Skip to content

[Security] Bump dexie from 2.0.4 to 3.2.2

Dependabot requested to merge dependabot-npm_and_yarn-dexie-3.2.2 into master

Bumps dexie from 2.0.4 to 3.2.2. This update includes a security fix.

Vulnerabilities fixed

Prototype Pollution in Dexie Dexie is a minimalistic wrapper for IndexedDB. The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like proto or constructor). This can allow an attacker to add/modify properties of the Object.prototype leading to prototype pollution vulnerability. Note: This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input.

Patched versions: 3.2.2 Affected versions: < 3.2.2

Release notes

Sourced from dexie's releases.

Dexie v3.2.2

Security fix

Prohibit possible prototype pollution in Dexie.setByKeyPath() (https://github.com/dexie/Dexie.js/commit/1d655a69b9f28c3af6fae10cf5c61df387dc689b)

Bugfix

Fix #1473 Cannot use Dexie in react-native

A corresponding release 4.0.0-alpha.3 contains the same fixes for 4.x.

Dexie v3.2.1

  • Workaround for issue #613: Automatically reopen IndexedDB connection in case it was unexpectedly closed, and redo the operation. When a transaction couldn't be created due to invalid state, Dexie will reopen the IndexedDB connection and retry creating the transaction.
  • Resolves #1439 and #1369 by extending the "exports" field to include "require" compliant version of dexie.

Dexie v3.2.1-beta.2

Should resolve #1439 and #1369 by extending the "exports" field to include "require" compliant version of dexie.

Dexie v3.2.1-beta.1

Contains a workaround for Chrome issue #613. Needs to be tested in the field a while before we can release this publicly.

Dexie v3.2.0

Dexie.js has become Reactive

After one year in alpha, beta and RC, Dexie.js with liveQuery() is now officially released. The main reason for this new feature is better integration with frontend libraries like React, Svelte, Vue and Angular.

Together with this release, the website https://dexie.org also got a face lift with tutorials for React, Svelte, Vue and Angular.

dexie.org

Take a look past the updated website. Old tutorials are replaced with modern relevant framework specific ones. We've added React, Svelte, Vue and Angular samples on the landing page.

All changes since 3.0.3 in chronological order

  • PR 1104: dbName follows dependencies.indexedDB (II)
  • Option {allKeys: true} to bulkPut() and bulkAdd() will be equally fast as not providing that option.
  • Code cleanup and optimizations.
  • Expose IDB 'close' event: dfahlander/Dexie.js#1212
  • BulkError: Possible to track individual errors. Add failuresByPos property: dfahlander/Dexie.js#1209
  • Dexie.getDatabaseNames(): Small optimization for our workaround for non-chromium browsers lacking the IDBFactory.databases(). commit.
  • Argument to on.ready() callback will get a special Dexie instance that is not blocked (vip Dexie). This was the case also before but then we had to rely on zone state. This change makes it possible to perform non-dexie operations in on.read() callback (such as fetch()), loosing the zone state (PSD) but still have VIP access to the Dexie instance. This makes the code in a on.ready() callback not having to deal with wrapping all non-Dexie calls with Promise.resolve().
  • Allow multiple calls to Version.upgrade() on the same version - will run all of them instead just of the latest registered.
  • Retiring old workaround for safari 8 bug not allowing array argument to IDBDatabase.transaction().
  • Dexie.delete() specifies an empty addons list to ensure no addons are involved when deleting a database using that static method.
  • Minor extended the DBCore interface to make it possible for Dexie Cloud to sync certain operations consistently. Specifically, middlewares that implement the DBCoreTable.mutate() endpoint now also gets information on the where-critera and the update specification when originating from Collection.modify() or Collection.delete().
  • Support for Chrome's transaction durability option in Dexie constructor. PR #1367
  • Official event Dexie.on('storagemutated')
  • Typings: Stop exporting Dexie as namespace. Enables VSCode's ergonomic auto-import feature for dexie. The namespace export was not even working as expected. The intent had been to support those that code Typescript without using modules. But even they must have been disappointed because the typings did not only reveal parts of the Dexie API.
  • Let liveQuery() be type-wise compable with RxJS (PR #1417)

... (truncated)

Commits


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports

Loading