Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Upgrade cheerio from 1.0.0-rc.2 to 1.0.0 #40

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

[Snyk] Upgrade cheerio from 1.0.0-rc.2 to 1.0.0 #40

wants to merge 1 commit into from

Conversation

YoshiWalsh
Copy link
Owner

snyk-top-banner

Snyk has created this PR to upgrade cheerio from 1.0.0-rc.2 to 1.0.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 11 versions ahead of your current version.

  • The recommended version was released on 2 months ago.

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
medium severity Information Exposure
SNYK-JS-PARSEURL-2935947		 561 Proof of Concept
critical severity Server-side Request Forgery (SSRF)
SNYK-JS-PARSEURL-2936249		 561 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908		 561 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908		 561 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908		 561 Proof of Concept
high severity Server-side Request Forgery (SSRF)
SNYK-JS-IP-6240864		 561 Proof of Concept
high severity Prototype Pollution
SNYK-JS-Y18N-1021887		 561 Proof of Concept
high severity Prototype Pollution
SNYK-JS-NCONF-2395478		 561 Proof of Concept
high severity Server-side Request Forgery (SSRF)
SNYK-JS-NETMASK-1089716		 561 Proof of Concept
high severity Server-side Request Forgery (SSRF)
SNYK-JS-NETMASK-6056519		 561 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-NTHCHECK-1586032		 561 Proof of Concept
high severity Remote Code Execution (RCE)
SNYK-JS-PACRESOLVER-1564857		 561 Proof of Concept
high severity Authorization Bypass Through User-Controlled Key
SNYK-JS-PARSEPATH-2936439		 561 Proof of Concept
high severity Remote Memory Exposure
SNYK-JS-BL-608877		 561 Proof of Concept
high severity Prototype Pollution
SNYK-JS-INI-1048974		 561 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795		 561 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795		 561 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795		 561 Proof of Concept
high severity Code Injection
SNYK-JS-LODASH-1040724		 561 Proof of Concept
high severity Prototype Pollution
SNYK-JS-LODASH-567746		 561 Proof of Concept
high severity Prototype Pollution
SNYK-JS-LODASH-608086		 561 Proof of Concept
high severity Prototype Pollution
SNYK-JS-LODASH-6139239		 561 Proof of Concept
high severity Prototype Pollution
SNYK-JS-LODASHSET-1320032		 561 Proof of Concept
medium severity Code Injection
SNYK-JS-SNYK-3111871		 561 No Known Exploit
medium severity Command Injection
SNYK-JS-SNYKDOCKERPLUGIN-3039679		 561 Proof of Concept
medium severity Server-Side Request Forgery (SSRF)
SNYK-JS-IP-7148531		 561 Proof of Concept
medium severity Denial of Service (DoS)
SNYK-JS-JSZIP-1251497		 561 Proof of Concept
medium severity Arbitrary File Write via Archive Extraction (Zip Slip)
SNYK-JS-JSZIP-3188562		 561 No Known Exploit
medium severity Prototype Pollution
SNYK-JS-XML2JS-5414874		 561 Proof of Concept
medium severity Command Injection
SNYK-JS-SNYKGOPLUGIN-3037316		 561 Proof of Concept
medium severity Command Injection
SNYK-JS-SNYKGRADLEPLUGIN-3038624		 561 Proof of Concept
medium severity Command Injection
SNYK-JS-SNYKMVNPLUGIN-3038623		 561 Proof of Concept
medium severity Command Injection
SNYK-JS-SNYKPYTHONPLUGIN-3039677		 561 Proof of Concept
medium severity Command Injection
SNYK-JS-SNYKSBTPLUGIN-3038626		 561 Proof of Concept
medium severity Command Injection
SNYK-JS-SNYKSNYKCOCOAPODSPLUGIN-3038625		 561 Proof of Concept
medium severity Prototype Pollution
SNYK-JS-XML2JS-5414874		 561 Proof of Concept
medium severity Prototype Pollution
SNYK-JS-MINIMIST-559764		 561 Proof of Concept
medium severity Cross-site Scripting (XSS)
SNYK-JS-PARSEURL-2935944		 561 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-CSSWHAT-3035488		 561 Proof of Concept
medium severity Prototype Pollution
SNYK-JS-DOTPROP-543489		 561 Proof of Concept
medium severity Open Redirect
SNYK-JS-GOT-2932019		 561 No Known Exploit
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-HOSTEDGITINFO-1088355		 561 Proof of Concept
medium severity Missing Release of Resource after Effective Lifetime
SNYK-JS-INFLIGHT-6095116		 561 Proof of Concept
medium severity Cross-site Scripting (XSS)
SNYK-JS-PARSEURL-2942134		 561 Proof of Concept
medium severity Server-side Request Forgery (SSRF)
SNYK-JS-PARSEURL-3023021		 561 Proof of Concept
medium severity Improper Input Validation
SNYK-JS-PARSEURL-3024398		 561 Proof of Concept
medium severity Command Injection
SNYK-JS-SNYK-3037342		 561 Proof of Concept
medium severity Command Injection
SNYK-JS-SNYK-3038622		 561 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905		 561 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MINIMATCH-3050818		 561 No Known Exploit
low severity Regular Expression Denial of Service (ReDoS)
npm:debug:20170905		 561 Proof of Concept
low severity Regular Expression Denial of Service (ReDoS)
npm:debug:20170905		 561 Proof of Concept
low severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-WORDWRAP-3149973		 561 Proof of Concept
low severity Prototype Pollution
SNYK-JS-MINIMIST-2429795		 561 Proof of Concept
Release notes
Package name: cheerio
  • 1.0.0 - 2024-08-09

