Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update all non-major dependencies #178

Open
wants to merge 1 commit into
base: dev
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jan 6, 2021

This PR contains the following updates:

Package Change Age Adoption Passing Confidence Type Update
@nuxt/content-theme-docs ^0.8.2 -> ^0.11.1 age adoption passing confidence dependencies minor
consola ^2.15.0 -> ^2.15.3 age adoption passing confidence dependencies patch
minimatch ^3.0.4 -> ^3.1.2 age adoption passing confidence dependencies minor
node (source) >=8.9.0 -> >=8.17.0 age adoption passing confidence engines minor
npm (source) >=5.0.0 -> >=5.10.0 age adoption passing confidence engines minor
nuxt (source) ^2.14.11 -> ^2.18.1 age adoption passing confidence dependencies minor

Release Notes

nuxt/content (@​nuxt/content-theme-docs)

v0.11.1

Compare Source

v0.11.0

Compare Source

v0.10.2

Compare Source

v0.10.1

Compare Source

v0.10.0

Compare Source

v0.9.0

Compare Source

unjs/consola (consola)

v2.15.3

Compare Source

v2.15.2

Compare Source

v2.15.1

Compare Source

isaacs/minimatch (minimatch)

v3.1.2

Compare Source

v3.1.1

Compare Source

v3.1.0

Compare Source

v3.0.8

Compare Source

v3.0.7

Compare Source

v3.0.6

Compare Source

v3.0.5

Compare Source

nodejs/node (node)

v8.17.0: 2019-12-17, Version 8.17.0 'Carbon' (LTS), @​MylesBorins

Compare Source

This is a security release.

For more details about the vulnerability please consult the npm blog:

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Notable changes
Commits

v8.16.2: 2019-10-09, Version 8.16.2 'Carbon' (LTS), @​BethGriggs

Compare Source

Node.js 8 is due to go End-of-Life on 31st December 2019.

Notable changes
  • deps: upgrade openssl sources to 1.0.2s (Sam Roberts) #​28230
Commits

v8.16.1: 2019-08-15, Version 8.16.1 'Carbon' (LTS), @​BethGriggs

Compare Source

Notable changes

This is a security release.

Node.js, as well as many other implementations of HTTP/2, have been found
vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.

Vulnerabilities fixed:

  • CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  • CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  • CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
  • CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
  • CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  • CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
  • CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
  • CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google)
Commits

v8.16.0: 2019-04-16, Version 8.16.0 'Carbon' (LTS), @​MylesBorins

Compare Source

Notable Changes
  • n-api:
    • add API for asynchronous functions (Gabriel Schulhof) #​17887
    • mark thread-safe function as stable (Gabriel Schulhof) #​25556
Commits

v8.15.1

Compare Source

v8.15.0: 2018-12-26, Version 8.15.0 'Carbon' (LTS), @​MylesBorins

Compare Source

The 8.14.0 security release introduced some unexpected breakages on the 8.x release line.
This is a special release to fix a regression in the HTTP binary upgrade response body and add
a missing CLI flag to adjust the max header size of the http parser.

Notable Changes
  • cli:
    • add --max-http-header-size flag (cjihrig) #​24811
  • http:
    • add maxHeaderSize property (cjihrig) #​24860
Commits

v8.14.1: 2018-12-18, Version 8.14.1 'Carbon' (LTS), @​MylesBorins prepared by @​BethGriggs

Compare Source

Notable changes
  • assert:
    • revert breaking change (Ruben Bridgewater) #​24786
  • http2:
    • fix sequence of error/close events (Gerhard Stoebich) #​24789
Commits

v8.14.0: 2018-11-27, Version 8.14.0 'Carbon' (LTS), @​rvagg

Compare Source

This is a security release. All Node.js users should consult the security release summary at:

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  • Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
  • Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
  • Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
  • Node.js: HTTP request splitting (CVE-2018-12116)
  • OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
  • OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
Notable Changes
  • deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
  • http:
    • Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
    • A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with server.headersTimeout. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout(), this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach (liebdich.com). (CVE-2018-12122 / Matteo Collina)
    • Two-byte characters are now strictly disallowed for the path option in HTTP client requests. Paths containing characters outside of the range \u0021 - \u00ff will now be rejected with a TypeError. This behavior can be reverted if necessary by supplying the --security-revert=CVE-2018-12116 command line argument (this is not recommended). Reported as security concern for Node.js 6 and 8 by Arkadiy Tetelman (Lob), fixed by backporting a change by Benno Fünfstück applied to Node.js 10 and later. (CVE-2018-12116 / Matteo Collina)
  • url: Fix a bug that would allow a hostname being spoofed when parsing URLs with url.parse() with the 'javascript:' protocol. Reported by Martin Bajanik (Kentico). (CVE-2018-12123 / Matteo Collina)
Commits

v8.13.0: 2018-11-20, Version 8.13.0 'Carbon' (LTS), @​MylesBorins prepared by @​BethGriggs

Compare Source

Notable changes
  • assert:
    • backport some assert commits (Ruben Bridgewater) #​23223
  • deps:
    • upgrade to libuv 1.23.2 (cjihrig) #​23336
    • V8: cherry-pick 64-bit hash seed commits (Yang Guo) #​23274
  • http:
    • added aborted property to request (Robert Nagy) #​20094
  • http2:
    • graduate from experimental (James M Snell) #​22466
Commits

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@codecov
Copy link

codecov bot commented Jan 6, 2021

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (0bc0ebd) to head (bb49f87).
Report is 3 commits behind head on dev.

Current head bb49f87 differs from pull request most recent head aa26f1d

Please upload reports for the commit aa26f1d to get more accurate results.

Additional details and impacted files
@@            Coverage Diff            @@
##               dev      #178   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            7         7           
  Lines          261       261           
  Branches        57        57           
=========================================
  Hits           261       261           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@renovate renovate bot changed the title chore(deps): update dependency nuxt to ^2.14.12 chore(deps): update all non-major dependencies Feb 3, 2021
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from d47a225 to 18de832 Compare February 15, 2021 11:43
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 18de832 to 6f6a565 Compare April 26, 2021 12:42
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from a4fed2f to cb33e29 Compare May 15, 2021 19:13
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from cb33e29 to 9ccb3b8 Compare June 14, 2021 21:09
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from ab32f4b to bb49f87 Compare October 21, 2021 11:53
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 57020c7 to 442173a Compare March 7, 2022 17:02
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 442173a to aa54883 Compare March 18, 2023 04:10
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from aa54883 to 47f6a3e Compare June 9, 2023 23:00
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 47f6a3e to 1d0b1ad Compare July 14, 2023 22:51
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 65f9eff to 6e5a3c7 Compare June 14, 2024 14:42
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 6e5a3c7 to 90af95a Compare June 27, 2024 15:51
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 90af95a to aa26f1d Compare June 28, 2024 14:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants