[Snyk] Upgrade core-js from 3.12.1 to 3.36.0 #256

BitcoinOutput · 2024-03-07T04:36:53Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade core-js from 3.12.1 to 3.36.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 76 versions ahead of your current version.
The recommended version was released 22 days ago, on 2024-02-14.

The recommended version fixes:

Issue	PriorityScore (*)	Exploit Maturity
Arbitrary File Overwrite SNYK-JS-TAR-1536528	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Prototype Pollution SNYK-JS-Y18N-1021887	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Prototype Pollution SNYK-JS-CACHEDPATHRELATIVE-2342653	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Prototype Poisoning SNYK-JS-QS-3153490	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Prototype Poisoning SNYK-JS-QS-3153490	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Prototype Poisoning SNYK-JS-QS-3153490	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Denial of Service (DoS) SNYK-JS-ENGINEIO-3136336	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Arbitrary File Overwrite SNYK-JS-TAR-1536531	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Arbitrary File Write SNYK-JS-TAR-1579147	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Arbitrary File Write SNYK-JS-TAR-1579152	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Arbitrary File Write SNYK-JS-TAR-1579155	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-ES5EXT-6095076	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Improper Privilege Management SNYK-JS-SHELLJS-2332187	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Information Exposure SNYK-JS-SIMPLEGET-2361683	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Information Exposure SNYK-JS-SIMPLEGET-2361683	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-5596892	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Prototype Pollution SNYK-JS-LOADERUTILS-3043105	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Improper Input Validation SNYK-JS-FOLLOWREDIRECTS-6141137	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-GETFUNCNAME-5923417	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-NORMALIZEURL-1296539	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Improper Verification of Cryptographic Signature SNYK-JS-BROWSERIFYSIGN-6037026	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Cross-site Scripting (XSS) SNYK-JS-PARSEURL-2942134	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIMOFFNEWLINES-1296850	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Information Exposure SNYK-JS-LOG4JS-2348757	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-CONVENTIONALCOMMITSPARSER-1766960	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Prototype Pollution SNYK-JS-JSON5-3182856	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-COOKIEJAR-3149984	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-TERSER-2806366	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Prototype Pollution SNYK-JS-JSON5-3182856	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Open Redirect SNYK-JS-GOT-2932019	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Open Redirect SNYK-JS-GOT-2932019	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Information Exposure SNYK-JS-NODEFETCH-2342118	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Cross-site Scripting (XSS) SNYK-JS-PARSEURL-2935944	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Information Exposure SNYK-JS-PARSEURL-2935947	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Prototype Pollution SNYK-JS-MINIMIST-2429795	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Information Exposure SNYK-JS-FOLLOWREDIRECTS-2396346	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	624/1000 Why? Has a fix available, CVSS 8.2	No Known Exploit
Server-side Request Forgery (SSRF) SNYK-JS-PARSEURL-2936249	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept
Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	624/1000 Why? Has a fix available, CVSS 8.2	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: core-js

