (see #​195).
  • support nodejs streams (in file() and generateAsync()).
  • support Blob and Promise in file() and loadAsync() (see #​275).
  • add support.nodestream.
  • zip.filter: remove the defensive copy.
  • remove the deprecated API (see #​253).
  • type is now mandatory in generateAsync().
  • change the createFolders default value (now true).
  • Dates: use UTC instead of the local timezone.
  • Add base64 and array as possible output type.
  • Add a forEach method.
  • Drop node 0.8 support (see #​270).

v2.7.0

Compare Source


Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, click this checkbox.
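The two advisories listed in this PR (prototype pollution through entry names fixed in 3.7.0, and zip slip through loadAsync fixed in 3.8.0) can be demonstrated without the library itself. The block below is an added example, not jszip's source and not code from this repository: it shows why a null-prototype table for zip entries is immune to a `__proto__` entry, and a filename sanitiser in the spirit of the 3.8.0 change that also keeps the original name as `unsafeOriginalName`. The function names (`isPrototypeKey`, `sanitizeEntryName`, `loadEntries`) and the sample archive listing are constructed here and are assumptions, not jszip's API.

```javascript
// Added example (not jszip's code): defensive handling of ZIP entry names,
// modelled on the fixes described in the 3.7.0 and 3.8.0 release notes.
'use strict';

// True when an entry name collides with a property inherited from
// Object.prototype (e.g. "__proto__", "toString", "constructor").
function isPrototypeKey(name) {
  return name in Object.prototype;
}

// Why a plain object is an unsafe entry table: assigning an object under the
// key "__proto__" swaps the table's prototype, so properties of that value
// show up on the table itself.
function plainTableIsPolluted() {
  const plain = {};
  plain['__proto__'] = { polluted: true };
  return plain.polluted === true;           // true: prototype was replaced
}

// A null-prototype table (what jszip 3.7.0 switched this.files to) has no
// inherited "__proto__" setter, so the same key is an ordinary own property.
function nullTableIsPolluted() {
  const table = Object.create(null);
  table['__proto__'] = { polluted: true };
  return table.polluted === true;           // false: nothing inherited
}

// Normalises an entry name so it can never resolve above the extraction root:
// drop a drive letter, unify separators, then collapse "." and ".." segments.
// Assumption: this mirrors the intent of the 3.8.0 fix, not its exact algorithm.
function sanitizeEntryName(name) {
  const normalized = name.replace(/\\/g, '/').replace(/^[A-Za-z]:/, '');
  const kept = [];
  for (const seg of normalized.split('/')) {
    if (seg === '' || seg === '.') continue;     // empty or current-dir segment
    if (seg === '..') { kept.pop(); continue; }  // back up, but never past root
    kept.push(seg);
  }
  let safe = kept.join('/');
  if (normalized.endsWith('/') && safe !== '') safe += '/'; // keep directory marker
  return safe;
}

// Builds the entry table from a parsed listing (constructed shape:
// [{ name, data }]). Sanitised names are the keys; the original name is kept
// as unsafeOriginalName, as the 3.8.0 notes describe, and every rewritten
// name is reported so a caller can log or reject the archive.
function loadEntries(rawEntries) {
  const files = Object.create(null);
  const rewritten = [];
  for (const { name, data } of rawEntries) {
    const safe = sanitizeEntryName(name);
    if (safe === '') continue;                 // nothing left to store
    if (safe !== name) rewritten.push(name);   // traversal or absolute path seen
    files[safe] = { data, unsafeOriginalName: name };
  }
  return { files, rewritten };
}

// Constructed sample listing, as a central-directory parser would hand it over.
const SAMPLE_ENTRIES = [
  { name: 'docs/readme.txt', data: 'hello' },
  { name: '../../outside.txt', data: 'would land outside the root' },
  { name: '/abs/path.txt', data: 'absolute path' },
  { name: '__proto__', data: { polluted: true } },
  { name: 'dir/', data: null },
];

if (typeof require !== 'undefined' && require.main === module) {
  const { files, rewritten } = loadEntries(SAMPLE_ENTRIES);
  console.log('stored keys:', Object.keys(files));
  console.log('rewritten names:', rewritten);
  console.log('plain object polluted?', plainTableIsPolluted());
  console.log('null-prototype table polluted?', nullTableIsPolluted());
}
```

Run with `node` to see the five stored keys, the two names that needed rewriting, and the pollution contrast. On the defender's side the `rewritten` list is the useful signal: an archive whose entries required rewriting is one to log or reject rather than silently extract.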

Suhas Hariharan and others added 30 commits March 17, 2020 23:00
Hypothetical Assignment will show a NaN if
there is no value in the percentage input.

This is a fix for that issue. If there is no
value in the percentage field, it will be treated
as a zero.

Signed-off-by: Gary Kim <[email protected]>
Added function to calculate cumulative GPA (including unfinished semesters)
This commit makes several improvements.
It migrates the options page to Vue, changes the
author field and copyrights to include
The SAS PES Authors,
deduplicates some code,
and adds some missing information/fixes to the README.

Signed-off-by: Gary Kim <[email protected]>
Mozilla's Webextension Polyfill throws an error when
run in the unit test environment. This has been fixed
by mocking the browser environment using browser-env
and having a global `chrome` object.

Signed-off-by: Gary Kim <[email protected]>
Migrate options to Vue and go more community driven
chore(deps): update dependency ava to ^3.5.1
chore(deps): update dependency webpack to ^4.42.0
…oJson method for class

Signed-off-by: Suhas Hariharan <[email protected]>
chore(deps): update dependency vue-loader to ^15.9.1
chore(deps): update dependency eslint-plugin-vue to ^6.2.2
chore(deps): update dependency eslint-plugin-import to ^2.20.1
…-14.x

chore(deps): update dependency eslint-config-standard to ^14.1.1
Signed-off-by: Suhas Hariharan <[email protected]>
Signed-off-by: Suhas Hariharan <[email protected]>
Added function to save grades to local storage and load grades from storage
fillnye and others added 16 commits October 29, 2021 14:49
Signed-off-by: Suhas Hariharan <[email protected]>
Signed-off-by: Suhas Hariharan <[email protected]>
Signed-off-by: Suhas Hariharan <[email protected]>
Signed-off-by: Suhas Hariharan <[email protected]>
Fixed issues due to PowerSchool UI update and fixed category weighting bug
Signed-off-by: Suhas Hariharan <[email protected]>
fix: ignore queries for home page
…ve-calculation

Fix percentages not showing and cumulative GPA double including finished semester
Signed-off-by: Suhas Hariharan <[email protected]>
@garykim-dev-renovate garykim-dev-renovate bot added the dependencies Pull requests that update a dependency file label Sep 8, 2022
@garykim-dev-renovate garykim-dev-renovate bot changed the title chore(deps): update dependency jszip to v2.7.0 [security] chore(deps): update dependency jszip to v3 [security] Feb 1, 2023
@garykim-dev-renovate garykim-dev-renovate bot changed the title chore(deps): update dependency jszip to v3 [security] chore(deps): update dependency jszip to v3 [security] - autoclosed Sep 27, 2023
@garykim-dev-renovate garykim-dev-renovate bot deleted the renovate/npm-jszip-vulnerability branch September 27, 2023 02:01
@garykim-dev-renovate garykim-dev-renovate bot changed the title chore(deps): update dependency jszip to v3 [security] - autoclosed chore(deps): update dependency jszip to v3 [security] Sep 27, 2023
@garykim-dev-renovate garykim-dev-renovate bot restored the renovate/npm-jszip-vulnerability branch September 27, 2023 03:01
@garykim-dev-renovate garykim-dev-renovate bot deleted the renovate/npm-jszip-vulnerability branch January 9, 2024 06:48