🚨 [security] [js] Update gulp 4.0.2 → 5.0.0 (major) (!54) · Merge requests · noraj / hacker-profile

Depfu Bot requested to merge depfu/update/npm/gulp-5.0.0 into master Mar 30, 2024

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ gulp (4.0.2 → 5.0.0) · Repo · Changelog

Release Notes

5.0.0

We've tried to provide a high-level changelog for gulp v5 below, but it
doesn't contain all changes from the 60+ dependencies that we maintain.

Please see individual changelogs to drill down
into all changes that were made.

⚠ BREAKING CHANGES

Drop support for Node.js <10.13

Default stream encoding to UTF-8

Standardized on anymatch library for globbing paths. All globs should work the same between src and watch now!

Removed support for ordered globs. This aligns with the chokidar globbing implementation. If you need your globs to be ordered, you can use ordered-read-stream

All globs and paths are normalized to unix-like filepaths

Only allow JS variants for .gulp.* config files

Removed support for alpha releases of v4 from gulp-cli

Removed the --verify flag

Renamed the --require flag to --preload to avoid conflicting with Node.js flags

Removed many legacy and deprecated loaders

Upgrade to chokidar v3

Clone Vinyl objects with stream contents using teex, but no longer wait for all streams to flow before cloned streams will receive data

Stop using process.umask() to make directories, instead falling back to Node's default mode

Throw on non-function, non-string option coercers

Drop support of Node.js snake_case flags

Use a Symbol for attaching the gulplog namespace to the store

Use a Symbol for attaching the gulplog store to the global

Use sha256 to hash the v8flags cache into a filename

Features

Streamlined the dependency tree

Switch all streams implementation to Streamx

Rewrote glob-stream to use a custom directory walk that relies on newer Node.js features and is more performant than old implementation

Implement translation support for all CLI messages and all messages passing through gulplog

Allow users to customize or remove the timestamp from their logs

Upgraded gulplog to v2. Messages logged via v1 will also display a deprecated warning. Plugins should update to v2 as the community upgrades to gulp 5

Added support for gulpile.cjs and gulpfile.mjs

Add support for swc, esbuild, sucrase, and mdx loaders

Provide an ESM export (#2760) (b00de68)

Support sourcemap handling on streaming Vinyl contents

Support extends syntax for .gulp.* config file

Allow overriding gulpfile and preloads via .gulp.* config file

Bug Fixes

Resolve bugs related to symlinks on various platforms

Resolved some reported ReDoS CVEs and improved performance in glob-parent

Rework errors surfaced when encountering files or symlinks when trying to create directories

Ensure watch allows japanese characters in globs (72668c6)

Ensure watch does not trigger on negated globs (72668c6)

Improve handling of BOM at the beginning of a stream

Properly handle function coercer in array of option coercers

Fork to-absolute-glob to:

Check negative patterns before trimming

Ensure glob-like characters are escaped in cwd & root options

Resolve ../ at the beginning of globs

Miscellaneous Chores

Remove lazystream dependency

Updated various stream test suites to test against Node.js core stream, readable-stream, and streamx

Normalize repository, dropping node <10.13 support (#2758) (72668c6)

Individual Changelogs

We created and maintain various projects that gulp depends upon. You can find their changelogs linked below:

undertaker

vinyl-fs

glob-stream

gulp-cli

interpret

glob-parent

glob-watcher

vinyl

fs-mkdirp-stream

lead

vinyl-sourcemap

to-through

resolve-options

remove-bom-stream

value-or-function

now-and-later

@gulpjs/to-absolute-glob

fined

mute-stdout

semver-greatest-satisfied-range

flagged-respawn

rechoir

gulplog

glogg

@gulpjs/messages

sparkles

liftoff

v8flags

bach

undertaker-registry

async-settle

last-run

async-done

replace-homedir

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 45 commits:

↗️ ansi-regex (indirect, 2.1.1 → 5.0.1) · Repo

Security Advisories 🚨

🚨 Inefficient Regular Expression Complexity in chalk/ansi-regex

ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.

Proof of Concept
import ansiRegex from 'ansi-regex';
for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = "\u001B["+";".repeat(i*10000);
    ansiRegex().test(attack_str)
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}
The ReDOS is mainly due to the sub-patterns [[\\]()#;?]* and (?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*

🚨 Inefficient Regular Expression Complexity in chalk/ansi-regex

ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.

Proof of Concept
import ansiRegex from 'ansi-regex';
for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = "\u001B["+";".repeat(i*10000);
    ansiRegex().test(attack_str)
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}
The ReDOS is mainly due to the sub-patterns [[\\]()#;?]* and (?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*

🚨 Inefficient Regular Expression Complexity in chalk/ansi-regex

ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.

Proof of Concept
import ansiRegex from 'ansi-regex';
for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = "\u001B["+";".repeat(i*10000);
    ansiRegex().test(attack_str)
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}
The ReDOS is mainly due to the sub-patterns [[\\]()#;?]* and (?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*

Release Notes

5.0.1

Fixes (backport of 6.0.1 to v5)

This is a backport of the minor ReDos vulnerability in ansi-regex@<6.0.1, as requested in #38.

Fix ReDoS in certain cases (#37)
You are only really affected if you run the regex on untrusted user input in a server context, which it's very unlikely anyone is doing, since this regex is mainly used in command-line tools.

