Bump the npm_and_yarn group across 2 directories with 9 updates

[dependabot]

Bumps the npm_and_yarn group with 5 updates in the /Example01_JavaScript directory:

Package	From	To
express-jwt	0.1.3	6.0.0
jsonwebtoken	0.4.0	9.0.0
libxmljs2	0.32.0	0.35.0
sanitize-html	1.4.2	2.12.1
socket.io	3.1.2	4.8.1

Bumps the npm_and_yarn group with 4 updates in the /Example04_DockerPull_Build_Scan/client directory: graphiql, minimatch, minimist and ua-parser-js.

Updates express-jwt from 0.1.3 to 6.0.0

Commits

• 678f3b0 6.0.0
• 7ecab5f Merge pull request from GHSA-6g6m-m6h5-w9gf
• 304a1c5 Made algorithms mandatory
• e9ed6d2 5.3.3
• 8662579 Make clearer sections in the Readme
• d3e86bf Update README.md
• c5d8419 Add a note about OAuth2 bearer tokens
• 888f0e9 Update Readme and use a consistent JS style for code examples
• 6591014 5.3.2
• f4f4d1d fix license field
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by yacine-b, a new releaser for express-jwt since your current version.

Updates jsonwebtoken from 0.4.0 to 9.0.0

Changelog

Sourced from jsonwebtoken's changelog.

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

• Removed support for Node versions 11 and below.
• The verify() function no longer accepts unsigned tokens by default. ([834503079514b72264fd13023a3b8d648afd6a16]auth0/node-jsonwebtoken@8345030)
• RSA key size must be 2048 bits or greater. ([ecdf6cc6073ea13a7e71df5fad043550f08d0fa6]auth0/node-jsonwebtoken@ecdf6cc)
• Key types must be valid for the signing / verification algorithm

Security fixes

• security: fixes Arbitrary File Write via verify function - CVE-2022-23529
• security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
• security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
• security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

8.5.1 - 2019-03-18

Bug fix

• fix: ensure correct PS signing and verification (#585) (e5874ae428ffc0465e6bd4e660f89f78b56a74a6), closes #585

Docs

• README: fix markdown for algorithms table (84e03ef70f9c44a3aef95a1dc122c8238854f683)

8.5.0 - 2019-02-20

New Functionality

• feat: add PS JWA support for applicable node versions (#573) (eefb9d9c6eec54718fa6e41306bda84788df7bec), closes #573
• Add complete option in jwt.verify (#522) (8737789dd330cf9e7870f4df97fd52479adbac22), closes #522

Test Improvements

• Add tests for private claims in the payload (#555) (5147852896755dc1291825e2e40556f964411fb2), closes #555
• Force use_strict during testing (#577) (7b60c127ceade36c33ff33be066e435802001c94), closes #577
• Refactor tests related to jti and jwtid (#544) (7eebbc75ab89e01af5dacf2aae90fe05a13a1454), closes #544
• ci: remove nsp from tests (#569) (da8f55c3c7b4dd0bfc07a2df228500fdd050242a), closes #569

Docs

• Fix 'cert' token which isn't a cert (#554) (0c24fe68cd2866cea6322016bf993cd897fefc98), closes #554

8.4.0 - 2018-11-14

New Functionality

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jsonwebtoken since your current version.

Updates libxmljs2 from 0.32.0 to 0.35.0

Release notes

Sourced from libxmljs2's releases.

v0.35.0

No release notes provided.

v0.33.0

support node 21

BREAKING Drop node 16 & 19

Commits

• 478d57d chore: support node 22
• 28c7258 fix: correct prebuild stuff
• 7ef018c NO LONGER MAINTAINED
• 9b42607 fix: correct artifact path to upload
• 0dbbcf2 chore: test prebuild as node-pre-gyp is no longer working
• e0eb378 chore: bump to 0.33.0
• c028a85 chore: support node21 (#201)
• See full diff in compare view

Updates sanitize-html from 1.4.2 to 2.12.1

Changelog

Sourced from sanitize-html's changelog.

