🚨 [security] Update eslint 6.6.0 → 6.8.0 (minor) #327

Open
depfu[bot] wants to merge 1 commit into master from depfu/update/npm/eslint-6.8.0
@depfu depfu bot commented Jan 29, 2026


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ eslint (6.6.0 → 6.8.0) · Repo · Changelog

Release Notes

6.8.0

  • c5c7086 Fix: ignore aligning single line in key-spacing (fixes #11414) (#12652) (YeonJuan)
  • 9986d9e Chore: add object option test cases in yield-star-spacing (#12679) (YeonJuan)
  • 1713d07 New: Add no-error-on-unmatched-pattern flag (fixes #10587) (#12377) (ncraley)
  • 5c25a26 Update: autofix bug in lines-between-class-members (fixes #12391) (#12632) (YeonJuan)
  • 4b3cc5c Chore: enable prefer-regex-literals in eslint codebase (#12268) (薛定谔的猫)
  • 05faebb Update: improve suggestion testing experience (#12602) (Brad Zacher)
  • 05f7dd5 Update: Add suggestions for no-unsafe-negation (fixes #12591) (#12609) (Milos Djermanovic)
  • d3e43f1 Docs: Update no-multi-assign explanation (#12615) (Yuping Zuo)
  • 272e4db Fix: no-multiple-empty-lines: Adjust reported loc (#12594) (Tobias Bieniek)
  • a258039 Fix: no-restricted-imports schema allows multiple paths/patterns objects (#12639) (Milos Djermanovic)
  • 51f9620 Fix: improve report location for array-bracket-spacing (#12653) (Milos Djermanovic)
  • 45364af Fix: prefer-numeric-literals doesn't check types of literal arguments (#12655) (Milos Djermanovic)
  • e3c570e Docs: Add example for expression option (#12694) (Arnaud Barré)
  • 6b774ef Docs: Add spacing in comments for no-console rule (#12696) (Nikki Nikkhoui)
  • 7171fca Chore: refactor regex in config comment parser (#12662) (Milos Djermanovic)
  • 1600648 Update: Allow $schema in config (#12612) (Yordis Prieto)
  • acc0e47 Update: support .eslintrc.cjs (refs eslint/rfcs#43) (#12321) (Evan Plaice)
  • 49c1658 Chore: remove bundling of ESLint during release (#12676) (Kai Cataldo)
  • 257f3d6 Chore: complete to move to GitHub Actions (#12625) (Toru Nagashima)
  • ab912f0 Docs: 1tbs with allowSingleLine edge cases (refs #12284) (#12314) (Ari Kardasis)
  • dd1c30e Sponsors: Sync README with website (ESLint Jenkins)
  • a230f84 Update: include node version in cache (#12582) (Eric Wang)
  • 8b65f17 Chore: remove references to parser demo (#12644) (Kai Cataldo)
  • e9cef99 Docs: wrap {{}} in raw liquid tags to prevent interpolation (#12643) (Kai Cataldo)
  • e707453 Docs: Fix configuration example in no-restricted-imports (fixes #11717) (#12638) (Milos Djermanovic)
  • 19194ce Chore: Add tests to cover default object options in comma-dangle (#12627) (YeonJuan)
  • 6e36d12 Update: do not recommend require-atomic-updates (refs #11899) (#12599) (Kai Cataldo)

6.7.2

  • bc435a9 Fix: isSpaceBetweenTokens() recognizes spaces in JSXText (fixes #12614) (#12616) (Toru Nagashima)
  • 4928d51 Fix: don't ignore the entry directory (fixes #12604) (#12607) (Toru Nagashima)
  • b41677a Docs: Clarify suggestion's data in Working with Rules (refs #12606) (#12617) (Milos Djermanovic)
  • ea16de4 Fix: Support tagged template literal generics in no-unexpected-multiline (#11698) (Brad Zacher)
  • fa6415d Sponsors: Sync README with website (ESLint Jenkins)
  • e1e158b Sponsors: Sync README with website (ESLint Jenkins)

6.7.1

  • dd1e9f4 Fix: revert changes to key-spacing due to regression (#12598) (Kai Cataldo)
  • c644b54 Docs: Update README team and sponsors (ESLint Jenkins)