    Cheerio 1.0 is here! 🎉

    Announcement Blog Post

    Breaking Changes

    • The minimum NodeJS version is now 18.17 or higher #3959

    • Import paths were simplified. For example, use cheerio/slim instead of
      cheerio/lib/slim. #3970

    • The deprecated default Cheerio instance and static methods were removed. #3974

      Before, it was possible to write code like this:

      import cheerio, { html } from 'cheerio';

      html(cheerio('<test></test>')); // ~ '<test></test>' -- NO LONGER WORKS

      Make sure to always load documents first:

      import * as cheerio from 'cheerio';

      cheerio.load('<test></test>').html();

    • Node types previously re-exported by Cheerio must now be imported directly
      from (domhandler)(https://github.com/fb55/domhandler). #3969

    • htmlparser2 options now reside exclusively under the xml key (#2916):

      const $ = cheerio.load('<html>', {
  xml: {
    withStartIndices: true,
  },
});

    New Features

    • Add functions to load buffers, streams & URLs in NodeJS by @ fb55 in #2857
    • Add extract method by @ fb55 in #2750

    Fixes

    Other

    Full Changelog: v1.0.0-rc.12...v1.0.0

  • 1.0.0-rc.12 - 2022-06-26

    Bugfix release. Fixed issues:

    • Align prop undefined handling with jQuery by @ fb55 in #2557
    • Allow deep imports of cheerio/lib/utils by @ blixt in #2601

    New Contributors

    Full Changelog: v1.0.0-rc.11...v1.0.0-rc.12

  • 1.0.0-rc.11 - 2022-05-20

    [email protected] is hopefully the last RC before the 1.0.0 release of Cheerio. There are two APIs that will be added for the next major release: An exract method (#2523) and NodeJS specific loader methods (#2051). These are still in flux and I'd appreciate feedback on the proposals.

    A big thank you to everyone that contributed to this release! This includes code contributors, as well as the amazing financial support on GitHub Sponsors!

    Under the hood, a lot of work for this release went into updating parse5, cheerio's default HTML parser. Have a look at parse5's release notes to see what has changed there.

    Breaking

    • Cheerio is now a dual CommonJS and ESM module. That means that deep imports will now fail in newer versions of Node. #2508
    • script and style contents are added again in .text() #2509
      • To keep the old behavior, switch .text() to .prop('innerText')
    • The TypeScript types inherited from upstream dependencies have changed. #2503
      • Node types are now using tagged unions, which will make consumption a bit easier.

