fix(deps): update dependency dexie to v3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
dexie (source)	2.0.4 -> 3.2.2

GitHub Vulnerability Alerts

CVE-2022-21189

Dexie is a minimalistic wrapper for IndexedDB. The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like proto or constructor). This can allow an attacker to add/modify properties of the Object.prototype leading to prototype pollution vulnerability. Note: This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input.

---

Release Notes

dfahlander/Dexie.js (dexie)

v3.2.2: Dexie v3.2.2

Compare Source

Security fix

Prohibit possible prototype pollution in Dexie.setByKeyPath() (dexie/Dexie.js@1d655a6)

Bugfix

Fix #​1473 Cannot use Dexie in react-native

A corresponding release 4.0.0-alpha.3 contains the same fixes for 4.x.

v3.2.1: Dexie v3.2.1

Compare Source

• Workaround for issue #​613: Automatically reopen IndexedDB connection in case it was unexpectedly closed, and redo the operation. When a transaction couldn't be created due to invalid state, Dexie will reopen the IndexedDB connection and retry creating the transaction.
• Resolves #​1439 and #​1369 by extending the "exports" field to include "require" compliant version of dexie.

v3.2.0: Dexie v3.2.0

Compare Source

Dexie.js has become Reactive

After one year in alpha, beta and RC, Dexie.js with liveQuery() is now officially released. The main reason for this new feature is better integration with frontend libraries like React, Svelte, Vue and Angular.

Together with this release, the website https://dexie.org also got a face lift with tutorials for React, Svelte, Vue and Angular.

dexie.org

Take a look past the updated website. Old tutorials are replaced with modern relevant framework specific ones. We've added React, Svelte, Vue and Angular samples on the landing page.

All changes since 3.0.3 in chronological order

• PR 1104: dbName follows dependencies.indexedDB (II)
• Option {allKeys: true} to bulkPut() and bulkAdd() will be equally fast as not providing that option.
• Code cleanup and optimizations.
• Expose IDB 'close' event: https://github.com/dfahlander/Dexie.js/pull/1212
• BulkError: Possible to track individual errors. Add failuresByPos property: https://github.com/dfahlander/Dexie.js/pull/1209
• Dexie.getDatabaseNames(): Small optimization for our workaround for non-chromium browsers lacking the IDBFactory.databases(). commit.
• Argument to on.ready() callback will get a special Dexie instance that is not blocked (vip Dexie). This was the case also before but then we had to rely on zone state. This change makes it possible to perform non-dexie operations in on.read() callback (such as fetch()), loosing the zone state (PSD) but still have VIP access to the Dexie instance. This makes the code in a on.ready() callback not having to deal with wrapping all non-Dexie calls with Promise.resolve().
• Allow multiple calls to Version.upgrade() on the same version - will run all of them instead just of the latest registered.
• Retiring old workaround for safari 8 bug not allowing array argument to IDBDatabase.transaction().
• Dexie.delete() specifies an empty addons list to ensure no addons are involved when deleting a database using that static method.
• Minor extended the DBCore interface to make it possible for Dexie Cloud to sync certain operations consistently. Specifically, middlewares that implement the DBCoreTable.mutate() endpoint now also gets information on the where-critera and the update specification when originating from Collection.modify() or Collection.delete().
• Support for Chrome's transaction durability option in Dexie constructor. PR #​1367
• Official event Dexie.on('storagemutated')
• Typings: Stop exporting Dexie as namespace. Enables VSCode's ergonomic auto-import feature for dexie. The namespace export was not even working as expected. The intent had been to support those that code Typescript without using modules. But even they must have been disappointed because the typings did not only reveal parts of the Dexie API.
• Let liveQuery() be type-wise compable with RxJS (PR #​1417)
• Switch to JS implementation of indexedDB.cmp() (PR #​1412)

Fixed Bugs since 3.0.3 in chronological order

• #​1195 The 'update' crud-hook interpreted array properties as object with number keys.
• #​1280 Cannot add CryptoKeys to table with auto-incrementing primary key
• Typing correction: Fix version signatures (PR #​1287)
• Fix #​1236 - problems updating FileSystemFileHandle properties.
• Bugfix: Transaction.abort() does not rollback changes (filed as a repro PR in #​1329). Fixed in PR #​1330.
• Bugfix in Virtual Indexes (the reuse of compound indexes as plain indexes): Couldn't reuse parts of primary keys - only parts of indexes.
• PR #​1379 fix(bulk-delete): correctly define keys type. Fixes #​1364.
• Bugfix for #​1381 Collection.delete() fails silently for queries on virtual indexes that use .filter().
• Deleting multiple tables in a new version using null (#​1418)
• (Another) mysterious MissingAPI error (#​1400)

v3.0.4

Compare Source

v3.0.3: Dexie v3.0.3

Compare Source

Changes since 3.0.2

This release contains fixes that improves error resilience, typing correctness and bug fixes for some edge cases.

Typing fixes

• Fix Table.bulkGet return typing to include undefined #​1098
• Allow readonly arrays for bulk put & get methods #​1106
• Use error keys insted of values for typescript #​1115

NOTE: Conditional types is now being used in dist/dexie.d.ts. If you are on an ancient typescript version (below 2.8) you will need to update typescript in your dev deps!

Improvements

• Verify schema on open #​1108
• Repro + resolve issue #​1112: typescript declaration of id makes autoInc fail #​1119
• #​1136: Allow declaration-only tables for TS users

Bugfixes

• Allow middleware hooks to return objects that contained field names that contain dotted strings #​1130
• Resolve #​1127 #​1131
• #​1146: Resolve #​1145 Regression: SchemaError during version upgrade
• Bugfix of #​1154 (PR #​1155): WhereClause.equals(undefined) should fail, but it does not fail in dexie 3.0.0-3.0.2. It behaved correctly in dexie 2.x so it's a regression. It is important that libraries fail on invalid arguments so that subtle application bugs are nailed down more easily.

Addons

• Issue 1048 Typings of addons for Dexie 3.0 #​1117
  The addons are released with the "next" tag on npm, so please test them and help me verify that #​1048 is solved:
  npm i dexie-observable@3.0.0-beta.9
  npm i dexie-syncable@3.0.0-beta.9
• #​1138: Dexie.Observable: startObserving function: remove read-only query in order to avoid TransactionInactiveError
• Bugfix of #​1148 (PR #​1149).

v3.0.2

Compare Source

PRs:

• #​1062: Typing fix for Dexie.Observable IDatabaseChange.
• #​1081: Run reading hooks in bulkGet
• Updated dev-dependencies

v3.0.1: Dexie v3.0.1

Compare Source

Maintainance Release

Changes

• Dexie.getDatabaseNames() use new standard IDBFactory.databases() API instead of old obsolete webkitGetDatabaseNames()
• Consistent names in DBCore’s typescript interfaces
• #​1042 Be more unobtrusive with Promise.allSettled() and Promise.any()

Bug fixes

• #​791 Dexie.Observable: Cannot read property 'indexOf' of null
• #​1039 Table named 'schema' not working in Dexie 3

Other

• Released dexie-observable@1.0.0-beta.7
• Released dexie-syncable@1.0.0-beta.7
• npm audit and updated dev dependencies.

v3.0.0: Dexie v3.0.0

Compare Source

CSP compliance

Dexie is now CSP compliant (#​722)

Improved Database Upgrading

It is no longer needed to keep old versions of schemas unless they have an upgrade attached. This is explained in release notes from 3.0.0-rc.3. The docs are updated accordingly.

Also, an old issue with upgrades has been that it was impossible to copy contents from one table to a new one and then remove the old one. This is now fixed, see release notes from [3.0.0-alpha.3] (https://github.com/dfahlander/Dexie.js/releases/tag/v3.0.0-alpha.3))

Typescript

Dexie has been refactored to using Typescript (Announcement #​622, PR #​653).

Redesign

The big difference in this release from v2.0.4, is how we call IndexedDB. Instead of calling it directly, it will go through a middleware-enabled stack, DBCore.

NOTE: This is an internal redesign. The external API is still the same as in Dexie 2.0 so you won't have to adapt to the new possibilities that comes with this redesign, unless you want to use the new middleware api (Dexie.use()).

This rewrite is part of reaching the goals in vision for dexie, specifically it will enable asynchronic work to be done in a middleware, which is something covered in here.

See new documentation of Dexie.use()

Table.bulkGet()

In response to #​833, Table.bulkGet() was added and is a more optimal way than WhereClause.anyOf() when what you need is to fetch several objects with known IDs. The documentation is here

Virtual Indexes

VirtualIndex makes it possible to use the first part of a compound index as if it was an ordinary index.
Dexie will emulate an ordinary index so that it will works with algorithms such as equalsIgnoreCase() etc.

Example:

const db = new Dexie("mydb");
db.version(1).stores({
  friends: '++id, [lastName,firstName]'
});

function findFriendByLastName(prefix) {
   // Note: You can use 'lastName' because it's the first part of a compound index.
   return db.friends.where('lastName').startsWith(prefix);
}

In earlier versions, you would have to specify 'lastName' index side by side with [lastName+firstName]

Issues and fixes since 2.0.4

• PR #​670: updating hook's onsuccess will get the updated object as documented, instead of the primary key.
• PR #​672: fix for setByKeyPath when removing array items
• #​696 Possible to query multiple multiEntry properties using db.table.where({tags: 'browser', categories: 'database'}).
• #​692 Console warnings with indexing advices shall only happen in debug mode.
• #​771 Don't console.warn() unless Dexie.debug is truthy
• #​768 Issues with Collection.raw and Table.mapToClass
• #​612 Native async/await and upgrade handlers
• #​770 Using a database in an upgrade handler prevents subsequent upgrade handlers from running
• Bugfix for extracting index spec for handling dynamically opened outbound primkeys (commit 9718d95d9b3a434749079a7217412b8c9917c0e6)
• #​811 Dexie does not run under ESNext in Node
• Fixed CSP compliance (#​722)
• Fixed bug that omitted changes of properties with non-primitive intrinsic types (Date, ArrayBuffer, etc) in call to update hook (#​841)
• Feature: optionally all keys are returned on Table.bulkAdd() and Table.bulkPut() methods (PR #​973)
• Fix for issue 947 (PR #​948)
• Fix #​491 (Check that versions given to db.version() is a positive number.)
• Support Promise.allSettled() and Promise.any() (runtime only. Typings still rely on Typescript lib to support it)
• Resolves a bug that Dexie may come into a state when it is unable to open a db in case the db exists but has no ObjectStores in it.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Found file in cache: /tmp/renovate-cache/buildpack/7576b42decc67f70b61585f41c5074bea75c260886346e567578ea0e0dc2d571/node-v16.17.0-linux-x64.tar.xz

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated
quark	❌ Failed (Inspect)		Aug 30, 2022 at 6:52AM (UTC)

[cloudflare-pages]

Deploying with    Cloudflare Pages

Latest commit:	8a80df4
Status:	🚫  Build failed.

View logs