6.7.0

  • 312a88f New: Add grouped-accessor-pairs rule (fixes #12277) (#12331) (Milos Djermanovic)
  • 5c68f5f Update: Add 'lexicalBindings' to no-implicit-globals and change messages (#11996) (Milos Djermanovic)
  • 6eaad96 New: Add suggestions API (#12384) (Will Douglas)
  • b336fbe Fix: indent rule with JSX spread props (#12581) (Nathan Woltman)
  • 97c745d Update: Report assignment expression location in no-cond-assign (#12465) (Milos Djermanovic)
  • 0f01f3d Update: Check member expressions with this in operator-assignment (#12495) (Milos Djermanovic)
  • 62c7038 Fix: invalid token checking in computed-property-spacing (fixes #12198) (#12533) (YeonJuan)
  • 4f8a1ee Update: Add enforceForClassMembers option to no-useless-computed-key (#12110) (ark120202)
  • 1a2eb99 New: new rule no-constructor-return (fixes #12481) (#12529) (Pig Fang)
  • ca3b2a6 New: ignorePatterns in config files (refs eslint/rfcs#22) (#12274) (Toru Nagashima)
  • 60204a3 Docs: Added another Textmate 2 bundle. (#12580) (Ryan Fitzer)
  • 62623f9 Fix: preserve whitespace in multiline-comment-style (fixes #12312) (#12316) (Kai Cataldo)
  • 17a8849 New: Add no-dupe-else-if rule (fixes #12469) (#12504) (Milos Djermanovic)
  • 41a78fd Update: improve location for semi and comma-dangle (#12380) (Chiawen Chen)
  • 0a480f8 Docs: Change "Code Conventions" link in pull-requests.md (#12401) (Denis Sikuler)
  • fed20bb Fix: require-await crash on global await (#12571) (Brad Zacher)
  • b8030fc Update: deprecate personal config (fixes #11914, refs eslint/rfcs#32) (#12426) (Toru Nagashima)
  • 40c8c32 Fix: improve report location for object-curly-spacing (#12563) (Milos Djermanovic)
  • 1110045 Fix: ignore marker-only comments in spaced-comment (fixes #12036) (#12558) (Milos Djermanovic)
  • 6503cb8 Update: Fix uglified object align in key-spacing (fixes #11414) (#12472) (YeonJuan)
  • 40791af Docs: clarify ignoreDestructuring option in the camelcase rule (#12553) (Milos Djermanovic)
  • 07d398d Chore: Add GitHub organization to Sponsor button (#12562) (Brandon Mills)
  • a477707 Chore: Format style guide links so they can be clicked (#12189) (Ivan V)
  • 0f7edef Update: add react plugin config for eslint init (#12446) (Ibrahim Rouis)
  • 448ff1e Update: Report '\08' and '\09' in no-octal-escape (fixes #12080) (#12526) (Milos Djermanovic)
  • 45aa6a3 New: Add no-setter-return rule (fixes #12285) (#12346) (Milos Djermanovic)
  • 0afb518 Fix: invalid autofix in function-call-argument-newline (fixes #12454) (#12539) (YeonJuan)
  • 90305e0 Update: Deprecate isSpaceBetweenTokens() (#12519) (Kai Cataldo)
  • 41b1e43 New: add option for camelcase (fixes #12527) (#12528) (Pig Fang)
  • f49f1e0 Upgrade: upgrade optionator to avoid license issue (fixes #11536) (#12537) (Pig Fang)
  • 0286b57 Docs: Clean up Getting Started Guide (#12544) (Nicholas C. Zakas)
  • 575a98d Chore: Add funding field to package.json (#12543) (Nicholas C. Zakas)
  • 9e29e18 Fix: sourceCode#isSpaceBetweenTokens() checks non-adjacent tokens (#12491) (Kai Cataldo)
  • 5868550 Docs: add notice about function keyword in keyword-spacing (#12524) (Pig Fang)
  • bb556d5 Fix: curly multi reports single lexical declarations (fixes #11908) (#12513) (Milos Djermanovic)
  • ac60621 Fix: unexpected autofix in prefer-const (fixes #12514) (#12521) (YeonJuan)
  • 990065e Update: curly multi-or-nest flagging semis on next line (fixes #12370) (#12378) (cherryblossom000)
  • 084a8a6 Fix: no-cond-assign with always option reports switch case clauses (#12470) (Milos Djermanovic)
  • 7e41355 Update: improve report location for space-infix-ops (#12324) (Chiawen Chen)
  • 94ff921 Update: Add capIsConstructor option to no-invalid-this (fixes #12271) (#12308) (Milos Djermanovic)
  • de65de6 New: Add prefer-exponentiation-operator rule (fixes #10482) (#12360) (Milos Djermanovic)
  • c78f4a7 Update: Allow JSX exception in no-inline-comments (fixes #11270) (#12388) (Milos Djermanovic)
  • e17fb90 New: allowAfterThisConstructor for no-underscore-dangle (fixes #11488) (#11489) (sripberger)
  • 287ca56 Build: update CI for Node.js 13 (#12496) (Toru Nagashima)
  • 98e1d50 Upgrade: globals to v12.1.0 (#12296) (Tony Brix)
  • 8ac71a3 Sponsors: Sync README with website (ESLint Jenkins)
  • 4e142ea Docs: Update README team and sponsors (ESLint Jenkins)

