Update all #1083

Merged
merged 3 commits into from
Sep 14, 2021

renovate[bot]
Contributor

@renovate renovate bot commented Aug 9, 2021

WhiteSource Renovate

This PR contains the following updates:

| Package | Change |
|---|---|
| @ampproject/rollup-plugin-closure-compiler | 0.26.0 -> 0.27.0 |
| @types/node | 14.17.7 -> 14.17.15 |
| acorn | 8.4.1 -> 8.5.0 |
| acorn-walk | 8.1.1 -> 8.2.0 |
| husky | 7.0.1 -> 7.0.2 |
| lint-staged | 11.1.1 -> 11.1.2 |
| mini-css-extract-plugin | 2.1.0 -> 2.2.2 |
| node | 14.17.4 -> 14.17.6 |
| prettier | 2.3.2 -> 2.4.0 |
| rollup | 2.55.1 -> 2.56.3 |
| sirv | 1.0.12 -> 1.0.17 |
| typescript | 4.3.5 -> 4.4.2 |
| webpack | 5.48.0 -> 5.52.1 |
| webpack-cli | 4.7.2 -> 4.8.0 |

Release Notes

ampproject/rollup-plugin-closure-compiler

v0.27.0

Compare Source

This release adds support for M1 Macintoshes.

acornjs/acorn

v8.5.0

Compare Source

typicode/husky

v7.0.2

Compare Source

Fix pre-commit hook in WebStorm (#1023)

okonet/lint-staged

v11.1.2

Compare Source

Bug Fixes
  • try to automatically fix and warn about invalid brace patterns (#992) (b3d97cf)

webpack-contrib/mini-css-extract-plugin

v2.2.2

Compare Source

v2.2.1

Compare Source

v2.2.0

Compare Source

Features
Bug Fixes
  • hmr in browser extension (3d09da1)
nodejs/node

v14.17.6

Compare Source

This is a security release.

Notable Changes

These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and CVE-2021-32804.
Subsequent internal security review of node-tar and additional external bounty reports have resulted in another 5 CVEs being remediated in core npm CLI dependencies including node-tar, and npm arborist.

You can read more about it in:

Commits

v14.17.5

Compare Source

This is a security release.

Notable Changes
  • CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
    • Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
  • CVE-2021-22930: Use after free on close http2 on stream canceling (High)
  • CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
    • If the Node.js HTTPS API was used incorrectly and "undefined" was passed in for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.

Commits
prettier/prettier

v2.4.0

Compare Source

diff

🔗 Release Notes

rollup/rollup

v2.56.3

Compare Source

2021-08-23

Bug Fixes
  • Make sure moduleInfo contains complete information about imported ids in the moduleParsed hook (#4208)
Pull Requests

v2.56.2

Compare Source

2021-08-10

Bug Fixes
  • Check if after simplification, an object pattern would become an expression statement or arrow function return value (#4204)
Pull Requests

v2.56.1

Compare Source

2021-08-08

Bug Fixes
  • Fix rendering of SystemJS export declarations initialized with a simplifiable expression (#4202)
Pull Requests

v2.56.0

Compare Source

2021-08-05

Features
  • Create more efficient code for SystemJS exports (#4199)
  • Extend maxParallelFileReads option to also throttle plugin load hooks (#4200)
Bug Fixes
  • Return correct value for postfix update expressions of exported variables (#4194)
Pull Requests
lukeed/sirv

v1.0.17

Compare Source

v1.0.16

Compare Source

v1.0.15

Compare Source

v1.0.14

Compare Source

Chores

  • (sirv): Bump @polka/url to take advantage of this fix

v1.0.13

Compare Source

Patches

  • (sirv) Only use req.path if the req._decoded flag exists (#82):

    The req._decoded check was added & should have always been in there, since this was sirv's way of preventing duplicate decodeURIComponent calls. However, this was only true when it received a request from a polka@next app, since Polka was previously writing the decoded value to req.path – this changed with polka@v1.0.0-next.16

    Now that the latest polka@next (and Express) doesn't decode automatically anymore, req.path isn't trustworthy on its own. It needs req._decoded to be there too in order to trust it.

    This combo-check is backwards compatible for polka@next users who don't upgrade and will unblock Express users for the first time, who have always had a "raw" req.path value set.

Microsoft/TypeScript

v4.4.2

Compare Source

For release notes, check out the release announcement.

For the complete list of fixed issues, check out the

Downloads are available on:

webpack/webpack

v5.52.1

Compare Source

Performance

  • split fresh created persistent cache files by time to avoid creating very large files

v5.52.0

Compare Source

Feature

  • experiments.executeModule is enabled by default and the option is removed
    • loaders are now free to use this.importModule

Bugfixes

  • fix generated __WEBPACK_EXTERNAL_MODULE_null__, which leads to merged externals
  • .webpack[...] extension is not part of matching and module name

v5.51.2

Compare Source

Bugfixes
  • fix crash in FileSystemInfo when errors occur
  • avoid property access of reserved properties
  • fix reexports from async modules
  • automatically close an active watching when closing the compiler
  • when filenames of other runtimes are referenced that need a full hash, upgrade referencing runtime module to full hash mode too
    • fixes a bug where [contenthash] is undefined when using new Worker

v5.51.1

Compare Source

Bugfixes

  • library: "module" propagates top-level-await correctly
  • fix crash in filesystem snapshotting when trying to snapshot a non-existing directory
  • fix some context-dependent logic in concatenated modules and source url handling

v5.51.0

Compare Source

Bugfixes

  • correctly keep chunk loading state when the chunk loading logic is HMR updated
    • This fixes some edge cases that e. g. occur when using lazy compilation for entrypoints. It is now able to HMR update that instead of needing a manual reload. Also see fixes in webpack-dev-server@4.
  • track and resolve symlinks for filesystem snapshotting
    • This fixes some cases of circular yarn linking of dependencies.
    • It also fixes some problems when using package managers that use symlinks to deduplicate (e. g. cnpm or pnpm)
  • pass the resulting module in the callbacks of Compilation.addModuleChain and Compilation.addModuleTree

v5.50.0

Compare Source

Features

Performance

  • disable cache compression by default as it tends to make performance worse
    • It could still be enabled again for specific scenarios
  • reduce the number of allocations during cache serialization
    • This improves performance and memory usage

v5.49.0

Compare Source

Features

  • add experiments.buildHttp to build http(s):// imports instead of keeping them external
    • keeps a webpack.lock file with integrity and webpack.lock.data with cached content that should be committed
    • Automatically upgrades lockfile during development when remote resources change
      (might be disabled with experiments.buildHttp.upgrade: false)
    • Lockfile is frozen during production builds and usually no network requests are made
      (exception: Cache-Control: no-cache).
    • The webpack.lock.data persisting can be disabled with experiments.buildHttp.cacheLocation: false.
      That will introduce an availability risk.
      (webpack cache will be used to cache network responses)

Bugfixes

  • fix HMR infinite loop (again)
  • fix rare non-determinism with splitChunks.maxSize introduced in the last release
  • optional modules no longer cause the module to fail when bail is set
  • fix typo in records format: chunkHashs -> chunkHashes

Performance

  • limit the number of parallel generated chunks for memory reasons
webpack/webpack-cli

v4.8.0

Compare Source

Bug Fixes
Features
  • show possible values for option in help output (#2819) (828e5c9)
  • init-generator: add ability to specify a package manager of choice (#2769) (e53f164)

4.7.2 (2021-06-07)

Note: Version bump only for package webpack-cli (due @webpack-cli/serve)

4.7.1 (2021-06-07)

Bug Fixes

Configuration

📅 Schedule: "before 3am on Monday" (UTC).

🚦 Automerge: Enabled.

Rebasing: Renovate will not automatically rebase this PR, because other commits have been found.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box.

This PR has been generated by WhiteSource Renovate. View repository job log here.
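
The Node.js v14.17.5 note above on CVE-2021-22939 describes "undefined" being passed for rejectUnauthorized with no error returned. The following is an added example, not code from this PR, Renovate or Node.js: a guard that audits a TLS options object before it reaches the HTTPS API and fails closed. The function names and the sample config object are hypothetical.

```javascript
// Added example: fail closed on ambiguous certificate-verification settings.
// auditTlsOptions / hardenTlsOptions are hypothetical helper names.

function auditTlsOptions(options = {}, env = process.env) {
  const findings = [];
  const has = Object.prototype.hasOwnProperty.call(options, 'rejectUnauthorized');
  const value = options.rejectUnauthorized;

  if (has && value === undefined) {
    // The pattern from the release note: key present, value undefined.
    findings.push('rejectUnauthorized is present but undefined');
  } else if (has && typeof value !== 'boolean') {
    // Strings such as "false" or null come from loosely typed config sources.
    const kind = value === null ? 'null' : typeof value;
    findings.push('rejectUnauthorized has non-boolean type ' + kind);
  } else if (value === false) {
    findings.push('rejectUnauthorized is false: verification disabled');
  }
  // Real Node.js environment switch that disables verification process-wide.
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push('NODE_TLS_REJECT_UNAUTHORIZED=0 is set');
  }
  return findings;
}

function hardenTlsOptions(options = {}, env = process.env) {
  const findings = auditTlsOptions(options, env);
  if (findings.length > 0) {
    throw new TypeError('unsafe TLS options: ' + findings.join('; '));
  }
  // Pin the value explicitly so a later object spread cannot unset it.
  return { ...options, rejectUnauthorized: true };
}

// Constructed sample: a config object that lacks the "verifyTls" key, so the
// property lookup yields undefined and lands in the options object.
const config = { host: 'api.example.test' };
const risky = { host: config.host, rejectUnauthorized: config.verifyTls };
```

Calling hardenTlsOptions(risky) throws instead of opening a connection, which turns the silent acceptance described in the release note into a startup-time error on any Node.js version.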

@renovate renovate bot force-pushed the renovate/all branch 7 times, most recently from fa6c8b1 to d5ea25f Compare August 15, 2021 20:59
@renovate renovate bot force-pushed the renovate/all branch 7 times, most recently from 97fbc99 to d4eaaa0 Compare August 23, 2021 05:50
@samouri
Member

samouri commented Aug 23, 2021

One of the package updates is increasing size. Will investigate this within the next ~mo, but this does not seem urgent.

@renovate renovate bot force-pushed the renovate/all branch 9 times, most recently from c58a5ed to c57ae84 Compare August 31, 2021 23:15
@renovate renovate bot force-pushed the renovate/all branch 4 times, most recently from 36bb077 to 6e8da05 Compare September 7, 2021 13:34
@renovate renovate bot force-pushed the renovate/all branch 2 times, most recently from d27a4b6 to 669f1ff Compare September 9, 2021 09:51
@renovate renovate bot force-pushed the renovate/all branch 2 times, most recently from 26fd99b to 363cdcc Compare September 10, 2021 10:18
@samouri samouri self-assigned this Sep 10, 2021
- OffscreenCanvas was already a type, refer to our own instead.
- When stubbing postMessage (which has multiple signatures), can no longer be lazy without coercion.
@samouri
Member

samouri commented Sep 13, 2021

Closure compiler upgrade caused this change:

before

s.addGlobalEventListener("message", ({ data: s }) => {	
              if (1 === s[12]) {	
                var i = t((s = s[39])[7]);	
                null !== i &&	
                  i.dispatchEvent(	
                    Object.assign(	
                      new W(s[12], { bubbles: s[25], cancelable: s[26] }),	
                      {	
                        cancelBubble: s[27],	
                        defaultPrevented: s[29],	
                        eventPhase: s[30],	
                        isTrusted: s[31],	
                        returnValue: s[32],	
                        target: X(e.document, s),	
                        timeStamp: s[33],	
                        scoped: s[34],	
                        keyCode: s[35],	
                        pageX: s[60],	
                        pageY: s[61],	
                        offsetX: s[65],	
                        offsetY: s[66],	
                        touches: Q(e.document, s, 62),	
                        changedTouches: Q(e.document, s, 63),	
                      }	
                    )	
                  );

after

s.addGlobalEventListener("message", ({ data: s }) => {
              if (1 === s[12]) {
                var i = t((s = s[39])[7]);
                if (null !== i) {
                  var r = i.dispatchEvent,
                    n = Object,
                    a = n.assign,
                    l = new W(s[12], { bubbles: s[25], cancelable: s[26] }),
                    o = s[27],
                    h = s[29],
                    d = s[30],
                    u = s[31],
                    c = s[32];
                  if (null !== s[13]) {
                    var g = s[13][0];
                    g = t(0 !== g ? g : e.document[7]);
                  } else g = null;
                  r.call(
                    i,
                    a.call(n, l, {
                      cancelBubble: o,
                      defaultPrevented: h,
                      eventPhase: d,
                      isTrusted: u,
                      returnValue: c,
                      target: g,
                      timeStamp: s[33],
                      scoped: s[34],
                      keyCode: s[35],
                      pageX: s[60],
                      pageY: s[61],
                      offsetX: s[65],
                      offsetY: s[66],
                      touches: X(e.document, s, 62),
                      changedTouches: X(e.document, s, 63),
                    })
                  );

@samouri samouri self-requested a review September 13, 2021 18:36
@samouri samouri merged commit 5d3cdab into main Sep 14, 2021
@samouri samouri deleted the renovate/all branch September 14, 2021 16:20