CVE-2021-3807

https://github.com/chalk/ansi-regex/compare/v5.0.0..v5.0.1

Thank you @yetingli for the patch and reproduction case!

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 23 commits:

↗️ anymatch (indirect, 2.0.0 → 3.1.3) · Repo

Release Notes

3.1.3

Fixes:

Keep trailing slash on paths

Add TypeScript overload for test string being null

3.1.2

Bugfixes

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 51 commits:

↗️ binary-extensions (indirect, 1.13.1 → 2.3.0) · Repo

Release Notes

2.3.0

Add afdesign, afphoto, and afpub (#30) 11b0135

v2.2.0...v2.3.0

2.2.0

Add OpenDocument file extensions (#27) 882c75c

v2.1.0...v2.2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 14 commits:

↗️ braces (indirect, 2.3.2 → 3.0.2) · Repo · Changelog

Release Notes

3.0.0 (from changelog)

v3.0 is a complete refactor, resulting in a faster, smaller codebase, with fewer deps, and a more accurate parser and compiler.

Breaking Changes

The undocumented .makeRe method was removed

Non-breaking changes

Caching was removed

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 1 commit:

3.0.2

↗️ chokidar (indirect, 2.1.6 → 3.6.0) · Repo · Changelog

Release Notes

3.6.0

What's Changed

fix readyCount logic by @JLHwung in #1288

handle MustScanSubDirs by @MarcCelani-at in #1197

update fs.FSWatcher types to satisfy nodejs versions >= 16; fixes #1299 by @ben-polinsky in #1300

New Contributors

@Mutahhar made their first contribution in #1226

@zqianem made their first contribution in #1242

@JLHwung made their first contribution in #1288

@MarcCelani-at made their first contribution in #1197

@ben-polinsky made their first contribution in #1300

Full Changelog: 3.5.3...3.6.0

3.5.2

"Update" glob-parent dependency from ~5.1.0 to ~5.1.2 to silence "vulnerability" warnings

3.5.0

Support for ARM Macs with Apple Silicon.

Fixed missing removal of symlinks when the target path was deleted (#1042)

3.2.1

Improve Linux RAM usage by 50%. Stability optimizations. Race condition fixes. Windows glob fixes.

3.1.1

Fixes "Expected pattern to be a non-empty string" (#871)

3.1.0

Emit dotfiles by default. You can filter them out by using ignored option.

Improves Linux performance by 50%.

3.0.2

Brings bigint support to stat outputs on windows.

Fixes ready event emission for symlink directories.

3.0.1

Fixes "Assertion failed" errors when a watcher is closed

General optimizations

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ cliui (indirect, 3.2.0 → 7.0.4) · Repo · Changelog

Release Notes

7.0.4

Bug Fixes

deno: import UIOptions from definitions (#97) (f04f343)

7.0.3

Bug Fixes

exports: node 13.0 and 13.1 require the dotted object form with a string fallback (#93) (eca16fc)

7.0.2

Bug Fixes

exports: node 13.0-13.6 require a string fallback (#91) (b529d7e)

7.0.1

Bug Fixes

build: main should be build/index.cjs (dc29a3c)

7.0.0

⚠ BREAKING CHANGES

tsc/ESM/Deno support (#82)

modernize deps and build (#80)

Build System

modernize deps and build (#80) (339d08d)

Code Refactoring

tsc/ESM/Deno support (#82) (4b777a5)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 57 commits:

↗️ convert-source-map (indirect, 1.6.0 → 2.0.0) · Repo

Commits

See the full diff on Github. The new version differs by 15 commits:

↗️ copy-props (indirect, 2.0.4 → 4.0.0) · Repo · Changelog

Security Advisories 🚨

🚨 Prototype Pollution in copy-props

The package copy-props before 2.0.5 are vulnerable to Prototype Pollution via the main functionality.

Release Notes

4.0.0

⚠ BREAKING CHANGES

Upgrade each-props to v3.0.0

Remove pre-built browser bundles (#13)

Miscellaneous Chores

Remove pre-built browser bundles (#13) (ebb6dab)

Upgrade each-props to v3.0.0 (ebb6dab)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 21 commits:

↗️ end-of-stream (indirect, 1.4.1 → 1.4.4) · Repo

Commits

See the full diff on Github. The new version differs by 14 commits:

↗️ fill-range (indirect, 4.0.0 → 7.0.1) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ findup-sync (indirect, 3.0.0 → 5.0.0) · Repo · Changelog

Release Notes

5.0.0

⚠ BREAKING CHANGES

Normalize repository, dropping node <10.13 support (#52)

Miscellaneous Chores

Normalize repository, dropping node <10.13 support (#52) (b62b918)

4.0.0

Breaking

Drop support for node <8 (4e46134)

Upgrade

Update micromatch & devDeps (b926b21)

Build

Ignore fixtures directory when linting (35cd0a2)

Disable npm audit (3cee51e)

Scaffold

Update license year (513e4de)

Update repository template (67fa64b)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

↗️ fsevents (indirect, 1.2.9 → 2.3.3) · Repo

Security Advisories 🚨

🚨 Code injection in fsevents

fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary.