Does any of this look wrong? Please let us know.

✳️ chart.js (2.9.1 → 2.9.4) · Repo

Security Advisories 🚨

🚨 Prototype pollution in chart.js

This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.

Release Notes

2.9.4

This is the last release of v2 and focused on fixing bugs identified in the v2.9.3 release.

Bugs Fixed

  • #7404 - Preserve prototypes when cloning. Thanks @iddings
  • #7587 - Fix docs for external moment.js. Thanks @mojoaxel
  • #7853 - Fix box recursion when dimensions are NaN. Thanks @alessandroasm
  • #7883 - Fix call stack exception when computing label sizes. Thanks @silentmatt
  • #7918 - Prevent global prototype pollution via the merge helper
  • #7920 - Use Object.create(null) as merge target, to prevent prototype pollution

2.9.3

Bug Fixes

  • #6698 Fix undefined variable
  • #6719 Don't make legend empty when fill is false

Thanks to the maintainers and collaborators for their help to improve and test Chart.js (@kurkle, @benmccann, and @etimberg).

2.9.2

Bug Fixes

  • #6641 IE11 & Edge compatible style injection
  • #6655 Backwards compatible default fill for radar charts
  • #6660 Improve clipping of line charts when border widths are large
  • #6661 When a legend item is clicked, make sure the correct item is hidden
  • #6663 Refresh package-lock file to pick up new dependency

Performance

  • #6671 Stop unnecessary line calculations

Documentation

  • #6643 Combine performance documentation sections

Thanks to the maintainers and collaborators for their help to improve and test Chart.js (@nagix, @kurkle, @benmccann, @etimberg and @simonbrunel).

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ acorn-jsx (indirect, 5.1.0 → 5.3.2) · Repo

Release Notes

5.2.0

Forbid } and > in JSX text (#108). This was previously allowed, but went against the spec (#106).

Sorry, we couldn't find anything useful about this release.

↗️ ansi-escapes (indirect, 4.2.1 → 4.3.2) · Repo

Release Notes

4.3.2

v4.3.1...v4.3.2

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ cli-width (indirect, 2.2.0 → 3.0.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ deep-is (indirect, 0.1.3 → 0.1.4) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ eslint-scope (indirect, 5.0.0 → 5.1.1) · Repo · Changelog

Release Notes

5.1.1

  • 9b528d7 Upgrade: esrecurse version to ^4.3.0 (#64) (Timofey Kachalov)
  • f758bbc Chore: fix definiton -> definition typo in comments (#63) (Kevin Kirsche)
  • 7513734 Chore: move to GitHub Actions (#62) (Kai Cataldo)

5.1.0

  • d4a3764 Update: support new export syntax (#56) (Toru Nagashima)

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ eslint-visitor-keys (indirect, 1.1.0 → 1.3.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ espree (indirect, 6.1.2 → 6.2.1) · Repo · Changelog

