📦 Update dependency tar to v6.1.9 [SECURITY] #35509
Merged
Hey @estherkim! These files were changed:
renovate bot force-pushed the renovate/npm-tar-vulnerability branch from 9f05b69 to b5eba69 on August 16, 2021 16:47
rsimha approved these changes on Aug 27, 2021
renovate bot force-pushed the renovate/npm-tar-vulnerability branch 3 times, most recently from 79e0c85 to 34dfc6f on August 31, 2021 23:57
renovate bot changed the title from "📦 Update dependency tar to v6.1.2 [SECURITY]" to "📦 Update dependency tar to v6.1.9 [SECURITY]" on Aug 31, 2021
renovate bot changed the title from "📦 Update dependency tar to v6.1.9 [SECURITY]" to "📦 Update dependency tar to v6.1.9 [SECURITY] - autoclosed" on Sep 20, 2021
auto-merge was automatically disabled on September 20, 2021 22:06 (pull request was closed)
renovate bot changed the title from "📦 Update dependency tar to v6.1.9 [SECURITY] - autoclosed" to "📦 Update dependency tar to v6.1.9 [SECURITY]" on Sep 20, 2021
renovate bot force-pushed the renovate/npm-tar-vulnerability branch from 34dfc6f to 60c81a1 on September 20, 2021 22:50
renovate bot force-pushed the renovate/npm-tar-vulnerability branch from 60c81a1 to 390091d on September 29, 2021 17:40
AnuragVasanwala added a commit to rtCamp/amphtml that referenced this pull request on Oct 6, 2021
dethstrobe added a commit that referenced this pull request on Apr 12, 2022
This PR contains the following updates:
tar 6.1.0 -> 6.1.9
tar 6.1.2 -> 6.1.9
See all other Renovate PRs on the Dependency Dashboard
How to resolve breaking changes
This PR may introduce breaking changes that require manual intervention. In such cases, you will need to check out this branch, fix the cause of the breakage, and commit the fix to ensure a green CI build. To check out and update this PR, follow the steps below:
GitHub Vulnerability Alerts
CVE-2021-32803
Impact
Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution
`node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.
Patches
3.2.3 || 4.4.15 || 5.0.7 || 6.1.2
Workarounds
Users may work around this vulnerability without upgrading by creating a custom `filter` method which prevents the extraction of symbolic links. Users are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input themselves.
CVE-2021-32804
Impact
Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution
node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`.

This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite.

Patches
3.2.2 || 4.4.14 || 5.0.6 || 6.1.1
NOTE: an adjacent issue CVE-2021-32803 affects this release level. Please ensure you update to the latest patch levels that address CVE-2021-32803 as well if this adjacent issue affects your node-tar use case.

Workarounds
Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path`, or a `filter` method which removes entries with absolute paths.

Users are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input themselves.
CVE-2021-37701
Impact
Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution
node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created.

This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\` and `/` characters as path separators; however, `\` is a valid filename character on posix systems.

By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extract arbitrary files into that location, thus allowing arbitrary file creation and overwrite.
Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but not from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created.

These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7.
The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available below.

Patches
4.4.16 || 5.0.8 || 6.1.7
Workarounds
Users may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.
Users are encouraged to upgrade to the latest patched versions, rather than attempt to sanitize tar input themselves.
Fix
The problem is addressed in the following way: all paths are normalized to use `/` as a path separator, replacing `\` with `/` on Windows systems, and leaving `\` intact in the path on posix systems. This is performed in depth, at every level of the program where paths are consumed.

Caveat
Note that this means that the `entry` objects exposed in various parts of tar's API will now always use `/` as a path separator, even on Windows systems. This is not expected to cause problems, as `/` is a valid path separator on Windows systems, but may result in issues if `entry.path` is compared against a path string coming from some other API such as `fs.realpath()` or `path.resolve()`.

Users are encouraged to always normalize paths using a well-tested method such as `path.resolve()` before comparing paths to one another.

CVE-2021-37712
Impact
Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution
node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.
This logic was insufficient when extracting tar files that contained two directories and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include directories with two forms of the path that resolve to the same file system entity, followed by a symbolic link with a name in the first form, lastly followed by a file using the second form. This bypassed node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extract arbitrary files into that location, thus allowing arbitrary file creation and overwrite.
The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available below.

Patches
6.1.9 || 5.0.10 || 4.4.18
Workarounds
Users may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.
Users are encouraged to upgrade to the latest patched versions, rather than attempt to sanitize tar input themselves.
Fix
The problem is addressed in the following ways, when comparing paths in the directory cache and path reservation systems: the `String.normalize('NFKD')` method is used to first normalize all unicode to its maximally compatible and multi-code-point form, and all slashes are then normalized to `/` on Windows systems (on posix systems, `\` is a valid filename character, and thus left intact).

CVE-2021-37713
Impact
Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution
node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory.

This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\path`. If the drive letter does not match the extraction target, for example `D:\extraction\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory.

Additionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path.

This only affects users of node-tar on Windows systems.

Patches
4.4.18 || 5.0.10 || 6.1.9
Workarounds
There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does.
Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.
Fix
The fixed versions strip path roots from all paths prior to being resolved against the extraction target folder, even if such paths are not "absolute".
Additionally, a path starting with a drive letter and then two dots, like `c:../`, would bypass the check for `..` path portions. This is checked properly in the patched versions.

Finally, a defense in depth check is added, such that if the `entry.absolute` is outside of the extraction target, and we are not in `preservePaths: true` mode, a warning is raised on that entry, and it is skipped. Currently, it is believed that this check is redundant, but it did catch some oversights in development.

Release Notes
npm/node-tar
v6.1.9
v6.1.8
v6.1.7
v6.1.6
v6.1.5
v6.1.4
v6.1.3
v6.1.2
v6.1.1
Configuration
📅 Schedule: "" in timezone America/Los_Angeles.
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by WhiteSource Renovate. View repository job log here.