Sourced from node-fetch's releases.

v2.6.1

This is an important security release. It is strongly recommended to update as soon as possible.

See CHANGELOG for details.

Sourced from node-fetch's changelog.

v2.6.1

This is an important security release. It is strongly recommended to update as soon as possible.

• Fix: honor the size option after following a redirect.

• b5e2e41 update version number
• 2358a6c Honor the size option after following a redirect and revert data uri support
• 8c197f8 docs: Fix typos and grammatical errors in README.md (#686)
• 1e99050 fix: Change error message thrown with redirect mode set to error (#653)
• 244e6f6 docs: Show backers in README
• 6a5d192 fix: Properly parse meta tag when parameters are reversed (#682)
• 47a24a0 chore: Add opencollective badge
• 7b13662 chore: Add funding link
• 5535c2e fix: Check for global.fetch before binding it (#674)
• 1d5778a docs: Add Discord badge
• Additional commits viewable in compare view

This version was pushed to npm by akepinski, a new releaser for node-fetch since your current version.

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from lodash's releases.

4.17.16

• d7fbc52 Bump to v4.17.19
• 2e1c0f2 Add npm-package
• 1b6c282 Bump to v4.17.18
• a370ac8 Bump to v4.17.17
• 1144918 Rebuild lodash and docs
• 3a3b0fd Bump to v4.17.16
• c84fe82 fix(zipObjectDeep): prototype pollution (#4759)
• e7b28ea Sanitize sourceURL so it cannot affect evaled code (#4518)
• 0cec225 Fix lodash.isEqual for circular references (#4320) (#4515)
• 94c3a81 Document matches* shorthands for over* methods (#4510) (#4514)
• Additional commits viewable in compare view

This version was pushed to npm by mathias, a new releaser for lodash since your current version.

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from node-forge's changelog.

1.3.1 - 2022-03-29

Fixes

• RFC 3447 and RFC 8017 allow for optional DigestAlgorithm NULL parameters for sha* algorithms and require NULL paramters for md2 and md5 algorithms.

1.3.0 - 2022-03-17

Security

• Three RSA PKCS#1 v1.5 signature verification issues were reported by Moosa Yahyazadeh ([email protected]).
• HIGH: Leniency in checking digestAlgorithm structure can lead to signature forgery.
  • The code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.
  • CVE ID: CVE-2022-24771
  • GHSA ID: GHSA-cfm4-qjh2-4765
• HIGH: Failing to check tailing garbage bytes can lead to signature forgery.
  • The code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.
  • CVE ID: CVE-2022-24772
  • GHSA ID: GHSA-x4jg-mjrx-434g
• MEDIUM: Leniency in checking type octet.
  • DigestInfo is not properly checked for proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.
  • CVE ID: CVE-2022-24773
  • GHSA ID: GHSA-2r2c-g63r-vccr

Fixed

• [asn1] Add fallback to pretty print invalid UTF8 data.
• [asn1] fromDer is now more strict and will default to ensuring all input bytes are parsed or throw an error. A new option parseAllBytes can disable this behavior.
  • NOTE: The previous behavior is being changed since it can lead to security issues with crafted inputs. It is possible that code doing custom DER parsing may need to adapt to this new behavior and optional flag.
• [rsa] Add and use a validator to check for proper structure of parsed ASN.1

... (truncated)

• a0a4a42 Release 1.3.1.
• a33830f Update changelog.
• 740954d Allow optional DigestAlgorithm parameters.
• 56f4316 Allow DigestInfo.DigestAlgorith.parameters to be optional
• cbf0bd5 Start 1.3.1-0.
• 6c5b901 Release 1.3.0.
• 0f3972a Update changelog.
• dc77b39 Fix error checking.
• bb822c0 Add advisory links.
• d4395fe Update changelog.
• Additional commits viewable in compare view

Sourced from firebase-admin's releases.