Release Notes

2.3.1

Released to npm as v2.3.1

Release contains universal binary for x86 & amd64 (m1) chips

2.2.2

Released to npm as v2.2.2

Universal Binary Support x86-64 & amd64(m1)

2.2.0

Electron Enabled (no static functions/variables)

2.0.1

Fixing the API for chokidar since it was calling FSEvents as a constructor

2.0.0

We have upgraded to N-API. For that reason we have also dropped support for node < 6.

For that reason, we have made this a major version bump so dependents have to opt in. The actual API remains entirely the same, so if you are depending on fsevents, it should be as simple as changing the version number in your package.json.

1.2.13

Only build on Mac-OSX

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ function-bind (indirect, 1.1.1 → 1.1.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 26 commits:

↗️ get-caller-file (indirect, 1.0.3 → 2.0.5) · Repo

Commits

See the full diff on Github. The new version differs by 37 commits:

↗️ glob-parent (indirect, 3.1.0 → 5.1.2) · Repo · Changelog

Security Advisories 🚨

🚨 glob-parent before 6.0.1 and 5.1.2 vulnerable to Regular Expression Denial of Service (ReDoS)

glob-parent before 6.0.1 and 5.1.2 is vulnerable to Regular Expression Denial of Service (ReDoS). This issue is fixed in version 6.0.1 and 5.1.2.

🚨 glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Release Notes

5.1.2

Bug Fixes

eliminate ReDoS (#36) (f923116)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 23 commits:

↗️ glob-stream (indirect, 6.1.0 → 8.0.1) · Repo · Changelog

Release Notes

8.0.1

Bug Fixes

Avoid pushing additional paths to queue when error occurs (#124) (8eaab85)

Traverse symlink folders (#122) (d49d9bd)

8.0.0

⚠ BREAKING CHANGES

Switch to streamx (#119)

Combine GlobStream & GlobReadable into unified API

Replace glob with anymatch & custom directory walk (#118)

Drop support for ordered globs (#115)

Features

Combine GlobStream & GlobReadable into unified API (6aad264)

Replace glob with anymatch & custom directory walk (#118) (6aad264)

Switch to streamx (#119) (8d6b35c)

Bug Fixes

Normalize cwd on windows (8d6b35c)

Properly handle glob-like characters in paths (#117) (872a957)

Resolve cwd to support relative cwd paths (8d6b35c)

Miscellaneous Chores

Drop support for ordered globs (#115) (f37bccc)

7.0.0

⚠ BREAKING CHANGES

Normalize repository, dropping node <10.13 support (#101)

Miscellaneous Chores

Normalize repository, dropping node <10.13 support (#101) (c110ed1)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 20 commits:

↗️ glogg (indirect, 1.0.2 → 2.2.0) · Repo · Changelog

Release Notes

2.2.0

Features

Re-emit messages from legacy namespace on new namespace (#9) (88350e4)

2.1.0

Features

Emit all arguments when first argument is not a string (#7) (578a2aa)

2.0.0

⚠ BREAKING CHANGES

Normalize repository, dropping node <10.13 support (#5)

Miscellaneous Chores

Normalize repository, dropping node <10.13 support (#5) (8bb6148)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

↗️ graceful-fs (indirect, 4.1.15 → 4.2.11) · Repo

Commits

See the full diff on Github. The new version differs by 55 commits:

↗️ inherits (indirect, 2.0.3 → 2.0.4) · Repo

Commits

See the full diff on Github. The new version differs by 6 commits:

↗️ ini (indirect, 1.3.5 → 1.3.8) · Repo · Changelog

Security Advisories 🚨

🚨 ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse

Overview

The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6.

Steps to reproduce

payload.ini
[__proto__]
polluted = "polluted"
poc.js:
var fs = require('fs')
var ini = require('ini')
var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.proto)
console.log(polluted)
> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted

Commits

See the full diff on Github. The new version differs by 9 commits:

↗️ interpret (indirect, 1.2.0 → 3.1.1) · Repo · Changelog

Release Notes

3.1.1

Bug Fixes

Include cjs-stub in npm bundle (4f7d798)

3.1.0

Features

Add .cts to support typescript 4.7 (#90) (c1ffa36)

3.0.0

⚠ BREAKING CHANGES

Provide default configuration in register functions (#83)

Only load sucrase tsx hook for .tsx extension

Normalize repository, dropping node <10.13 support (#80)

Remove legacy node-jsx hook

Remove deprecated typescript-node hook

Remove deprecated typescript-register hook

Remove unmaintained typescript-require hook

Replace legacy require-yaml with yaml-hook

Remove legacy require-xml support

Remove legacy/deprecated babel hooks

Remove legacy buble support

Remove legacy cirru-script support

Remove legacy node-cjsx support

Remove legacy coco support

Remove legacy/deprecated coffeescript hooks

Remove legacy require-csv support

Remove legacy earlgrey support

Remove legacy iced-coffee-script support

Remove legacy require-ini support

Remove legacy json5 hook

Remove legacy livescript support

Remove legacy wisp support

Drop legacy loaders & extensions (#79)

Ensure babel only transforms files that match the full extension

Features

Add .cjs extension and stub hook (#75) (7989161)

Add @swc/register as a loader for .ts and .tsx extensions (#74) (f160451)

Add esbuild-register for typescript extensions (#77) (963f5fa)

