🤖 Dependency update

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Adoption	Passing	Confidence
node		major	12.18.3 -> 18.17.1
		lockFileMaintenance	All locks refreshed
@types/node (source)	devDependencies	major	14.14.28 -> 20.5.1
@types/react (source)	devDependencies	major	17.0.2 -> 18.2.20
@types/react-copy-to-clipboard (source)	devDependencies	patch	5.0.0 -> 5.0.4
@types/styled-components (source)	devDependencies	patch	5.1.7 -> 5.1.26
axios (source)	dependencies	patch	0.21.1 -> 0.21.2
babel-plugin-styled-components (source)	devDependencies	major	1.12.0 -> 2.1.4
circleci/node	docker	major	12.18.3 -> 17.2.0
eslint (source)	devDependencies	major	7.20.0 -> 8.47.0
eslint-config-airbnb	devDependencies	major	18.2.1 -> 19.0.4
eslint-config-prettier	devDependencies	major	7.2.0 -> 9.0.0
eslint-plugin-import	devDependencies	minor	2.22.1 -> 2.28.1
eslint-plugin-jest	devDependencies	major	24.1.3 -> 27.2.3
eslint-plugin-jsx-a11y	devDependencies	minor	6.4.1 -> 6.7.1
eslint-plugin-prettier	devDependencies	major	3.3.1 -> 5.0.0
eslint-plugin-react	devDependencies	minor	7.22.0 -> 7.33.2
jest (source)	devDependencies	major	26.6.3 -> 29.6.2
next (source)	dependencies	major	10.0.6 -> 12.1.0
node	engines	major	12.20.1 -> 18.17.1
prettier (source)	dependencies	major	2.2.1 -> 3.0.2
prettier (source)	devDependencies	major	2.2.1 -> 3.0.2
prop-types (source)	dependencies	minor	15.7.2 -> 15.8.1
react (source)	dependencies	major	17.0.1 -> 18.2.0
react-copy-to-clipboard	dependencies	minor	5.0.3 -> 5.1.0
react-dom (source)	dependencies	major	17.0.1 -> 18.2.0
react-dropzone	dependencies	major	11.3.1 -> 14.2.3
svgo	dependencies	major	1.3.2 -> 3.0.2
styled-components (source)	dependencies	major	5.2.1 -> 6.0.7
typescript (source)	devDependencies	major	4.1.5 -> 5.1.6

GitHub Vulnerability Alerts

CVE-2021-3749

axios before v0.21.2 is vulnerable to Inefficient Regular Expression Complexity.

CVE-2021-39178

Impact

• Affected: All of the following must be true to be affected
  • Next.js between version 10.0.0 and 11.1.0
  • The next.config.js file has images.domains array assigned
  • The image host assigned in images.domains allows user-provided SVG
• Not affected: The next.config.js file has images.loader assigned to something other than default
• Not affected: Deployments on Vercel are not affected

Patches

Next.js v11.1.1

CVE-2022-23646

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change next.config.js to use a different loader configuration other than the default.

Impact

• Affected: All of the following must be true to be affected
  • Next.js between version 10.0.0 and 12.0.10
  • The next.config.js file has images.domains array assigned
  • The image host assigned in images.domains allows user-provided SVG
• Not affected: The next.config.js file has images.loader assigned to something other than default

Patches

Next.js 12.1.0

Workarounds

Change next.config.js to use a different loader configuration other than the default, for example:

module.exports = {
  images: {
    loader: 'imgix',
    path: 'https://example.com/myaccount/',
  },
}

Or if you want to use the loader prop on the component, you can use custom:

module.exports = {
  images: {
    loader: 'custom',
  },
}

CVE-2021-43803

Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that prior version 0.9.9 package next hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.

CVE-2021-37699

Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated, allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.

Impact

• Affected: Users of Next.js between 10.0.5 and 10.2.0
• Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js without getInitialProps
• Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js and next export
• Not affected: Deployments on Vercel (vercel.com) are not affected
• Not affected: Deployments with pages/404.js
• Note that versions prior to 0.9.9 package next npm package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.

We recommend upgrading to the latest version of Next.js to improve the overall security of your application.