Firebase Admin Node.js SDK v11.3.0

New Features

• feat(extensions): Add extensions namespace (#1960)

Miscellaneous

• [chore] Release 11.3.0 (#1981)
• Extensions TSDoc edits (#1982)
• Extensions docstring tweaks (#1980)
• build(deps): bump @​firebase/database-compat from 0.2.9 to 0.2.10 (#1969)
• build(deps-dev): bump @​types/sinon-chai from 3.2.8 to 3.2.9 (#1978)
• build(deps): bump @​firebase/database-types from 0.9.16 to 0.9.17 (#1977)

Firebase Admin Node.js SDK v11.2.1

Bug Fixes

• fix(firestore): added missing 'ReadWriteTransactionOptions' export (#1874) (#1875)
• fix(fcm): Increase FCM timeout to 15s (#1947)

Miscellaneous

• [chore] Release 11.2.1 (#1972)
• build(deps-dev): bump @​typescript-eslint/parser from 5.40.0 to 5.42.1 (#1968)
• build(deps-dev): bump @​typescript-eslint/eslint-plugin (#1967)
• build(deps-dev): bump @​firebase/auth-compat from 0.2.23 to 0.2.24 (#1962)
• build(deps-dev): bump @​firebase/api-documenter from 0.2.0 to 0.3.0 (#1963)
• build(deps-dev): bump @​microsoft/api-extractor from 7.33.4 to 7.33.5 (#1961)
• build(deps): bump @​google-cloud/storage from 6.5.2 to 6.6.0 (#1956)
• build(deps-dev): bump @​firebase/auth-compat from 0.2.20 to 0.2.23 (#1951)
• build(deps-dev): bump @​typescript-eslint/eslint-plugin (#1953)
• Internal implementation of multiDb (#1949)
• build(deps-dev): bump @​microsoft/api-extractor from 7.33.2 to 7.33.4 (#1946)
• build(deps-dev): bump mocha from 10.0.0 to 10.1.0 (#1944)
• build(deps-dev): bump @​typescript-eslint/eslint-plugin (#1943)

Firebase Admin Node.js SDK v11.2.0

New Features

• feat(auth): Support sms region config change on Tenant and Project level (#1921)

Miscellaneous

• [chore] Release 11.2.0 (#1942)
• chore(fs): Upgrade firestore dependency (#1941)
• build(deps-dev): bump sinon from 14.0.0 to 14.0.1 (#1938)
• build(deps-dev): bump @​microsoft/api-extractor from 7.33.1 to 7.33.2 (#1939)
• build(deps): bump @​firebase/database-compat from 0.2.7 to 0.2.9 (#1940)
• build(deps-dev): bump @​firebase/app-compat from 0.1.34 to 0.1.37 (#1937)
• build(deps): bump @​firebase/database-types from 0.9.13 to 0.9.16 (#1932)

... (truncated)

• 1665b6e [chore] Release 11.3.0 (#1981)
• 62fdf5f Extensions TSDoc edits (#1982)
• 38fb85f Extensions docstring tweaks (#1980)
• 34f84b6 build(deps): bump @​firebase/database-compat from 0.2.9 to 0.2.10 (#1969)
• 623c02d feat(extensions): Add extensions namespace (#1960)
• 9f4d23c build(deps-dev): bump @​types/sinon-chai from 3.2.8 to 3.2.9 (#1978)
• e708fef build(deps): bump @​firebase/database-types from 0.9.16 to 0.9.17 (#1977)
• de57933 [chore] Release 11.2.1 (#1972)
• 5af0a8d build(deps-dev): bump @​typescript-eslint/parser from 5.40.0 to 5.42.1 (#1968)
• a64d231 build(deps-dev): bump @​typescript-eslint/eslint-plugin (#1967)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from express's releases.