Add new extensions as JS variants (8a8df59)

Add sucrase hook as alternative for .jsx (58f678e)

Add support for .esbuild.(js|jsx|ts|tsx) extensions (fcb9672)

Add support for .sucrase.(js|jsx|ts|tsx) extensions (216ad12)

Add support for .swc.(js|jsx|ts|tsx) extensions (c054cf2)

Allow register function configuration to be overridden (7856f7e)

Leverage endsWith instead of RegExp in matchers (#82) (6404724)

Provide default configuration in register functions (#83) (7856f7e)

Support .babel.(jsx|tsx) extensions (1e3d0f8)

Support .mdx extension hook (#85) (cd24c39)

Bug Fixes

Apply correct ordering to esbuild-register (fcfbdb4)

Ensure babel only transforms files that match the full extension (81ed502)

Ensure esbuild-register only applies to ts or tsx files (5680b3f)

Only load sucrase tsx hook for .tsx extension (e9376a1)

Miscellaneous Chores

Drop legacy loaders & extensions (#79) (18a0319)

Normalize repository, dropping node <10.13 support (#80) (7b69c63)

Remove deprecated typescript-node hook (18a0319)

Remove deprecated typescript-register hook (18a0319)

Remove legacy buble support (18a0319)

Remove legacy cirru-script support (18a0319)

Remove legacy coco support (18a0319)

Remove legacy earlgrey support (18a0319)

Remove legacy iced-coffee-script support (18a0319)

Remove legacy json5 hook (18a0319)

Remove legacy livescript support (18a0319)

Remove legacy node-cjsx support (18a0319)

Remove legacy node-jsx hook (18a0319)

Remove legacy require-csv support (18a0319)

Remove legacy require-ini support (18a0319)

Remove legacy require-xml support (18a0319)

Remove legacy wisp support (18a0319)

Remove legacy/deprecated babel hooks (18a0319)

Remove legacy/deprecated coffeescript hooks (18a0319)

Remove unmaintained typescript-require hook (18a0319)

Replace legacy require-yaml with yaml-hook (18a0319)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 58 commits:

↗️ is-binary-path (indirect, 1.0.1 → 2.1.0) · Repo

Release Notes

2.1.0

Add TypeScript definition (#4) 7a23522

v2.0.0...v2.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 11 commits:

↗️ is-fullwidth-code-point (indirect, 1.0.0 → 3.0.0) · Repo

Release Notes

3.0.0

Breaking:

Require Node.js 8 15be660

Enhancements:

Add TypeScript definition (#6) 8ee750b

v2.0.0...v3.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

↗️ is-glob (indirect, 4.0.1 → 4.0.3) · Repo

Commits

See the full diff on Github. The new version differs by 8 commits:

↗️ is-number (indirect, 3.0.0 → 7.0.0) · Repo

Commits

See the full diff on Github. The new version differs by 19 commits:

↗️ is-plain-object (indirect, 2.0.4 → 5.0.0) · Repo

Release Notes

5.0.0

Migrated from default to named export (see why here lukeed/klona#17):

ESM/TypeScript
- import isPlainObject from 'is-plain-object';
+ import { isPlainObject } from 'is-plain-object';
CommonJS
- const isPlainObject = require('is-plain-object');
+ const { isPlainObject } = require('is-plain-object');
Added native ESM support via exports mapping

4.1.0

Reduced size and added type guide to ts definition (thanks to @lifeiscontent)

4.0.0

In this release Object.create(null) is considered as plain object as well.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 22 commits:

↗️ liftoff (indirect, 3.1.0 → 5.0.0) · Repo · Changelog

Release Notes

5.0.0

⚠ BREAKING CHANGES

Define configFiles with an array to prioritize configs (#133)

Populate additional preload modules with configFiles (#131)

Lookup configPath in configFiles (#128)

Features

Define configFiles with an array to prioritize configs (#133) (55123fc)

Lookup configPath in configFiles (#128) (5301335)

Populate additional preload modules with configFiles (#131) (fad21a9)

Bug Fixes

Disallow non-string configPath overrides (#130) (6bcd381)

4.0.0

⚠ BREAKING CHANGES

Support extends syntax in config files (#103)

Normalize repository, dropping node <10.13 support (#118)

call env.completion inside execute to allow additional configuration (#106)

Rename opts.require to opts.preload

Rename events to be more specific

Remove launch API

Features

Add beforeRequire event (65f350d)

Rename opts.require to opts.preload (596926a)

Rename events to be more specific (cbb8456)

Support extends syntax in config files (#103) (68c9db7)

Bug Fixes

call env.completion inside execute to allow additional configuration (#106) (2a1fc4b)

Update rechoir to support dots in config name (33a6286)

Miscellaneous Chores

Normalize repository, dropping node <10.13 support (#118) (d671e76)

Remove launch API (dea6860)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 18 commits:

↗️ micromatch (indirect, 3.1.10 → 4.0.5) · Repo · Changelog

Release Notes

4.0.4

fix: Update picomatch to fix regression #179 (8becb55)

4.0.3

Enforce newer version of picomatch with bugfixes

4.0.0 (from changelog)

Added

Adds support for options.onMatch. See the readme for details

Adds support for options.onIgnore. See the readme for details

Adds support for options.onResult. See the readme for details

Breaking changes

Removed support for passing an array of brace patterns to micromatch.braces().

