🚨 [security] Update cspell 6.18.0 → 8.15.7 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ cspell (6.18.0 → 8.15.7) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ braces (indirect, 3.0.2 → 3.0.3) · Repo · Changelog

Security Advisories 🚨

🚨 Uncontrolled resource consumption in braces

The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ chalk (indirect, 5.0.1 → 5.3.0) · Repo

Release Notes

5.3.0

• Add sideEffects field to package.json 5aafc0a
• Add support for Gitea Actions (#603) 29b8569

v5.2.0...v5.3.0

5.2.0

• Improve Deno compatibility (#579) 7443e9f
• Detect true-color support for GitHub Actions (#579) 7443e9f
• Detect true-color support for Kitty terminal (#579) 7443e9f
• Fix test for Azure DevOps environment (#579) 7443e9f

v5.1.2...v5.2.0

5.1.2

• Fix exported styles names (#569) a34bcf6

v5.1.1...v5.1.2

5.1.1

• Improved the names of exports introduced in 5.1.0 (#567) 6e0df05
  • We of course preserved the old names.

v5.1.0...v5.1.1

5.1.0

• Expose style names (#566) d7d7571

v5.0.1...v5.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ commander (indirect, 9.4.1 → 12.1.0) · Repo · Changelog

Release Notes

12.1.0

Added

• auto-detect special node flags node --eval and node --print when call .parse() with no arguments (#2164)

Changed

• prefix require of Node.js core modules with node: (#2170)
• format source files with Prettier (#2180)
• switch from StandardJS to directly calling ESLint for linting (#2153)
• extend security support for previous major version of Commander (#2150)

Removed

• removed unimplemented Option.fullDescription from TypeScript definition (#2191)

12.0.0

Added

• .addHelpOption() as another way of configuring built-in help option (#2006)
• .helpCommand() for configuring built-in help command (#2087)

Fixed

• Breaking: use non-zero exit code when spawned executable subcommand terminates due to a signal (#2023)
• Breaking: check passThroughOptions constraints when using .addCommand and throw if parent command does not have .enablePositionalOptions() enabled (#1937)

Changed

• Breaking: Commander 12 requires Node.js v18 or higher (#2027)
• Breaking: throw an error if add an option with a flag which is already in use (#2055)
• Breaking: throw an error if add a command with name or alias which is already in use (#2059)
• Breaking: throw error when calling .storeOptionsAsProperties() after setting an option value (#1928)
• replace non-standard JSDoc of @api private with documented @private (#1949)
• .addHelpCommand() now takes a Command (passing string or boolean still works as before but deprecated) (#2087)
• refactor internal implementation of built-in help option (#2006)
• refactor internal implementation of built-in help command (#2087)

Deprecated

• .addHelpCommand() passing string or boolean (use .helpCommand() or pass a Command) (#2087)

Removed

• Breaking: removed default export of a global Command instance from CommonJS (use the named program export instead) (#2017)

Migration Tips

global program

If you are using the deprecated default import of the global Command object, you need to switch to using a named import (or create a new Command).

// const program = require('commander');
const { program } = require('commander');

option and command clashes

A couple of configuration problems now throw an error, which will pick up issues in existing programs:

• adding an option which uses the same flag as a previous option
• adding a command which uses the same name or alias as a previous command

11.1.0

Fixed

• TypeScript: update OptionValueSource to allow any string, to match supported use of custom sources (#1983)
• TypeScript: add that Command.version() can also be used as getter (#1982)
• TypeScript: add null return type to Commands.executableDir(), for when not configured (#1965)
• subcommands with an executable handler and only a short help flag are now handled correctly by the parent's help command (#1930)

Added

• registeredArguments property on Command with the array of defined Argument (like Command.options for Option) (#2010)
• TypeScript declarations for Option properties: envVar, presetArg (#2019)
• TypeScript declarations for Argument properties: argChoices, defaultValue, defaultValueDescription (#2019)
• example file which shows how to configure help to display any custom usage in the list of subcommands (#1896)

Changed

• (developer) refactor TypeScript configs for multiple use-cases, and enable checks in JavaScript files in supporting editors (#1969)

Deprecated

• Command._args was private anyway, but now available as registeredArguments (#2010)

11.0.0

Fixed

• help command works when help option is disabled (#1864)

Changed

• leading and trailing spaces are now ignored by the .arguments() method (#1874)
• refine "types" exports for ESM to follow TypeScript guidelines (#1886)
• Breaking: Commander 11 requires Node.js v16 or higher

10.0.1

Added

• improvements to documentation (#1858, #1859, #1860)

Fixed

• remove unused Option.optionFlags property from TypeScript definition (#1844)