4.18.2

• Fix regression routing a large stack in a single route
• deps: [email protected]
  • deps: [email protected]
  • perf: remove unnecessary object clone
• deps: [email protected]

4.18.1

• Fix hanging on large stack of sync routes

4.18.0

• Add "root" option to res.download
• Allow options without filename in res.download
• Deprecate string and non-integer arguments to res.status
• Fix behavior of null/undefined as maxAge in res.cookie
• Fix handling very large stacks of sync middleware
• Ignore Object.prototype values in settings through app.set/app.get
• Invoke default with same arguments as types in res.format
• Support proper 205 responses using res.send
• Use http-errors for res.format error
• deps: [email protected]
  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
  • Add priority option
  • Fix expires option to reject invalid dates
• deps: [email protected]
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: [email protected]
  • Remove set content headers that break response
  • deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
  • Prevent loss of async hooks context
• deps: [email protected]
• deps: [email protected]
  • Fix emitted 416 error missing headers property
  • Limit the headers removed for 304 response
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]

... (truncated)

Sourced from express's changelog.

4.18.2 / 2022-10-08

• Fix regression routing a large stack in a single route
• deps: [email protected]
  • deps: [email protected]
  • perf: remove unnecessary object clone
• deps: [email protected]

4.18.1 / 2022-04-29

• Fix hanging on large stack of sync routes

4.18.0 / 2022-04-25

• Add "root" option to res.download
• Allow options without filename in res.download
• Deprecate string and non-integer arguments to res.status
• Fix behavior of null/undefined as maxAge in res.cookie
• Fix handling very large stacks of sync middleware
• Ignore Object.prototype values in settings through app.set/app.get
• Invoke default with same arguments as types in res.format
• Support proper 205 responses using res.send
• Use http-errors for res.format error
• deps: [email protected]
  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
  • Add priority option
  • Fix expires option to reject invalid dates
• deps: [email protected]
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: [email protected]
  • Remove set content headers that break response
  • deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
  • Prevent loss of async hooks context
• deps: [email protected]
• deps: [email protected]

... (truncated)

• 8368dc1 4.18.2
• 61f4049 docs: replace Freenode with Libera Chat
• bb7907b build: [email protected]
• f56ce73 build: [email protected]
• 24b3dc5 deps: [email protected]
• 689d175 deps: [email protected]
• 340be0f build: [email protected]
• 33e8dc3 docs: use Node.js name style
• 644f646 build: [email protected]
• ecd7572 build: [email protected]
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from qs's changelog.

6.11.0

• [New] [Fix] stringify: revert 0e903c0; add commaRoundTrip option (#442)
• [readme] fix version badge

6.10.5

• [Fix] stringify: with arrayFormat: comma, properly include an explicit [] on a single-item array (#434)

6.10.4

• [Fix] stringify: with arrayFormat: comma, include an explicit [] on a single-item array (#441)
• [meta] use npmignore to autogenerate an npmignore file
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, has-symbol, object-inspect, tape

6.10.3

• [Fix] parse: ignore __proto__ keys (#428)
• [Robustness] stringify: avoid relying on a global undefined (#427)
• [actions] reuse common workflows
• [Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, tape

6.10.2

• [Fix] stringify: actually fix cyclic references (#426)
• [Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#424)
• [readme] remove travis badge; add github actions/codecov badges; update URLs
• [Docs] add note and links for coercing primitive values (#408)
• [actions] update codecov uploader
• [actions] update workflows
• [Tests] clean up stringify tests slightly
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, object-inspect, safe-publish-latest, tape

6.10.1

• [Fix] stringify: avoid exception on repeated object values (#402)

6.10.0

• [New] stringify: throw on cycles, instead of an infinite loop (#395, #394, #393)
• [New] parse: add allowSparse option for collapsing arrays with missing indices (#312)
• [meta] fix README.md (#399)
• [meta] only run npm run dist in publish, not install
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, has-symbols, tape
• [Tests] fix tests on node v0.6
• [Tests] use ljharb/actions/node/install instead of ljharb/actions/node/run
• [Tests] Revert "[meta] ignore eclint transitive audit warning"

6.9.7

• [Fix] parse: ignore __proto__ keys (#428)
• [Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#424)
• [Robustness] stringify: avoid relying on a global undefined (#427)
• [readme] remove travis badge; add github actions/codecov badges; update URLs
• [Docs] add note and links for coercing primitive values (#408)
• [Tests] clean up stringify tests slightly
• [meta] fix README.md (#399)
• Revert "[meta] ignore eclint transitive audit warning"

