[Security] Bump semver and @mapbox/node-pre-gyp
Bumps semver and @mapbox/node-pre-gyp. These dependencies needed to be updated together.
Updates semver from 6.3.1 to 7.5.4 This update includes a security fix.
Vulnerabilities fixed
semver vulnerable to Regular Expression Denial of Service Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Patched versions: 7.5.2 Affected versions: < 7.5.2
Release notes
Sourced from semver's releases.
v7.5.4
7.5.4 (2023-07-07)
Bug Fixes
cc6fde2#588 trim each range set before parsing (@lukekarrys)99d8287#583 correctly parse long build ids as valid (#583) (@lukekarrys)v7.5.3
7.5.3 (2023-06-22)
Bug Fixes
abdd93d#571 set max lengths in regex for numeric and build identifiers (#571) (@lukekarrys)Documentation
v7.5.2
7.5.2 (2023-06-15)
Bug Fixes
58c791f#566 diff when detecting major change from prerelease (#566) (@lukekarrys)5c8efbc#565 preserve build in raw after inc (#565) (@lukekarrys)717534e#564 better handling of whitespace (#564) (@lukekarrys)v7.5.1
7.5.1 (2023-05-12)
Bug Fixes
d30d25a#559 show type on invalid semver error (#559) (@tjenkinson)v7.5.0
7.5.0 (2023-04-17)
Features
503a4e5#548 allow identifierBase to be false (#548) (@lsvalina)Bug Fixes
e219bb4#552 throw on bad version with correct error message (#552) (@wraithgar)fc2f3df#546 incorrect results from diff sometimes with prerelease versions (#546) (@tjenkinson)2781767#547 avoid re-instantiating SemVer during diff compare (#547) (@macno)v7.4.0
7.4.0 (2023-04-10)
... (truncated)
Changelog
Sourced from semver's changelog.
7.5.4 (2023-07-07)
Bug Fixes
cc6fde2#588 trim each range set before parsing (@lukekarrys)99d8287#583 correctly parse long build ids as valid (#583) (@lukekarrys)7.5.3 (2023-06-22)
Bug Fixes
abdd93d#571 set max lengths in regex for numeric and build identifiers (#571) (@lukekarrys)Documentation
7.5.2 (2023-06-15)
Bug Fixes
58c791f#566 diff when detecting major change from prerelease (#566) (@lukekarrys)5c8efbc#565 preserve build in raw after inc (#565) (@lukekarrys)717534e#564 better handling of whitespace (#564) (@lukekarrys)7.5.1 (2023-05-12)
Bug Fixes
d30d25a#559 show type on invalid semver error (#559) (@tjenkinson)7.5.0 (2023-04-17)
Features
503a4e5#548 allow identifierBase to be false (#548) (@lsvalina)Bug Fixes
e219bb4#552 throw on bad version with correct error message (#552) (@wraithgar)fc2f3df#546 incorrect results from diff sometimes with prerelease versions (#546) (@tjenkinson)2781767#547 avoid re-instantiating SemVer during diff compare (#547) (@macno)7.4.0 (2023-04-10)
Features
113f513#532 identifierBase parameter for .inc (#532) (@wraithgar,@b-bly)48d8f8f#530 export new RELEASE_TYPES constant (@hcharley)
... (truncated)
Commits
-
36cd334chore: release 7.5.4 -
8456d87chore: postinstall for dependabot template-oss PR -
dde1f00chore: postinstall for dependabot template-oss PR -
dffcd1bchore: bump@npmcli/template-ossfrom 4.16.0 to 4.17.0 -
d619f66chore: postinstall for dependabot template-oss PR -
3bc4247chore: bump@npmcli/template-ossfrom 4.15.1 to 4.16.0 -
cc6fde2fix: trim each range set before parsing -
99d8287fix: correctly parse long build ids as valid (#583) -
4f0f6b1chore: fix arguments in whitespace test (#574) -
6bd1a37chore: remove duplicate test in semver class (#575) - Additional commits viewable in compare view
Updates @mapbox/node-pre-gyp from 1.0.10 to 1.0.10
Changelog
Sourced from @mapbox/node-pre-gyp's changelog.
Commits
- See full diff in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
-
$dependabot rebasewill rebase this MR -
$dependabot recreatewill recreate this MR rewriting all the manual changes and resolving conflicts