Release Notes

6.2.1

6.2.0

  • ced1b68 Update: update acorn-jsx and fix failing test (#432) (Kai Cataldo)
  • acb8776 Update: add latestEcmaVersion & supportedEcmaVersions (#430) (Kai Cataldo)

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ esquery (indirect, 1.0.1 → 1.7.0) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ esrecurse (indirect, 4.2.1 → 4.3.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ figures (indirect, 3.1.0 → 3.2.0) · Repo

Release Notes

3.2.0

  • Export platform-specific symbol sets (#32) f1ad9fe

v3.1.0...v3.2.0

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ flatted (indirect, 2.0.1 → 2.0.2) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ glob-parent (indirect, 5.1.0 → 5.1.2) · Repo · Changelog

Security Advisories 🚨

🚨 glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Release Notes

5.1.2

Bug Fixes

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ import-fresh (indirect, 3.1.0 → 3.3.1) · Repo

Release Notes

3.3.1


v3.3.0...v3.3.1

3.3.0

v3.2.2...v3.3.0

3.2.2

  • Handle there being no parent module (#19) 3d27ebc

v3.2.1...v3.2.2

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ inquirer (indirect, 7.0.0 → 7.3.3) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ is-glob (indirect, 4.0.1 → 4.0.3) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ onetime (indirect, 5.1.0 → 5.1.2) · Repo

Release Notes

5.1.2

v5.1.1...v5.1.2

5.1.1

  • Documentation fixes

v5.1.0...v5.1.1

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rxjs (indirect, 6.5.3 → 6.6.7) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tslib (indirect, 1.10.0 → 1.14.1) · Repo

Release Notes

1.14.1

Long discussion in the webpack issues

1.13.0

This release reverts breaking changes in tslib that were not compatible with versions of TypeScript prior to 3.9. The behavior slightly diverges from that of TypeScript 3.9, but generally is compatible with previous versions of TypeScript-authored code.

The new behavior of TypeScript 3.9 will be available in tslib 2.0.0.

See this pull request for more details.

1.12.0

This release adds the __createBinding helper function which is used by non-ECMAScript module emit in TypeScript 3.9.

1.11.2

This release relicenses tslib to the 0BSD license which should allow projects that embed or bundle tslib to omit its license header.

1.11.1

This release updates tslib's declaration files so that users don't have to include declarations for WeakMap in their compilation.

1.11.0

This release provides the __classPrivateFieldGet and __classPrivateFieldSet helper functions to power ECMAScript private fields in TypeScript 3.8.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ type-fest (indirect, 0.5.2 → 0.8.1) · Repo

Release Notes

0.8.1

  • Allow objects with non-existing keys in the PartialDeep type (#60) 1b34d7e

v0.8.0...v0.8.1

0.8.0

v0.7.1...v0.8.0

0.7.1

v0.7.0...v0.7.1

0.6.0

Breaking:

  • Rename the Omit type to Except (#44) cfac1de
    We had to rename this type because TypeScript 3.5 introduced a type with the same name, but less strict... Read more here.

Enhancements:

Fixes:

  • Add missing Yarn field to the PackageJson type 5809b49

v0.5.2...v0.6.0

Sorry, we couldn't find anything useful about this release.

↗️ v8-compile-cache (indirect, 2.1.0 → 2.4.0) · Repo · Changelog

Release Notes

2.4.0 (from changelog)

  • Fix segmentation fault with Rosetta on Apple Silicon #45.

2.3.0 (from changelog)

  • Fix use require.main instead of module.parent #34.

2.2.0 (from changelog)

  • Added V8_COMPILE_CACHE_CACHE_DIR option #23.

2.1.1 (from changelog)

  • Stop using process.umask() #28.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ word-wrap (indirect, 1.2.3 → 1.2.5) · Repo

Security Advisories 🚨

🚨 word-wrap vulnerable to Regular Expression Denial of Service

All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.

Release Notes

1.2.5

Changes:

Reverts default value for options.indent to two spaces ' '.

Full Changelog: 1.2.4...1.2.5

1.2.4

What's Changed

New Contributors

Full Changelog: 1.2.3...1.2.4

Commits

See the full diff on Github. The new version differs by more commits than we can show here.


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu cancel merge: Cancels automatic merging of this PR
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Jan 29, 2026