... (truncated)

• 56763c1 v6.11.0
• ddd3e29 [readme] fix version badge
• c313472 [New] [Fix] stringify: revert 0e903c0; add commaRoundTrip option
• 95bc018 v6.10.5
• 0e903c0 [Fix] stringify: with arrayFormat: comma, properly include an explicit `[...
• ba9703c v6.10.4
• 4e44019 [Fix] stringify: with arrayFormat: comma, include an explicit [] on a s...
• 113b990 [Dev Deps] update object-inspect
• c77f38f [Dev Deps] update eslint, @ljharb/eslint-config, aud, has-symbol, tape
• 2cf45b2 [meta] use npmignore to autogenerate an npmignore file
• Additional commits viewable in compare view

Sourced from express's releases.

4.18.2

• Fix regression routing a large stack in a single route
• deps: [email protected]
  • deps: [email protected]
  • perf: remove unnecessary object clone
• deps: [email protected]

4.18.1

• Fix hanging on large stack of sync routes

4.18.0

• Add "root" option to res.download
• Allow options without filename in res.download
• Deprecate string and non-integer arguments to res.status
• Fix behavior of null/undefined as maxAge in res.cookie
• Fix handling very large stacks of sync middleware
• Ignore Object.prototype values in settings through app.set/app.get
• Invoke default with same arguments as types in res.format
• Support proper 205 responses using res.send
• Use http-errors for res.format error
• deps: [email protected]
  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
  • Add priority option
  • Fix expires option to reject invalid dates
• deps: [email protected]
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: [email protected]
  • Remove set content headers that break response
  • deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
  • Prevent loss of async hooks context
• deps: [email protected]
• deps: [email protected]
  • Fix emitted 416 error missing headers property
  • Limit the headers removed for 304 response
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]

... (truncated)

Sourced from express's changelog.

4.18.2 / 2022-10-08

• Fix regression routing a large stack in a single route
• deps: [email protected]
  • deps: [email protected]
  • perf: remove unnecessary object clone
• deps: [email protected]

4.18.1 / 2022-04-29

• Fix hanging on large stack of sync routes

4.18.0 / 2022-04-25

• Add "root" option to res.download
• Allow options without filename in res.download
• Deprecate string and non-integer arguments to res.status
• Fix behavior of null/undefined as maxAge in res.cookie
• Fix handling very large stacks of sync middleware
• Ignore Object.prototype values in settings through app.set/app.get
• Invoke default with same arguments as types in res.format
• Support proper 205 responses using res.send
• Use http-errors for res.format error
• deps: [email protected]
  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
  • Add priority option
  • Fix expires option to reject invalid dates
• deps: [email protected]
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: [email protected]
  • Remove set content headers that break response
  • deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
  • Prevent loss of async hooks context
• deps: [email protected]
• deps: [email protected]

... (truncated)

• 8368dc1 4.18.2
• 61f4049 docs: replace Freenode with Libera Chat
• bb7907b build: [email protected]
• f56ce73 build: [email protected]
• 24b3dc5 deps: [email protected]
• 689d175 deps: [email protected]
• 340be0f build: [email protected]
• 33e8dc3 docs: use Node.js name style
• 644f646 build: [email protected]
• ecd7572 build: [email protected]
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from protobufjs's releases.

v6.11.3

6.11.3 (2022-05-20)

Bug Fixes

• deps: use eslint 8.x (#1728) (a8681ce)
• do not let setProperty change the prototype (#1731) (b5f1391)

v6.11.2

6.11.2 (2021-04-30)

• regenerated index.d.ts to fix the unintended breaking change in types.

v6.11.1

6.11.1 (2021-04-29)

Bug Fixes

• parse.js "parent.add(oneof)“ error (@​leon776) (#1602)

v6.11.0

6.11.0 (2021-04-28)

Features

• support for proto3 optional fields (@​alexander-fenster) (#1584)
• add --no-service option for pbjs (@​mdouglass) (#1577)

Bug Fixes

• do not assign oneof members to default values, use null instead (@​alexander-fenster) (#1597)

Dependencies

• set @types/node to >= 13.7.0 in dependencies (@​indutny) (#1575)

protobuf.js v6.10.2

Bug Fixes

• es6 export enum (#1446) (9f33784)
• make parsedOptions appear in method JSON representation (#1506) (3d29969)
• utf8 -> utf16 decoding bug on surrogate pairs (#1486) (75172cd)

protobuf.js v6.10.1

... (truncated)

Sourced from protobufjs's changelog.