Changed

• assume boolean option intended if caller passes string instead of hash to .implies() (#1854)

10.0.0

Added

• wrap command description in help (#1804)

Changed

• Breaking: Commander 10 requires Node.js v14 or higher

9.5.0

Added

• .getOptionValueSourceWithGlobals() (#1832)
• showGlobalOptions for .configureHelp{} and Help (#1828)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ comment-json (indirect, 4.2.3 → 4.2.5) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ fast-equals (indirect, 4.0.3 → 5.0.1) · Repo · Changelog

Release Notes

5.0.1

• Fix references to metaOverride (#100) (19327e5)
• Bump webpack from 5.75.0 to 5.76.0 (#99) (0698037)
• Add several tests (#98) (eb76f52)

5.0.0

• Version 5 (#95) (acd7bcb)
• Bump http-cache-semantics from 4.1.0 to 4.1.1 (#94) (e6b76c8)
• Bump json5 from 1.0.1 to 1.0.2 (#92) (9d15c86)
• Bump vm2 from 3.9.10 to 3.9.11 (#90) (342d9a1)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ fill-range (indirect, 7.0.1 → 7.1.1) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ flatted (indirect, 3.2.0 → 3.3.1) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ micromatch (indirect, 4.0.5 → 4.0.8) · Repo · Changelog

Security Advisories 🚨

🚨 Regular Expression Denial of Service (ReDoS) in micromatch

The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to #266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ semver (indirect, 7.3.8 → 7.6.3) · Repo · Changelog

Security Advisories 🚨

🚨 semver vulnerable to Regular Expression Denial of Service

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Release Notes

7.6.3

7.6.3 (2024-07-16)

Bug Fixes

• 73a3d79 #726 optimize Range parsing and formatting (#726) (@jviide)

Documentation

• 2975ece #719 fix extra backtick typo (#719) (@stdavis)

7.6.2

7.6.2 (2024-05-09)

Bug Fixes

• 6466ba9 #713 lru: use map.delete() directly (#713) (@negezor, @lukekarrys)

7.6.1

7.6.1 (2024-05-04)

Bug Fixes

• c570a34 #704 linting: no-unused-vars (@wraithgar)
• ad8ff11 #704 use internal cache implementation (@mbtools)
• ac9b357 #682 typo in compareBuild debug message (#682) (@mbtools)

Dependencies

• 988a8de #709 uninstall lru-cache (#709)
• 3fabe4d #704 remove lru-cache

Chores

• dd09b60 #705 bump @npmcli/template-oss to 4.22.0 (@lukekarrys)
• ec49cdc #701 chore: chore: postinstall for dependabot template-oss PR (@lukekarrys)
• b236c3d #696 add benchmarks (#696) (@H4ad)
• 692451b #688 various improvements to README (#688) (@mbtools)
• 5feeb7f #705 postinstall for dependabot template-oss PR (@lukekarrys)
• 074156f #701 bump @npmcli/template-oss from 4.21.3 to 4.21.4 (@dependabot[bot])

7.6.0

7.6.0 (2024-01-31)

Features

• a7ab13a #671 preserve pre-release and build parts of a version on coerce (#671) (@madtisa, madtisa, @wraithgar)

Chores

• 816c7b2 #667 postinstall for dependabot template-oss PR (@lukekarrys)
• 0bd24d9 #667 bump @npmcli/template-oss from 4.21.1 to 4.21.3 (@dependabot[bot])
• e521932 #652 postinstall for dependabot template-oss PR (@lukekarrys)
• 8873991 #652 chore: chore: postinstall for dependabot template-oss PR (@lukekarrys)
• f317dc8 #652 bump @npmcli/template-oss from 4.19.0 to 4.21.0 (@dependabot[bot])
• 7303db1 #658 add clean() test for build metadata (#658) (@jethrodaniel)
• 6240d75 #656 add missing quotes in README.md (#656) (@zyxkad)
• 14d263f #625 postinstall for dependabot template-oss PR (@lukekarrys)
• 7c34e1a #625 bump @npmcli/template-oss from 4.18.1 to 4.19.0 (@dependabot[bot])
• 123e0b0 #622 postinstall for dependabot template-oss PR (@lukekarrys)
• 737d5e1 #622 bump @npmcli/template-oss from 4.18.0 to 4.18.1 (@dependabot[bot])
• cce6180 #598 postinstall for dependabot template-oss PR (@lukekarrys)
• b914a3d #598 bump @npmcli/template-oss from 4.17.0 to 4.18.0 (@dependabot[bot])

7.5.4

7.5.4 (2023-07-07)

Bug Fixes

• cc6fde2 #588 trim each range set before parsing (@lukekarrys)
• 99d8287 #583 correctly parse long build ids as valid (#583) (@lukekarrys)