3.36.0 - 2024-02-14
- ArrayBuffer.prototype.transfer and friends proposal:
  - Built-ins:
    - ArrayBuffer.prototype.detached
    - ArrayBuffer.prototype.transfer
    - ArrayBuffer.prototype.transferToFixedLength
  - Moved to stable ES, Febrary 2024 TC39 meeting
  - Added es. namespace modules, /es/ and /stable/ namespaces entries
- Uint8Array to / from base64 and hex proposal:
  - Methods:
    - Uint8Array.fromBase64
    - Uint8Array.fromHex
    - Uint8Array.prototype.toBase64
    - Uint8Array.prototype.toHex
  - Moved to stage 3, Febrary 2024 TC39 meeting
  - Added /actual/ namespace entries
  - Skipped adding new methods of writing to existing arrays to clarification some moments
- Promise.try proposal has been resurrected and moved to stage 2, Febrary 2024 TC39 meeting
- Added an entry point for the new TC39 proposals stage - core-js/stage/2.7 - still empty
- Fixed regression in Set.prototype.intersection feature detection
- Fixed a missed check in Array.prototype.{ indexOf, lastIndexOf, includes }, #1325, thanks @ minseok-choe
- Fixed a missed check in Array.prototype.{ reduce, reduceRight }, #1327, thanks @ minseok-choe
- Fixed Array.from and some other methods with proxy targets, #1322, thanks @ minseok-choe
- Fixed dependencies loading for modules from ArrayBuffer.prototype.transfer and friends proposal in some specific cases in IE10-
- Dropped context workaround from collection static methods entries since with current methods semantic it's no longer required
- Added instance methods polyfills to entries of collections static methods that produce collection instances
- Added missed Date.prototype.toJSON to JSON.stringify entries dependencies
- Added debugging info in some missed cases
- Compat data improvements:
  - { Map, Object }.groupBy, Promise.withResolvers, ArrayBuffer.prototype.transfer and friends marked as supported from Safari 17.4
  - New Set methods fixed and marked as supported from V8 ~ Chrome 123
  - Added Deno 1.40 compat data mapping
  - Symbol.metadata marked as supported from Deno 1.40.4
  - Updated Electron 30 compat data mapping
3.35.1 - 2024-01-20
- Fixed internal ToLength operation with bigints, #1318
- Removed significant redundant code from String#split polyfill
- Fixed setting names of methods with symbol keys in some old engines
- Minor fix of prototype methods export logic in the pure version
- Compat data improvements:
  - Iterator helpers proposal methods marked as supported from V8 ~ Chrome 122
  - Note that V8 ~ Chrome 122 add Set methods, but they have a bug similar to Safari
  - self marked as fixed from Bun 1.0.22
  - SuppressedError and Symbol.{ dispose, asyncDispose } marked as supported from Bun 1.0.23
  - Added Oculus Quest Browser 31 compat data mapping
  - Updated Electron 29 and added Electron 30 compat data mapping
3.35.0 - 2023-12-28
- { Map, Set, WeakMap, WeakSet }.{ from, of } became non-generic, following this and some other notes. Now they can be invoked without this, but no longer return subclass instances
- Fixed handling some cases of non-enumerable symbol keys from Symbol polyfill
- Removed unneeded NodeJS domains-related logic from queueMicrotask polyfill
- Fixed subclassing of wrapped ArrayBuffer
- Refactoring, many different minor optimizations
- Compat data improvements:
  - Array.fromAsync marked as supported from V8 ~ Chrome 121
  - It seems that the ancient Array.prototype.push bug is fixed in V8 ~ Chrome 122 (Hallelujah!)
  - ArrayBuffer.prototype.transfer and friends proposal features marked as supported from FF 122 and Bun 1.0.19
  - Object.groupBy and Map.groupBy marked as supported from Bun 1.0.19
  - Since Iterator helpers proposal methods are still not disabled in Deno, the web compatibility issue why it was disabled in Chromium makes no sense for Deno and fixed in the spec, they marked as supported from Deno 1.37
  - Added Opera Android 80 and updated Opera Android 79 compat data mapping
  - Added Samsung Internet 24 compat data mapping
3.34.0 - 2023-12-05
- Array grouping proposal:
  - Methods:
    - Object.groupBy
    - Map.groupBy
  - Moved to stable ES, November 2023 TC39 meeting
  - Added es. namespace modules, /es/ and /stable/ namespaces entries
- Promise.withResolvers proposal:
  - Method:
    - Promise.withResolvers
  - Moved to stable ES, November 2023 TC39 meeting
  - Added es. namespace module, /es/ and /stable/ namespaces entries
- Fixed a web incompatibility issue of Iterator helpers proposal, proposal-iterator-helpers/287 and some following changes, November 2023 TC39 meeting
- Added Uint8Array to / from base64 and hex stage 2 proposal:
  - Methods:
    - Uint8Array.fromBase64
    - Uint8Array.fromHex
    - Uint8Array.prototype.toBase64
    - Uint8Array.prototype.toHex
- Relaxed some specific cases of Number.fromString validation before clarification of proposal-number-fromstring/24
- Fixed @@ toStringTag property descriptors on DOM collections, #1312
- Fixed the order of arguments validation in Array iteration methods, #1313
