v18.2.23

7273656 (Replace resin-discoverable-services with bonjour-service, 2024-07-09)

v18.2.22

1749937 (Remove unused dependency minimatch, 2024-07-10)

v18.2.21

6c89ba4 (Bump resin-discoverable-services from 2.0.4 to 2.0.5, 2024-07-09)

v18.2.20

b6d1afa (Audit fix dependencies, 2024-07-05)

v18.2.19

93e597a (Remove unused package publish-release, 2024-07-05)

v18.2.18

Update actions/setup-node action to v4

Notable changes

actions/setup-node (actions/setup-node)

v4

Compare Source

List of commits

c30a1dc (Update actions/setup-node action to v4, 2024-07-02)

v18.2.17

Update dependency etcher-sdk to v9.1.0

Notable changes

• patch: etcher-sdk is not yet compatible with node22 [JOASSART Edwin]
• minor: allow passing custom assets to start SB protected CM4 [Edwin Joassart]

balena-io-modules/etcher-sdk (etcher-sdk)

v9.1.0

Compare Source

• patch: etcher-sdk is not yet compatible with node22 [JOASSART Edwin]
• minor: allow passing custom assets to start SB protected CM4 [Edwin Joassart]

List of commits

2d47eb5 (Update dependency etcher-sdk to v9.1.0, 2024-07-02)

v18.2.16

Update dependency etcher-sdk to v9.0.11

Notable changes

• patch: use http2 to fix issues with url source [Edwin Joassart]
• patch: remove CI workaround [Edwin Joassart]
• patch: add option to allow listing virtual drive on Mac [JOASSART Edwin]

balena-io-modules/etcher-sdk (etcher-sdk)

v9.0.11

Compare Source

• patch: use http2 to fix issues with url source [Edwin Joassart]

v9.0.10

Compare Source

• patch: remove CI workaround [Edwin Joassart]

v9.0.9

Compare Source

• patch: add option to allow listing virtual drive on Mac [JOASSART Edwin]

List of commits

6b56576 (Update dependency etcher-sdk to v9.0.11, 2024-07-02)

v18.2.15

Update dependency event-stream to v3.3.5

Notable changes

dominictarr/event-stream (event-stream)

v3.3.5

Compare Source

List of commits

b518067 (Update dependency event-stream to v3.3.5, 2024-07-02)

v18.2.14

Update dependency jsonwebtoken to v9 [SECURITY]

Notable changes

• Removed support for Node versions 11 and below.
• The verify() function no longer accepts unsigned tokens by default. ([8345030]auth0/node-jsonwebtoken@8345030)
• RSA key size must be 2048 bits or greater. ([ecdf6cc]auth0/node-jsonwebtoken@ecdf6cc)
• Key types must be valid for the signing / verification algorithm
• security: fixes Arbitrary File Write via verify function - CVE-2022-23529
• security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
• security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
• security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

auth0/node-jsonwebtoken (jsonwebtoken)

v9.0.0

Compare Source

Breaking changes: See Migration from v8 to v9

Breaking changes

• Removed support for Node versions 11 and below.
• The verify() function no longer accepts unsigned tokens by default. ([8345030]auth0/node-jsonwebtoken@8345030)
• RSA key size must be 2048 bits or greater. ([ecdf6cc]auth0/node-jsonwebtoken@ecdf6cc)
• Key types must be valid for the signing / verification algorithm

Security fixes

• security: fixes Arbitrary File Write via verify function - CVE-2022-23529
• security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
• security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
• security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

List of commits

f05e499 (Update dependency jsonwebtoken to v9 [SECURITY], 2024-07-02)