2.12.1 (2024-02-22)

• Do not parse sourcemaps in post-css. This fixes a vulnerability in which information about the existence or non-existence of files on a server could be disclosed via properly crafted HTML input when the style attribute is allowed by the configuration. Thanks to the Snyk Security team for the disclosure and to Dylan Armstrong for the fix.

2.12.0 (2024-02-21)

• Introduced the allowedEmptyAttributes option, enabling explicit specification of empty string values for select attributes, with the default attribute set to alt. Thanks to Na for the contribution.

• Clarified the use of SVGs with a new test and changes to documentation. Thanks to Gauav Kumar for the contribution.

• Do not process source maps when processing style tags with PostCSS.

2.11.0 (2023-06-21)

• Fix to allow false in allowedClasses attributes. Thanks to Kevin Jiang for this fix!
• Upgrade mocha version
• Apply small linter fixes in tests
• Add .idea temp files to .gitignore
• Thanks to Vitalii Shpital for the updates!
• Show parseStyleAttributes warning in browser only. Thanks to mog422 for this update!
• Remove empty non-boolean attributes via an exhaustive, configurable list of known non-boolean attributes. Thanks to Dylan Armstrong for this update!

2.10.0 (2023-02-17)

• Fix auto-adding escaped closing tags. In other words, do not add implied closing tags to disallowed tags when disallowedTagMode is set to any variant of escape -- just escape the disallowed tags that are present. This fixes [issue #464](apostrophecms/sanitize-html#464). Thanks to Daniel Liebner
• Add tagAllowed() helper function which takes a tag name and checks it against options.allowedTags and returns true if the tag is allowed and false if it is not.

2.9.0 (2023-01-27)

• Add option parseStyleAttributes to skip style parsing. This fixes [issue #547](apostrophecms/sanitize-html#547). Thanks to Bert Verhelst.

2.8.1 (2022-12-21)

• If the argument is a number, convert it to a string, for backwards compatibility. Thanks to Alexander Schranz.

2.8.0 (2022-12-12)

• Upgrades htmlparser2 to new major version ^8.0.0. Thanks to Kedar Chandrayan for this contribution.

2.7.3 (2022-10-24)

• If allowedTags is falsy but not exactly false, then do not assume that all tags are allowed. Rather, allow no tags in this case, to be on the safe side. This matches the existing documentation and fixes [issue #176](apostrophecms/sanitize-html#176). Thanks to Kedar Chandrayan for the fix.

2.7.2 (2022-09-15)

• Closing tags must agree with opening tags. This fixes [issue #549](apostrophecms/sanitize-html#549), in which closing tags not associated with any permitted opening tag could be passed through. No known exploit exists, but it's better not to permit this. Thanks to Kedar Chandrayan for the report and the fix.

2.7.1 (2022-07-20)

... (truncated)

Commits

• See full diff in compare view

Updates socket.io from 3.1.2 to 4.8.1

Release notes

Sourced from socket.io's releases.

[email protected]

Due to a change in the bundler configuration, the production bundle (socket.io.min.js) did not support sending and receiving binary data in version 4.8.0. This is now fixed.

Dependencies

• engine.io@~6.6.0 (no change)
• ws@~8.17.1 (no change)

[email protected]

Bug Fixes

• bundle: do not mangle the "_placeholder" attribute (ca9e994)

Dependencies

• engine.io-client@~6.6.1 (no change)
• ws@~8.17.1 (no change)

[email protected]

Features

Custom transport implementations

The transports option now accepts an array of transport implementations:

import { io } from "socket.io-client";
import { XHR, WebSocket } from "engine.io-client";
const socket = io({
transports: [XHR, WebSocket]
});

Here is the list of provided implementations:

Transport	Description
Fetch	HTTP long-polling based on the built-in fetch() method.
NodeXHR	HTTP long-polling based on the XMLHttpRequest object provided by the xmlhttprequest-ssl package.
XHR	HTTP long-polling based on the built-in XMLHttpRequest object.
NodeWebSocket	WebSocket transport based on the WebSocket object provided by the ws package.
WebSocket	WebSocket transport based on the built-in WebSocket object.
WebTransport	WebTransport transport based on the built-in WebTransport object.

