fix(deps): update dependency mathjs to v7 [security] #10841
+31 −36
This PR contains the following updates: mathjs `^5.0.4` -> `^7.0.0`
GitHub Vulnerability Alerts
CVE-2020-7743
The package mathjs before 7.5.1 is vulnerable to Prototype Pollution via the `deepExtend` function that runs upon configuration updates.
Prototype Pollution in mathjs
CVE-2020-7743 / GHSA-x2fc-mxcx-w4mf / SNYK-JAVA-ORGWEBJARS-1017113 / SNYK-JAVA-ORGWEBJARSBOWER-1017112 / SNYK-JAVA-ORGWEBJARSNPM-1017111 / SNYK-JS-MATHJS-1016401
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
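The advisory names a deep merge run on configuration updates as the pollution vector; the added example below (constructed for this page, not mathjs's own `deepExtend` nor the fix the project shipped) puts a naive merge beside a hardened one that walks only own keys and refuses the keys that reach the prototype chain. `makeConfig`, `pollutionAfterUpdate` and the JSON input are all constructed for the illustration.

```javascript
// Naive recursive merge: every enumerable key of `source` is walked, and
// `target["__proto__"]` silently resolves to Object.prototype.
function naiveDeepExtend(target, source) {
  for (const key in source) {
    const value = source[key]
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {}
      naiveDeepExtend(target[key], value)
    } else {
      target[key] = value
    }
  }
  return target
}
// Hardened merge: own keys only, and the keys that can reach the prototype
// chain are rejected instead of merged.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype'])
function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`deepExtend: refusing to merge key "${key}"`)
    }
    const value = source[key]
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key)
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn || typeof target[key] !== 'object') target[key] = {}
      safeDeepExtend(target[key], value)
    } else {
      target[key] = value
    }
  }
  return target
}
// Constructed config() updater (hypothetical, not the library's): user
// options are merged into fresh defaults with the supplied merge strategy.
function makeConfig(extend) {
  const settings = { epsilon: 1e-12, matrix: 'Matrix', number: 'number' }
  return (options) => extend(settings, options)
}
// Runs a constructed untrusted update through config() and reports whether
// an unrelated object gained the injected property; cleans up afterwards.
function pollutionAfterUpdate(extend) {
  const update = JSON.parse('{"epsilon": 1e-9, "__proto__": {"polluted": true}}')
  let threw = false
  try { makeConfig(extend)(update) } catch (e) { threw = true }
  const polluted = ({}).polluted === true
  delete Object.prototype.polluted
  return { polluted, threw }
}
```

Note that `JSON.parse` creates `__proto__` as an ordinary own property, so the naive loop recurses into `Object.prototype` itself, while a plain object literal with that key would instead reassign the prototype.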
Release Notes
josdejong/mathjs (mathjs)
v7.5.1
- `math.config`. Thanks Snyk.
v7.5.0
- `pickRandom` now allows randomly picking elements from matrices with 2 or more dimensions instead of only from a vector, see #1974. Thanks @KonradLinkowski.
v7.4.0
- `ceil`, `floor`, and `fix`, similar to `round`, see #1967, #1901. Thanks @rnd-debug.
- `rotationMatrix`, see #1160, #1984. Thanks @rnd-debug.
- `sqrtm` with a matrix having more than two dimensions. Thanks @KonradLinkowski.
- `decimal.js` to `10.2.1`.
v7.3.0
- `usolveAll` and `lsolveAll`, see #1916. Thanks @m93a.
- `std` and `variance`, see #1950. Thanks @rnd-debug.
- expression parser, and implemented functions `bin`, `oct`, and `hex` for formatting. Thanks @clnhlzmn.
- `BigNumber` and `Fraction`. Thanks @ovk.
v7.2.0
- `diff`, see #1634, #1920. Thanks @Veeloxfire.
- `norm`. Thanks @rnd-debug.
v7.1.0
- new in `typed-function@2.0.0`. This fixes #1885: functions which were extended with a new data type did not always work. Thanks @nickewing.
- `math.expression.node.*` instead of `math.*`.
v7.0.2
- `DenseMatrix.resize` and `SparseMatrix.resize` accept `DenseMatrix` and `SparseMatrix` as inputs too, not only `Array`.
- `sum`, `prod`, `min`, and `max` not throwing a conversion error when passing a single string, like `sum("abc")`.
v7.0.1
- `eigs`. Thanks @Lazersmoke.
- `math.nthRoots(x)`.
v7.0.0
Breaking changes:
- `dot` product of complex values. The first argument is now conjugated. See #1761. Thanks @m93a.
To upgrade smoothly from v5 to v7 or higher, upgrade to v6 first and resolve all deprecation warnings.
v6.6.5
- `Infinity` cannot be serialized and deserialized. This is solved now with a new `math.replacer` function used as `JSON.stringify(value, math.replacer)`.
- `Infinity` not turned into the latex symbol `\infty`.
v6.6.4
v6.6.3
- `format`, sometimes resulting in needless trailing zeros.
- `.toNumber()` and `.toNumeric()` not working on a unitless unit.
- `mod`, `and`, `not`, `or`, `xor`, `to`, `in` as object keys. Thanks @Veeloxfire.
- `eigs` not using `config.epsilon`.
v6.6.2
- `eigs` not calculating with BigNumber precision when input contains BigNumbers.
- `prepare`, so you can use the library directly when installing directly from git. See #1751. Thanks @cinderblock.
v6.6.1
- `a/(b/c)`. Thanks @dbramwell.
- `row` and `column`.
v6.6.0
- `eigs`, see #1705, #542, #1175. Thanks @arkajitmandal.
- `DenseMatrix` using `fromJSON`.
- `DenseMatrix.map` copying the size and datatype from the original matrix instead of checking the returned dimensions and type of the callback.
- `^1.2.3`) to allow downstream updates without having to await a new release of mathjs.
v6.5.0
- `baseName` option for `createUnit`, see #1707. Thanks @ericman314.
v6.4.0
- `dimension` with support for n-dimensional points. Thanks @Veeloxfire.
v6.3.0
- `factorial` for `BigNumber` up to a factor two, see #1687. Thanks @kmdrGroch.
v6.2.5
- `IndexNode` using a hardcoded, one-based implementation of `index`, making it impossible to instantiate a zero-based version of the expression parser. See #782.
v6.2.4
- thanks @kevinkelleher12 and @harrysarson.
- `sign(0)` returns complex NaN. Thanks @harrysarson.
v6.2.3
- `mean` not working for units. Thanks @clintonc.
- `min` listed twice in the "See also" section of the embedded docs of function `std`.
- `isPrime`, see #1641. Thanks @arguiot.
v6.2.2
- `map` and `clone` not copying the `dotNotation` property of `IndexNode`. Thanks @rianmcguire.
- `toHTML`. Thanks @maytanthegeek.
- `isNumeric`.
- `0`.
v6.2.1
- `format` not working for expressions.
v6.2.0
- `combinationsWithRep`. Thanks @waseemyusuf.
- `bit` and `byte`.
- `bit` and `byte` instead of `bits` and `bytes`.
- `typed-function@1.1.1`.
v6.1.0
- `combinationsWithRep` (see #1329). Thanks @waseemyusuf.
v6.0.4
- old browsers. Thanks @mockdeep for helping to find a solution.
v6.0.3
- `unpkg` and `jsdelivr` fields in package.json pointing to UMD build. Thanks @tmcw.
- outer user defined function.
v6.0.2
- `import` (regression since v6.0.0).
v6.0.1
- `evaluate` and `parse` missing in generated docs.
v6.0.0
!!! BE CAREFUL: BREAKING CHANGES !!!
Most notable changes
- Full support for ES modules. Support for tree-shaking out of the box.
  Load all functions:
  Use a few functions:
  Load all functions with custom configuration:
  Load a few functions with custom configuration:
  Support for lightweight, number-only implementations of all functions:
- New dependency injection solution used under the hood.
Breaking changes
- Node 6 is no longer supported.
- Functions `config` and `import` are not available anymore in the global context:
  Instead, create your own mathjs instance and pass config and imports there:
- Renamed function `typeof` to `typeOf`, `var` to `variance`, and `eval` to `evaluate` (the old function names are reserved keywords which cannot be used as a variable name).
- Deprecated the `Matrix.storage` function. Use `math.matrix` instead to create a matrix.
- Deprecated function `math.expression.parse`, use `math.parse` instead. Was used before for example to customize supported characters by replacing `math.parse.isAlpha`.
- Moved all classes like `math.type.Unit` and `math.expression.Parser` to `math.Unit` and `math.Parser` respectively.
- Fixed #1428: transform iterating over replaced nodes. New behavior is that it stops iterating when a node is replaced.
- Dropped support for renaming factory functions when importing them.
- Dropped fake BigNumber support of function `erf`.
- Removed all index.js files used to load specific functions instead of all, like:
  Individual functions are now loaded simply like:
  To set a specific configuration on the functions:
  See example `advanced/custom_loading.js`.
- Updated the values of all physical units to their latest official values. See #1529. Thanks @ericman314.
Non breaking changes
- `t`, `tonne`, `bel`, `decibel`, `dB`, and prefixes for `candela`. Thanks @mcvladthegoat.
- `epsilon` setting being applied globally to Complex numbers.
- `math.simplify('add(2, 3)')` throwing an error.
- `lowerExp` and `upperExp` and after that rounded the value instead of the other way around.
- `'use strict'` in every file, not needed anymore.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.