To strictly enforce closing brackets (for {, [, and (), you must now use strictBrackets=true instead of strictErrors.

cache - caching and all related options and methods have been removed

options.unixify was renamed to options.windows

options.nodupes Was removed. Duplicates are always removed by default. You can override this with custom behavior by using the onMatch, onResult and onIgnore functions.

options.snapdragon was removed, as snapdragon is no longer used.

options.sourcemap was removed, as snapdragon is no longer used, which provided sourcemap support.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ normalize-path (indirect, 2.1.1 → 3.0.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ path-parse (indirect, 1.0.6 → 1.0.7) · Repo

Security Advisories 🚨

🚨 Regular Expression Denial of Service in path-parse

Affected versions of npm package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Commits

See the full diff on Github.

Sorry, we couldn't find anything useful about this release.

↗️ readable-stream (indirect, 2.3.6 → 3.6.2) · Repo

Release Notes

3.6.2

What's Changed

Fix es5 compatibility by @mcollina in #508

Full Changelog: v3.6.1...v3.6.2

3.6.0

Fix babel loose mode for classes and update to Node v10.19.0 #428 by @ljharb

2.3.8

What's Changed

fix undefined global for browser / service worker (v2.x branch) by @smeng9 in #499

Full Changelog: v2.3.7...v2.3.8

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 73 commits:

↗️ readdirp (indirect, 2.2.1 → 3.6.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rechoir (indirect, 0.6.2 → 0.8.0) · Repo · Changelog

Release Notes

0.8.0

⚠ BREAKING CHANGES

Normalize repository, dropping node <10.13 support (#40)

Miscellaneous Chores

Normalize repository, dropping node <10.13 support (#40) (00f5968)

0.7.1

Fix

Support single character extensions (1258548) - Closes #38 #39

Docs

Add enterprise language (4b3adcc)

Scaffold

Add FUNDING.yml (64cccd9)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

↗️ resolve (indirect, 1.11.0 → 1.22.8) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ safe-buffer (indirect, 5.1.2 → 5.2.1) · Repo

Commits

See the full diff on Github. The new version differs by 14 commits:

↗️ semver (indirect, 5.7.0 → 6.3.1) · Repo · Changelog

Security Advisories 🚨

🚨 semver vulnerable to Regular Expression Denial of Service

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

🚨 semver vulnerable to Regular Expression Denial of Service

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Release Notes

6.3.1

6.3.1 (2023-07-10)

Bug Fixes

928e56d #591 better handling of whitespace (#591) (@lukekarrys, @joaomoreno, @nicolo-ribaudo)

5.7.2

5.7.2 (2023-07-10)

Bug Fixes

2f8fd41 #585 better handling of whitespace (#585) (@joaomoreno, @lukekarrys)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 31 commits:

↗️ string-width (indirect, 1.0.2 → 4.2.3) · Repo

Commits

See the full diff on Github. The new version differs by 31 commits:

↗️ string_decoder (indirect, 1.1.1 → 1.3.0) · Repo

Commits

See the full diff on Github. The new version differs by 8 commits:

↗️ strip-ansi (indirect, 3.0.1 → 6.0.1) · Repo

Commits

See the full diff on Github. The new version differs by 19 commits:

↗️ to-regex-range (indirect, 2.1.1 → 5.0.1) · Repo

Commits

See the full diff on Github. The new version differs by 23 commits:

↗️ to-through (indirect, 2.0.0 → 3.0.0) · Repo · Changelog

Release Notes

3.0.0

⚠ BREAKING CHANGES

Switch to streamx (#9)

Upgrade scaffold, dropping node <10 support (#8)

Features

Switch to streamx (#9) (cf656cf)

Miscellaneous Chores

Upgrade scaffold, dropping node <10 support (#8) (f095480)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 6 commits:

↗️ v8flags (indirect, 3.1.3 → 4.0.1) · Repo · Changelog

Release Notes

4.0.1

Bug Fixes

Exclude example flags provided by node (#66) (58f009a)

4.0.0

⚠ BREAKING CHANGES

Drop support for snake_case flags

Utilize process.allowedNodeEnvironmentFlags (#63)

Use SHA-256 for the config file name (#57)

Normalize repository, dropping node <10.13 support (#60)

Features

Remove homedir polyfill (#62) (306f970)

Utilize process.allowedNodeEnvironmentFlags (#63) (2240a0f)

Bug Fixes

Use SHA-256 for the config file name (#57) (f30a18e)

Miscellaneous Chores

Drop support for snake_case flags (e5194ca)

Normalize repository, dropping node <10.13 support (#60) (42ad05f)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 17 commits:

↗️ vinyl (indirect, 2.2.0 → 3.0.0) · Repo · Changelog

Release Notes

3.0.0

⚠ BREAKING CHANGES

Clone streams with teex

No longer await all streams to flow before emitting data

Remove cloneable-readable (#155)

Remove inspect method & rely on util.inspect.custom symbol

Normalize repository, dropping node <10.13 support (#151)

Features

Clone streams with teex (d4868f4)

No longer await all streams to flow before emitting data (d4868f4)

Remove cloneable-readable (#155) (d4868f4)