6.11.3 (2022-05-20)

Bug Fixes

• deps: use eslint 8.x (#1728) (a8681ce)
• do not let setProperty change the prototype (#1731) (b5f1391)

6.11.2 (2021-04-30)

• regenerated index.d.ts to fix the unintended breaking change in types.

6.11.1 (2021-04-29)

Bug Fixes

• parse.js "parent.add(oneof)“ error (@​leon776) (#1602)

6.11.0 (2021-04-28)

Features

• support for proto3 optional fields (@​alexander-fenster) (#1584)
• add --no-service option for pbjs (@​mdouglass) (#1577)

Bug Fixes

• do not assign oneof members to default values, use null instead (@​alexander-fenster) (#1597)

Dependencies

• set @types/node to >= 13.7.0 in dependencies (@​indutny) (#1575)

6.10.2 (2020-11-13)

Bug Fixes

• es6 export enum (#1446) (9f33784)
• make parsedOptions appear in method JSON representation (#1506) (3d29969)
• utf8 -> utf16 decoding bug on surrogate pairs (#1486) (75172cd)

6.10.1 (2020-07-16)

Bug Fixes

... (truncated)

• b130dfd chore(6.x): release 6.11.3 (#1737)
• c2c17ae build: publish to main
• b2c6a5c build: run tests if ci label added (#1734)
• a8681ce fix(deps): use eslint 8.x (#1728)
• b5f1391 fix: do not let setProperty change the prototype (#1731)
• 7afd0a3 build: configure 6.x as default branch
• 37285d0 build: configure backports
• d127871 fix: rebuild type, release v6.11.2
• da9fdd2 fix(types): bring back Field.rule to .d.ts
• a2ccda1 chore: release v6.11.1
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from node-fetch's releases.

v2.6.7

Security patch release

Recommended to upgrade, to not leak sensitive cookie and authentication header information to 3th party host while a redirect occurred

What's Changed

• fix: don't forward secure headers to 3th party by @​jimmywarting in node-fetch/node-fetch#1453

Full Changelog: https://github.com/node-fetch/node-fetch/compare/v2.6.6...v2.6.7

v2.6.6

What's Changed

• fix(URL): prefer built in URL version when available and fallback to whatwg by @​jimmywarting in node-fetch/node-fetch#1352

Full Changelog: https://github.com/node-fetch/node-fetch/compare/v2.6.5...v2.6.6

v2.6.2

fixed main path in package.json

v2.6.1

This is an important security release. It is strongly recommended to update as soon as possible.

See CHANGELOG for details.

Sourced from node-fetch's changelog.

Changelog

All notable changes will be recorded here.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

What's Changed

• core: update fetch-blob by @​jimmywarting in node-fetch/node-fetch#1371
• docs: Fix typo around sending a file by @​jimmywarting in node-fetch/node-fetch#1381
• core: (http.request): Cast URL to string before sending it to NodeJS core by @​jimmywarting in node-fetch/node-fetch#1378
• core: handle errors from the request body stream by @​mdmitry01 in node-fetch/node-fetch#1392
• core: Better handle wrong redirect header in a response by @​tasinet in node-fetch/node-fetch#1387
• core: Don't use buffer to make a blob by @​jimmywarting in node-fetch/node-fetch#1402
• docs: update readme for TS @​types/node-fetch by @​adamellsworth in node-fetch/node-fetch#1405
• core: Fix logical operator priority to disallow GET/HEAD with non-empty body by @​maxshirshin in node-fetch/node-fetch#1369
• core: Don't use global buffer by @​jimmywarting in node-fetch/node-fetch#1422
• ci: fix main branch by @​dnalborczyk in node-fetch/node-fetch#1429
• core: use more node: protocol imports by @​dnalborczyk in node-fetch/node-fetch#1428
• core: Warn when using data by @​jimmywarting in node-fetch/node-fetch#1421
• docs: Create SECURITY.md by @​JamieSlome in node-fetch/node-fetch#1445
• core: don't forward secure headers to 3th party by @​jimmywarting in node-fetch/node-fetch#1449

