
fix(deps): update dependency mathjs to v7 [security] #10841

Open · wants to merge 1 commit into base: master

Conversation

renovate[bot] · Contributor

@renovate renovate bot commented Dec 20, 2023

Mend Renovate

This PR contains the following updates:

Package          Change
mathjs (source)  ^5.0.4 -> ^7.0.0

GitHub Vulnerability Alerts

CVE-2020-7743

The package mathjs before 7.5.1 is vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates.


Prototype Pollution in mathjs

CVE-2020-7743 / GHSA-x2fc-mxcx-w4mf / SNYK-JAVA-ORGWEBJARS-1017113 / SNYK-JAVA-ORGWEBJARSBOWER-1017112 / SNYK-JAVA-ORGWEBJARSNPM-1017111 / SNYK-JS-MATHJS-1016401

Severity

  • CVSS Score: 7.3 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

josdejong/mathjs (mathjs)

v7.5.1

  • Fix object pollution vulnerability in math.config. Thanks Snyk.

v7.5.0

  • Function pickRandom now allows randomly picking elements from matrices
    with 2 or more dimensions instead of only from a vector, see #1974.
    Thanks @KonradLinkowski.

v7.4.0

  • Implemented support for passing a precision in functions ceil, floor,
    and fix, similar to round, see #1967, #1901. Thanks @rnd-debug.
  • Implemented function rotationMatrix, see #1160, #1984. Thanks @rnd-debug.
  • Implement a clear error message when using sqrtm with a matrix having
    more than two dimensions. Thanks @KonradLinkowski.
  • Update dependency decimal.js to 10.2.1.

v7.3.0

  • Implemented functions usolveAll and lsolveAll, see #1916. Thanks @m93a.
  • Implemented support for units in functions std and variance, see #1950.
    Thanks @rnd-debug.
  • Implemented support for binary, octal, and hexadecimal notation in the
    expression parser, and implemented functions bin, oct, and hex for
    formatting. Thanks @clnhlzmn.
  • Fix #1964: inconsistent calculation of negative dividend modulo for
    BigNumber and Fraction. Thanks @ovk.

v7.2.0

v7.1.0

  • Implement support for recursion (self-referencing) of typed-functions,
    new in typed-function@2.0.0. This fixes #1885: functions which were
    extended with a new data type did not always work. Thanks @nickewing.
  • Fix #1899: documentation on expression trees still using old namespace
    math.expression.node.* instead of math.*.

v7.0.2

  • Fix #1882: have DenseMatrix.resize and SparseMatrix.resize accept
    DenseMatrix and SparseMatrix as inputs too, not only Array.
  • Fix functions sum, prod, min, and max not throwing a conversion error
    when passing a single string, like sum("abc").

v7.0.1

  • Fix #1844: clarify the documentation of function eigs. Thanks @Lazersmoke.
  • Fix #1855: Fix error in the documentation for math.nthRoots(x).
  • Fix #1856: make the library robust against Object prototype pollution.

v7.0.0

Breaking changes:

  • Improvements in calculation of the dot product of complex values.
    The first argument is now conjugated. See #1761. Thanks @m93a.
  • Dropped official support for Node.js v8 which has reached end of life.
  • Removed all deprecation warnings introduced in v6.
    To upgrade smoothly from v5 to v7 or higher, upgrade to v6 first
    and resolve all deprecation warnings.

v6.6.5

  • Fix #1834: value Infinity cannot be serialized and deserialized.
    This is solved now with a new math.replacer function used as
    JSON.stringify(value, math.replacer).
  • Fix #1842: value Infinity not turned into the latex symbol \infty.

v6.6.4

  • Fix published files containing Windows line endings (CRLF instead of LF).

v6.6.3

  • Fix #1813: bug in engineering notation for numbers of function format,
    sometimes resulting in needless trailing zeros.
  • Fix #1808: methods .toNumber() and .toNumeric() not working on a
    unitless unit.
  • Fix #1645: not being able to use named operators mod, and, not, or,
    xor, to, in as object keys. Thanks @Veeloxfire.
  • Fix eigs not using config.epsilon.

v6.6.2

  • Fix #1789: Function eigs not calculating with BigNumber precision
    when input contains BigNumbers.
  • Run the build script during npm prepare, so you can use the library
    directly when installing directly from git. See #1751. Thanks @cinderblock.

v6.6.1

v6.6.0

  • Implemented function eigs, see #1705, #542, #1175. Thanks @arkajitmandal.
  • Fixed #1727: validate matrix size when creating a DenseMatrix using
    fromJSON.
  • Fixed DenseMatrix.map copying the size and datatype from the original
    matrix instead of checking the returned dimensions and type of the callback.
  • Add a caret to dependencies (like ^1.2.3) to allow downstream updates
    without having to await a new release of mathjs.

v6.5.0

v6.4.0

  • Extended function dimension with support for n-dimensional points.
    Thanks @Veeloxfire.

v6.3.0

  • Improved performance of factorial for BigNumber up to a factor two,
    see #1687. Thanks @kmdrGroch.

v6.2.5

  • Fixed IndexNode using a hardcoded, one-based implementation of index,
    making it impossible to instantiate a zero-based version of the expression
    parser. See #782.

v6.2.4

v6.2.3

  • Fixed #1640: function mean not working for units. Thanks @clintonc.
  • Fixed #1639: function min listed twice in the "See also" section of the
    embedded docs of function std.
  • Improved performance of isPrime, see #1641. Thanks @arguiot.

v6.2.2

  • Fixed methods map and clone not copying the dotNotation property of
    IndexNode. Thanks @rianmcguire.
  • Fixed a typo in the documentation of toHTML. Thanks @maytanthegeek.
  • Fixed #1615: error in the docs of isNumeric.
  • Fixed #1628: Cannot call methods on empty strings or numbers with value 0.

v6.2.1

  • Fixed #1606: function format not working for expressions.

v6.2.0

  • Improved performance of combinationsWithRep. Thanks @waseemyusuf.
  • Add unit aliases bit and byte.
  • Fix docs referring to bit and byte instead of bits and bytes.
  • Updated dependency typed-function@1.1.1.

v6.1.0

v6.0.4

  • Fixed #1554, #1565: ES Modules were not transpiled to ES5, giving issues on
    old browsers. Thanks @mockdeep for helping to find a solution.

v6.0.3

  • Add unpkg and jsdelivr fields in package.json pointing to UMD build.
    Thanks @tmcw.
  • Fix #1550: nested user defined function not receiving variables of an
    outer user defined function.

v6.0.2

  • Fix not being able to set configuration after disabling function import
    (regression since v6.0.0).

v6.0.1

  • Fix function reference not published in npm library.
  • Fix function evaluate and parse missing in generated docs.

v6.0.0

!!! BE CAREFUL: BREAKING CHANGES !!!

Most notable changes
  1. Full support for ES modules. Support for tree-shaking out of the box.

    Load all functions:

    import * as math from 'mathjs'

    Use a few functions:

    import { add, multiply } from 'mathjs'

    Load all functions with custom configuration:

    import { create, all } from 'mathjs'
    const config = { number: 'BigNumber' }
    const math = create(all, config)

    Load a few functions with custom configuration:

    import { create, addDependencies, multiplyDependencies } from 'mathjs'
    const config = { number: 'BigNumber' }
    const { add, multiply } = create({
      addDependencies,
      multiplyDependencies
    }, config)
  2. Support for lightweight, number-only implementations of all functions:

    import { add, multiply } from 'mathjs/number'
    
  3. New dependency injection solution used under the hood.

Breaking changes
  • Node 6 is no longer supported.

  • Functions config and import are not available anymore in the global
    context:

    // v5
    import * as mathjs from 'mathjs'
    mathjs.config(...) // error in v6.0.0
    mathjs.import(...) // error in v6.0.0

    Instead, create your own mathjs instance and pass config and imports
    there:

    // v6
    import { create, all } from 'mathjs'
    const config = { number: 'BigNumber' }
    const mathjs = create(all, config)
    mathjs.import(...)
  • Renamed function typeof to typeOf, var to variance,
    and eval to evaluate (the old function names are reserved keywords
    which cannot be used as variable names).

  • Deprecated the Matrix.storage function. Use math.matrix instead to create
    a matrix.

  • Deprecated function math.expression.parse, use math.parse instead.
    Was used before for example to customize supported characters by replacing
    math.parse.isAlpha.

  • Moved all classes like math.type.Unit and math.expression.Parser to
    math.Unit and math.Parser respectively.

  • Fixed #1428: transform iterating over replaced nodes. New behavior
    is that it stops iterating when a node is replaced.

  • Dropped support for renaming factory functions when importing them.

  • Dropped fake BigNumber support of function erf.

  • Removed all index.js files used to load specific functions instead of all, like:

    // v5
    // ... set up empty instance of mathjs, then load a set of functions:
    math.import(require('mathjs/lib/function/arithmetic'))
    

    Individual functions are now loaded simply like:

    // v6
    import { add, multiply } from 'mathjs'

    To set a specific configuration on the functions:

    // v6
    import { create, addDependencies, multiplyDependencies } from 'mathjs'
    const config = { number: 'BigNumber' }
    const math = create({ addDependencies, multiplyDependencies }, config)

    See example advanced/custom_loading.js.

  • Updated the values of all physical units to their latest official values.
    See #1529. Thanks @ericman314.

Non breaking changes
  • Implemented units t, tonne, bel, decibel, dB, and prefixes
    for candela. Thanks @mcvladthegoat.
  • Fixed epsilon setting being applied globally to Complex numbers.
  • Fix math.simplify('add(2, 3)') throwing an error.
  • Fix #1530: number formatting first applied lowerExp and upperExp
    and after that rounded the value instead of the other way around.
  • Fix #1473: remove 'use strict' in every file, not needed anymore.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
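The advisory in this PR names the recursive configuration merge (deepExtend) as the pollution path and v7.0.1/v7.5.1 as the fixes. The block below is an added illustration, not mathjs's own code: a naive merge of the affected kind beside a hardened one, plus a regression check a test suite can run after a dependency bump; `untrustedConfig` is a constructed input shaped like a `math.config()` argument.

```javascript
// Added illustration (not mathjs's own code) of the bug class behind
// CVE-2020-7743: a recursive config merge that trusts key names, beside one that does not.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive merge: for a key literally named "__proto__", dst[key] resolves to
// Object.prototype, so the nested values land on every object in the process.
function naiveDeepExtend(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      naiveDeepExtend(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Hardened merge: skip keys that reach the prototype chain and recurse only
// into plain objects that dst itself owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeDeepExtend(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || !isPlainObject(dst[key])) dst[key] = {};
      safeDeepExtend(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Regression check: merge `src` into a fresh object, report what leaked onto
// Object.prototype, and undo the leak so later checks start clean.
function leakedPrototypeKeys(extendFn, src) {
  const before = new Set(Object.getOwnPropertyNames(Object.prototype));
  extendFn({}, src);
  const leaked = Object.getOwnPropertyNames(Object.prototype).filter((k) => !before.has(k));
  for (const k of leaked) delete Object.prototype[k];
  return leaked;
}

// Constructed config update shaped like a math.config() argument; the
// "__proto__" entry is the hostile part.
const untrustedConfig = JSON.parse('{"number":"BigNumber","__proto__":{"polluted":"yes"}}');
```

`leakedPrototypeKeys(safeDeepExtend, untrustedConfig)` returning an empty array is the property a dependency-update PR like this one should keep asserting in CI.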

@renovate renovate bot requested a review from a team as a code owner December 20, 2023 16:04
@renovate renovate bot requested a review from a team December 20, 2023 16:04

socket-security bot commented Dec 20, 2023

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package                 New capabilities  Transitives  Size     Publisher
npm/complex.js@2.1.1    None              0            78.9 kB  infusion
npm/fraction.js@4.3.7   None              0            86.2 kB  infusion
npm/mathjs@7.6.0        None              +3           10.7 MB  josdejong

🚮 Removed packages: npm/complex.js@2.0.11, npm/fraction.js@4.0.12, npm/mathjs@5.10.3

View full report↗︎

@renovate renovate bot force-pushed the renovate/npm-mathjs-vulnerability branch 2 times, most recently from 0029a7e to dc6061f Compare December 22, 2023 17:31
@renovate renovate bot force-pushed the renovate/npm-mathjs-vulnerability branch 7 times, most recently from a5c487f to d7c53a2 Compare January 9, 2024 11:24
@renovate renovate bot force-pushed the renovate/npm-mathjs-vulnerability branch 9 times, most recently from 82bc066 to f30f451 Compare January 17, 2024 11:23
@renovate renovate bot force-pushed the renovate/npm-mathjs-vulnerability branch 3 times, most recently from c983823 to f322b37 Compare January 23, 2024 17:58
@renovate renovate bot force-pushed the renovate/npm-mathjs-vulnerability branch 4 times, most recently from e829177 to 13729a3 Compare January 30, 2024 14:56
@renovate renovate bot force-pushed the renovate/npm-mathjs-vulnerability branch 11 times, most recently from b5985f1 to e63a4ad Compare May 22, 2024 15:00
@lvpeschke lvpeschke requested review from pahor167 and soloseng and removed request for a team May 22, 2024 15:17
@renovate renovate bot force-pushed the renovate/npm-mathjs-vulnerability branch 6 times, most recently from e2090fc to c862be7 Compare May 28, 2024 16:52
@renovate renovate bot force-pushed the renovate/npm-mathjs-vulnerability branch 5 times, most recently from 8310065 to 00b1966 Compare June 5, 2024 17:58
@renovate renovate bot force-pushed the renovate/npm-mathjs-vulnerability branch 3 times, most recently from 550c87a to 8c375c7 Compare June 6, 2024 10:31
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/npm-mathjs-vulnerability branch from 8c375c7 to e03608e Compare June 7, 2024 08:20