This is a Tailwind CSS plugin to generate utility classes for RFS

By Michael Aerni
Last update: Dec 22, 2022
Comments: 17

RFS Plugin for Tailwind CSS

This plugin generates RFS variants of Tailwind utility classes.

Requirements

This plugin requires a working PostCSS setup of the RFS PostCSS plugin. You can check out the webpack.mix.js file for a working setup using Laravel Mix.

Installation

npm install tailwindcss-rfs

Usage

Add tailwindcss-rfs to the plugins array of your Tailwind config
Add the rfs variant to the desired core plugins

// tailwind.config.js

module.exports = {
    variants: {
        extend: {
            fontSize: ['rfs'],
            padding: ['rfs'],
            margin: ['rfs'],
            gap: ['rfs'],
        },
    },
    plugins: [
        require('tailwindcss-rfs')
    ],
}

Example Output

/* Original */

.text-6xl {
  font-size: 3.75rem;
  line-height: 1;
}

.p-24 {
  padding: 6rem;
}


/* RFS Variant */

.rfs\:text-6xl {
  font-size: calc(1.5rem + 3vw);
  line-height: 1;
}

.rfs\:p-24 {
  padding: calc(1.725rem + 5.7vw);
}

Github

https://github.com/aerni/tailwindcss-rfs

Comments(17)

prefix option doesn't seem to work

I set the prefix to ''. I also tried setting the prefix to 'something-else-'.

However the prefix remained as 'rfs-'

This is my tailwind.config.js

module.exports = {
  future: {
    // removeDeprecatedGapUtilities: true,
    // purgeLayersByDefault: true,
  },
  purge: [],
  theme: {
    extend: {},
  },
  variants: {},
  corePlugins: {
    fontSize: false, // defer to rfs
    padding: false, // defer to rfs
    margin: false, // defer to rfs
  },
  plugins: [
    require('tailwindcss-rfs')({
      prefix: '',
      fontSizeUtilities: true,
      paddingUtilities: true,
      marginUtilities: true,
    })
  ]
}

2

Bump loader-utils from 1.4.0 to 1.4.1
Bumps loader-utils from 1.4.0 to 1.4.1.
Release notes

Sourced from loader-utils's releases.
v1.4.1

1.4.1 (2022-11-07)

Bug Fixes
- security problem (#220) (4504e34)
Changelog

Sourced from loader-utils's changelog.
1.4.1 (2022-11-07)

Bug Fixes
- security problem (#220) (4504e34)
Commits
- 8f082b3 chore(release): 1.4.1
- 4504e34 fix: security problem (#220)
- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.
3

Bump postcss from 7.0.35 to 7.0.39
Bumps postcss from 7.0.35 to 7.0.39.
Release notes

Sourced from postcss's releases.
7.0.39
- Reduce package size.
- Backport nanocolors to picocolors migration.
7.0.38
- Update Processor#version.
7.0.37
- Backport chalk to nanocolors migration.
7.0.36
- Backport ReDoS vulnerabilities from PostCSS 8.
Changelog

Sourced from postcss's changelog.
7.0.39
- Reduce package size.
- Backport nanocolors to picocolors migration.
7.0.38
- Update Processor#version.
7.0.37
- Backport chalk to nanocolors migration.
7.0.36
- Backport ReDoS vulnerabilities from PostCSS 8.
Commits
- e17c1ef Release 7.0.39 version
- 6791bd3 Reduce npm package
- 44c581a Replace nanocolors with picocolors
- 8ba21fd Remove eslint-ci
- 3994c4a Release 7.0.38 version
- 6944e1d Remove development keys from package.json
- 4dd0af0 Release 7.0.37 version
- 8408eb4 Add compilation step
- 0c68063 Move tests to GitHub Actions
- 98b61ba Replace chalk to nanocolors
- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.
4

Bump url-parse from 1.4.7 to 1.5.10
Bumps url-parse from 1.4.7 to 1.5.10.
Commits
- 8cd4c6c 1.5.10
- ce7a01f [fix] Improve handling of empty port
- 0071490 [doc] Update JSDoc comment
- a7044e3 [minor] Use more descriptive variable name
- d547792 [security] Add credits for CVE-2022-0691
- ad23357 1.5.9
- 0e3fb54 [fix] Strip all control characters from the beginning of the URL
- 61864a8 [security] Add credits for CVE-2022-0686
- bb0104d 1.5.8
- d5c6479 [fix] Handle the case where the port is specified but empty
- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.
5

Bump follow-redirects from 1.13.1 to 1.14.9
Bumps follow-redirects from 1.13.1 to 1.14.9.
Commits
- 13136e9 Release version 1.14.9 of the npm package.
- 2ec9b0b Keep headers when upgrading from HTTP to HTTPS.
- 5fc74dd Reduce nesting.
- 3d81dc3 Release version 1.14.8 of the npm package.
- 62e546a Drop confidential headers across schemes.
- 2ede36d Release version 1.14.7 of the npm package.
- 8b347cb Drop Cookie header across domains.
- 6f5029a Release version 1.14.6 of the npm package.
- af706be Ignore null headers.
- d01ab7a Release version 1.14.5 of the npm package.
- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.
6

Tailwind issue, invalid font size value

I seem to be getting an issue where tailwind is appending [object Object] to the end of font sizes. I'm currently using Gatsby with Tailwind CSS compatibility version. Below is a screenshot of the problem:
7

