Skip to content

🚨 [security] Update @vue/eslint-config-typescript 11.0.2 → 11.0.3 (patch) #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
depfu wants to merge 1 commit into
base: main
Choose a base branch
from
Open

🚨 [security] Update @vue/eslint-config-typescript 11.0.2 → 11.0.3 (patch) #2

depfu wants to merge 1 commit into from

Conversation

@depfu
Copy link

@depfu depfu bot commented Apr 10, 2025

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ @​vue/eslint-config-typescript (11.0.2 → 11.0.3) · Repo

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ @​types/json-schema (indirect, 7.0.11 → 7.0.15) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ @​types/semver (indirect, 7.3.13 → 7.7.0) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ @​typescript-eslint/eslint-plugin (indirect, 5.50.0 → 5.62.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

↗️ @​typescript-eslint/parser (indirect, 5.50.0 → 5.62.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

↗️ @​typescript-eslint/scope-manager (indirect, 5.50.0 → 5.62.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

↗️ @​typescript-eslint/types (indirect, 5.50.0 → 5.62.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

↗️ @​typescript-eslint/typescript-estree (indirect, 5.50.0 → 5.62.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

↗️ @​typescript-eslint/utils (indirect, 5.50.0 → 5.62.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

↗️ @​typescript-eslint/visitor-keys (indirect, 5.50.0 → 5.62.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

↗️ braces (indirect, 3.0.2 → 3.0.3) · Repo · Changelog

Security Advisories 🚨

🚨 Uncontrolled resource consumption in braces

The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Commits

See the full diff on Github. The new version differs by 12 commits:

↗️ eslint-visitor-keys (indirect, 3.3.0 → 3.4.3) · Repo · Changelog

Release Notes

3.4.3

3.4.3 (2023-08-08)

Chores

3.4.2

3.4.2 (2023-07-27)

Documentation

Chores

3.4.1

3.4.1 (2023-05-05)

Bug Fixes

  • correct types for node16 resolution (#47) (7bd1fc1)

Chores

3.4.0

Features

  • 6ece4bd feat: add JSXSpreadChild and tool to build keys out of AST definitions (#36) (Brett Zamir)

Bug Fixes

  • e9a070f fix: remove useless sourcemap url (fixes #43) (#44) (余腾靖)

Documentation

  • 4beb7a7 docs: update badges (#37) (Milos Djermanovic)

Build Related

Chores

  • 0398109 chore: add triage action (#42) (Milos Djermanovic)
  • bcffbe5 ci: add Node v19 (#41) (Milos Djermanovic)
  • c24f2e4 chore: update github actions and add funding field (#40) (Deepshika S)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 23 commits:

↗️ fast-glob (indirect, 3.2.12 → 3.3.3) · Repo

Release Notes

3.3.3

Full Changelog: 3.3.2...3.3.3

💬 Common

🐛 Bug fixes

  • Apply absolute negative patterns to full path instead of file path (#441, thanks @webpro)

3.3.2

Full Changelog: 3.3.1...3.3.2

🐛 Bug fixes

  • Handle square brackets as a special character on Windows in escape functions (#425)
  • Keep escaping after brace expansion (#422)

3.3.1

Full Changelog: 3.3.0...3.3.1

This release fixes a regression for cases where the ignore option is used with a string (#403, #404).

The public interface of this package does not support a string as the value for the ignore option since 2018 year (release).

So, in the next major release, we will reintroduce method implementations that do not involve strings in the ignore option.

3.3.0

Full Changelog: 3.2.12...3.3.0

🚀 Improvements

Method aliases

New methods (glob, globSync, globStream) have been added in addition to the current methods (default import, sync, stream), which eliminate the need to rename the method when importing. In addition, an async alias has been added for the default import, which makes it possible to use this packet with ESM.

Method to convert paths to globs

A new method (convertPathToPattern) has been added in this release to convert a path to a pattern. The primary goal is to enable users to avoid processing Windows paths in each location where this package is used by utilities from third-party packages.