Patches

https://github.com/vercel/next.js/releases/tag/v11.1.0

---

Release Notes

nodejs/node (node)

v18.17.1: 2023-08-09, Version 18.17.1 'Hydrogen' (LTS), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

• CVE-2023-32002: Policies can be bypassed via Module._load (High)
• CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
• CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
• OpenSSL Security Releases
  • OpenSSL security advisory 14th July.
  • OpenSSL security advisory 19th July.
  • OpenSSL security advisory 31st July

More detailed information on each of the vulnerabilities can be found in August 2023 Security Releases blog post.

Commits

• [fe3abdf82e] - deps: update archs files for openssl-3.0.10+quic1 (Node.js GitHub Bot) #​49036
• [2c5a522d9c] - deps: upgrade openssl sources to quictls/openssl-3.0.10+quic1 (Node.js GitHub Bot) #​49036
• [15bced0bde] - policy: handle Module.constructor and main.extensions bypass (RafaelGSS) nodejs-private/node-private#417
• [d4570fae35] - policy: disable process.binding() when enabled (Tobias Nießen) nodejs-private/node-private#460

v18.17.0: 2023-07-18, Version 18.17.0 'Hydrogen' (LTS), @​danielleadams

Compare Source

Notable Changes

Ada 2.0

Node.js v18.17.0 comes with the latest version of the URL parser, Ada. This update brings significant performance improvements
to URL parsing, including enhancements to the url.domainToASCII and url.domainToUnicode functions in node:url.

Ada 2.0 has been integrated into the Node.js codebase, ensuring that all parts of the application can benefit from the
improved performance. Additionally, Ada 2.0 features a significant performance boost over its predecessor, Ada 1.0.4,
while also eliminating the need for the ICU requirement for URL hostname parsing.

Contributed by Yagiz Nizipli and Daniel Lemire in #​47339

Web Crypto API

Web Crypto API functions' arguments are now coerced and validated as per their WebIDL definitions like in other Web Crypto API implementations.
This further improves interoperability with other implementations of Web Crypto API.

Contributed by Filip Skokan in #​46067

• crypto:
  • update root certificates to NSS 3.89 (Node.js GitHub Bot) #​47659
• dns:
  • (SEMVER-MINOR) expose getDefaultResultOrder (btea) #​46973
• doc:
  • add ovflowd to collaborators (Claudio Wunder) #​47844
  • add KhafraDev to collaborators (Matthew Aitken) #​47510
• events:
  • (SEMVER-MINOR) add getMaxListeners method (Matthew Aitken) #​47039
• fs:
  • (SEMVER-MINOR) add support for mode flag to specify the copy behavior (Tetsuharu Ohzeki) #​47084
  • (SEMVER-MINOR) add recursive option to readdir and opendir (Ethan Arrowood) #​41439
  • (SEMVER-MINOR) add support for mode flag to specify the copy behavior (Tetsuharu Ohzeki) #​47084
  • (SEMVER-MINOR) implement byob mode for readableWebStream() (Debadree Chatterjee) #​46933
• http:
  • (SEMVER-MINOR) prevent writing to the body when not allowed by HTTP spec (Gerrard Lindsay) #​47732
  • (SEMVER-MINOR) remove internal error in assignSocket (Matteo Collina) #​47723
  • (SEMVER-MINOR) add highWaterMark opt in http.createServer (HinataKah0) #​47405
• lib:
  • (SEMVER-MINOR) add webstreams to Duplex.from() (Debadree Chatterjee) #​46190
  • (SEMVER-MINOR) implement AbortSignal.any() (Chemi Atlow) #​47821
• module:
  • change default resolver to not throw on unknown scheme (Gil Tayar) #​47824
• node-api:
  • (SEMVER-MINOR) define version 9 (Chengzhong Wu) #​48151
  • (SEMVER-MINOR) deprecate napi_module_register (Vladimir Morozov) #​46319
• stream:
  • (SEMVER-MINOR) preserve object mode in compose (Raz Luvaton) #​47413
  • (SEMVER-MINOR) add setter & getter for default highWaterMark (#​46929) (Robert Nagy) #​46929
• test:
  • unflake test-vm-timeout-escape-nexttick (Santiago Gimeno) #​48078
• test_runner:
  • (SEMVER-MINOR) add shorthands to test (Chemi Atlow) #​47909
  • (SEMVER-MINOR) support combining coverage reports (Colin Ihrig) #​47686
  • (SEMVER-MINOR) execute before hook on test (Chemi Atlow) #​47586
  • (SEMVER-MINOR) expose reporter for use in run api (Chemi Atlow) #​47238
• tools:
  • update LICENSE and license-builder.sh (Santiago Gimeno) #​48078
• url:
  • (SEMVER-MINOR) implement URL.canParse (Matthew Aitken) #​47179
• wasi:
  • (SEMVER-MINOR) no longer require flag to enable wasi (Michael Dawson) #​47286

