[Security] Bump dexie from 2.0.4 to 3.2.2
Bumps dexie from 2.0.4 to 3.2.2. This update includes a security fix.
Vulnerabilities fixed
Prototype Pollution in Dexie
Dexie is a minimalistic wrapper for IndexedDB. The package dexie before 3.2.2, and from 4.0.0-alpha.1 before 4.0.0-alpha.3, is vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function, which does not properly check the keys being set (such as __proto__ or constructor). This can allow an attacker to add/modify properties of Object.prototype, leading to a prototype pollution vulnerability. Note: This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input.
Patched versions: 3.2.2
Affected versions: < 3.2.2
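To make the advisory concrete, here is an added example (not Dexie's own code): a minimal dotted-keyPath setter in the vulnerable shape next to a hardened variant that rejects __proto__, constructor and prototype segments and only descends into own properties. The function names setByKeyPathUnsafe, setByKeyPathSafe and demonstrate, and the sample key path, are constructed for this illustration.

```javascript
// Added illustration, not Dexie's implementation: a minimal dotted-keyPath
// setter in the vulnerable shape, then a hardened variant.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable shape: walks keyPath segments without checking them, so a
// segment named __proto__ steps into Object.prototype and the final
// assignment lands on every object in the realm.
function setByKeyPathUnsafe(obj, keyPath, value) {
  const keys = keyPath.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === null || typeof cur[keys[i]] !== 'object') cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened variant: reject dangerous segments up front and only descend
// into own properties, so no key path can reach a shared prototype.
function setByKeyPathSafe(obj, keyPath, value) {
  const keys = keyPath.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new TypeError(`unsafe keyPath segment: ${k}`);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, keys[i]);
    if (!own || cur[keys[i]] === null || typeof cur[keys[i]] !== 'object') cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Runs both setters on a constructed untrusted key path (the kind a record
// modified from user input could carry) and reports what happened.
function demonstrate() {
  const untrustedKeyPath = '__proto__.polluted';   // constructed sample input
  setByKeyPathUnsafe({}, untrustedKeyPath, true);
  const pollutedByUnsafe = ({}).polluted === true; // an unrelated object now sees it
  delete Object.prototype.polluted;                // undo for the rest of the process

  let rejected = false;
  try { setByKeyPathSafe({}, untrustedKeyPath, true); }
  catch (e) { rejected = e instanceof TypeError; }
  const pollutedBySafe = ({}).polluted === true;   // stays false: the key was refused
  return { pollutedByUnsafe, rejected, pollutedBySafe };
}
```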
Release notes
Sourced from dexie's releases.
Dexie v3.2.2
Security fix
Prohibit possible prototype pollution in Dexie.setByKeyPath() (https://github.com/dexie/Dexie.js/commit/1d655a69b9f28c3af6fae10cf5c61df387dc689b)
Bugfix
Fix #1473 Cannot use Dexie in react-native
A corresponding release 4.0.0-alpha.3 contains the same fixes for 4.x.
Dexie v3.2.1
- Workaround for issue #613: Automatically reopen IndexedDB connection in case it was unexpectedly closed, and redo the operation. When a transaction couldn't be created due to invalid state, Dexie will reopen the IndexedDB connection and retry creating the transaction.
- Resolves #1439 and #1369 by extending the "exports" field to include a "require"-compliant version of dexie.
Dexie v3.2.1-beta.2
Should resolve #1439 and #1369 by extending the "exports" field to include a "require"-compliant version of dexie.
Dexie v3.2.1-beta.1
Contains a workaround for Chrome issue #613. Needs to be tested in the field a while before we can release this publicly.
Dexie v3.2.0
Dexie.js has become Reactive
After one year in alpha, beta and RC, Dexie.js with liveQuery() is now officially released. The main reason for this new feature is better integration with frontend libraries like React, Svelte, Vue and Angular.
Together with this release, the website https://dexie.org also got a face lift with tutorials for React, Svelte, Vue and Angular.
dexie.org
Take a look at the updated website. Old tutorials are replaced with modern, relevant framework-specific ones. We've added React, Svelte, Vue and Angular samples on the landing page.
All changes since 3.0.3 in chronological order
- PR 1104: dbName follows dependencies.indexedDB (II)
- Option {allKeys: true} to bulkPut() and bulkAdd() will be equally fast as not providing that option.
- Code cleanup and optimizations.
- Expose IDB 'close' event: dfahlander/Dexie.js#1212
- BulkError: Possible to track individual errors. Add failuresByPos property: dfahlander/Dexie.js#1209
- Dexie.getDatabaseNames(): Small optimization for our workaround for non-chromium browsers lacking the IDBFactory.databases(). commit.
- Argument to on.ready() callback will get a special Dexie instance that is not blocked (vip Dexie). This was the case also before, but then we had to rely on zone state. This change makes it possible to perform non-Dexie operations in an on.ready() callback (such as fetch()), losing the zone state (PSD) but still having VIP access to the Dexie instance. This means the code in an on.ready() callback does not have to deal with wrapping all non-Dexie calls with Promise.resolve().
- Allow multiple calls to Version.upgrade() on the same version - will run all of them instead of just the latest registered.
- Retiring old workaround for safari 8 bug not allowing array argument to IDBDatabase.transaction().
- Dexie.delete() specifies an empty addons list to ensure no addons are involved when deleting a database using that static method.
- Minor extension of the DBCore interface to make it possible for Dexie Cloud to sync certain operations consistently. Specifically, middlewares that implement the DBCoreTable.mutate() endpoint now also get information on the where-criteria and the update specification when originating from Collection.modify() or Collection.delete().
- Support for Chrome's transaction durability option in Dexie constructor. PR #1367
- Official event Dexie.on('storagemutated')
- Typings: Stop exporting Dexie as namespace. Enables VSCode's ergonomic auto-import feature for dexie. The namespace export was not even working as expected. The intent had been to support those who code TypeScript without using modules. But even they must have been disappointed, because the typings only revealed parts of the Dexie API.
- Let liveQuery() be type-wise compatible with RxJS (PR #1417)
... (truncated)
Commits
- c698052 Build output
- 8665bf7 Merge remote-tracking branch 'origin/releases-3' into master-3
- 8939c1d Releasing v3.2.2
- c921a2c Resolve #1473
- 7e34806 Update .travis.yml
- 1d655a6 Prohibit prototype pollution
- ea55dcc Build output
- b350b8c Releasing v3.2.1
- 7a606b5 Merge remote-tracking branch 'origin/releases-3' into master-3
- 7b08108 Build output
Additional commits viewable in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR:
- $dependabot rebase will rebase this MR
- $dependabot recreate will recreate this MR, rewriting all the manual changes and resolving conflicts