Usage:

Transport	browser	Node.js	Deno	Bun

... (truncated)

Commits

• 91e1c8b chore(release): [email protected]
• 8d5528a chore(release): [email protected]
• 71387e5 refactor(sio-client): reexport transports from the engine
• aead835 refactor(sio): make Namespace._fns private (#5196)
• 029e010 chore(release): [email protected]
• 4ca6ddb docs(nuxt): update example with latest version
• ca9e994 fix(sio-client): do not mangle the "_placeholder" attribute
• 4865f2e fix(eio-client): prevent infinite loop with Node.js built-in WebSocket
• d4b3dde ci: use Node.js 22
• 3b68658 chore: bump @​fails-components/webtransport to version 1.1.4 (dev)
• Additional commits viewable in compare view

Updates graphiql from 0.5.0 to 1.4.7

Changelog

Sourced from graphiql's changelog.

1.4.7

Patch Changes

• 130ddad6 Thanks @​acao! - CRITICAL SECURITY PATCH for the GraphiQL introspection schema template injection attack

1.4.6

Patch Changes

• d3a88283 #1934 Thanks @​tonyfromundefined! - add react 17, 18 in peerDependencies

• afaa36c1 #1883 Thanks @​Sweetabix1! - Updating font colors for line numbers, comments & brackets from #999 to #666 for accessibility purposes. #666 passes AA accessibility standards for small text, with a contrast ratio of over 5:1.

• 75dbb0b1 #1777 Thanks @​dwwoelfel! - adopt block string parsing for variables in language parser

• Updated dependencies [0e2c1a02, 75dbb0b1]:

  • [email protected]
  • [email protected]

1.4.5

Patch Changes

• 86795d5f Thanks @​acao! - Remove bad type definition from subscriptions-transport-ws #1992 closes #1989

• Updated dependencies [86795d5f]:

  • @​graphiql/toolkit@​0.3.2

1.4.4

Patch Changes

• 62e786b5 #1990 Thanks @​acao! - Remove type definition from subscriptions-transport-ws

• Updated dependencies [62e786b5]:

  • @​graphiql/toolkit@​0.3.1

1.4.3

Patch Changes

• 6a459f4c #1968 Thanks @​acao! - Remove optionalDependencies entirely, remove subscriptions-transport-ws which introduces vulnerabilities, upgrade @n1ru4l/push-pull-async-iterable-iterator to 3.0.0, upgrade graphql-ws several minor versions - the [email protected] upgrade will come in a later minor release.

• eb2d91fa #1914 Thanks @​harshithpabbati! - fix: history can now be saved even when query history panel is not opened feat: create a new maxHistoryLength prop to allow more than 20 queries in history panel

• 04fad79c #1889 Thanks @​henryqdineen! - feat: export ToolbarSelectOption and ToolbarMenuItem

• cd685435 #1923 Thanks @​cgarnier! - Fix result window theme

... (truncated)

Commits

• 8680b75 Version Packages (#2003)
• cb237ee Merge pull request from GHSA-x4r7-m2q9-69c8
• 672aadf Version Packages (#1994)
• afaa36c fix: updating #999 font colors to #666 (#1883)
• d3a8828 fix(graphiql): add react 17, 18 in peerDependencies (#1934)
• 877a74a Version Packages (#1993)
• 8577c7e Version Packages (#1991)
• 8ad2c0c Version Packages (#1893)
• 6a459f4 fix: @​graphiql/toolkit dependencies (#1968)
• 0436594 Fix typo in README.md (#1948)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by acao, a new releaser for graphiql since your current version.