Miscellaneous Chores

Normalize repository, dropping node <10.13 support (#151) (9302802)

Remove inspect method & rely on util.inspect.custom symbol (9302802)

2.2.1

Fix

Ensure symbolic link files are cloned properly (b5e1570) - Closes #143 #146

Docs

Improve isCustomProp documentation (02c8923) - Closes #144

Build

Avoid referencing deprecated Buffer (ec0ca87) - Closes #142

Scaffold

Add support-bot template (1ed02bb)

Update repository patterns (dc3fd77)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

↗️ vinyl-fs (indirect, 3.0.3 → 4.0.0) · Repo · Changelog

Release Notes

4.0.0

⚠ BREAKING CHANGES

Prefer symlink property set on Vinyl object over its path (#345)

Avoid error and reflect filesystem stat if futimes not implemented (#341)

Consider the greater of ctime & mtime when comparing since option (#340)

Normalize repository, dropping node <10.13 support

Switch stream implementation to streamx (#333)

Features

Consider the greater of ctime & mtime when comparing since option (#340) (9f907ba)

Convert Windows-style paths in src() to proper globs (910c8a5)

Prefer symlink property set on Vinyl object over its path (#345) (0ac27a2)

Replace lazystream with streamx Composer (#344) (a80dae3)

Switch stream implementation to streamx (#333) (910c8a5)

Test against streams from core, streamx, and readable-stream (910c8a5)

Bug Fixes

Add regression test for negative relative globs (#343) (ebe6498)

Avoid error and reflect filesystem stat if futimes not implemented (#341) (9ba20fd)

Correct regression with src using arrays of globs (#342) (5659934)

Reference correct property name in integration testing (#320) (df245a4)

Workaround symlink stat bug in Node 10 on Windows (910c8a5)

Miscellaneous Chores

Normalize repository, dropping node <10.13 support (910c8a5)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 19 commits:

↗️ wrap-ansi (indirect, 2.1.0 → 7.0.0) · Repo

Commits

See the full diff on Github. The new version differs by 30 commits:

↗️ y18n (indirect, 3.2.1 → 5.0.8) · Repo · Changelog

Security Advisories 🚨

🚨 Prototype Pollution in y18n

Overview

The npm package y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution.

POC
const y18n = require('y18n')();
y18n.setLocale('proto');
y18n.updateLocale({polluted: true});
console.log(polluted); // true
Recommendation

Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later.

🚨 Prototype Pollution in y18n

Overview

The npm package y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution.

POC
const y18n = require('y18n')();
y18n.setLocale('proto');
y18n.updateLocale({polluted: true});
console.log(polluted); // true
Recommendation

Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later.

🚨 Prototype Pollution in y18n

Overview

The npm package y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution.

POC
const y18n = require('y18n')();
y18n.setLocale('proto');
y18n.updateLocale({polluted: true});
console.log(polluted); // true
Recommendation

Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later.

Release Notes

5.0.8

Bug Fixes

deno: force modern release for Deno (b1c215a)

5.0.7

Bug Fixes

deno: force release for deno (#121) (d3f2560)

5.0.6

Bug Fixes

webpack: skip readFileSync if not defined (#117) (6966fa9)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 67 commits:

↗️ yargs (indirect, 7.1.0 → 16.2.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 6 commits:

↗️ yargs-parser (indirect, 5.0.0 → 20.2.9)

Security Advisories 🚨

🚨 yargs-parser Vulnerable to Prototype Pollution

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Recommendation

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.

🚨 Prototype Pollution in yargs-parser

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Recommendation

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.

🚨 yargs-parser Vulnerable to Prototype Pollution

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Recommendation

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.

🚨 yargs-parser Vulnerable to Prototype Pollution

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Recommendation

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.

🚨 yargs-parser Vulnerable to Prototype Pollution

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Recommendation

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.

Sorry, we couldn't find anything useful about this release.

🆕 @gulpjs/messages (added, 1.1.0)

🆕 @gulpjs/to-absolute-glob (added, 4.0.0)

🆕 ansi-styles (added, 4.3.0)

🆕 bare-events (added, 2.2.2)

🆕 base64-js (added, 1.5.1)

🆕 bl (added, 5.1.0)

🆕 buffer (added, 6.0.3)

🆕 chalk (added, 4.1.2)

🆕 color-convert (added, 2.0.1)

🆕 color-name (added, 1.1.4)

🆕 emoji-regex (added, 8.0.0)

🆕 escalade (added, 3.1.2)

🆕 fast-fifo (added, 1.3.2)

🆕 fast-levenshtein (added, 3.0.0)

🆕 fastest-levenshtein (added, 1.0.16)

🆕 fastq (added, 1.17.1)

🆕 gulp-cli (added, 3.0.0)

🆕 has-flag (added, 4.0.0)

🆕 hasown (added, 2.0.2)

🆕 iconv-lite (added, 0.6.3)

🆕 ieee754 (added, 1.2.1)

🆕 is-core-module (added, 2.13.1)

🆕 picomatch (added, 2.3.1)

🆕 queue-tick (added, 1.0.1)

🆕 reusify (added, 1.0.4)

🆕 safer-buffer (added, 2.1.2)

🆕 stream-composer (added, 1.0.2)

🆕 streamx (added, 2.16.1)