See more details in the pull request.

🐛 Bug fixes

  • In the past, we mishandled patterns that contained slashes when the baseNameMatch option was enabled, which went against the documented behavior. (#312)
  • Several problems with matching patterns that contain brace expansion have been resolved. The primary issue solved is when the pattern has duplicate slashes after it is expanded (#394), or the micromatch package does not correctly generate a regular expression (#365).
  • All negative patterns will now have the dot option enabled when matching paths. Previously, the !**/* patterns did not exclude hidden files (start with a dot). (#343)
  • The issue that led to duplicates in the results when overlapping or duplicate patterns were present among the patterns has been fixed. At the moment, we are only talking about leading dot. Other cases are not included. For example, running with the patterns ['./file.md', 'file.md', '*'] will now only include file.md once in the results. (#190)

📖 Documentation

A clarifying note has been added for the concurrency option, which provides more detailed information about the Thread Pool utilization.

⚙️ Infrastructure

  • The benchmark in CI is now running on Node.js 20.
  • The benchmark now uses the public package bencho instead of an in-house implementation. You may want to try this solution for your packages and provide feedback.

🥇 New Contributors

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 58 commits:

↗️ fill-range (indirect, 7.0.1 → 7.1.1) · Repo

Commits

See the full diff on Github. The new version differs by 7 commits:

↗️ micromatch (indirect, 4.0.5 → 4.0.8) · Repo · Changelog

Security Advisories 🚨

🚨 Regular Expression Denial of Service (ReDoS) in micromatch

The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to #266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

Commits

See the full diff on Github. The new version differs by 16 commits:

↗️ vue-eslint-parser (indirect, 9.1.0 → 9.4.3) · Repo

Release Notes

9.4.3

🐛 Bug Fixes

Full Changelog: v9.4.2...v9.4.3

9.4.2

🐛 Bug Fixes

Full Changelog: v9.4.1...v9.4.2

9.4.1

🐛 Bug Fixes

  • fix: shorthand camelize should be used in rawName by @waynzh in #218
  • Fix an error when using CRLF for generic directive by @ota-meshi in #220

Full Changelog: v9.4.0...v9.4.1

9.4.0

✨ Enhancements

Full Changelog: v9.3.2...v9.4.0

9.3.2

🐛 Bug Fixes

Full Changelog: v9.3.1...v9.3.2

9.3.1

🐛 Bug Fixes

  • Fix wrong scope for generics with multiple script blocks by @ota-meshi in #201

Full Changelog: v9.3.0...v9.3.1

9.3.0

✨ Enhancements

Full Changelog: v9.2.1...v9.3.0

9.2.1

🐛 Bug Fixes

  • Fix defineCustomBlocksVisitor was incompatible with ESLint v8.40 by @ota-meshi in #192

Full Changelog: v9.2.0...v9.2.1

9.2.0

⚙️ Updates

🐛 Bug Fixes

  • Fix false positives for type def with script setup in ts no-unused-vars by @ota-meshi in #191

Full Changelog: v9.1.1...v9.2.0

9.1.1

🐛 Bug Fixes

  • Fix wrong scope reference type for <script setup lang=ts> by @ota-meshi in #181

Full Changelog: v9.1.0...v9.1.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 38 commits:

🆕 @​eslint-community/eslint-utils (added, 4.5.1)

🆕 @​eslint-community/regexpp (added, 4.12.1)

🆕 graphemer (added, 1.4.0)

🆕 semver (added, 7.7.1)

👉 No CI detected

You don't seem to have any Continuous Integration service set up!

Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.

This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:

* [Circle CI](https://circleci.com), [Semaphore ](https://semaphoreci.com) and [Github Actions](https://docs.github.com/actions) are all excellent options. * If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github. * If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don’t want it to run on every branch, you can whitelist branches starting with `depfu/`.

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Apr 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

depfu

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants