Update dependency dexie to v3.2.2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
dexie (source)	3.0.3 -> 3.2.2

GitHub Vulnerability Alerts

CVE-2022-21189

Dexie is a minimalistic wrapper for IndexedDB. The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like proto or constructor). This can allow an attacker to add/modify properties of the Object.prototype leading to prototype pollution vulnerability. Note: This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input.

---

Release Notes

dfahlander/Dexie.js

v3.2.2: Dexie v3.2.2

Compare Source

Security fix

Prohibit possible prototype pollution in Dexie.setByKeyPath() (dexie/Dexie.js@1d655a6)

Bugfix

Fix #​1473 Cannot use Dexie in react-native

A corresponding release 4.0.0-alpha.3 contains the same fixes for 4.x.

v3.2.1: Dexie v3.2.1

Compare Source

• Workaround for issue #​613: Automatically reopen IndexedDB connection in case it was unexpectedly closed, and redo the operation. When a transaction couldn't be created due to invalid state, Dexie will reopen the IndexedDB connection and retry creating the transaction.
• Resolves #​1439 and #​1369 by extending the "exports" field to include "require" compliant version of dexie.

v3.2.0: Dexie v3.2.0

Compare Source

Dexie.js has become Reactive

After one year in alpha, beta and RC, Dexie.js with liveQuery() is now officially released. The main reason for this new feature is better integration with frontend libraries like React, Svelte, Vue and Angular.

Together with this release, the website https://dexie.org also got a face lift with tutorials for React, Svelte, Vue and Angular.

dexie.org

Take a look past the updated website. Old tutorials are replaced with modern relevant framework specific ones. We've added React, Svelte, Vue and Angular samples on the landing page.

All changes since 3.0.3 in chronological order

• PR 1104: dbName follows dependencies.indexedDB (II)
• Option {allKeys: true} to bulkPut() and bulkAdd() will be equally fast as not providing that option.
• Code cleanup and optimizations.
• Expose IDB 'close' event: https://github.com/dfahlander/Dexie.js/pull/1212
• BulkError: Possible to track individual errors. Add failuresByPos property: https://github.com/dfahlander/Dexie.js/pull/1209
• Dexie.getDatabaseNames(): Small optimization for our workaround for non-chromium browsers lacking the IDBFactory.databases(). commit.
• Argument to on.ready() callback will get a special Dexie instance that is not blocked (vip Dexie). This was the case also before but then we had to rely on zone state. This change makes it possible to perform non-dexie operations in on.read() callback (such as fetch()), loosing the zone state (PSD) but still have VIP access to the Dexie instance. This makes the code in a on.ready() callback not having to deal with wrapping all non-Dexie calls with Promise.resolve().
• Allow multiple calls to Version.upgrade() on the same version - will run all of them instead just of the latest registered.
• Retiring old workaround for safari 8 bug not allowing array argument to IDBDatabase.transaction().
• Dexie.delete() specifies an empty addons list to ensure no addons are involved when deleting a database using that static method.
• Minor extended the DBCore interface to make it possible for Dexie Cloud to sync certain operations consistently. Specifically, middlewares that implement the DBCoreTable.mutate() endpoint now also gets information on the where-critera and the update specification when originating from Collection.modify() or Collection.delete().
• Support for Chrome's transaction durability option in Dexie constructor. PR #​1367
• Official event Dexie.on('storagemutated')
• Typings: Stop exporting Dexie as namespace. Enables VSCode's ergonomic auto-import feature for dexie. The namespace export was not even working as expected. The intent had been to support those that code Typescript without using modules. But even they must have been disappointed because the typings did not only reveal parts of the Dexie API.
• Let liveQuery() be type-wise compable with RxJS (PR #​1417)
• Switch to JS implementation of indexedDB.cmp() (PR #​1412)

Fixed Bugs since 3.0.3 in chronological order

• #​1195 The 'update' crud-hook interpreted array properties as object with number keys.
• #​1280 Cannot add CryptoKeys to table with auto-incrementing primary key
• Typing correction: Fix version signatures (PR #​1287)
• Fix #​1236 - problems updating FileSystemFileHandle properties.
• Bugfix: Transaction.abort() does not rollback changes (filed as a repro PR in #​1329). Fixed in PR #​1330.
• Bugfix in Virtual Indexes (the reuse of compound indexes as plain indexes): Couldn't reuse parts of primary keys - only parts of indexes.
• PR #​1379 fix(bulk-delete): correctly define keys type. Fixes #​1364.
• Bugfix for #​1381 Collection.delete() fails silently for queries on virtual indexes that use .filter().
• Deleting multiple tables in a new version using null (#​1418)
• (Another) mysterious MissingAPI error (#​1400)

v3.0.4

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.