Update dependency parcel-bundler to v1.10.0 [SECURITY] - abandoned #29

Open
wants to merge 1 commit into
base: master

renovate bot commented May 22, 2019

This PR contains the following updates:

Package: parcel-bundler
Change: 1.7.1 -> 1.10.0

GitHub Vulnerability Alerts

CVE-2018-14731

Versions of parcel-bundler before 1.10.0 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) is not validated.

Recommendation

Update to version 1.10.0 or later.


Release Notes

parcel-bundler/parcel

v1.10.0

Added
  • Babel 7 support
  • HTML Bundle loader
  • Process inline scripts and styles
  • Added LD+JSON asset
  • Add support for Elm assets
  • Support optionally bundling node_modules for --target=node
  • Import existing sourcemaps
  • Import GraphQL files from other GraphQL files
  • Automatically strip flow types
  • SugarSS Support
  • Minimal verbose/debug mode
  • User friendly error on failed entrypoint resolving
  • Support for SharedWorkers
  • Add Object Spread to default Babel transforms
  • Update help message for --public-url
  • Support HTML5 history mode routing
  • Split cache into multiple folders for faster FS
  • Support array in package.json's sideEffects property
  • Added stub for require.cache
  • Added dotenv-expand to expand env vars
  • Update Typescript to v3.0.0
  • Add --no-content-hash option to build cli
Fixed
  • Exit process on Error
  • Fix non updating asset hashes
  • Fix Sass url resolving
  • WorkerFarm Cleanup
  • Fix infinite loop in resolver when using ~/... imports
  • Default to Dart-Sass and add backwards compatibility for node-sass
  • Validate if a PostCSS config is an object
  • VSCode syntax highlight with PostCSS in Vue Component style tag
  • Glob support in less imports
  • Generate unique certificate serial number
  • Keep name in sourcemaps mappings
  • Replace slack with spectrum badge
  • Use esnext with typescript and scope hoisting
  • Fix sourcemaps failing on refresh/hmr
  • Support sideEffect: false with CommonJS
  • Get only existing package main
  • Load minified built-in if available
  • Support error strings in workers
  • Terminate workerfarm when using the API
  • Fix comment typo
  • Fix dotenv package error
  • Don't resolve slash and tilde paths twice
  • bundle name hash-key generation is not environment independent
  • Don't modify script nodes with text/html type
  • Fix various windows bugs & tests
  • Cross-platform deterministic asset ids
  • allow empty string in meta
  • fixed watch not working when NODE_ENV is production
  • Incorrect casing for Logger require
  • fix security vuln
  • Remove wasm-gc from RustAsset

v1.9.7

Fixed
  • Fix nested async imports from a shared module
  • Prevent nameclashes with internal variables with tree shaking

v1.9.6

Fixed
  • Fix ora spinner in CI environments

v1.9.5

Added
Fixed
  • JSPackager deduplication now accounts for differences in absolute dependency paths
  • Fix worker bundle hoisting
  • Prioritize browser field over module
  • Fix aliasing of folder relative to project folder
  • Only watch directories on macOS
  • Fix generating names when outside of the entry directory
  • Handle invalidating cache if dependency is a glob
  • Fix import deep wildcards with tree-shaking
  • Fix tree-shaking named import on wrapped module
  • Fix circular deps in isolated bundles (e.g. workers)
  • Fix tree-shaking wildcards with sideEffects: false
  • Fix 'buildStart' event is not firing

v1.9.4

Added
  • Upgrade Typescript to 2.9
  • Upgrade DEFAULT_ENGINES node to Node 8
  • Add a buildError event to bundler
  • Use process.env.PARCEL_MAX_CONCURRENT_CALLS environment variable
Fixed
  • Fix Sass dependencies can not be watched when includePaths is a relative path
  • Replaced fwd slashes with backslashes for win to fix sass deps watch
  • Fix sourcemap file size in report
  • fix build not exiting in dev env
  • Prevent postcss-modules plugin config from being deleted after first run

v1.9.3

Fixed
  • Set user provided NODE_ENV if provided with build command
  • Fix bugs related to watching symlinks
  • add cache-dir option to cli
  • Fix tree-shaking DCE
  • Fix writing hashed bundle names to the cache

v1.9.2

Fixed
  • Fix unintended Vue asset supplemental code insertion
  • fix 'Cannot read property 'posthtml' of null

v1.9.1

Fixed
  • fix relative paths being the same as node modules
  • Fix ES6 re-export of CommonJS modules with tree shaking

v1.9.0

Added
  • Tree shaking + scope hoisting for ES6 and CommonJS modules
  • Put filewatcher in a worker, for better stability and performance
  • Cache resolved paths of dependencies
  • Custom less filemanager
  • support for sass specific import syntax
  • Allow --https for watch
  • Fix browser entry-point resolution
  • Use config.locals to render pug template
  • Use async modules when possible
  • Add a bundlestart event
  • Add unit tests for line counter
  • Use async FS in tests
  • Use async fs on new linecounter tests
  • Make CSS assets async
  • Enable posthtml-parse options in posthtmlrc
  • Enforce Prettier (check if prettier is run in lint script)
  • Add support for Cargo workspaces in Rust integration
  • Surface Bundler error to browser
  • Programmatically pass env vars as a whitelist
Fixed
  • Fix bundle hoisting when asset is already in the common bundle
  • Only resolve env vars on bundling when --target=browser
  • improve the time reported by the bundler
  • clear console before accepting updates, not after
  • Lookup correct generated output for bundle type in RawPackager
  • Remove extra argument passed to addAssetToBundle in JSPackager
  • Fix indented syntax type for single file vue components
  • Fix Vue asset supplemental code concatenation
  • Add dependencies referenced by posthtml-include
  • node-sass accepts importer as single function or array of functions
  • Get mtime of folder on wildcard imports
  • Fix vue test
  • Fix absolute and tilde paths for url dependencies
  • Fix failing appveyor test
  • Fix worker environment variable
  • Add test/dist to .prettierignore
  • Fix typo in uglify.js
  • Pass compiler of @vue/component-compiler-utils to parser.
  • Fix package.json configs
  • change Uglify to Terser
Removed
  • Don’t pass package.json and options over IPC

v1.8.1

Fixed
  • Loading modules with AMD Defines

v1.8.0

Added
  • Add support for multiple entry points
  • Support source field in package.json to enable babel on symlinked modules
  • Expose modules as UMD
  • Use parcel's resolver for sass imports
  • Update default browser engines to > 0.25% marketshare
  • Ignore dependencies in falsy branches
  • Clear the console in browser on each HMR
  • Watch directories instead of individual files to fix EMFILE errors
Fixed
  • Prevent build from breaking when .scss file is empty
  • Handle empty config files
  • Update dependency with security vuln
  • Minor change to mkHandle in workerfarm
  • Don't start server if target isn't browser
  • Let worker return early instead of throw on unknown messages
  • change default behaviour to keep default values of HTML form elements
  • Fix autoinstall infinite loop
  • Allow spaces in filenames
  • Update deps
  • Fix reference pass error in package config
  • Remove eval usage. Fixes CSP cases.
  • Remove jsnext:main
  • fix for outFile option; respect file-extension

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate bot commented Mar 24, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

renovate bot changed the title from "Update dependency parcel-bundler to v1.10.0 [SECURITY]" to "Update dependency parcel-bundler to v1.10.0 [SECURITY] - abandoned" on Feb 24, 2024

renovate bot commented Feb 24, 2024

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.