New Contributors

• @​mdmitry01 made their first contribution in node-fetch/node-fetch#1392
• @​tasinet made their first contribution in node-fetch/node-fetch#1387
• @​adamellsworth made their first contribution in node-fetch/node-fetch#1405
• @​maxshirshin made their first contribution in node-fetch/node-fetch#1369
• @​JamieSlome made their first contribution in node-fetch/node-fetch#1445

Full Changelog: https://github.com/node-fetch/node-fetch/compare/v3.1.0...v3.1.2

3.1.0

What's Changed

• fix(Body): Discourage form-data and buffer() by @​jimmywarting in node-fetch/node-fetch#1212
• fix: Pass url string to http.request by @​serverwentdown in node-fetch/node-fetch#1268
• Fix octocat image link by @​lakuapik in node-fetch/node-fetch#1281
• fix(Body.body): Normalize Body.body into a node:stream by @​jimmywarting in node-fetch/node-fetch#924
• docs(Headers): Add default Host request header to README.md file by @​robertoaceves in node-fetch/node-fetch#1316
• Update CHANGELOG.md by @​jimmywarting in node-fetch/node-fetch#1292
• Add highWaterMark to cloned properties by @​davesidious in node-fetch/node-fetch#1162
• Update README.md to fix HTTPResponseError by @​thedanfernandez in node-fetch/node-fetch#1135
• docs: switch url to URL by @​dhritzkiv in node-fetch/node-fetch#1318
• fix(types): declare buffer() deprecated by @​dnalborczyk in node-fetch/node-fetch#1345
• chore: fix lint by @​dnalborczyk in node-fetch/node-fetch#1348
• refactor: use node: prefix for imports by @​dnalborczyk in node-fetch/node-fetch#1346
• Bump data-uri-to-buffer from 3.0.1 to 4.0.0 by @​dependabot in node-fetch/node-fetch#1319
• Bump mocha from 8.4.0 to 9.1.3 by @​dependabot in node-fetch/node-fetch#1339
• Referrer and Referrer Policy by @​tekwiz in node-fetch/node-fetch#1057
• Add typing for Response.redirect(url, status) by @​c-w in node-fetch/node-fetch#1169

... (truncated)

• 1ef4b56 backport of #1449 (#1453)
• 8fe5c4e 2.x: Specify encoding as an optional peer dependency in package.json (#1310)
• f56b0c6 fix(URL): prefer built in URL version when available and fallback to whatwg (...
• b5417ae fix: import whatwg-url in a way compatible with ESM Node (#1303)
• 18193c5 fix v2.6.3 that did not sending query params (#1301)
• ace7536 fix: properly encode url with unicode characters (#1291)
• 152214c Fix(package.json): Corrected main file path in package.json (#1274)
• b5e2e41 update version number
• 2358a6c Honor the size option after following a redirect and revert data uri support
• 8c197f8 docs: Fix typos and grammatical errors in README.md (#686)
• Additional commits viewable in compare view

This version was pushed to npm by endless, a new releaser for node-fetch since your current version.

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

• f299b52 Bump to v4.17.21
• c4847eb Improve performance of toNumber, trim and trimEnd on large input strings
• 3469357 Prevent command injection through _.template's variable option
• ded9bc6 Bump to v4.17.20.
• 63150ef Documentation fixes.
• 00f0f62 test.js: Remove trailing comma.
• 846e434 Temporarily use a custom fork of lodash-cli.
• 5d046f3 Re-enable Travis tests on 4.17 branch.
• aa816b3 Remove /npm-package.
• d7fbc52 Bump to v4.17.19
• Additional commits viewable in compare view

This version was pushed to npm by bnjmnt4n, a new releaser for lodash since your current version.