Commits

• [2ba08ac002] - benchmark: use cluster.isPrimary instead of cluster.isMaster (Deokjin Kim) #​48002
• [60ca69d96c] - benchmark: add eventtarget creation bench (Rafael Gonzaga) #​47774
• [d8233d96bb] - benchmark: add a benchmark for defaultResolve (Antoine du Hamel) #​47543
• [a1aabb6912] - benchmark: fix invalid requirementsURL (Deokjin Kim) #​47378
• [394c61caf9] - bootstrap: support namespaced builtins in snapshot scripts (Joyee Cheung) #​47467
• [0165a765a0] - bootstrap: do not expand process.argv[1] for snapshot entry points (Joyee Cheung) #​47466
• [cca557cdd9] - buffer: combine checking range of sourceStart in buf.copy (Deokjin Kim) #​47758
• [4c69be467c] - buffer: use private properties for brand checks in File (Matthew Aitken) #​47154
• [d002f9b6e2] - build: revert unkonwn ruff selector (Moshe Atlow) #​48753
• [93f77cb762] - build: set v8_enable_webassembly=false when lite mode is enabled (Cheng Shao) #​48248
• [1662e894f3] - build: add action to close stale PRs (Michael Dawson) #​48051
• [5ca437b288] - build: use pathlib for paths (Mohammed Keyvanzadeh) #​47581
• [72443bc54b] - build: refactor configure.py (Mohammed Keyvanzadeh) #​47667
• [d4eecb5be9] - build: add devcontainer configuration (Tierney Cyren) #​40825
• [803ed41144] - build: bump ossf/scorecard-action from 2.1.2 to 2.1.3 (dependabot[bot]) #​47367
• [48468c4413] - build: replace Python linter flake8 with ruff (Christian Clauss) #​47519
• [3ceb2c4387] - build: add node-core-utils to setup (Jiawen Geng) #​47442
• [fdc59b8e14] - build: bump github/codeql-action from 2.2.6 to 2.2.9 (dependabot[bot]) #​47366
• [3924893023] - build: update stale action from v7 to v8 (Rich Trott) #​47357
• [753185c5b0] - build: remove Python pip --no-user option (Christian Clauss) #​47372
• [67af0a6a2b] - build: avoid usage of pipes library (Mohammed Keyvanzadeh) #​47271
• [db910dd6b2] - build, deps, tools: avoid excessive LTO (Konstantin Demin) #​47313
• [35d1def891] - child_process: use signal.reason in child process abort (Debadree Chatterjee) #​47817
• [7692d2e7b9] - cluster: use ObjectPrototypeHasOwnProperty (Daeyeon Jeong) #​48141
• [7617772762] - crypto: use openssl's own memory BIOs in crypto_context.cc (GauriSpears) #​47160
• [8cabfe7c6e] - crypto: fix setEngine() when OPENSSL_NO_ENGINE set (Tobias Nießen) #​47977
• [de1338da05] - crypto: fix webcrypto private/secret import with empty usages (Filip Skokan) #​47877
• [27a696fda9] - crypto: update root certificates to NSS 3.89 (Node.js GitHub Bot) #​47659
• [e2292f936e] - crypto: remove INT_MAX restriction in randomBytes (Tobias Nießen) #​47559
• [a5f214c00c] - crypto: replace THROW with CHECK for scrypt keylen (Tobias Nießen) #​47407
• [dd42214fd4] - crypto: unify validation of checkPrime checks (Tobias Nießen) #​47165
• [76e4d12fb3] - crypto: re-add padding for AES-KW wrapped JWKs (Filip Skokan) #​46563
• [9d894c17dd] - crypto: use WebIDL converters in WebCryptoAPI (Filip Skokan) #​46067
• [6f3a8b45a5] - deps: update ada to 2.5.0 (Node.js GitHub Bot) #​48223
• [075b6db919] - deps: update ada to 2.4.2 (Node.js GitHub Bot) #​48092
• [a4ee1f652c] - deps: update ada to 2.4.1 (Node.js GitHub Bot) #​48036
• [81b514d3f0] - deps: update ada to 2.4.0 (Node.js GitHub Bot) #​47922
• [575ddf694f] - deps: update ada to 2.3.1 (Node.js GitHub Bot) #​47893
• [2d03d5f458] - deps: update ada to 2.3.0 (Node.js GitHub Bot) #​47737
• [42e690f2d5] - deps: update ada to 2.2.0 (Node.js GitHub Bot) #​47678
• [08dd271521] - deps: update ada to 2.1.0 (Node.js GitHub Bot) #​47598
• [96c50ba71f] - deps: update ada to 2.0.0 (Node.js GitHub Bot) #​47339
• [4d1c38b758] - deps: update zlib to 337322d (Node.js GitHub Bot) #​48218
• [74206b2549] - deps: update histogram 0.11.8 (Marco Ippolito) #​47742
• [fbb4b3775d] - deps: update histogram to 0.11.7 (Marco Ippolito) #​47742
• [e88c079022] - deps: update simdutf to 3.2.12 (Node.js GitHub Bot) #​48118
• [48bd1248b9] - deps: update minimatch to 9.0.1 (Node.js GitHub Bot) #​48094
• [d4572d31fa] - deps: update corepack to 0.18.0 (Node.js GitHub Bot) #​48091
• [8090d29dc4] - deps: update uvwasi to 0.0.18 (Node.js GitHub Bot) #​47866
• [169c8eea2e] - deps: update uvwasi to 0.0.17 (Node.js GitHub Bot) #​47866
• [6acbb23380] - deps: upgrade npm to 9.6.7 (npm team) #​48062
• [e8f2c0a58b] - deps: update undici to 5.22.1 (Node.js GitHub Bot) #​47994
• [9309fd3120] - deps: update simdutf to 3.2.9 (Node.js GitHub Bot) #​47983
• [b796d3560a] - deps: upgrade npm to 9.6.6 (npm team) #​47862
• [cce372e14e] - deps: V8: cherry-pick c5ab3e4 (Richard Lau) #​47736
• [7283486adb] - deps: update undici to 5.22.0 (Node.js GitHub Bot) #​47679
• [2ea6e03003] - deps: add minimatch as a dependency (Moshe Atlow) #​47499
• [261e1d23d1] - deps: update ICU to 73.1 release (Steven R. Loomis) #​47456
• [f532f9df5f] - deps: update undici to 5.21.2 (Node.js GitHub Bot) #​47508
• [dcb8c038b9] - deps: update simdutf to 3.2.8 (Node.js GitHub Bot) #​47507
• [6c8456d61f] - deps: update undici to 5.21.1 (Node.js GitHub Bot) #​47488
• [d3b2e8a438] - deps: update simdutf to 3.2.7 (Node.js GitHub Bot) #​47473
• [64a5fe0499] - deps: update corepack to 0.17.2 (Node.js GitHub Bot) #​47474
• [6f0f61a7d3] - deps: upgrade npm to 9.6.4 (npm team) #​47432
• [443a72e207] - deps: update zlib to upstream 5edb52d (Luigi Pinca) #​47151
• [dc3bc46914] - deps: update simdutf to 3.2.3 (Node.js GitHub Bot) #​47331
• [b2f2bebbc2] - deps: update timezone to 2023c (Node.js GitHub Bot) #​47302
• [c10729ffa7] - deps: upgrade npm to 9.6.3 (npm team) #​47325
• [420deac1de] - deps: update corepack to 0.17.1 (Node.js GitHub Bot) #​47156
• [966ba28491] - deps: V8: cherry-pick 3e4952c (Richard Lau) #​47236
• [fc6ab26824] - deps: update timezone to 2023b (Node.js GitHub Bot) #​47256
• [2700e70215] - deps: upgrade npm to 9.6.2 (npm team) #​47108
• [29ba98a0a5] - deps: V8: cherry-pick 975ff4d (Debadree Chatterjee) #​47209
• [be34777be8] - deps: cherry-pick win/arm64/clang fixes (Cheng Zhao) #​47011
• [b52aacb614] - deps: update uvwasi to v0.0.16 (Michael Dawson) #​46434
• [27a76cf5e0] - deps,test: update postject to 1.0.0-alpha.6 (Node.js GitHub Bot) #​48072
• [b171c1a3a4] - dgram: convert macro to template (Tobias Nießen) #​47891
• [709bf1c758] - (SEMVER-MINOR) dns: expose getDefaultResultOrder (btea) #​46973
• [2f202c93e7] - doc: clarify array args to Buffer.from() (Bryan English) #​48274
• [27f195f8d8] - doc: document watch option for node:test run() (Moshe Atlow) #​48256
• [7558ef350a] - doc: update documentation for FIPS support (Richard Lau) #​48194
• [f2bb1919e5] - doc: improve the documentation of the stdio option (Kumar Arnav) #​48110
• [a2aa52ba92] - doc: update Buffer.allocUnsafe description (sinkhaha) #​48183
• [19ad471d52] - doc: update codeowners with website team (Claudio Wunder) #​48197
• [67b2c2a98f] - doc: fix broken link to new folder doc/contributing/maintaining (Andrea Fassina) #​48205
• [795ca70815] - doc: add atlowChemi to triagers (Chemi Atlow) #​48104
• [e437a0aff1] - doc: fix typo in readline completer function section (Vadym) #​48188
• [92e0ea496d] - doc: remove broken link for keygen (Rich Trott) #​48176
• [fe15dae8e6] - doc: add auto intrinsic height to prevent jitter/flicker (Daniel Holbert) #​48195
• [230335e21f] - doc: add version info on the SEA docs (Antoine du Hamel) #​48173
• [e6f37d1b80] - doc: add Ruy to list of TSC members (Michael Dawson) #​48172
• [69205a250c] - doc: update socket.remote* properties documentation (Saba Kharanauli) #​48139
• [e4a5d6298c] - doc: update outdated section on TLSv1.3-PSK (Tobias Nießen) #​48123
• [d14018ed99] - doc: improve HMAC key recommendations (Tobias Nießen) #​48121
• [e9d4baf770] - doc: clarify mkdir() recursive behavior (Stephen Odogwu) #​48109
• [3e4a469139] - doc: fix typo in crypto legacy streams API section (Tobias Nießen) #​48122
• [bdf366ab88] - doc: update SEA source link (Rich Trott) #​48080
• [2a4f79a75f] - doc: clarify tty.isRaw (Roberto Vidal) #​48055
• [98c6e4be03] - doc: use secure key length for HMAC generateKey (Tobias Nießen) #​48052
• [8ae5c8cf9d] - doc: update broken EVP_BytesToKey link (Rich Trott) #​48064
• [3c713e7caa] - doc: update broken spkac link (Rich Trott) #​48063
• [c22f739e94] - doc: document node-api version process (Chengzhong Wu) #​47972
• [ce859f9f9f] - doc: fix typo in binding functions (Deokjin Kim) #​48003
• [070c3457b7] - doc: mark Node.js 14 as End-of-Life (Richard Lau) #​48023
• [3611027d8e] - doc: clarify CRYPTO_CUSTOM_ENGINE_NOT_SUPPORTED (Tobias Nießen) #​47976
• [dbffad958c] - doc: add missing deprecated blocks to cluster (Tobias Nießen) #​47981
• [035356f711] - doc: update description of global (Tobias Nießen) #​47969
• [081a6ffaea] - doc: update measure memory rejection information (Yash Ladha) #​41639
• [3460cf9c23] - doc: fix broken link to TC39 import attributes proposal (Rich Trott) #​47954
• [3b018c8aa9] - doc: fix broken link (Rich Trott) #​47953
• [[244db960a9](https://togithub.com/nodejs/node/commit/244d

---

Configuration

📅 Schedule: Branch creation - "before 5am on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
svg2jsx	❌ Failed (Inspect)		Aug 21, 2023 1:57am