Skip to content

Bump node-forge and @vue/cli-plugin-unit-jest #33999

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
dependabot wants to merge 1 commit into from
Closed

Bump node-forge and @vue/cli-plugin-unit-jest #33999

dependabot wants to merge 1 commit into from

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Sep 9, 2022
edited
Loading

Bumps node-forge and @vue/cli-plugin-unit-jest. These dependencies needed to be updated together.
Updates node-forge from 0.10.0 to 1.3.1

Changelog

Sourced from node-forge's changelog.

1.3.1 - 2022-03-29

Fixes

  • RFC 3447 and RFC 8017 allow for optional DigestAlgorithm NULL parameters for sha* algorithms and require NULL paramters for md2 and md5 algorithms.

1.3.0 - 2022-03-17

Security

  • Three RSA PKCS#1 v1.5 signature verification issues were reported by Moosa Yahyazadeh ([email protected]).
  • HIGH: Leniency in checking digestAlgorithm structure can lead to signature forgery.
  • HIGH: Failing to check tailing garbage bytes can lead to signature forgery.
  • MEDIUM: Leniency in checking type octet.
    • DigestInfo is not properly checked for proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.
    • CVE ID: CVE-2022-24773
    • GHSA ID: GHSA-2r2c-g63r-vccr

Fixed

  • [asn1] Add fallback to pretty print invalid UTF8 data.
  • [asn1] fromDer is now more strict and will default to ensuring all input bytes are parsed or throw an error. A new option parseAllBytes can disable this behavior.
    • NOTE: The previous behavior is being changed since it can lead to security issues with crafted inputs. It is possible that code doing custom DER parsing may need to adapt to this new behavior and optional flag.
  • [rsa] Add and use a validator to check for proper structure of parsed ASN.1

... (truncated)

Commits

Updates @vue/cli-plugin-unit-jest from 4.5.15 to 5.0.8

Release notes

Sourced from @​vue/cli-plugin-unit-jest's releases.

v5.0.8

🐛 Bug Fix

v5.0.7

  • @vue/cli-service
  • @vue/cli-ui
    • #7210 chore: upgrade to apollo-server-express 3.x

Committers: 2

v5.0.6

Fix compatibility with the upcoming Vue 2.7 (currently in alpha) and Vue Loader 15.10 (currently in beta).

In Vue 2.7, vue-template-compiler is no longer a required peer dependency. Rather, there's a new export under the main package as vue/compiler-sfc.

v5.0.5

🐛 Bug Fix

  • @vue/cli
    • #7167 fix(upgrade): prevent changing the structure of package.json file during upgrade (@​blzsaa)
  • @vue/cli-service
  • @vue/cli-plugin-e2e-cypress
    • [697bb44] fix: should correctly resolve cypress bin path for Cypress 10 (Note that the project is still created with Cypress 9 by default, but you can upgrade to Cypress 10 on your own now)

Committers: 3

v5.0.4

🐛 Bug Fix

  • @vue/cli-service
  • @vue/cli-shared-utils, @vue/cli-ui
    • 75826d6 fix: replace node-ipc with @achrinza/node-ipc to further secure the dependency chain

Committers: 1

v5.0.3

... (truncated)

Changelog

Sourced from @​vue/cli-plugin-unit-jest's changelog.

5.0.7 (2022-07-05)

  • @vue/cli-service
  • @vue/cli-ui
    • #7210 chore: upgrade to apollo-server-express 3.x

Committers: 2

5.0.6 (2022-06-16)

Fix compatibility with the upcoming Vue 2.7 (currently in alpha) and Vue Loader 15.10 (currently in beta).

In Vue 2.7, vue-template-compiler is no longer a required peer dependency. Rather, there's a new export under the main package as vue/compiler-sfc.

5.0.5 (2022-06-16)

🐛 Bug Fix

  • @vue/cli
    • #7167 feat(upgrade): prevent changing the structure of package.json file during upgrade (@​blzsaa)
  • @vue/cli-service

Committers: 3

5.0.4 (2022-03-22)

🐛 Bug Fix

  • @vue/cli-service
  • @vue/cli-shared-utils, @vue/cli-ui
    • 75826d6 fix: replace node-ipc with @achrinza/node-ipc to further secure the dependency chain

Committers: 1

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot bot requested a review from a team September 9, 2022 14:05
@PVince81 PVince81 self-assigned this Sep 26, 2022
@PVince81
Copy link
Member