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from websocket-extensions's changelog.

0.1.4 / 2020-06-02

• Remove a ReDoS vulnerability in the header parser (CVE-2020-7662, reported by Robert McLaughlin)
• Change license from MIT to Apache 2.0

• 8efd0cd Bump version to 0.1.4
• 3dad4ad Remove ReDoS vulnerability in the Sec-WebSocket-Extensions header parser
• 4a76c75 Add Node versions 13 and 14 on Travis
• 44a677a Formatting change: {...} should have spaces inside the braces
• f6c50ab Let npm reformat package.json
• 2d211f3 Change markdown formatting of docs.
• 0b62083 Update Travis target versions.
• 729a465 Switch license to Apache 2.0.
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from jsonwebtoken's changelog.

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

• Removed support for Node versions 11 and below.
• The verify() function no longer accepts unsigned tokens by default. ([834503079514b72264fd13023a3b8d648afd6a16]https://github.com/auth0/node-jsonwebtoken/commit/834503079514b72264fd13023a3b8d648afd6a16)
• RSA key size must be 2048 bits or greater. ([ecdf6cc6073ea13a7e71df5fad043550f08d0fa6]https://github.com/auth0/node-jsonwebtoken/commit/ecdf6cc6073ea13a7e71df5fad043550f08d0fa6)
• Key types must be valid for the signing / verification algorithm

Security fixes

• security: fixes Arbitrary File Write via verify function - CVE-2022-23529
• security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
• security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
• security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

• e1fa9dc Merge pull request from GHSA-8cf7-32gw-wr33
• 5eaedbf chore(ci): remove github test actions job (#861)
• cd4163e chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)
• ecdf6cc fix!: Prevent accidental use of insecure key sizes & misconfiguration of secr...
• 8345030 fix(sign&verify)!: Remove default none support from sign and verify met...
• 7e6a86b Upload OpsLevel YAML (#849)
• 74d5719 docs: update references vercel/ms references (#770)
• d71e383 docs: document "invalid token" error
• 3765003 docs: fix spelling in README.md: Peak -> Peek (#754)
• a46097e docs: make decode impossible to discover before verify
• Additional commits viewable in compare view

This version was pushed to npm by julien.wollscheid, a new releaser for jsonwebtoken since your current version.

Sourced from firebase-admin's releases.

Firebase Admin Node.js SDK v11.4.1

Bug Fixes

• fix: Update jsonwebtoken to v9.0.0 (#2025)

Miscellaneous

• [chore] Release 11.4.1 (#2026)
• build(deps-dev): bump mocha from 10.1.0 to 10.2.0 (#2019)
• build(deps-dev): bump @​typescript-eslint/parser from 5.42.1 to 5.47.0 (#2020)
• build(deps-dev): bump @​typescript-eslint/eslint-plugin (#2018)

Firebase Admin Node.js SDK v11.4.0

Breaking Changes

• change: Deprecate AutoML model support (#2013)

New Features

• feat(fs): preferRest app option for Firestore (#1901)

Bug Fixes

• fix(fcm): Increase batch send timeout to 15 seconds (#1999)
• fix: Unregister socket timeout listener to prevent MaxListenersExceededWarning (#1993)

Miscellaneous

• [chore] Release 11.4.0 (#2015)
• build(deps): bump @​google-cloud/storage from 6.6.0 to 6.8.0 (#2008)
• build(deps): bump @​types/node from 18.11.9 to 18.11.14 (#2012)
• build(deps-dev): bump @​typescript-eslint/eslint-plugin (#2009)
• build(deps): bump decode-uri-component from 0.2.0 to 0.2.2 (#1998)
• build(deps): bump qs from 6.5.2 to 6.5.3 in /.github/actions/send-tweet (#2006)
• build(deps-dev): bump eslint from 8.28.0 to 8.29.0 (#2003)
• build(deps-dev): bump @​types/lodash from 4.14.186 to 4.14.191 (#1997)
• build(deps-dev): bump eslint from 8.24.0 to 8.28.0 (#1991)
• build(deps-dev): bump chai from 4.3.6 to 4.3.7 (#1990)
• build(deps-dev): bump sinon from 14.0.1 to 14.0.2 (#1984)
• build(deps-dev): bump @​firebase/auth-types from 0.11.0 to 0.11.1 (#1985)
• build(deps): bump @​types/node from 18.7.23 to 18.11.9 (#1983)