7.5.3

7.5.3 (2023-06-22)

Bug Fixes

• abdd93d #571 set max lengths in regex for numeric and build identifiers (#571) (@lukekarrys)

Documentation

• bf53dd8 #569 add example for > comparator (#569) (@mbtools)

7.5.2

7.5.2 (2023-06-15)

Bug Fixes

• 58c791f #566 diff when detecting major change from prerelease (#566) (@lukekarrys)
• 5c8efbc #565 preserve build in raw after inc (#565) (@lukekarrys)
• 717534e #564 better handling of whitespace (#564) (@lukekarrys)

7.5.1

7.5.1 (2023-05-12)

Bug Fixes

• d30d25a #559 show type on invalid semver error (#559) (@tjenkinson)

7.5.0

7.5.0 (2023-04-17)

Features

• 503a4e5 #548 allow identifierBase to be false (#548) (@lsvalina)

Bug Fixes

• e219bb4 #552 throw on bad version with correct error message (#552) (@wraithgar)
• fc2f3df #546 incorrect results from diff sometimes with prerelease versions (#546) (@tjenkinson)
• 2781767 #547 avoid re-instantiating SemVer during diff compare (#547) (@macno)

7.4.0

7.4.0 (2023-04-10)

Features

• 113f513 #532 identifierBase parameter for .inc (#532) (@wraithgar, @b-bly)
• 48d8f8f #530 export new RELEASE_TYPES constant (@hcharley)

Bug Fixes

• 940723d #538 intersects with v0.0.0 and v0.0.0-0 (#538) (@wraithgar)
• aa516b5 #535 faster parse options (#535) (@H4ad)
• 61e6ea1 #536 faster cache key factory for range (#536) (@H4ad)
• f8b8b61 #541 optimistic parse (#541) (@H4ad)
• 796cbe2 #533 semver.diff prerelease to release recognition (#533) (@wraithgar, @dominique-blockchain)
• 3f222b1 #537 reuse comparators on subset (#537) (@H4ad)
• f66cc45 #539 faster diff (#539) (@H4ad)

Documentation

• c5d29df #530 Add "Constants" section to README (@hcharley)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ vscode-languageserver-textdocument (indirect, 1.0.8 → 1.0.12) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ vscode-uri (indirect, 3.0.7 → 3.0.8) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ xdg-basedir (indirect, 4.0.0 → 5.1.0) · Repo

Release Notes

5.1.0

• Add support for XDG_STATE_HOME (#6) 2bbd2ce

v5.0.1...v5.1.0

5.0.1

• Fix some mistakes in v5 1c00d3b

v5.0.0...v5.0.1

5.0.0

Breaking

• Require Node.js 12 e1b957d
• Changed from default export to named exports.
  See this diff for how to migrate.
• This package is now pure ESM. Please read this.

v4.0.0...v5.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ yaml (indirect, 2.1.1 → 2.6.0) · Repo

Security Advisories 🚨

🚨 Uncaught Exception in yaml

Uncaught Exception in GitHub repository eemeli/yaml starting at version 2.0.0-5 and prior to 2.2.2.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 @​cspell/cspell-json-reporter (added, 8.15.7)

🆕 @​cspell/cspell-resolver (added, 8.15.7)

🆕 @​cspell/dict-al (added, 1.0.3)

🆕 @​cspell/dict-data-science (added, 2.0.5)

🆕 @​cspell/dict-en-common-misspellings (added, 2.0.7)

🆕 @​cspell/dict-flutter (added, 1.0.3)

🆕 @​cspell/dict-fsharp (added, 1.0.4)

🆕 @​cspell/dict-google (added, 1.0.4)

🆕 @​cspell/dict-julia (added, 1.0.4)

🆕 @​cspell/dict-makefile (added, 1.0.3)

🆕 @​cspell/dict-markdown (added, 2.0.7)

🆕 @​cspell/dict-monkeyc (added, 1.0.9)

🆕 @​cspell/dict-terraform (added, 1.0.6)

🆕 @​cspell/dynamic-import (added, 8.15.7)

🆕 @​cspell/filetypes (added, 8.15.7)

🆕 @​cspell/url (added, 8.15.7)

🆕 chalk-template (added, 1.1.0)

🆕 cspell-config-lib (added, 8.15.7)

🆕 env-paths (added, 3.0.0)

🆕 find-up-simple (added, 1.0.0)

🆕 global-directory (added, 4.0.1)

🆕 import-meta-resolve (added, 4.1.0)

🆕 json-buffer (added, 3.0.1)

🆕 keyv (added, 4.5.4)

🆕 tinyglobby (added, 0.2.10)

🗑️ configstore (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #705.