🆕 supports-color (added, 7.2.0)

🆕 supports-preserve-symlinks-flag (added, 1.0.0)

🆕 sver (added, 1.8.4)

🆕 teex (added, 1.0.1)

🆕 vinyl-contents (added, 2.0.0)

🗑️ ansi-colors (removed)

🗑️ ansi-gray (removed)

🗑️ ansi-wrap (removed)

🗑️ append-buffer (removed)

🗑️ archy (removed)

🗑️ arr-diff (removed)

🗑️ arr-filter (removed)

🗑️ arr-flatten (removed)

🗑️ arr-map (removed)

🗑️ arr-union (removed)

🗑️ array-initial (removed)

🗑️ array-last (removed)

🗑️ array-sort (removed)

🗑️ array-unique (removed)

🗑️ assign-symbols (removed)

🗑️ async-each (removed)

🗑️ atob (removed)

🗑️ balanced-match (removed)

🗑️ base (removed)

🗑️ brace-expansion (removed)

🗑️ buffer-equal (removed)

🗑️ buffer-from (removed)

🗑️ cache-base (removed)

🗑️ camelcase (removed)

🗑️ class-utils (removed)

🗑️ clone-buffer (removed)

🗑️ cloneable-readable (removed)

🗑️ code-point-at (removed)

🗑️ collection-map (removed)

🗑️ collection-visit (removed)

🗑️ color-support (removed)

🗑️ component-emitter (removed)

🗑️ concat-map (removed)

🗑️ concat-stream (removed)

🗑️ copy-descriptor (removed)

🗑️ core-util-is (removed)

🗑️ d (removed)

🗑️ debug (removed)

🗑️ decamelize (removed)

🗑️ decode-uri-component (removed)

🗑️ default-compare (removed)

🗑️ default-resolution (removed)

🗑️ define-properties (removed)

🗑️ define-property (removed)

🗑️ duplexify (removed)

🗑️ error-ex (removed)

🗑️ es5-ext (removed)

🗑️ es6-iterator (removed)

🗑️ es6-symbol (removed)

🗑️ es6-weak-map (removed)

🗑️ expand-brackets (removed)

🗑️ extend-shallow (removed)

🗑️ extglob (removed)

🗑️ fancy-log (removed)

🗑️ find-up (removed)

🗑️ flush-write-stream (removed)

🗑️ fragment-cache (removed)

🗑️ fs.realpath (removed)

🗑️ get-value (removed)

🗑️ glob (removed)

🗑️ has-symbols (removed)

🗑️ has-value (removed)

🗑️ has-values (removed)

🗑️ hosted-git-info (removed)

🗑️ inflight (removed)

🗑️ invert-kv (removed)

🗑️ is-accessor-descriptor (removed)

🗑️ is-arrayish (removed)

🗑️ is-buffer (removed)

🗑️ is-data-descriptor (removed)

🗑️ is-descriptor (removed)

🗑️ is-extendable (removed)

🗑️ is-utf8 (removed)

🗑️ isarray (removed)

🗑️ json-stable-stringify-without-jsonify (removed)

🗑️ just-debounce (removed)

🗑️ kind-of (removed)

🗑️ lazystream (removed)

🗑️ lcid (removed)

🗑️ load-json-file (removed)

🗑️ make-iterator (removed)

🗑️ map-visit (removed)

🗑️ matchdep (removed)

🗑️ minimatch (removed)

🗑️ mixin-deep (removed)

🗑️ ms (removed)

🗑️ nan (removed)

🗑️ nanomatch (removed)

🗑️ next-tick (removed)

🗑️ normalize-package-data (removed)

🗑️ number-is-nan (removed)

🗑️ object-copy (removed)

🗑️ object-keys (removed)

🗑️ object-visit (removed)

🗑️ object.assign (removed)

🗑️ object.map (removed)

🗑️ object.reduce (removed)

🗑️ ordered-read-streams (removed)

🗑️ os-locale (removed)

🗑️ parse-json (removed)

🗑️ parse-node-version (removed)

🗑️ pascalcase (removed)

🗑️ path-dirname (removed)

🗑️ path-exists (removed)

🗑️ path-is-absolute (removed)

🗑️ path-type (removed)

🗑️ pify (removed)

🗑️ pinkie (removed)

🗑️ pinkie-promise (removed)

🗑️ posix-character-classes (removed)

🗑️ pretty-hrtime (removed)

🗑️ process-nextick-args (removed)

🗑️ pump (removed)

🗑️ pumpify (removed)

🗑️ read-pkg (removed)

🗑️ read-pkg-up (removed)

🗑️ regex-not (removed)

🗑️ remove-bom-buffer (removed)

🗑️ remove-bom-stream (removed)

🗑️ repeat-element (removed)

🗑️ repeat-string (removed)

🗑️ require-main-filename (removed)

🗑️ resolve-url (removed)

🗑️ ret (removed)

🗑️ safe-regex (removed)

🗑️ set-blocking (removed)

🗑️ set-value (removed)

🗑️ snapdragon (removed)

🗑️ snapdragon-node (removed)

🗑️ snapdragon-util (removed)

🗑️ source-map (removed)

🗑️ source-map-resolve (removed)

🗑️ source-map-url (removed)

🗑️ spdx-correct (removed)

