fix(deps): update dependency dexie to v3 [security] - autoclosed #132
Closed
Timeline:
69pmb force-pushed the master branch 2 times, most recently from 80af8da to 90833bd (December 27, 2022 13:25)
renovate bot force-pushed the renovate/npm-dexie-vulnerability branch from 7ff21fd to 8b81d3c (January 4, 2023 13:24)
renovate bot changed the title from "fix(deps): update dependency dexie to v3 [security]" to "chore(deps): update dependency dexie to 3.2.2 [security]" (Jan 4, 2023)
renovate bot changed the title from "chore(deps): update dependency dexie to 3.2.2 [security]" to "chore(deps): update dependency dexie to 3.2.2 [security] - autoclosed" (Feb 2, 2023)
renovate bot changed the title from "chore(deps): update dependency dexie to 3.2.2 [security] - autoclosed" to "chore(deps): update dependency dexie to 3.2.2 [security]" (Feb 2, 2023)
renovate bot changed the title from "chore(deps): update dependency dexie to 3.2.2 [security]" to "fix(deps): update dependency dexie to v3 [security]" (Mar 9, 2023)
renovate bot changed the title from "fix(deps): update dependency dexie to v3 [security]" to "chore(deps): update dependency dexie to 3.2.2 [security]" (Mar 16, 2023)
renovate bot changed the title from "chore(deps): update dependency dexie to 3.2.2 [security]" to "fix(deps): update dependency dexie to v3 [security]" (Mar 24, 2023)
renovate bot force-pushed the renovate/npm-dexie-vulnerability branch 6 times, most recently from d6db5ea to 90e83a2 (June 13, 2023 21:07)
renovate bot force-pushed the renovate/npm-dexie-vulnerability branch 2 times, most recently from aa1b00f to 8e5e350 (June 15, 2023 09:55)
renovate bot force-pushed the renovate/npm-dexie-vulnerability branch from 8e5e350 to 47ee898 (June 15, 2023 12:17)
renovate bot force-pushed the renovate/npm-dexie-vulnerability branch 2 times, most recently from e3bc973 to 4edb554 (June 17, 2023 18:46)
renovate bot force-pushed the renovate/npm-dexie-vulnerability branch 2 times, most recently from ebe471f to 3986ed4 (January 20, 2024 01:56)
renovate bot force-pushed the renovate/npm-dexie-vulnerability branch 2 times, most recently from d6b79a5 to 1ac022c (January 26, 2024 23:18)
renovate bot force-pushed the renovate/npm-dexie-vulnerability branch from 1ac022c to 5ad87de (February 20, 2024 16:34)
renovate bot force-pushed the renovate/npm-dexie-vulnerability branch from 5ad87de to 4118b3c (February 22, 2024 19:01)
renovate bot force-pushed the renovate/npm-dexie-vulnerability branch from 4118b3c to 0853bf1 (February 22, 2024 20:38)
69pmb force-pushed the main branch 3 times, most recently from 5bedec8 to 21b2146 (February 24, 2024 11:27)
renovate bot changed the title from "fix(deps): update dependency dexie to v3 [security]" to "fix(deps): update dependency dexie to v3 [security] - autoclosed" (Feb 24, 2024)
This PR contains the following updates: dexie 2.0.4 -> 3.2.2
GitHub Vulnerability Alerts
CVE-2022-21189
Dexie is a minimalistic wrapper for IndexedDB. The package dexie before 3.2.2, and from 4.0.0-alpha.1 before 4.0.0-alpha.3, is vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function, which does not properly check the keys being set (like __proto__ or constructor). This can allow an attacker to add/modify properties of Object.prototype, leading to a prototype pollution vulnerability. Note: This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input.
Release Notes
dfahlander/Dexie.js (dexie)
v3.2.2: Dexie v3.2.2
Security fix
Prohibit possible prototype pollution in Dexie.setByKeyPath() (dexie/Dexie.js@1d655a6)
Bugfix
Fix #1473 Cannot use Dexie in react-native
A corresponding release 4.0.0-alpha.3 contains the same fixes for 4.x.
v3.2.1: Dexie v3.2.1
v3.2.0: Dexie v3.2.0
Dexie.js has become Reactive
After one year in alpha, beta and RC, Dexie.js with liveQuery() is now officially released. The main reason for this new feature is better integration with frontend libraries like React, Svelte, Vue and Angular.
Together with this release, the website https://dexie.org also got a face lift with tutorials for React, Svelte, Vue and Angular.
Take a look at the updated website. Old tutorials are replaced with modern, relevant framework-specific ones. We've added React, Svelte, Vue and Angular samples on the landing page.
All changes since 3.0.3 in chronological order:
{allKeys: true} to bulkPut() and bulkAdd() will be equally fast as not providing that option.
Fixed Bugs since 3.0.3 in chronological order:
v3.0.4
v3.0.3: Dexie v3.0.3
Changes since 3.0.2
This release contains fixes that improve error resilience and typing correctness, and bug fixes for some edge cases.
Typing fixes
NOTE: Conditional types are now being used in dist/dexie.d.ts. If you are on an ancient TypeScript version (below 2.8) you will need to update typescript in your dev deps!
Improvements
Bugfixes
Addons
The addons are released with the "next" tag on npm, so please test them and help me verify that #1048 is solved:
npm i dexie-observable@3.0.0-beta.9
npm i dexie-syncable@3.0.0-beta.9
v3.0.2
PRs:
v3.0.1: Dexie v3.0.1
Maintenance Release
Changes
Bug fixes
Other
v3.0.0: Dexie v3.0.0
CSP compliance
Dexie is now CSP compliant (#722)
Improved Database Upgrading
It is no longer needed to keep old versions of schemas unless they have an upgrade attached. This is explained in release notes from 3.0.0-rc.3. The docs are updated accordingly.
Also, an old issue with upgrades has been that it was impossible to copy contents from one table to a new one and then remove the old one. This is now fixed, see release notes from 3.0.0-alpha.3 (https://github.com/dfahlander/Dexie.js/releases/tag/v3.0.0-alpha.3).
Typescript
Dexie has been refactored to using Typescript (Announcement #622, PR #653).
Redesign
The big difference in this release from v2.0.4 is how we call IndexedDB. Instead of calling it directly, it will go through a middleware-enabled stack, DBCore.
NOTE: This is an internal redesign. The external API is still the same as in Dexie 2.0, so you won't have to adapt to the new possibilities that come with this redesign, unless you want to use the new middleware API (Dexie.use()).
This rewrite is part of reaching the goals in the vision for Dexie; specifically, it will enable asynchronous work to be done in a middleware, which is something covered here.
See new documentation of Dexie.use()
Table.bulkGet()
In response to #833, Table.bulkGet() was added and is a more optimal way than WhereClause.anyOf() when what you need is to fetch several objects with known IDs. The documentation is here
Virtual Indexes
VirtualIndex makes it possible to use the first part of a compound index as if it was an ordinary index.
Dexie will emulate an ordinary index so that it works with algorithms such as equalsIgnoreCase() etc.
Example:
In earlier versions, you would have to specify 'lastName' index side by side with [lastName+firstName]
Issues and fixes since 2.0.4:
db.table.where({tags: 'browser', categories: 'database'})
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
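The advisory quoted in the PR body describes CVE-2022-21189 in terms of a key-path setter that never checks the segments it walks. The following is an added example written for this page, not Dexie's own code and not the commit referenced above: a minimal setByKeyPath-style helper in the unsafe shape the advisory describes, beside a hardened version that rejects __proto__, constructor and prototype segments and descends only into own properties. The function names, the demo harness and the JSON "request body" are assumptions made for illustration.

```javascript
// Added illustration for this PR page: a minimal setByKeyPath-style helper in
// the unsafe shape CVE-2022-21189 describes, beside a hardened version.
// This is NOT Dexie's source; the function names and all inputs below are
// assumptions made for the example.

// Key names that let a dotted key path walk from a plain object onto
// Object.prototype (directly, or via a constructor's prototype).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Unsafe: walks keyPath with plain property access, creating intermediate
// objects on demand, and never looks at the key names. "__proto__" resolves
// to Object.prototype, so the final assignment lands on the shared prototype.
function setByKeyPathUnsafe(obj, keyPath, value) {
  const parts = keyPath.split(".");
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (cur[key] === undefined || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Hardened: rejects the dangerous key names up front and only descends into
// own properties, so an inherited name such as "toString" is shadowed on the
// target object instead of being written through to the prototype.
function setByKeyPathSafe(obj, keyPath, value) {
  const parts = keyPath.split(".");
  for (const key of parts) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`setByKeyPath: refusing key path segment "${key}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== "object" || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Runs one setter against a fresh target and reports whether an unrelated
// object now sees a "polluted" property. Restores Object.prototype afterwards
// so successive runs are independent of each other.
function demo(setter, keyPath, value = "pwned") {
  const target = {};
  let threw = false;
  try {
    setter(target, keyPath, value);
  } catch (e) {
    threw = true;
  }
  const polluted = ({}).polluted === value;
  delete Object.prototype.polluted;
  return { threw, polluted, ownKeys: Object.keys(target) };
}

// Constructed "untrusted input": a key path as it might arrive in a JSON
// request body and be passed straight through to a collection-modify helper.
const untrusted = JSON.parse('{"keyPath":"__proto__.polluted","value":"pwned"}');
console.log("unsafe:", demo(setByKeyPathUnsafe, untrusted.keyPath, untrusted.value));
console.log("safe:  ", demo(setByKeyPathSafe, untrusted.keyPath, untrusted.value));
console.log("benign:", demo(setByKeyPathSafe, "address.city", "Oslo"));
```

Run it with node: the unsafe setter makes the polluted property appear on a brand-new, unrelated object, while the hardened setter throws on the same input and still handles an ordinary path such as address.city. The deny-list plus own-property check is the missing validation the advisory text points at; it complements, rather than replaces, defences such as freezing Object.prototype or using Object.create(null) for untrusted maps.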