fix(deps): update all non-major dependencies
This MR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| loglevel | dependencies | minor | ~1.7.1 -> ~1.8.0 |
| node | image | patch | 16.20.0-slim -> 16.20.2-slim |
| react-contenteditable | dependencies | minor | ~3.1.1 -> ~3.3.0 |
| reactstrap | dependencies | minor | ~9.1.10 -> ~9.2.0 |
| release-it | devDependencies | minor | ~15.10.5 -> ~15.11.0 |
Release Notes
nodejs/node (node)
v16.20.2: 2023-08-09, Version 16.20.2 'Gallium' (LTS), @RafaelGSS
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
- CVE-2023-32002: Policies can be bypassed via Module._load (High)
- CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
- CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
- OpenSSL Security Releases
More detailed information on each of the vulnerabilities can be found in August 2023 Security Releases blog post.
Commits
- [40c3958a5a] - deps: update archs files for OpenSSL-1.1.1v (RafaelGSS) #49043
- [a9ac9da89a] - deps: fix openssl crypto clean (RafaelGSS) #49043
- [362d4c7494] - deps: upgrade openssl sources to OpenSSL_1_1_1v (RafaelGSS) #49043
- [d8ccfe9ad4] - policy: handle Module.constructor and main.extensions bypass (RafaelGSS) nodejs-private/node-private#445
- [242aaa0caa] - policy: disable process.binding() when enabled (Tobias Nießen) nodejs-private/node-private#459
v16.20.1: 2023-06-20, Version 16.20.1 'Gallium' (LTS), @RafaelGSS
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
- CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
- CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
- CVE-2023-30588: Process interruption due to invalid Public Key information in x509 certificates (Medium)
- CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
- CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
- OpenSSL Security Releases
- c-ares vulnerabilities:
More detailed information on each of the vulnerabilities can be found in June 2023 Security Releases blog post.
Commits
- [5a92ea7a3b] - crypto: handle cert with invalid SPKI gracefully (Tobias Nießen)
- [5df04e893a] - deps: set CARES_RANDOM_FILE for c-ares (Richard Lau) #48156
- [c171cbd124] - deps: update c-ares to 1.19.1 (RafaelGSS) #48115
- [155d3aac02] - deps: update archs files for OpenSSL-1.1.1u+quic (RafaelGSS) #48369
- [8d4c8f8ebe] - deps: upgrade openssl sources to OpenSSL_1_1_1u (RafaelGSS) #48369
- [1a5c9284eb] - doc,test: clarify behavior of DH generateKeys (Tobias Nießen) nodejs-private/node-private#426
- [e42ff4b018] - http: disable request smuggling via empty headers (Paolo Insogna) nodejs-private/node-private#429
- [10042683c8] - msi: do not create AppData\Roaming\npm (Tobias Nießen) nodejs-private/node-private#408
- [a6f4e87bc9] - policy: handle mainModule.__proto__ bypass (RafaelGSS) nodejs-private/node-private#416
- [b77000f4d7] - test: allow SIGBUS in signal-handler abort test (Michaël Zasso) #47851
lovasoa/react-contenteditable (react-contenteditable)
v3.3.7
v3.3.6
v3.3.5
v3.3.4
v3.3.3
v3.3.2
v3.3.1
v3.3.0
v3.2.6
v3.2.5
v3.2.4
v3.2.3
v3.2.2
v3.2.1
v3.2.0
reactstrap/reactstrap (reactstrap)
v9.2.0
Features
- modal: add 'aria-modal="true"' to modal (2a43591)
Bug Fixes
release-it/release-it (release-it)
v15.11.0
Configuration
- If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.