
[Security] Bump nth-check and cheerio

Bumps nth-check to 2.1.1 and updates ancestor dependency cheerio. These dependencies need to be updated together.

Updates nth-check from 1.0.2 to 2.1.1. This update includes a security fix.

Vulnerabilities fixed

Inefficient Regular Expression Complexity in nth-check

nth-check is vulnerable to Inefficient Regular Expression Complexity.

Patched versions: 2.0.1
Affected versions: < 2.0.1

Release notes

Sourced from nth-check's releases.

v2.1.1

  • The ESM code had some issues that are now fixed aeeb067

https://github.com/fb55/nth-check/compare/v2.1.0...v2.1.1

v2.1.0

What's Changed

  • nth-check is now a dual CommonJS and ESM module fb55/nth-check#206
  • With the new sequence and generate methods, it is now possible to generate a sequence of indices for a given formula fb55/nth-check#207

Full Changelog: https://github.com/fb55/nth-check/compare/v2.0.1...v2.1.0

v2.0.1

Fixes:

  • Replace regex with hand-rolled parser for nth-expressions (#9) 9894c1d
    • Ensures parsing will always have linear time complexity.

Internal:

  • chore(ci): Use GitHub Actions, Dependabot (#10) e02b4dd
  • Bump dependencies

https://github.com/fb55/nth-check/compare/v2.0.0...v2.0.1

v2.0.0

  • Port module to TS, Jest, ESLint

Breaking:

  • The main export is now a default export.
  • The module now throws regular Errors on invalid selectors instead of SyntaxErrors.
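
The v2.0.1 notes above say the regex was replaced with a hand-rolled parser so that parsing always has linear time complexity. The following is an added illustration of that approach, not nth-check's own code; the name `parseNth`, its error message and its requirement of an explicit sign before B are assumptions of this example.

```javascript
// Added example: single-pass parser for CSS nth formulas such as "2n+1" or "-n + 3".
// parseNth is a hypothetical name; this is not nth-check's source code.
function parseNth(formula) {
  const s = formula.trim().toLowerCase();
  if (s === "even") return [2, 0];
  if (s === "odd") return [2, 1];

  let i = 0; // the cursor only moves forward, so total work is O(s.length)
  const skipSpace = () => {
    while (i < s.length && (s[i] === " " || s[i] === "\t")) i++;
  };
  const readSign = () => {
    if (s[i] === "-") { i++; return -1; }
    if (s[i] === "+") i++;
    return 1;
  };
  const readDigits = () => {
    const start = i;
    let value = 0;
    while (i < s.length && s[i] >= "0" && s[i] <= "9") {
      value = value * 10 + (s.charCodeAt(i) - 48);
      i++;
    }
    return i === start ? null : value; // null means "no digits here"
  };

  let a = 0;
  let sign = readSign();
  let number = readDigits();
  if (s[i] === "n") {
    i++;
    a = sign * (number === null ? 1 : number); // "n" is 1n, "-n" is -1n
    sign = 1;
    number = 0; // B defaults to 0 when the formula ends after "n"
    skipSpace();
    if (i < s.length) {
      const signed = s[i] === "+" || s[i] === "-";
      sign = readSign();
      skipSpace();
      number = signed ? readDigits() : null; // this example requires a sign before B
    }
  }

  // A missing number or any unconsumed character rejects the whole formula.
  if (number === null || i < s.length) {
    throw new Error(`invalid nth formula: '${formula}'`);
  }
  return [a, sign * number];
}
```

Because no character is ever re-read, a long run of whitespace followed by a stray character is rejected after one pass rather than after repeated backtracking.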

Updates cheerio from 0.22.0 to 1.0.0-rc.12

Release notes

Sourced from cheerio's releases.

v1.0.0-rc.12

Bugfix release. Fixed issues:

New Contributors

Full Changelog: https://github.com/cheeriojs/cheerio/compare/v1.0.0-rc.11...v1.0.0-rc.12

v1.0.0-rc.11

cheerio@1.0.0-rc.11 is hopefully the last RC before the 1.0.0 release of Cheerio. There are two APIs that will be added for the next major release: An extract method (cheeriojs/cheerio#2523) and NodeJS specific loader methods (cheeriojs/cheerio#2051). These are still in flux and I'd appreciate feedback on the proposals.

A big thank you to everyone that contributed to this release! This includes code contributors, as well as the amazing financial support on GitHub Sponsors!

Under the hood, a lot of work for this release went into updating parse5, cheerio's default HTML parser. Have a look at parse5's release notes to see what has changed there.

Breaking

  • Cheerio is now a dual CommonJS and ESM module. That means that deep imports will now fail in newer versions of Node. cheeriojs/cheerio#2508
  • script and style contents are added again in .text() cheeriojs/cheerio#2509
    • To keep the old behavior, switch .text() to .prop('innerText')
  • The TypeScript types inherited from upstream dependencies have changed. cheeriojs/cheerio#2503
    • Node types are now using tagged unions, which will make consumption a bit easier.

Features

Fixes

Refactor

... (truncated)

Changelog

Sourced from cheerio's changelog.

Starting with 1.0.0-rc.4, release notes are exclusively tracked in GitHub Releases.

1.0.0-rc.3 / 2019-04-06

This release corrects a test expectation that was fixed by one of the project's dependencies.

1.0.0-rc.2 / 2017-07-02

This release changes Cheerio's default parser to the Parse5 HTML parser. Parse5 is an excellent project that rigorously conforms to the HTML standard. It does not support XML, so Cheerio continues to use htmlparser2 when working with XML documents.

This switch addresses many long-standing bugs in Cheerio, but some users may experience slower behavior in performance-critical applications. In addition, htmlparser2 is more forgiving of invalid markup, which can be useful when input is sourced from a third party and cannot be corrected. For these reasons, the load method also accepts a DOM structure as produced by the htmlparser2 library. See the project's "readme" file for more details on this usage pattern.

Migrating from version 0.x

cheerio.load( html[, options ] )

This method continues to act as a "factory" function. It produces functions that define an API that is similar to the global jQuery function provided by the jQuery library. The generated function operates on a DOM structure based on the provided HTML.

In releases prior to version 1.0, the provided HTML was interpreted as a document fragment. Following version 1.0, strings provided to the load method are interpreted as documents. The same example will produce a $ function that operates on a full HTML document, including an <html> document element with nested <head> and <body> tags. This mimics web browser behavior much more closely, but may require alterations to existing code.

For example, the following code will produce different results between 0.x and 1.0 releases:

var cheerio = require('cheerio');

// Load a fragment-like string and serialize the root
var $ = cheerio.load('<p>Hello, <b>world</b>!</p>');
$.root().html();
//=> In version 0.x: '<p>Hello, <b>world</b>!</p>'
//=> In version 1.0: '<html><head></head><body><p>Hello, <b>world</b>!</p></body></html>'

Users wishing to parse, manipulate, and render full documents should not need to modify their code. Likewise, code that does not interact with the "root"

... (truncated)