- Some minor atob / btoa improvements
- Compat data improvements:
  - Promise.withResolvers marked as shipped from FF121
3.33.3 - 2023-11-19
- Fixed an issue getting the global object on Duktape, #1303
- Avoid sharing internal [[DedentMap]] from String.dedent proposal between core-js instances before stabilization of the proposal
- Some internal untangling
- Compat data improvements:
  - Added Deno 1.38 compat data mapping
  - Array.fromAsync marked as supported from Deno 1.38
  - Symbol.{ dispose, asyncDispose } marked as supported from Deno 1.38
  - Added Opera Android 79 compat data mapping
  - Added Oculus Quest Browser 30 compat data mapping
  - Updated Electron 28 and 29 compat data mapping
3.33.2 - 2023-10-30
- Simplified structuredClone polyfill, avoided second tree pass in cases of transferring
- Added support of SuppressedError to structuredClone polyfill
- Removed unspecified unnecessary ArrayBuffer and DataView dependencies of structuredClone lack of which could cause errors in some entries in IE10-
- Fixed handling of fractional number part in Number.fromString
- Compat data improvements:
  - URL.canParse marked as supported from Chromium 120
  - Updated Opera Android 78 compat data mapping
  - Added Electron 29 compat data mapping
3.33.1 - 2023-10-20
- Added one more workaround of possible error with Symbol polyfill on global object, #1289
- Directly specified type: commonjs in package.json of all packages to avoid potential breakage in future Node versions, see this issue
- Prevented potential issue with lack of some dependencies after automatic optimization polyfills of some methods in the pure version
- Some minor internal fixes and optimizations
- Compat data improvements:
  - String.prototype.{ isWellFormed, toWellFormed } marked as supported from FF119
  - Added React Native 0.73 Hermes compat data, mainly fixes of some issues
  - Added NodeJS 21.0 compat data mapping
3.33.0 - 2023-10-01
- Re-introduced RegExp escaping stage 2 proposal, September 2023 TC39 meeting:
  - Added RegExp.escape method with the new set of symbols for escaping
  - Some years ago, it was presented in core-js, but it was removed after rejecting the old version of this proposal
- Added ArrayBuffer.prototype.{ transfer, transferToFixedLength } and support transferring of ArrayBuffers via structuredClone to engines with MessageChannel
- Optimized Math.f16round polyfill
- Fixed some conversion cases of Math.f16round and DataView.prototype.{ getFloat16, setFloat16 }
- Fully forced polyfilling of the TC39 Observable proposal because of incompatibility with the new WHATWG Observable proposal
- Added an extra workaround of errors with exotic environment objects in Symbol polyfill, #1289
- Some minor fixes and stylistic changes
- Compat data improvements:
  - V8 unshipped Iterator helpers because of some Web compatibility issues
  - Promise.withResolvers marked as supported from V8 ~ Chrome 119
  - Array grouping proposal features marked as supported from FF119
  - value argument of URLSearchParams.prototype.{ has, delete } marked as properly supported from V8 ~ Chrome 118
  - URL.canParse and URLSearchParams.prototype.size marked as supported from Bun 1.0.2
  - Added Deno 1.37 compat data mapping
  - Added Electron 28 compat data mapping
  - Added Opera Android 78 compat data mapping
3.32.2 - 2023-09-07
- Fixed structuredClone feature detection [email protected] bug, #1288
- Added a workaround of old WebKit + eval bug, #1287
- Compat data improvements:
  - Added Samsung Internet 23 compat data mapping
  - Added Quest Browser 29 compat data mapping
3.32.1 - 2023-08-18
3.32.0 - 2023-07-27
3.31.1 - 2023-07-06
3.31.0 - 2023-06-11
3.30.2 - 2023-05-06
3.30.1 - 2023-04-13
3.30.0 - 2023-04-03
3.29.1 - 2023-03-13
3.29.0 - 2023-02-26
3.28.0 - 2023-02-13
3.27.2 - 2023-01-18
3.27.1 - 2022-12-29
3.27.0 - 2022-12-25
3.26.1 - 2022-11-13
3.26.0 - 2022-10-23
3.25.5 - 2022-10-03
3.25.4 - 2022-10-02
3.25.3 - 2022-09-25
3.25.2 - 2022-09-18
3.25.1 - 2022-09-07
3.25.0 - 2022-08-24
3.24.1 - 2022-07-29
3.24.0 - 2022-07-25
3.23.5 - 2022-07-17
3.23.4 - 2022-07-09
3.23.3 - 2022-06-25
3.23.2 - 2022-06-20
3.23.1 - 2022-06-14
3.23.0 - 2022-06-13
3.22.8 - 2022-06-01
3.22.7 - 2022-05-24
3.22.6 - 2022-05-22
3.22.5 - 2022-05-10
3.22.4 - 2022-05-02
3.22.3 - 2022-04-28
3.22.2 - 2022-04-21
3.22.1 - 2022-04-19
3.22.0 - 2022-04-15
3.21.1 - 2022-02-16
3.21.0 - 2022-02-01
3.20.3 - 2022-01-15
3.20.2 - 2022-01-01
3.20.1 - 2021-12-23
3.20.0 - 2021-12-15
3.19.3 - 2021-12-06
3.19.2 - 2021-11-29
3.19.1 - 2021-11-02
3.19.0 - 2021-10-25
3.18.3 - 2021-10-12
3.18.2 - 2021-10-05
3.18.1 - 2021-09-26
3.18.0 - 2021-09-19
3.17.3 - 2021-09-09
3.17.2 - 2021-09-02
3.17.1 - 2021-09-01
3.17.0 - 2021-09-01
3.16.4 - 2021-08-29
3.16.3 - 2021-08-24
3.16.2 - 2021-08-17
3.16.1 - 2021-08-08
3.16.0 - 2021-07-30
3.15.2 - 2021-06-29
3.15.1 - 2021-06-22
3.15.0 - 2021-06-20
3.14.0 - 2021-06-05
3.13.1 - 2021-05-29
3.13.0 - 2021-05-25
3.12.1 - 2021-05-08

