
Bump the npm_and_yarn group across 1 directory with 3 updates #31

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/npm_and_yarn-d542987528

Conversation


@dependabot dependabot bot commented on behalf of github Jun 24, 2025

Bumps the npm_and_yarn group with 3 updates in the / directory: color-string, color and pbkdf2.

Updates color-string from 0.3.0 to 2.0.1

Release notes

Sourced from color-string's releases.

2.0.1

What's Changed

New Contributors

Full Changelog: Qix-/color-string@2.0.0...2.0.1

2.0.0

What's Changed

New Contributors

Full Changelog: Qix-/color-string@1.9.1...2.0.0

1.9.0

Minor Release 1.9.0

  • Add parsing of exponential alpha values for HWB and HSL (#66)

Thanks to @babycannotsay for their contribution!

1.8.2

Patch release 1.8.2

  • Fix incorrect handling of optional comma in rgb() regex (#65)

Thanks to @gerdasi and @mastertheblaster for reporting and confirming the bug!

1.8.1

Patch release 1.8.1

  • Fix rgb alpha percentage parsing from int to float (#61)

Thanks to @clytras for their contribution!

1.8.0

Minor release 1.8.0

  • Add anchors to keyword regex (#64)

Thanks to @cq360767996 for their contribution!

1.7.4

Patch Release 1.7.4

  • Fix bug in .to.hex() output if the inputs aren't rounded numbers (#25)

... (truncated)

Changelog

Sourced from color-string's changelog.

0.4.0

  • Changed: Invalid conversions now return null instead of undefined
  • Changed: Moved to XO standard
  • Fixed: a few details in package.json
  • Fixed: readme output regarding wrapped hue values (#21)

Commits
Maintainer changes

This version was pushed to npm by qix, a new releaser for color-string since your current version.


Updates color from 0.11.4 to 5.0.0

Release notes

Sourced from color's releases.

5.0.0

What's Changed

New Contributors

Full Changelog: Qix-/color@4.2.3...5.0.0

4.2.3

Patch Release 4.2.3

  • 957531fee48e2bceb0eae567cab6820c6cd9da27 mention .hex() is lossy (#244)
  • d00bd1aa371c8313dd4fa29140b0249984ec70fc Correct the limits on XYZ model
  • 4ac13152eaf814f611b77c86d14dd98c7d33d90a mark the package as side-effects free (#189)
  • f34a0baee81b4d9bea9c2ffc13abb334cb52f803 use correct WCAG luminance constant (fixes #248)
  • 9dcc3b7190083a999eb932f8ca696988ace96da7 update YIQ formula constants (fixes #107, ref chartjs/chartjs-color#2)
  • 5696221711e97781c459ac3022f22db68c614a17 remove numeric separators
    • Not sure why I had such a strong stance on this. I see now how annoying and terrible they are. Apologies to everyone who was affected, this was a bad decision on my part.
  • b26040e44c5b91aaddd766334ed767c8c32f4f19 remove bitchy issue template

Thanks to @csandman, @zdenekkostal, @technobuddha, and @maranomynet for their contributions!

4.2.2

Patch Release 4.2.2

  • 406d384e39cdc7d7fceabf10f34209f27d57376c contrast ratio level AAA is above 7:1
  • c7b8e759f384748e906943c09255ec8779ebbb6d fix linting issues
  • 5df6f50f139f2e01e54c5240cc4a19216cd476f0 don't compute valpha based on faulty argument counts (fixes #250)

Thanks to @shfshanyue for their contribution!

4.2.1

Patch Release 4.2.1

NOTE: This is a metadata patch that changes no functionality of the library itself.

  • Restrict node version to ">=12.5.0" #236

Thank you @wtho for their contribution!

4.2.0

Minor Release 4.2.0

  • Add .hexa() method (#237)

... (truncated)

Commits

Updates pbkdf2 from 3.1.2 to 3.1.3

Changelog

Sourced from pbkdf2's changelog.

v3.1.3 - 2025-06-20

Commits

  • Only apps should have lockfiles 8b06730
  • [lint] fix whitespace 9a76e2f
  • [lint] fix parens/curlies/semis/etc 6fd84bf
  • [meta] add auto-changelog 796c38d
  • [Tests] fix tests in node 17 3661fb0
  • Revert "[Tests] fix tests in node < 3" 7431b57
  • [Tests] fix tests in node < 3 eb9f97a
  • [Fix] ensure unknown algorithms throw + known ones match node 26d4fd3
  • [Tests] add GHA, always run nyc 513906a
  • [lint] fix a few more rules ab04da8
  • [lint] switch to eslint 89694cf
  • [Tests] add coverage d0d534b
  • [Refactor] use to-buffer e3102a8
  • [readme] improve badges fca0c9d
  • [Tests] remove unused travis file a2c7d93
  • [meta] switch from files to npmignore 7f31fbc
  • [Tests] use .nycrc 8d628e8
  • [Refactor] minor tweaks fc61005
  • [Deps] update create-hmac, safe-buffer, sha.js ae2a7d0
  • [Fix] pin create-hash, ripemd160 due to breaking changes e079968
  • [Tests] fix tests in node 3 45fbcf3
  • [meta] skip publishing benchmarks 19ea57b
  • [Dev Deps] add missing peer dep 645e252

Commits
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for pbkdf2 since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 3 updates in the / directory: [color-string](https://github.com/Qix-/color-string), [color](https://github.com/Qix-/color) and [pbkdf2](https://github.com/crypto-browserify/pbkdf2).


Updates `color-string` from 0.3.0 to 2.0.1
- [Release notes](https://github.com/Qix-/color-string/releases)
- [Changelog](https://github.com/Qix-/color-string/blob/master/CHANGELOG.md)
- [Commits](Qix-/color-string@0.3.0...2.0.1)

Updates `color` from 0.11.4 to 5.0.0
- [Release notes](https://github.com/Qix-/color/releases)
- [Commits](Qix-/color@0.11.4...5.0.0)

Updates `pbkdf2` from 3.1.2 to 3.1.3
- [Changelog](https://github.com/browserify/pbkdf2/blob/master/CHANGELOG.md)
- [Commits](browserify/pbkdf2@v3.1.2...v3.1.3)

---
updated-dependencies:
- dependency-name: color-string
  dependency-version: 2.0.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: color
  dependency-version: 5.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: pbkdf2
  dependency-version: 3.1.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) on Jun 24, 2025

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | color@0.11.4 ⏵ 5.0.0 | 100 +1 | 100 | 100 +1 | 77 | 100 |

View full report

@socket-security

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action Severity Alert (click for details)
Block High
pbkdf2@3.1.3 has Unstable ownership.

Author: ljharb

From: package-lock.json › npm/browserify@17.0.1 › npm/pbkdf2@3.1.3

ℹ Read more on: This package | This alert | What is unstable ownership?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pbkdf2@3.1.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
to-buffer@1.2.1 has Unstable ownership.

Author: ljharb

From: package-lock.json › npm/browserify@17.0.1 › npm/to-buffer@1.2.1

ℹ Read more on: This package | This alert | What is unstable ownership?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/to-buffer@1.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
pbkdf2@3.1.3 has a New author.

New Author: ljharb

Previous Author: cwmma

From: package-lock.json › npm/browserify@17.0.1 › npm/pbkdf2@3.1.3

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pbkdf2@3.1.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report