Updates minimatch from 3.0.4 to 3.1.2

Commits

• 699c459 3.1.2
• 2f2b5ff fix: trim pattern
• 25d7c0d 3.1.1
• 55dda29 fix: treat nocase:true as always having magic
• 5e1fb8d 3.1.0
• f8145c5 Add 'allowWindowsEscape' option
• 570e8b1 add publishConfig for v3 publishes
• 5b7cd33 3.0.6
• 20b4b56 [fix] revert all breaking syntax changes
• 2ff0388 document, expose, and test 'partial:true' option
• Additional commits viewable in compare view

Updates minimist from 1.2.5 to 1.2.8

Changelog

Sourced from minimist's changelog.

v1.2.8 - 2023-02-09

Merged

• [Fix] Fix long option followed by single dash [#17](https://github.com/minimistjs/minimist/issues/17)
• [Tests] Remove duplicate test [#12](https://github.com/minimistjs/minimist/issues/12)
• [Fix] opt.string works with multiple aliases [#10](https://github.com/minimistjs/minimist/issues/10)

Fixed

• [Fix] Fix long option followed by single dash (#17) [#15](https://github.com/minimistjs/minimist/issues/15)
• [Tests] Remove duplicate test (#12) [#8](https://github.com/minimistjs/minimist/issues/8)
• [Fix] Fix long option followed by single dash [#15](https://github.com/minimistjs/minimist/issues/15)
• [Fix] opt.string works with multiple aliases (#10) [#9](https://github.com/minimistjs/minimist/issues/9)
• [Fix] Fix handling of short option with non-trivial equals [#5](https://github.com/minimistjs/minimist/issues/5)
• [Tests] Remove duplicate test [#8](https://github.com/minimistjs/minimist/issues/8)
• [Fix] opt.string works with multiple aliases [#9](https://github.com/minimistjs/minimist/issues/9)

Commits

• Merge tag 'v0.2.3' a026794
• [eslint] fix indentation and whitespace 5368ca4
• [eslint] fix indentation and whitespace e5f5067
• [eslint] more cleanup 62fde7d
• [eslint] more cleanup 36ac5d0
• [meta] add auto-changelog 73923d2
• [actions] add reusable workflows d80727d
• [eslint] add eslint; rules to enable later are warnings 48bc06a
• [eslint] fix indentation 34b0f1c
• [readme] rename and add badges 5df0fe4
• [Dev Deps] switch from covert to nyc a48b128
• [Dev Deps] update covert, tape; remove unnecessary tap f0fb958
• [meta] create FUNDING.yml; add funding in package.json 3639e0c
• [meta] use npmignore to autogenerate an npmignore file be2e038
• Only apps should have lockfiles 282b570
• isConstructorOrProto adapted from PR ef9153f
• [Dev Deps] update @ljharb/eslint-config, aud 098873c
• [Dev Deps] update @ljharb/eslint-config, aud 3124ed3
• [meta] add safe-publish-latest 4b927de
• [Tests] add aud in posttest b32d9bd
• [meta] update repo URLs f9fdfc0
• [actions] Avoid 0.6 tests due to build failures ba92fe6
• [Dev Deps] update tape 950eaa7
• [Dev Deps] add missing npmignore dev dep 3226afa
• Merge tag 'v0.2.2' 980d7ac

v1.2.7 - 2022-10-10

Commits

... (truncated)

Commits

• 6901ee2 v1.2.8
• a026794 Merge tag 'v0.2.3'
• c0b2661 v0.2.3
• 63b8fee [Fix] Fix long option followed by single dash (#17)
• 72239e6 [Tests] Remove duplicate test (#12)
• 34b0f1c [eslint] fix indentation
• 3226afa [Dev Deps] add missing npmignore dev dep
• 098873c [Dev Deps] update @ljharb/eslint-config, aud
• 9ec4d27 [Fix] Fix long option followed by single dash
• ba92fe6 [actions] Avoid 0.6 tests due to build failures
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for minimist since your current version.