PVince81 commented Sep 26, 2022

@dependabot-bot recreate

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/node-forge-and-vue/cli-plugin-unit-jest-1.3.1 branch from dea34a0 to 2fe520d Compare September 26, 2022 07:20
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/node-forge-and-vue/cli-plugin-unit-jest-1.3.1 branch from 2fe520d to fb9da5c Compare September 26, 2022 12:37
@dependabot
Bump node-forge and @vue/cli-plugin-unit-jest
c764f88 
Bumps [node-forge](https://github.com/digitalbazaar/forge) and [@vue/cli-plugin-unit-jest](https://github.com/vuejs/vue-cli/tree/HEAD/packages/@vue/cli-plugin-unit-jest). These dependencies needed to be updated together.

Updates `node-forge` from 0.10.0 to 1.3.1
- [Release notes](https://github.com/digitalbazaar/forge/releases)
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@0.10.0...v1.3.1)

Updates `@vue/cli-plugin-unit-jest` from 4.5.15 to 5.0.8
- [Release notes](https://github.com/vuejs/vue-cli/releases)
- [Changelog](https://github.com/vuejs/vue-cli/blob/dev/CHANGELOG.md)
- [Commits](https://github.com/vuejs/vue-cli/commits/v5.0.8/packages/@vue/cli-plugin-unit-jest)

---
updated-dependencies:
- dependency-name: node-forge
  dependency-type: indirect
- dependency-name: "@vue/cli-plugin-unit-jest"
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/node-forge-and-vue/cli-plugin-unit-jest-1.3.1 branch from fb9da5c to c764f88 Compare September 26, 2022 12:41
@PVince81
Copy link
Member

PVince81 commented Sep 26, 2022

challenge: it looks like the runner now wants a new package @vue/[email protected]

but installing locally causes trouble:

% npm install "@vue/[email protected]" "@vue/vue2-jest@29" "jest@29" "babel-jest@29"
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: [email protected]
npm ERR! Found: @vue/[email protected]
npm ERR! node_modules/@vue/cli-plugin-unit-jest
npm ERR!   @vue/cli-plugin-unit-jest@"5.0.8" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! @vue/cli-plugin-unit-jest@"5.0.8" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: [email protected]
npm ERR! node_modules/babel-jest
npm ERR!   peer babel-jest@"29.x" from @vue/[email protected]
npm ERR!   node_modules/@vue/vue2-jest
npm ERR!     @vue/vue2-jest@"29" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /home/vincent/.npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/vincent/.npm/_logs/2022-09-26T12_43_29_776Z-debug-0.log

@PVince81
Copy link
Member

PVince81 commented Sep 26, 2022

I tried starting from scratch and here I don't even understand how dependabot even managed to upgrade those deps, maybe it uses an older node version ?

this is with node v16.16:

% npm install "node-forge@latest" "@vue/cli-plugin-unit-jest@latest"       
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: [email protected]
npm ERR! Found: @vue/[email protected]
npm ERR! node_modules/@vue/cli-plugin-unit-jest
npm ERR!   @vue/cli-plugin-unit-jest@"5.0.8" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! @vue/cli-plugin-unit-jest@"5.0.8" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: [email protected]
npm ERR! node_modules/babel-jest
npm ERR!   peer babel-jest@">= 27 < 28" from @vue/[email protected]
npm ERR!   node_modules/@vue/vue2-jest
npm ERR!     peerOptional @vue/vue2-jest@"^27.0.0-alpha.3" from @vue/[email protected]
npm ERR!     node_modules/@vue/cli-plugin-unit-jest
npm ERR!       @vue/cli-plugin-unit-jest@"5.0.8" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /home/vincent/.npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/vincent/.npm/_logs/2022-09-26T12_56_06_732Z-debug-0.log

same error without "node-forge"

@PVince81
Copy link
Member

PVince81 commented Sep 26, 2022

I'll try to remove it like with nextcloud/spreed#7683

@PVince81 PVince81 mentioned this pull request Sep 26, 2022
Merged
@PVince81
Copy link
Member

PVince81 commented Sep 26, 2022

Obsoleted by #34260

@PVince81 PVince81 closed this Sep 26, 2022
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Sep 26, 2022

OK, I won't notify you again about this release, but will get in touch when a new version is available. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/npm_and_yarn/node-forge-and-vue/cli-plugin-unit-jest-1.3.1 branch September 26, 2022 13:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

Assignees

@PVince81 PVince81

Labels

3. to review Waiting for reviews feature: dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@PVince81