🗑️ spdx-exceptions (removed)

🗑️ spdx-expression-parse (removed)

🗑️ spdx-license-ids (removed)

🗑️ split-string (removed)

🗑️ stack-trace (removed)

🗑️ static-extend (removed)

🗑️ stream-shift (removed)

🗑️ strip-bom (removed)

🗑️ sver-compat (removed)

🗑️ through2 (removed)

🗑️ through2-filter (removed)

🗑️ time-stamp (removed)

🗑️ to-absolute-glob (removed)

🗑️ to-object-path (removed)

🗑️ to-regex (removed)

🗑️ typedarray (removed)

🗑️ union-value (removed)

🗑️ unique-stream (removed)

🗑️ unset-value (removed)

🗑️ upath (removed)

🗑️ urix (removed)

🗑️ use (removed)

🗑️ validate-npm-package-license (removed)

🗑️ which-module (removed)

🗑️ xtend (removed)

👉

No CI detected

You don't seem to have any Continuous Integration service set up!

Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.

This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:

* Circle CI, Semaphore and Github Actions are all excellent options. * If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github. * If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don’t want it to run on every branch, you can whitelist branches starting with `depfu/`.

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@depfu rebase

Rebases against your default branch and redoes this update

@depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@depfu cancel merge

Cancels automatic merging of this PR

@depfu close

Closes this PR and deletes the branch

@depfu reopen

Restores the branch and reopens this PR (if it's closed)

@depfu pause

Ignores all future updates for this dependency and closes this PR

@depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

Admin message

🚨 [security] [js] Update gulp 4.0.2 → 5.0.0 (major)

What changed?

✳️ gulp (4.0.2 → 5.0.0) · Repo · Changelog

⚠ BREAKING CHANGES

Features

Bug Fixes

Miscellaneous Chores

Individual Changelogs

↗️ ansi-regex (indirect, 2.1.1 → 5.0.1) · Repo

Fixes (backport of 6.0.1 to v5)

↗️ anymatch (indirect, 2.0.0 → 3.1.3) · Repo

↗️ binary-extensions (indirect, 1.13.1 → 2.3.0) · Repo

↗️ braces (indirect, 2.3.2 → 3.0.2) · Repo · Changelog

3.0.0 (from changelog)

↗️ chokidar (indirect, 2.1.6 → 3.6.0) · Repo · Changelog

What's Changed

New Contributors

↗️ cliui (indirect, 3.2.0 → 7.0.4) · Repo · Changelog

Bug Fixes

Bug Fixes

Bug Fixes

Bug Fixes

⚠ BREAKING CHANGES

Build System

Code Refactoring

↗️ convert-source-map (indirect, 1.6.0 → 2.0.0) · Repo

↗️ copy-props (indirect, 2.0.4 → 4.0.0) · Repo · Changelog

⚠ BREAKING CHANGES

Miscellaneous Chores

↗️ end-of-stream (indirect, 1.4.1 → 1.4.4) · Repo

↗️ fill-range (indirect, 4.0.0 → 7.0.1) · Repo

↗️ findup-sync (indirect, 3.0.0 → 5.0.0) · Repo · Changelog

⚠ BREAKING CHANGES

Miscellaneous Chores

Breaking

Upgrade

Build

Scaffold

↗️ fsevents (indirect, 1.2.9 → 2.3.3) · Repo

↗️ function-bind (indirect, 1.1.1 → 1.1.2) · Repo · Changelog

↗️ get-caller-file (indirect, 1.0.3 → 2.0.5) · Repo

↗️ glob-parent (indirect, 3.1.0 → 5.1.2) · Repo · Changelog

Bug Fixes

↗️ glob-stream (indirect, 6.1.0 → 8.0.1) · Repo · Changelog

Bug Fixes

⚠ BREAKING CHANGES

Features

Bug Fixes

Miscellaneous Chores

⚠ BREAKING CHANGES

Miscellaneous Chores

↗️ glogg (indirect, 1.0.2 → 2.2.0) · Repo · Changelog

Features

Features

⚠ BREAKING CHANGES

Miscellaneous Chores

↗️ graceful-fs (indirect, 4.1.15 → 4.2.11) · Repo

↗️ inherits (indirect, 2.0.3 → 2.0.4) · Repo

↗️ ini (indirect, 1.3.5 → 1.3.8) · Repo · Changelog

Overview

Patches

Steps to reproduce

↗️ interpret (indirect, 1.2.0 → 3.1.1) · Repo · Changelog

Bug Fixes

Features

⚠ BREAKING CHANGES

Features

Bug Fixes

Miscellaneous Chores

↗️ is-binary-path (indirect, 1.0.1 → 2.1.0) · Repo

↗️ is-fullwidth-code-point (indirect, 1.0.0 → 3.0.0) · Repo

↗️ is-glob (indirect, 4.0.1 → 4.0.3) · Repo

↗️ is-number (indirect, 3.0.0 → 7.0.0) · Repo

↗️ is-plain-object (indirect, 2.0.4 → 5.0.0) · Repo

↗️ liftoff (indirect, 3.1.0 → 5.0.0) · Repo · Changelog

⚠ BREAKING CHANGES

Features

Bug Fixes

⚠ BREAKING CHANGES

Fixes (backport of `6.0.1` to v5)