🚨 [security] Update postcss-loader 4.3.0 → 8.1.1 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ postcss-loader (4.3.0 → 8.1.1) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ webpack (4.46.0 → 5.90.3) · Repo

Security Advisories 🚨

🚨 Cross-realm object access in Webpack 5

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​types/estree (indirect, 1.0.1 → 1.0.5) · Repo

Sorry, we couldn't find anything useful about this release.

⁉️ asn1.js (downgrade, 5.4.1 → 4.10.1) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ assert (indirect, 1.5.0 → 1.5.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ async-each (indirect, 1.0.3 → 1.0.6) · Repo

Release Notes

1.0.4

Full Changelog: 1.0.3...1.0.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ browserify-sign (indirect, 4.2.1 → 4.2.3) · Repo · Changelog

Security Advisories 🚨

🚨 browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack

Summary

An upper bound check issue in dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack.

Details

In dsaVerify function, it checks whether the value of the signature is legal by calling function checkValue, namely, whether r and s are both in the interval [1, q - 1]. However, the second line of the checkValue function wrongly checks the upper bound of the passed parameters, since the value of b.cmp(q) can only be 0, 1 and -1, and it can never be greater than q.

In this way, although the values of s cannot be 0, an attacker can achieve the same effect as zero by setting its value to q, and then send (r, s) = (1, q) to pass the verification of any public key.

Impact

All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability.

Fix PR:

Since the temporary private fork was deleted, here's a webarchive of the PR discussion and diff pages: PR webarchive.zip

Release Notes

4.2.2 (from changelog)

Fixed

• [Tests] log when openssl doesn't support cipher #37

Commits

• Only apps should have lockfiles 09a8995
• [eslint] switch to eslint 83fe463
• [meta] add npmignore and auto-changelog 4418183
• [meta] fix package.json indentation 9ac5a5e
• [Tests] migrate from travis to github actions d845d85
• [Fix] sign: throw on unsupported padding scheme 8767739
• [Fix] properly check the upper bound for DSA signatures 85994cd
• [Tests] handle openSSL not supporting a scheme f5f17c2
• [Deps] update bn.js, browserify-rsa, elliptic, parse-asn1, readable-stream, safe-buffer a67d0eb
• [Dev Deps] update nyc, standard, tape cc5350b
• [Tests] always run coverage; downgrade nyc 75ce1d5
• [meta] add safe-publish-latest dcf49ce
• [Tests] add npm run posttest 75dd8fd
• [Dev Deps] update tape 3aec038
• [Tests] skip unsupported schemes 703c83e
• [Tests] node < 6 lacks array includes 3aa43cf
• [Dev Deps] fix eslint range 98d4e0d

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ component-emitter (indirect, 1.3.0 → 1.3.1) · Repo · Changelog

Release Notes

1.3.1

• Internal: Update repo URL

Release notes for older releases

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ cosmiconfig (indirect, 7.1.0 → 9.0.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ des.js (indirect, 1.0.1 → 1.1.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ elliptic (indirect, 6.5.4 → 6.5.5) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

⁉️ enhanced-resolve (downgrade, 5.13.0 → 4.5.0) · Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ function-bind (indirect, 1.1.1 → 1.1.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

⁉️ hash-base (downgrade, 3.1.0 → 3.0.4) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ is-accessor-descriptor (indirect, 1.0.0 → 1.0.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ is-data-descriptor (indirect, 1.0.0 → 1.0.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ is-descriptor (indirect, 1.0.2 → 1.0.3) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minimist (indirect, 1.2.6 → 1.2.8) · Repo · Changelog

Release Notes

1.2.8 (from changelog)

Merged

• [Fix] Fix long option followed by single dash #17
• [Tests] Remove duplicate test #12
• [Fix] opt.string works with multiple aliases #10

Fixed

• [Fix] Fix long option followed by single dash (#17) #15
• [Tests] Remove duplicate test (#12) #8
• [Fix] Fix long option followed by single dash #15
• [Fix] opt.string works with multiple aliases (#10) #9
• [Fix] Fix handling of short option with non-trivial equals #5
• [Tests] Remove duplicate test #8
• [Fix] opt.string works with multiple aliases #9

Commits

• Merge tag 'v0.2.3' a026794
• [eslint] fix indentation and whitespace 5368ca4
• [eslint] fix indentation and whitespace e5f5067
• [eslint] more cleanup 62fde7d
• [eslint] more cleanup 36ac5d0
• [meta] add auto-changelog 73923d2
• [actions] add reusable workflows d80727d
• [eslint] add eslint; rules to enable later are warnings 48bc06a
• [eslint] fix indentation 34b0f1c
• [readme] rename and add badges 5df0fe4
• [Dev Deps] switch from covert to nyc a48b128
• [Dev Deps] update covert, tape; remove unnecessary tap f0fb958
• [meta] create FUNDING.yml; add funding in package.json 3639e0c
• [meta] use npmignore to autogenerate an npmignore file be2e038
• Only apps should have lockfiles 282b570
• isConstructorOrProto adapted from PR ef9153f
• [Dev Deps] update @ljharb/eslint-config, aud 098873c
• [Dev Deps] update @ljharb/eslint-config, aud 3124ed3
• [meta] add safe-publish-latest 4b927de
• [Tests] add aud in posttest b32d9bd
• [meta] update repo URLs f9fdfc0
• [actions] Avoid 0.6 tests due to build failures ba92fe6
• [Dev Deps] update tape 950eaa7
• [Dev Deps] add missing npmignore dev dep 3226afa
• Merge tag 'v0.2.2' 980d7ac

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nan (indirect, 2.17.0 → 2.19.0) · Repo · Changelog

Release Notes

2.18.0 (from changelog)

• Feature: Cast v8::Object::GetInternalField() return value to v8::Value (#956) bdfee17

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ parse-asn1 (indirect, 5.1.6 → 5.1.7) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ readable-stream (indirect, 2.3.7 → 2.3.8) · Repo

Release Notes

2.3.8

What's Changed

• fix undefined global for browser / service worker (v2.x branch) by @smeng9 in #499

Full Changelog: v2.3.7...v2.3.8

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

⁉️ serialize-javascript (downgrade, 6.0.1 → 4.0.0) · Repo

Release Notes

6.0.1

What's Changed

• Bump mocha from 9.0.1 to 9.0.2 by @dependabot in #126
• Bump mocha from 9.0.2 to 9.0.3 by @dependabot in #127
• Bump path-parse from 1.0.6 to 1.0.7 by @dependabot in #129
• Bump mocha from 9.0.3 to 9.1.0 by @dependabot in #130
• Bump mocha from 9.1.0 to 9.1.1 by @dependabot in #131
• Bump mocha from 9.1.1 to 9.1.2 by @dependabot in #132
• Bump mocha from 9.1.2 to 9.1.3 by @dependabot in #133
• Bump mocha from 9.1.3 to 9.1.4 by @dependabot in #137
• Bump mocha from 9.1.4 to 9.2.0 by @dependabot in #138
• Bump chai from 4.3.4 to 4.3.6 by @dependabot in #140
• Bump ansi-regex from 5.0.0 to 5.0.1 by @dependabot in #141
• Bump mocha from 9.2.0 to 9.2.2 by @dependabot in #143
• Bump minimist from 1.2.5 to 1.2.6 by @dependabot in #144
• Bump mocha from 9.2.2 to 10.0.0 by @dependabot in #145
• Bump mocha from 10.0.0 to 10.1.0 by @dependabot in #149
• Bump chai from 4.3.6 to 4.3.7 by @dependabot in #150
• ci: test.yml - actions bump by @piwysocki in #151
• Bump minimatch from 3.0.4 to 3.1.2 by @dependabot in #152
• Bump mocha from 10.1.0 to 10.2.0 by @dependabot in #153
• Bump json5 from 2.1.3 to 2.2.3 by @dependabot in #155
• Fix serialization issue for 0n. by @momocow in #156
• Release v6.0.1 by @okuryu in #157

New Contributors

• @piwysocki made their first contribution in #151
• @momocow made their first contribution in #156

Full Changelog: v6.0.0...v6.0.1

6.0.0

Changelog

• Add support for URL's (#123)
• Bump mocha from 9.0.0 to 9.0.1 (#124)
• Bump mocha from 8.4.0 to 9.0.0 (#121)
• Update Node.js CI matrix (#122)
• Bump mocha from 8.3.2 to 8.4.0 (#120)
• Bump lodash from 4.17.19 to 4.17.21 (#119)
• Bump y18n from 4.0.0 to 4.0.1 (#116)
• Bump chai from 4.3.3 to 4.3.4 (#115)
• Bump mocha from 8.3.1 to 8.3.2 (#114)
• Bump mocha from 8.3.0 to 8.3.1 (#113)
• Bump chai from 4.3.1 to 4.3.3 (#112)
• Bump chai from 4.2.0 to 4.3.1 (#111)
• Bump mocha from 8.2.1 to 8.3.0 (#109)
• Bump mocha from 8.1.3 to 8.2.1 (#105)
• Drop Travis CI settings (#100)
• Change default branch name to main (#99)
• GitHub Aactions (#98)

Behavior changes for URL objects

It serializes URL objects as follows since this version. The result of serialization may be changed if you are passing URL object values into the serialize-javascript.

const serialize = require("serialize-javascript");
serialize({u: new URL("http://example.com/")}); // '{"u":new URL("http://example.com/")}'

---

Thank you @rrdelaney for this release.

5.0.1

Changelog

• Exclude .vscode and .github directories from package (#97)

5.0.0

Changelog

• Bump mocha from 8.1.2 to 8.1.3 (#96)
• Support sparse arrays (#95)
• Bump mocha from 8.1.1 to 8.1.2 (#94)
• Bump mocha from 8.1.0 to 8.1.1 (#92)
• Create Dependabot config file (#91)
• Bump mocha from 8.0.1 to 8.1.0 (#90)
• Bump lodash from 4.17.15 to 4.17.19 (#89)
• Bump mocha from 7.2.0 to 8.0.1 (#88)

Behavior changes for sparse arrays

It serializes sparse arrays as follows since this version. The result of serialization may be changed if you are passing sparse arrays values into the serialize-javascript.

const serialize = require('serialize-javascript');
var a = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10];

delete a[0];

a.length = 3;

a[5] = 'wat';

serialize(a) // 'Array.prototype.slice.call({"1":2,"2":3,"5":"wat","length":6})'

---

Thank you @victorporof for this release.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ stream-shift (indirect, 1.0.1 → 1.0.3) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ terser (indirect, 5.17.1 → 5.29.1) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ terser-webpack-plugin (indirect, 1.4.5 → 5.3.10) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ url (indirect, 0.11.0 → 0.11.3) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 acorn-import-assertions (added, 1.9.0)

🆕 buffer (added, 4.9.2)

🆕 call-bind (added, 1.0.7)

🆕 define-data-property (added, 1.1.4)

🆕 define-properties (added, 1.2.1)

🆕 env-paths (added, 2.2.1)

🆕 es-define-property (added, 1.0.0)

🆕 es-errors (added, 1.3.0)

🆕 get-intrinsic (added, 1.2.4)

🆕 gopd (added, 1.0.1)

🆕 has-property-descriptors (added, 1.0.2)

🆕 has-proto (added, 1.0.3)

🆕 has-symbols (added, 1.0.3)

🆕 hasown (added, 2.0.1)

🆕 object-inspect (added, 1.13.1)

🆕 object-keys (added, 1.1.1)

🆕 object.assign (added, 4.1.5)

🆕 qs (added, 6.12.0)

🆕 set-function-length (added, 1.2.1)

🆕 side-channel (added, 1.0.6)

🗑️ @​types/parse-json (removed)

🗑️ cosmiconfig-typescript-loader (removed)

🗑️ klona (removed)

🗑️ querystring (removed)

🗑️ safer-buffer (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)