    Features

    • Relevant options are now forwarded to cheerio-select #2511
    • For the .prop() method:
      • Add textContent and innerText props #2214
      • Users can now specify a baseURI option, which will lead to href and src props to be resolved as URLs. #2510
    • Added a slim export, which will always use htmlparser2 #1960

    Fixes

    • Have text turn passed values to strings #2047
    • Include undefined in the return type of get by @ glen-84 in #2392
    • Recognise comments as HTML #2504
    • Add missing undefined return value #2505
    • Export missing static methods #2506
    • Have style parsing add malformed fields to previous field #2521

    Refactor

    • Use domutils module directly #1928
    • Hand-roll isHTML #1935
    • Move initialization logic to load #1951
    • Only return elements in closest #2057
    • Remove unnecessary code, be more explicit #2279
    • Use stricter TS, ESLint configs #2507
    • Update exported values #2512

    Development Experience

    Docs

    New Contributors

    Full Changelog: v1.0.0-rc.10...v1.0.0-rc.11

  • 1.0.0-rc.10 - 2021-06-08

    Fixes:

    Documentation:

    Refactors:

    v1.0.0-rc.9...v1.0.0-rc.10

  • 1.0.0-rc.9 - 2021-05-06

    Port to TypeScript

    Cheerio has been ported entirely to TypeScript (in #1816)! This eliminates a lot of edge-cases within Cheerio and will allow you to use Cheerio with confidence. This release also features a new documentation website based on TypeDoc, allowing you to quickly navigate all available methods: https://cheerio.js.org

    Breaking change: If you were using the function exported by Cheerio directly instead of first load()ing a document, you will now have to update the require to use the default export.

    - const cheerio = require("cheerio");
    + const cheerio = require("cheerio").default;

    cheerio('div', dom)

    Please note that this way of using Cheerio is deprecated and might be removed in a future version. Please consider updating your code to:

    const cheerio = require("cheerio");

    const $ = cheerio.load(dom)
    $('div')

    Note: Cheerio uses template literal types to determine return types. These are available starting with TypeScript 4.1, so you might have to bump your TypeScript version.

    For TypeScript types, Cheerio now implements the ArrayLike<T> interface. That means that Cheerio instances can contain objects of arbitrary types, but not all methods can be called on them.

    The TypeScript compiler will figure out what structures you are operating on:

    • When calling a loaded Cheerio instance with an HTML string like $('<div>'), it will product a Cheerio<Node> type.
      • Node is the base class for DOM elements and includes eg. comment and text nodes.
    • When calling Cheerio with a selector like $('.foo'), it will produce a Cheerio<Element>, as only Elements can be part of the result set.
      • Element is the class representing tags.
    • You can still use $('...').map() to map to arbitrary values, and will get a compiler error when trying to call method that are not supported.
      • Eg. $('.foo').map((i, el) => $(el).text()).attr('test') will no longer be possible, as .attr is not allowed to be called on a Cheerio<string>.

    This release does not contain other changes to functionality. Feedback is greatly appreciated; if you encounter a problem, please file an issue!

    v1.0.0-rc.6...v1.0.0-rc.9

  • 1.0.0-rc.8 - 2021-05-06

    Second botched release. Please use v1.0.0-rc.9 instead.

  • 1.0.0-rc.7 - 2021-05-06

    Published without a lib directory — please ignore.

  • 1.0.0-rc.6 - 2021-04-08

    Breaking:

    • Fixed the ordering of the output of several methods, including prevAll, prevUntil and parentsUntil. The new order matches jQuery.

    This release contains three breaking changes inherited from dependencies.

    • Selectors (see [email protected]):
      • Several pseudo selectors are now stricter, in line with the HTML spec.
      • Some attributes are now case-insensitive based on the HTML spec.
    • DOM:
      • In XML mode, all elements will have type: 'tag'.

    New features:

    Types:

@snyk-bot
fix: upgrade cheerio from 1.0.0-rc.2 to 1.0.0
22a1fbe 
Snyk has created this PR to upgrade cheerio from 1.0.0-rc.2 to 1.0.0.

See this package in npm:
cheerio

See this project in Snyk:
https://app.snyk.io/org/joshuawalsh/project/f429e8ca-f9cd-4ebf-a425-40a0d88abc3c?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@YoshiWalsh @snyk-bot