🚨 [security] Update browser-sync 2.27.10 → 3.0.3 (major)

[depfu]

---

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

---

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ browser-sync (2.27.10 → 3.0.3) · Repo · Changelog

Release Notes

3.0.3

More info than we can show here.

3.0.2

More info than we can show here.

2.29.3

More info than we can show here.

2.29.0

More info than we can show here.

2.28.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ braces (indirect, 3.0.2 → 3.0.3) · Repo · Changelog

Security Advisories 🚨

🚨 Uncontrolled resource consumption in braces

The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ browser-sync-client (indirect, 2.27.10 → 3.0.3) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ destroy (indirect, 1.0.4 → 1.2.0) · Repo · Changelog

Release Notes

1.2.0 (from changelog)

More info than we can show here.

1.1.1 (from changelog)

More info than we can show here.

1.1.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ engine.io-client (indirect, 6.2.3 → 6.6.2) · Repo · Changelog

Release Notes

6.6.0

More info than we can show here.

6.5.4

More info than we can show here.

6.5.3

More info than we can show here.

6.5.2

More info than we can show here.

6.5.1

More info than we can show here.

6.5.0

More info than we can show here.

6.4.0

More info than we can show here.

6.3.1

More info than we can show here.

6.3.0

More info than we can show here.

Does any of this look wrong? Please let us know.

↗️ fill-range (indirect, 7.0.1 → 7.1.1) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ micromatch (indirect, 4.0.5 → 4.0.8) · Repo · Changelog

Security Advisories 🚨

🚨 Regular Expression Denial of Service (ReDoS) in micromatch

The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to #266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mime (indirect, 1.4.1 → 1.6.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ send (indirect, 0.16.2 → 0.19.1) · Repo · Changelog

↗️ serve-static (indirect, 1.13.2 → 1.16.2) · Repo · Changelog

Security Advisories 🚨

🚨 serve-static vulnerable to template injection that can lead to XSS

Impact

passing untrusted user input - even after sanitizing it - to redirect() may execute untrusted code

Patches

this issue is patched in serve-static 1.16.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

1. The attacker MUST control the input to response.redirect()
2. express MUST NOT redirect before the template appears
3. the browser MUST NOT complete redirection before:
4. the user MUST click on the link in the template

Release Notes

1.16.0

More info than we can show here.

1.15.0

More info than we can show here.

1.14.2

More info than we can show here.

1.14.1 (from changelog)

More info than we can show here.

1.14.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ socket.io-client (indirect, 4.5.3 → 4.8.0) · Repo · Changelog

Release Notes

4.7.5

More info than we can show here.

4.7.4

More info than we can show here.

4.7.3

More info than we can show here.

4.7.2

More info than we can show here.

4.7.1

More info than we can show here.

4.7.0

More info than we can show here.

4.6.2

More info than we can show here.

4.6.1

More info than we can show here.

4.6.0

More info than we can show here.

4.5.4

More info than we can show here.

Does any of this look wrong? Please let us know.

↗️ socket.io-parser (indirect, 4.2.1 → 4.2.4) · Repo · Changelog

Security Advisories 🚨

🚨 Insufficient validation when decoding a Socket.IO packet

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Patches

A fix has been released today (2023/05/22):

• 3b78117, included in socket.io-parser@4.2.3
• 2dc3c92, included in socket.io-parser@3.4.3

Another fix has been released for the 3.3.x branch:

• ee00660, included in `socket.io-parser@3.3.4

socket.io version	socket.io-parser version	Needs minor update?
4.5.2...latest	~4.2.0 (ref)	npm audit fix should be sufficient
4.1.3...4.5.1	~4.1.1 (ref)	Please upgrade to socket.io@4.6.x
3.0.5...4.1.2	~4.0.3 (ref)	Please upgrade to socket.io@4.6.x
3.0.0...3.0.4	~4.0.1 (ref)	Please upgrade to socket.io@4.6.x
2.3.0...2.5.0	~3.4.0 (ref)	npm audit fix should be sufficient

Workarounds

There is no known workaround except upgrading to a safe version.

For more information

If you have any questions or comments about this advisory:

• Open a discussion here

Thanks to @rafax00 for the responsible disclosure.

Release Notes

4.2.4 (from changelog)

More info than we can show here.

4.2.3

More info than we can show here.

4.2.2

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ua-parser-js (indirect, 1.0.2 → 1.0.39) · Repo · Changelog

Security Advisories 🚨

🚨 ReDoS Vulnerability in ua-parser-js version

Description:

A regular expression denial of service (ReDoS) vulnerability has been discovered in ua-parser-js.

Impact:

This vulnerability bypass the library's MAX_LENGTH input limit prevention. By crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to get stuck processing for a very long time which results in a denial of service (DoS) condition.

Affected Versions:

All versions of the library prior to version 0.7.33 / 1.0.33.

Patches:

A patch has been released to remove the vulnerable regular expression, update to version 0.7.33 / 1.0.33 or later.

References:

Regular expression Denial of Service - ReDoS

Credits:

Thanks to @snyk who first reported the issue.

Release Notes

1.0.39

More info than we can show here.

1.0.38

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ xmlhttprequest-ssl (indirect, 2.0.0 → 2.1.2) · Repo

Sorry, we couldn't find anything useful about this release.

🗑️ axios (removed)

🗑️ bs-snippet-injector (removed)

🗑️ has-ansi (removed)

🗑️ localtunnel (removed)

🗑️ openurl (removed)

🗑️ qs (removed)

🗑️ rxjs (removed)

🗑️ symbol-observable (removed)

🗑️ tfunk (removed)

🗑️ typescript (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #43.