Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade: cheerio, mkdirp, slug, superagent #552

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

WontonSam
Copy link
Owner

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Name Versions Released on

cheerio
from 1.0.0-rc.3 to 1.0.0 | 10 versions ahead of your current version | a month ago
on 2024-08-09
mkdirp
from 0.5.5 to 3.0.1 | 16 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | a year ago
on 2023-04-24
slug
from 1.1.0 to 9.1.0 | 47 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | 4 months ago
on 2024-05-24
superagent
from 5.2.2 to 10.1.0 | 34 versions ahead of your current version
⚠️ This is a major version upgrade, and may be a breaking change | a month ago
on 2024-08-24

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Code Injection
SNYK-JS-LODASH-1040724
58 Proof of Concept
high severity Prototype Pollution
SNYK-JS-LODASH-567746
58 Proof of Concept
high severity Prototype Pollution
SNYK-JS-LODASH-608086
58 Proof of Concept
high severity Prototype Pollution
SNYK-JS-LODASH-6139239
58 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-NTHCHECK-1586032
58 Proof of Concept
high severity Prototype Poisoning
SNYK-JS-QS-3153490
58 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795
58 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-COOKIEJAR-3149984
58 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905
58 Proof of Concept
low severity Regular Expression Denial of Service (ReDoS)
npm:debug:20170905
58 Proof of Concept
low severity Prototype Pollution
SNYK-JS-MINIMIST-2429795
58 Proof of Concept
Release notes
Package name: cheerio
  • 1.0.0 - 2024-08-09

    Cheerio 1.0 is here! 🎉

    Announcement Blog Post

    Breaking Changes

    • The minimum NodeJS version is now 18.17 or higher #3959

    • Import paths were simplified. For example, use cheerio/slim instead of
      cheerio/lib/slim. #3970

    • The deprecated default Cheerio instance and static methods were removed. #3974

      Before, it was possible to write code like this:

      import cheerio, { html } from 'cheerio';

      html(cheerio('<test></test>')); // ~ '<test></test>' -- NO LONGER WORKS

      Make sure to always load documents first:

      import * as cheerio from 'cheerio';

      cheerio.load('<test></test>').html();

    • Node types previously re-exported by Cheerio must now be imported directly
      from (domhandler)(https://github.com/fb55/domhandler). #3969

    • htmlparser2 options now reside exclusively under the xml key (#2916):

      const $ = cheerio.load('<html>', {
        xml: {
          withStartIndices: true,
        },
      });

    New Features

    • Add functions to load buffers, streams & URLs in NodeJS by @ fb55 in #2857
    • Add extract method by @ fb55 in #2750

    Fixes

    Other

    Full Changelog: v1.0.0-rc.12...v1.0.0

  • 1.0.0-rc.12 - 2022-06-26

    Bugfix release. Fixed issues:

    • Align prop undefined handling with jQuery by @ fb55 in #2557
    • Allow deep imports of cheerio/lib/utils by @ blixt in #2601

    New Contributors

    Full Changelog: v1.0.0-rc.11...v1.0.0-rc.12

  • 1.0.0-rc.11 - 2022-05-20

    [email protected] is hopefully the last RC before the 1.0.0 release of Cheerio. There are two APIs that will be added for the next major release: An exract method (#2523) and NodeJS specific loader methods (#2051). These are still in flux and I'd appreciate feedback on the proposals.

    A big thank you to everyone that contributed to this release! This includes code contributors, as well as the amazing financial support on GitHub Sponsors!

    Under the hood, a lot of work for this release went into updating parse5, cheerio's default HTML parser. Have a look at parse5's release notes to see what has changed there.

    Breaking

    • Cheerio is now a dual CommonJS and ESM module. That means that deep imports will now fail in newer versions of Node. #2508
    • script and style contents are added again in .text() #2509
      • To keep the old behavior, switch .text() to .prop('innerText')
    • The TypeScript types inherited from upstream dependencies have changed. #2503
      • Node types are now using tagged unions, which will make consumption a bit easier.