from core-js GitHub release notes

Commit messages

Package name: core-js

77123c4 3.36.0
a3d51ed fix dependencies loading for modules from `ArrayBuffer.prototype.transfer` and friends proposal
9eace59 update dependencies
9d59934 update the readme
b90f2f5 add an entry point for the new TC39 proposals stage - `core-js/stage/2.7` - still empty
874d23a update dependencies
5090287 drop `Math` extensions from the readme since it's withdrawn
72fdd49 drop `Math.signbit` from the readme since it's withdrawn
5e68a01 move `Uint8Array` to / from base64 and hex proposal to stage 3
4207afd update a link
8beb1a0 update dependencies
e65a810 update dependencies
c98d3f2 update dependencies
bc29e6a update dependencies
0774eb9 mark `Symbol.metadata` as supported from Deno 1.40.4
f340a9f update dependencies
e1e6871 update the readme
4c51d71 move `ArrayBuffer.prototype.transfer` and friends to stable ES
582e4e1 update dependencies
c9ce874 clarify a note
3348b1a move `Promise.try` to stage 2
7ec37c1 update the changelog
e7f6af0 use a constant as a error message
b36ca26 Merge pull request #1328 from minseok-choe/fix/issue-flat, close #1327

Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Snyk has created this PR to upgrade core-js from 3.12.1 to 3.36.0. See this package in npm: https://www.npmjs.com/package/core-js See this project in Snyk: https://app.snyk.io/org/debuggineffect/project/cb6ca896-c5e8-406d-97c0-b95d0818e84c?utm_source=github&utm_medium=referral&page=upgrade-pr

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Snyk] Upgrade core-js from 3.12.1 to 3.36.0 #256

[Snyk] Upgrade core-js from 3.12.1 to 3.36.0 #256

Uh oh!

BitcoinOutput commented Mar 7, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

[Snyk] Upgrade core-js from 3.12.1 to 3.36.0 #256

Are you sure you want to change the base?

[Snyk] Upgrade core-js from 3.12.1 to 3.36.0 #256

Uh oh!

Conversation

BitcoinOutput commented Mar 7, 2024

Snyk has created this PR to upgrade core-js from 3.12.1 to 3.36.0.

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants