Sourced from The GitHub Security Advisory Database.

Regular Expression Denial of Service (ReDOS) A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.

Affected versions: < 1.5.5

Sourced from color-string's releases.

1.5.5 (Patch/Security Release) - hwb() ReDos patch (low-severity)

Release notes copied verbatim from the commit message, which can be found here: 0789e21284c33d89ebc4ab4ca6f759b9375ac9d3

Discovered by Yeting Li, c/o Colin Ife via Snyk.io.
A ReDos (Regular Expression Denial of Service) vulnerability
was responsibly disclosed to me via email by Colin on
Mar 5 2021 regarding an exponential time complexity for
linearly increasing input lengths for hwb() color strings.
Strings reaching more than 5000 characters would see several
milliseconds of processing time; strings reaching more than
50,000 characters began seeing 1500ms (1.5s) of processing time.
The cause was due to a the regular expression that parses
hwb() strings - specifically, the hue value - where
the integer portion of the hue value used a 0-or-more quantifier
shortly thereafter followed by a 1-or-more quantifier.
This caused excessive backtracking and a cartesian scan,
resulting in exponential time complexity given a linear
increase in input length.
Thank you Yeting Li and Colin Ife for bringing this to my
attention in a secure, responsible and professional manner.
A CVE will not be assigned for this vulnerability.

• 966ae4d 1.5.5
• 0789e21 fix ReDos in hwb() parser (low-severity)
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

• a2c5da8 1.3.8
• af5c6bb Do not use Object.create(null)
• 8b648a1 don't test where our devdeps don't even work
• c74c8af 1.3.7
• 024b8b5 update deps, add linting
• 032fbaf Use Object.create(null) to avoid default object property hazards
• 2da9039 1.3.6
• cfea636 better git push script, before publish instead of after
• 56d2805 do not allow invalid hazardous string as section name
• See full diff in compare view

This version was pushed to npm by isaacs, a new releaser for ini since your current version.

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from The PHP Security Advisories Database.

CVE-2020-5255: Prevent cache poisoning via a Response Content-Type header

Affected versions: >=4.4.0, <4.4.7; >=5.0.0, <5.0.7

Sourced from symfony/http-foundation's releases.

v4.4.9

Changelog (https://github.com/symfony/http-foundation/compare/v4.4.8...v4.4.9)

• no changes

v4.4.8

Changelog (https://github.com/symfony/http-foundation/compare/v4.4.7...v4.4.8)

• bug #36490 workaround PHP bug in the session module (nicolas-grekas)
• bug #35656 Fixed session migration with custom cookie lifetime (Guite)

v4.4.7

Changelog (https://github.com/symfony/http-foundation/compare/v4.4.6...v4.4.7)

• no changes

v4.4.6

Changelog (https://github.com/symfony/http-foundation/compare/v4.4.5...v4.4.6)

• bug #36173 Fix clear cookie samesite (guillbdx)
• bug #36103 fix preloading script generation (nicolas-grekas)

v4.4.5

Changelog (https://github.com/symfony/http-foundation/compare/v4.4.4...v4.4.5)

• bug #35709 fix not sending Content-Type header for 204 responses (Tobion)
• bug #35583 Add missing use statements (fabpot)

• 3adfbd7 Merge branch '3.4' into 4.4
• 7c4bb04 Use ">=" for the "php" requirement
• fbd216d Properties $originalName and $mimeType are never null in UploadedFile
• c880e63 Execute docker dependent tests with github actions
• ec5bd25 Merge branch '3.4' into 4.4
• eded33d [HttpFoundation] workaround PHP bug in the session module
• 1055c11 Merge branch '3.4' into 4.4
• 940167f bug #35656 [HttpFoundation] Fixed session migration with custom cookie lifeti...
• 9a692b6 [HttpFoundation] Fixed session migration with custom cookie lifetime
• 7fd8435 No need to reconnect the bags to the session
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Sourced from The PHP Security Advisories Database.

CVE-2020-5255: Prevent cache poisoning via a Response Content-Type header

Affected versions: >=4.4.0, <4.4.7; >=5.0.0, <5.0.7

Sourced from symfony/http-foundation's releases.

v4.4.8

Changelog (https://github.com/symfony/http-foundation/compare/v4.4.7...v4.4.8)

• bug #36490 workaround PHP bug in the session module (nicolas-grekas)
• bug #35656 Fixed session migration with custom cookie lifetime (Guite)

v4.4.7

Changelog (https://github.com/symfony/http-foundation/compare/v4.4.6...v4.4.7)

• no changes

v4.4.6

Changelog (https://github.com/symfony/http-foundation/compare/v4.4.5...v4.4.6)

• bug #36173 Fix clear cookie samesite (guillbdx)
• bug #36103 fix preloading script generation (nicolas-grekas)

v4.4.5

Changelog (https://github.com/symfony/http-foundation/compare/v4.4.4...v4.4.5)

• bug #35709 fix not sending Content-Type header for 204 responses (Tobion)
• bug #35583 Add missing use statements (fabpot)

• ec5bd25 Merge branch '3.4' into 4.4
• eded33d [HttpFoundation] workaround PHP bug in the session module
• 1055c11 Merge branch '3.4' into 4.4
• 940167f bug #35656 [HttpFoundation] Fixed session migration with custom cookie lifeti...
• 9a692b6 [HttpFoundation] Fixed session migration with custom cookie lifetime
• 7fd8435 No need to reconnect the bags to the session
• 62f9250 [HttpFoundation] Do not set the default Content-Type based on the Accept header
• 67d0196 add missing gitattributes for phpunit-bridge
• 0a3b771 Merge branch '3.4' into 4.4
• a8833c5 [Http Foundation] Fix clear cookie samesite
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Sourced from The PHP Security Advisories Database.

CVE-2020-5255: Prevent cache poisoning via a Response Content-Type header

Affected versions: >=4.4.0, <4.4.7; >=5.0.0, <5.0.7

Sourced from symfony/http-foundation's releases.

v4.4.7

Changelog (https://github.com/symfony/http-foundation/compare/v4.4.6...v4.4.7)

• no changes

v4.4.6

Changelog (https://github.com/symfony/http-foundation/compare/v4.4.5...v4.4.6)

• bug #36173 Fix clear cookie samesite (guillbdx)
• bug #36103 fix preloading script generation (nicolas-grekas)

v4.4.5

Changelog (https://github.com/symfony/http-foundation/compare/v4.4.4...v4.4.5)

• bug #35709 fix not sending Content-Type header for 204 responses (Tobion)
• bug #35583 Add missing use statements (fabpot)

• 62f9250 [HttpFoundation] Do not set the default Content-Type based on the Accept header
• 67d0196 add missing gitattributes for phpunit-bridge
• 0a3b771 Merge branch '3.4' into 4.4
• a8833c5 [Http Foundation] Fix clear cookie samesite
• 109ac25 [DI] fix preloading script generation
• ff006c7 Fix more quotes in exception messages
• f4dc52b Fix quotes in exception messages
• 2d4d118 Merge branch '3.4' into 4.4
• 13f9b08 Fix quotes in exception messages
• 01887e8 Add missing dots at the end of exception messages
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Sourced from laravel/framework's releases.

v5.8.24

Added

• Added possibility to assert that the session contains a given piece of data using a closure in TestResponse::assertSessionHas() (#28837)
• Added TestResponse::assertUnauthorized() (#28851)
• Allowed to define port in ServeCommand via SERVER_PORT env variable (#28849, 6a18e73)
• Allowed console environment argument to be separated with a space (#28869)
• Added @endcomponentFirst directive (#28884)
• Added optional parameter $when to retry helper (85c0801)

Fixed

• Fixed Builder::dump() and Builder::dd() with global scopes (#28858)

Reverted

• Reverted: Automatically bind the viewAny method to the index controller action (#28865)

Changed

• Handle SuspiciousOperationException in router as NotFoundHttpException (#28866)

Sourced from laravel/framework's changelog.

v5.8.23 (2019-06-19)

Added

• Added possibility to assert that the session contains a given piece of data using a closure in TestResponse::assertSessionHas() (#28837)
• Added TestResponse::assertUnauthorized() (#28851)
• Allowed to define port in ServeCommand via SERVER_PORT env variable (#28849, 6a18e73)
• Allowed console environment argument to be separated with a space (#28869)
• Added @endcomponentFirst directive (#28884)
• Added optional parameter $when to retry helper (85c0801)

Fixed

• Fixed Builder::dump() and Builder::dd() with global scopes (#28858)

Reverted

• Reverted: Automatically bind the viewAny method to the index controller action (#28865)

Changed

• Handle SuspiciousOperationException in router as NotFoundHttpException (#28866)

• bb2a0af wip
• 024783a Merge pull request #28884 from browner12/endComponentFirst
• 44ee747 Merge pull request #28883 from mfn/patch-4
• 0e360b6 Merge pull request #28887 from kevindh89/fixDocblockCollectionFirst
• db220f5 Fixes method description in docblock for first method in Collection class
• 7ff698d compile @endcomponentFirst
• ef7198c Arr::get also accepts int for $key
• 21cb37d Merge pull request #28866 from katoni/5.8
• 2e98322 Merge pull request #28877 from omarkdev/5.8-test-assertNotFound
• d206574 Do not propagate exception message
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

Sourced from phpunit/phpunit's changelog.

[8.2.2] - 2019-06-15

Changed

• Scoped PHAR built with newer version of PHP-Scoper

• 24b6cfc Prepare release
• 7b8c2b6 Bump
• 256bfe6 Cleanup
• b320d2d Update tools
• 86ea092 Merge branch '7.5' into 8.2
• f028cbc Update tools
• 0fa1b07 Update php-scoper
• 7bf3fc4 Update php-scoper
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

Sourced from laravel/horizon's releases.

v3.2.3

Fixed

• Reverted "Display worker CPU and memory utilization in supervisor list" (#616, #614)

Sourced from laravel/horizon's changelog.

v3.2.3 (2019-06-14)

Fixed

• Reverted "Display worker CPU and memory utilization in supervisor list" (#616, #614)

• a6e4a89 Update CHANGELOG.md
• 4144aa1 Remove unnecessary type attribute
• e08225a compile
• 2b14e64 Merge pull request #616 from laravel/revert-589-stats-pr
• fb9df5b Revert "[3.0] Display worker CPU and memory utilization in supervisor list"
• ccb4036 Apply fixes from StyleCI (#615)
• 2f95209 Merge pull request #614 from laravel/revert-606-format-numeric-values
• af25487 Revert "[3.0] Properly format numeric values"
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

Sourced from laravel/framework's releases.

v5.8.22

v5.8.22 (2019-06-12)

Added

• Added @componentFirst directive (#28783)
• Added support for typed eager loads (#28647, d72e3cd)
• Added Related and Recommended to Pluralizer (#28749)
• Added Str::containsAll() method (#28806)
• Added: error handling for maintenance mode commands (#28765, 9e20849)
• Added message value assertion to TestResponse::assertJsonValidationErrors() (#28787)
• Added: Automatically bind the viewAny method to the index controller action (#28820)

Fixed

• Fixed database rules with where clauses (#28748)
• Fixed: MorphTo Relation ignores parent $timestamp when touching (#28670)
• Fixed: Sql Server issue during dropAllTables when foreign key constraints exist (#28750, #28770)
• Fixed Model::getConnectionName() when Model::cursor() used (#28804)

Changed

• Made force an optional feature when using ConfirmableTrait. (#28742)
• Suggest resolution when no relationship value is returned in the Model::getRelationshipFromMethod() (#28762)

Sourced from laravel/framework's changelog.

v5.8.22 (2019-06-12)

Added

• Added @componentFirst directive (#28783)
• Added support for typed eager loads (#28647, d72e3cd)
• Added Related and Recommended to Pluralizer (#28749)
• Added Str::containsAll() method (#28806)
• Added: error handling for maintenance mode commands (#28765, 9e20849)
• Added message value assertion to TestResponse::assertJsonValidationErrors() (#28787)
• Added: Automatically bind the viewAny method to the index controller action (#28820)

Fixed

• Fixed database rules with where clauses (#28748)
• Fixed: MorphTo Relation ignores parent $timestamp when touching (#28670)
• Fixed: Sql Server issue during dropAllTables when foreign key constraints exist (#28750, #28770)
• Fixed Model::getConnectionName() when Model::cursor() used (#28804)

Changed

• Made force an optional feature when using ConfirmableTrait. (#28742)
• Suggest resolution when no relationship value is returned in the Model::getRelationshipFromMethod() (#28762)

• f47d1a0 version
• 0c492b1 Merge pull request #28816 from Chris1904/fix/str-contains-all-tests
• 21da43f Merge pull request #28820 from clement-jacquet/abilityMap
• c9f957a add index => viewAny to resourceAbilityMap
• f964336 remove failing assertions
• a986126 Merge pull request #28806 from Chris1904/feature/add-str-contains-all
• 91d5cfd Update Str.php
• 5db5288 Apply fixes from StyleCI (#28812)
• a7332cc Merge pull request #28811 from Sergo96/5.8
• 3b3d747 Merge pull request #28795 from cybercog/add/app-facade-methods-hints
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

Sourced from sass's releases.

Dart Sass 1.20.1

To install Dart Sass 1.20.1, download one of the packages above and add it to your PATH, or see the Sass website for full installation instructions.

Changes

• No user-visible changes.

See the full changelog for changes in earlier releases.

Dart Sass 1.20.0

To install Dart Sass 1.20.0, download one of the packages above and add it to your PATH, or see the Sass website for full installation instructions.

Changes

• Support attribute selector modifiers, such as the i in [title="test" i].

Command-Line Interface

• When compilation fails, Sass will now write the error message to the CSS output as a comment and as the content property of a body::before rule so it will show up in the browser (unless compiling to standard output). This can be disabled with the --no-error-css flag, or forced even when compiling to standard output with the --error-css flag.

Dart API

• Added SassException.toCssString(), which returns the contents of a CSS stylesheet describing the error, as above.

See the full changelog for changes in earlier releases.

Dart Sass 1.19.0

To install Dart Sass 1.19.0, download one of the packages above and add it to your PATH, or see the Sass website for full installation instructions.

Changes

• Allow ! in url()s without quotes.

Dart API

• FilesystemImporter now doesn't change its effective directory if the working directory changes, even if it's passed a relative argument.

See the full changelog for changes in earlier releases.

Dart Sass 1.18.0

To install Dart Sass 1.18.0, download one of the packages above and add it to your PATH, or see the Sass website for full installation instructions.

Changes

• Avoid recursively listing directories when finding the canonical name of a file on case-insensitive filesystems.

• Fix importing files relative to package:-imported files.

• Don't claim that "package:" URLs aren't supported when they actually are.

... (truncated)

Sourced from sass's changelog.

1.20.1

• No user-visible changes.

1.20.0

• Support attribute selector modifiers, such as the i in [title="test" i].

Command-Line Interface

• When compilation fails, Sass will now write the error message to the CSS output as a comment and as the content property of a body::before rule so it will show up in the browser (unless compiling to standard output). This can be disabled with the --no-error-css flag, or forced even when compiling to standard output with the --error-css flag.

Dart API

• Added SassException.toCssString(), which returns the contents of a CSS stylesheet describing the error, as above.

1.19.0

• Allow ! in url()s without quotes.

Dart API

• FilesystemImporter now doesn't change its effective directory if the working directory changes, even if it's passed a relative argument.

1.18.0

• Avoid recursively listing directories when finding the canonical name of a file on case-insensitive filesystems.

• Fix importing files relative to package:-imported files.

• Don't claim that "package:" URLs aren't supported when they actually are.

Command-Line Interface

• Add a --no-charset flag. If this flag is set, Sass will never emit a @charset declaration or a byte-order mark, even if the CSS file contains non-ASCII characters.

Dart API

• Add a charset option to compile(), compileString(), compileAsync() and compileStringAsync(). If this option is set to false, Sass will never emit a @charset declaration or a byte-order mark, even if the CSS file contains

... (truncated)

• aa91790 Fix YAML syntax errors (#667)
• cf7da14 Merge pull request #666 from sass/travis
• 60fc306 Release 1.20.1
• 117b1b7 Add names to deploy steps
• 49c0562 Use Node.js when deploying to npm
• 9ff1e20 Run app-snapshot in the before-test grinder task (#660)
• 34c068a Generate a CSS file describing an error when one occurs (#659)
• 57260a9 Update color algorithm URLs (#664)
• 75ec924 Build standalone Mac OS releases on Mac OS bots (#662)
• 892f301 Remove a debugging print (#655)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

Sourced from The GitHub Security Advisory Database.

Regular Expression Denial of Service (ReDOS) A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.

Affected versions: < 1.5.5

Sourced from color-string's releases.

1.6.0

Minor release 1.6.0

• #55 - Add support for space-separated HSL

Thanks @​htunnicliff for the contribution :)

1.5.5 (Patch/Security Release) - hwb() ReDos patch (low-severity)

Release notes copied verbatim from the commit message, which can be found here: 0789e21284c33d89ebc4ab4ca6f759b9375ac9d3

Discovered by Yeting Li, c/o Colin Ife via Snyk.io.
A ReDos (Regular Expression Denial of Service) vulnerability
was responsibly disclosed to me via email by Colin on
Mar 5 2021 regarding an exponential time complexity for
linearly increasing input lengths for hwb() color strings.
Strings reaching more than 5000 characters would see several
milliseconds of processing time; strings reaching more than
50,000 characters began seeing 1500ms (1.5s) of processing time.
The cause was due to a the regular expression that parses
hwb() strings - specifically, the hue value - where
the integer portion of the hue value used a 0-or-more quantifier
shortly thereafter followed by a 1-or-more quantifier.
This caused excessive backtracking and a cartesian scan,
resulting in exponential time complexity given a linear
increase in input length.
Thank you Yeting Li and Colin Ife for bringing this to my
attention in a secure, responsible and professional manner.
A CVE will not be assigned for this vulnerability.

• 1a68f9e 1.6.0
• 2b6f59c Add additional HSL examples to README
• 6f73e20 Update HSL regular expression
• 0264546 Add tests for space-separated HSL syntax
• 966ae4d 1.5.5
• 0789e21 fix ReDos in hwb() parser (low-severity)
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Sourced from The PHP Security Advisories Database.

TOCTOU Race Condition enabling remote code execution

Affected versions: =2.0.0, <2.1.1

• f3ad691 Reject paths with funky whitespace.
• 1ac14e9 Added SharePoint community adapter
• 4347fe7 Remove ext-fileinfo from suggests, it's already in requires
• 1bf07fc Fix time-related tests failing in 2021
• 13352d2 Remove @​deprecated MountManager
• 2062a94 Adding AsyncAWS under community support
• 53f16fd More precise signatures
• 2323c98 Add missing emptyDir annotation
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Sourced from The GitHub Security Advisory Database.

Regular Expression Denial of Service in postcss The npm package postcss from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Affected versions: >= 7.0.0 < 7.0.36

Sourced from postcss's releases.

7.0.36

• Backport ReDoS vulnerabilities from PostCSS 8.

Sourced from postcss's changelog.

7.0.36

• Backport ReDoS vulnerabilities from PostCSS 8.

• 67e3d7b Release 7.0.36 version
• 54cbf3c Backport ReDoS vulnerabilities from PostCSS 8
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)