Updates ua-parser-js from 0.7.31 to 0.7.40

Release notes

Sourced from ua-parser-js's releases.

v0.7.38

Version 0.7.38

• Fix error on getOS() when userAgentData.platform is undefined
• Add new browser: Opera GX, Twitter
• Improve browser detection: DuckDuckGo
• Improve device detection: OPPO Pad, Oculus Quest

v0.7.37

Version 0.7.37

• Fix misidentified WebView token as device model
• Increase UA_MAX_LENGTH to 500
• Add new browser: Alipay, Klarna, Smart Lenovo Browser, Vivo Browser
• Add new device: Ulefone
• Improve device detection: Realme, Xiaomi Redmi
• Rename browser: Avant, Baidu, Samsung Internet, Sogou Explorer, Sogou Mobile, WeChat

Changelog

Sourced from ua-parser-js's changelog.

Version 0.7.40 / 1.0.40

• Add new browser: 115, LibreWolf, Slimboat, Slimjet
• Add new device: Advan, Cat, Energizer, IMO, Micromax, Smartfren
• Add new engine: ArkWeb, Servo
• Add new os: OpenHarmony
• Improve browser detection: 2345, 360, Dragon, Iron, Maxthon
• Recognize Honor as a separate device vendor from Huawei
• Fix Python Request mistakenly identified as Meta Quest

Version 0.7.39 / 1.0.39

• Add new feature: executable command using npx ua-parser-js "[INSERT-UA-HERE]"
• Add new browser: Helio, Pico Browser, Wolvic
• Add new device vendor: itel, Nothing, TCL
• Improve browser detection: ICEBrowser, Klar, QQBrowser, Quark, Rekonq, Sleipnir
• Improve device detection: Xiaomi Pro, Amazon Echo Show, Samsung Galaxy Watch
• Removed from browser: Viera

Version 0.7.38 / 1.0.38

• Fix error on getOS() when userAgentData.platform is undefined
• Add new browser: Opera GX, Twitter
• Improve browser detection: DuckDuckGo
• Improve device detection: OPPO Pad, Oculus Quest

Version 0.7.37 / 1.0.37

• Fix misidentified WebView token as device model
• Increase UA_MAX_LENGTH to 500
• Add new browser: Alipay, Klarna, Smart Lenovo Browser, Vivo Browser
• Add new device: Ulefone
• Improve device detection: Realme, Xiaomi Redmi
• Rename browser: Avant, Baidu, Samsung Internet, Sogou Explorer, Sogou Mobile, WeChat

Version 0.7.36 / 1.0.36

• Add new browser: Snapchat
• Add new devices: Infinix, Tecno
• Improve device detection: Amazon Fire TV, Xiaomi POCO
• Improve OS detection: iOS

Version 0.7.35 / 1.0.35

• Fix result from user-supplied user-agent being altered
• Add new browser: Heytap, TikTok
• Add new engine: LibWeb
• Add new OS: SerenityOS
• Improve browser detection: Yandex
• Improve device detection: iPhone, Amazon Echo
• Improve OS detection: iOS

Version 0.7.34 / 1.0.34

• Fix Sharp Mobile detected as Huawei Tablet
• Fix IE8 bug
• Add new devices : Kobo e-Reader, Apple Watch, and some new SmartTV devices

... (truncated)

Commits

• 5c811b8 Bump version 0.7.40
• 88fa66d Backport - Fix #747: Python Request mistakenly identified as Meta Quest
• 1665684 Backport - Add new device vendors: Advan, IMO, Smartfren
• a10add1 Backport - Add new device vendors: Cat, Energizer, Micromax
• bb7558f Backport - Add new browser engine: Servo
• ee77fcb Backport - Added support for honor separated from Huawei (#749)
• 92da592 Backport - Add new browser: LibreWolf
• dcca2eb Backport - Improve browser detection: Maxthon
• d9c68a7 Backport - Add new browser: 115 Browser
• e32cf13 Backport - Improve browser detection: 2345 & 360
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.