• 88ae832 [chore] Release 11.4.1 (#2026)
• ccffa13 build(deps-dev): bump mocha from 10.1.0 to 10.2.0 (#2019)
• 8c5ac01 build(deps-dev): bump @​typescript-eslint/parser from 5.42.1 to 5.47.0 (#2020)
• 8d3501f build(deps-dev): bump @​typescript-eslint/eslint-plugin (#2018)
• d23b1c5 fix: Update jsonwebtoken to v9.0.0 (#2025)
• 1acdb67 [chore] Release 11.4.0 (#2015)
• ba5ec2e change: Deprecate AutoML model support (#2013)
• 8b8c874 build(deps): bump @​google-cloud/storage from 6.6.0 to 6.8.0 (#2008)
• f079949 build(deps): bump @​types/node from 18.11.9 to 18.11.14 (#2012)
• d385b93 build(deps-dev): bump @​typescript-eslint/eslint-plugin (#2009)
• Additional commits viewable in compare view

Sourced from firebase-functions's releases.

v3.24.1

• Fix reference docs for performance monitoring.
• Fix bug where function configuration wil null values couldn't be deployed. (#1246)

v3.24.0

• Add performance monitoring triggers to v2 alerts (#1223).

v3.23.0

• Fixes a bug that disallowed setting customClaims and/or sessionClaims in blocking functions (#1199).
• Add v2 Schedule Triggers (#1177).

v3.22.0

• Adds RTDB Triggers for v2 functions (#1127)
• Adds support for Firebase Admin SDK v11 (#1151)
• Fixes bug where emulated task queue function required auth header (#1154)

v3.21.2

• Fixes bug where toJSON was not defined in UserRecord (#1125).

v3.21.1

• Add debug feature to enable cors option for v2 onRequest and onCall handlers. (#1099)

v3.21.0

• Adds CPU option and enhances internal data structures (#1077)
• Add auth blocking handlers (#1080)
• Add support for secrets in v2 (#1079)
• Update types for AlertPayloads (#1087)
• Update AppDistribution [@type] (#1088)
• Update CloudEvent types (#1089)
• Generate documentation with api-extractor (#1071)
• Change type info to be inheritance friendly. (#1091)
• Changes the memory options from MB to MiB and GB to GiB for greater clarity (#1090)

v3.20.1

• Improve authorization for tasks. (#1073)

v3.20.0

• Changes internal structure to be more flexible (#1070).

v3.19.0

• Add support for more regions and memory for v2 functions (#1037).
• Fixes bug where some RTDB instance names were incorrectly parsed (#1056).

v3.18.1

• Expose stack YAML via __/functions.yaml endpoint instead (#1036).

v3.18.0

• Add new runtime option for setting secrets.

v3.17.2

... (truncated)

• e4bda7d 3.24.1
• 3c5392d Hide documentation for in-app feedback (#1245)
• cc6e28e Fix bug where function configuration with null couldn't be deployed. (#1246)
• cf27ac6 Adding required --project flag to v2 docgen script. (#1239)
• 1ac04ad fix tsdoc comments (#1240)
• bd0fcbc [firebase-release] Removed change log and reset repo after 3.24.0 release
• e191af7 3.24.0
• b93e397 Don't delete fields on a non-breaking change release (#1238)
• 65e66a2 Converting alert type and app id to camel case in the CloudEvent (#1236)
• c18e832 Adds performance monitoring triggers to v2 alerts (#1223)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.