    Features

    • Relevant options are now forwarded to cheerio-select #2511
    • For the .prop() method:
      • Add textContent and innerText props #2214
      • Users can now specify a baseURI option, which will lead to href and src props to be resolved as URLs. #2510
    • Added a slim export, which will always use htmlparser2 #1960

    Fixes

    • Have text turn passed values to strings #2047
    • Include undefined in the return type of get by @ glen-84 in #2392
    • Recognise comments as HTML #2504
    • Add missing undefined return value #2505
    • Export missing static methods #2506
    • Have style parsing add malformed fields to previous field #2521

    Refactor

    • Use domutils module directly #1928
    • Hand-roll isHTML #1935
    • Move initialization logic to load #1951
    • Only return elements in closest #2057
    • Remove unnecessary code, be more explicit #2279
    • Use stricter TS, ESLint configs #2507
    • Update exported values #2512

    Development Experience

    Docs

    New Contributors

    Full Changelog: v1.0.0-rc.10...v1.0.0-rc.11

  • 1.0.0-rc.10 - 2021-06-08

    Fixes:

    Documentation:

    Refactors:

    v1.0.0-rc.9...v1.0.0-rc.10

  • 1.0.0-rc.9 - 2021-05-06

    Port to TypeScript

    Cheerio has been ported entirely to TypeScript (in #1816)! This eliminates a lot of edge-cases within Cheerio and will allow you to use Cheerio with confidence. This release also features a new documentation website based on TypeDoc, allowing you to quickly navigate all available methods: https://cheerio.js.org


    Breaking change: If you were using the function exported by Cheerio directly instead of first load()ing a document, you will now have to update the require to use the default export.

    - const cheerio = require("cheerio");
    + const cheerio = require("cheerio").default;

    cheerio('div', dom)

    Please note that this way of using Cheerio is deprecated and might be removed in a future version. Please consider updating your code to:

    const cheerio = require("cheerio");

    const $ = cheerio.load(dom)
    $('div')


    Note: Cheerio uses template literal types to determine return types. These are available starting with TypeScript 4.1, so you might have to bump your TypeScript version.

    For TypeScript types, Cheerio now implements the ArrayLike<T> interface. That means that Cheerio instances can contain objects of arbitrary types, but not all methods can be called on them.

    The TypeScript compiler will figure out what structures you are operating on:

    • When calling a loaded Cheerio instance with an HTML string like $('<div>'), it will product a Cheerio<Node> type.
      • Node is the base class for DOM elements and includes eg. comment and text nodes.
    • When calling Cheerio with a selector like $('.foo'), it will produce a Cheerio<Element>, as only Elements can be part of the result set.
      • Element is the class representing tags.
    • You can still use $('...').map() to map to arbitrary values, and will get a compiler error when trying to call method that are not supported.
      • Eg. $('.foo').map((i, el) => $(el).text()).attr('test') will no longer be possible, as .attr is not allowed to be called on a Cheerio<string>.

    This release does not contain other changes to functionality. Feedback is greatly appreciated; if you encounter a problem, please file an issue!

    v1.0.0-rc.6...v1.0.0-rc.9

  • 1.0.0-rc.8 - 2021-05-06

    Second botched release. Please use v1.0.0-rc.9 instead.

  • 1.0.0-rc.7 - 2021-05-06

    Published without a lib directory — please ignore.

  • 1.0.0-rc.6 - 2021-04-08

    Breaking:

    • Fixed the ordering of the output of several methods, including prevAll, prevUntil and parentsUntil. The new order matches jQuery.

    This release contains three breaking changes inherited from dependencies.

    • Selectors (see [email protected]):
      • Several pseudo selectors are now stricter, in line with the HTML spec.
      • Some attributes are now case-insensitive based on the HTML spec.
    • DOM:
      • In XML mode, all elements will have type: 'tag'.

    New features:

    Types:

    Bug fixes:

Snyk has created this PR to upgrade:
  - cheerio from 1.0.0-rc.3 to 1.0.0.
    See this package in npm: https://www.npmjs.com/package/cheerio
  - mkdirp from 0.5.5 to 3.0.1.
    See this package in npm: https://www.npmjs.com/package/mkdirp
  - slug from 1.1.0 to 9.1.0.
    See this package in npm: https://www.npmjs.com/package/slug
  - superagent from 5.2.2 to 10.1.0.
    See this package in npm: https://www.npmjs.com/package/superagent

See this project in Snyk:
https://app.snyk.io/org/cachiman/project/46d9e07b-e4e5-4657-b901-198aa256d3a9?utm_source=github&utm_medium=referral&page=upgrade-pr
Copy link

google-cla bot commented Sep 23, 2024

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
2 participants