RFS as Variant

This PR is a complete rewrite of this plugin. You can now add rfs as a variant to any of Tailwind's core plugins. This makes this plugin infinitely more powerful, as you're not limited to a few provided utilities anymore. It also completely removes any plugin configuration.
8

Bump ini from 1.3.5 to 1.3.8
Bumps ini from 1.3.5 to 1.3.8.
Commits
- a2c5da8 1.3.8
- af5c6bb Do not use Object.create(null)
- 8b648a1 don't test where our devdeps don't even work
- c74c8af 1.3.7
- 024b8b5 update deps, add linting
- 032fbaf Use Object.create(null) to avoid default object property hazards
- 2da9039 1.3.6
- cfea636 better git push script, before publish instead of after
- 56d2805 do not allow invalid hazardous string as section name
- See full diff in compare view
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for ini since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.
9

Bump elliptic from 6.5.2 to 6.5.3
Bumps elliptic from 6.5.2 to 6.5.3.
Commits
- 8647803 6.5.3
- 856fe4d signature: prevent malleability and overflows
- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.
10

Bump lodash from 4.17.15 to 4.17.19
Bumps lodash from 4.17.15 to 4.17.19.

Release notes

Sourced from lodash's releases.

4.17.16
Commits
- d7fbc52 Bump to v4.17.19
- 2e1c0f2 Add npm-package
- 1b6c282 Bump to v4.17.18
- a370ac8 Bump to v4.17.17
- 1144918 Rebuild lodash and docs
- 3a3b0fd Bump to v4.17.16
- c84fe82 fix(zipObjectDeep): prototype pollution (#4759)
- e7b28ea Sanitize sourceURL so it cannot affect evaled code (#4518)
- 0cec225 Fix lodash.isEqual for circular references (#4320) (#4515)
- 94c3a81 Document matches* shorthands for over* methods (#4510) (#4514)
- Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by mathias, a new releaser for lodash since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.
11

Bump websocket-extensions from 0.1.3 to 0.1.4
Bumps websocket-extensions from 0.1.3 to 0.1.4.
Changelog

Sourced from websocket-extensions's changelog.
0.1.4 / 2020-06-02
- Remove a ReDoS vulnerability in the header parser (CVE-2020-7662, reported by Robert McLaughlin)
- Change license from MIT to Apache 2.0
Commits
- 8efd0cd Bump version to 0.1.4
- 3dad4ad Remove ReDoS vulnerability in the Sec-WebSocket-Extensions header parser
- 4a76c75 Add Node versions 13 and 14 on Travis
- 44a677a Formatting change: {...} should have spaces inside the braces
- f6c50ab Let npm reformat package.json
- 2d211f3 Change markdown formatting of docs.
- 0b62083 Update Travis target versions.
- 729a465 Switch license to Apache 2.0.
- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.
12

Bump json5 from 1.0.1 to 1.0.2
Bumps json5 from 1.0.1 to 1.0.2.
Release notes

Sourced from json5's releases.
v1.0.2
- Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295). This has been backported to v1. (#298)
Changelog

Sourced from json5's changelog.
Unreleased [code, diff]

v2.2.3 [code, diff]
- Fix: [email protected] is now the 'latest' release according to npm instead of v1.0.2. (#299)
v2.2.2 [code, diff]
- Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).
v2.2.1 [code, diff]
- Fix: Removed dependence on minimist to patch CVE-2021-44906. (#266)
v2.2.0 [code, diff]
- New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)
v2.1.3 [code, diff]
- Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)
v2.1.2 [code, diff]
... (truncated)
Commits
- a62db1e 1.0.2
- e0c23fe docs: update CHANGELOG for v1.0.2
- 62a6540 fix: add proto to objects and arrays
- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.
13

Bump loader-utils from 1.4.0 to 1.4.2
Bumps loader-utils from 1.4.0 to 1.4.2.
Release notes

Sourced from loader-utils's releases.
v1.4.2

1.4.2 (2022-11-11)

Bug Fixes
- ReDoS problem (#226) (17cbf8f)
v1.4.1

1.4.1 (2022-11-07)

Bug Fixes
- security problem (#220) (4504e34)
Changelog

Sourced from loader-utils's changelog.
1.4.2 (2022-11-11)

Bug Fixes
- ReDoS problem (#226) (17cbf8f)
1.4.1 (2022-11-07)

Bug Fixes
- security problem (#220) (4504e34)
Commits
- 331ad50 chore(release): 1.4.2
- 17cbf8f fix: ReDoS problem (#226)
- 8f082b3 chore(release): 1.4.1
- 4504e34 fix: security problem (#220)
- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.
14

Bump terser from 4.8.0 to 4.8.1
Bumps terser from 4.8.0 to 4.8.1.
Changelog

Sourced from terser's changelog.
v4.8.1 (backport)
- Security fix for RegExps that should not be evaluated (regexp DDOS)
Commits
- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.
15

Bump async from 2.6.3 to 2.6.4
Bumps async from 2.6.3 to 2.6.4.
Changelog

Sourced from async's changelog.
v2.6.4
- Fix potential prototype pollution exploit (#1828)
Commits
- c6bdaca Version 2.6.4
- 8870da9 Update built files
- 4df6754 update changelog
- 8f7f903 Fix prototype pollution vulnerability (#1828)
- See full diff in compare view
Maintainer changes

This version was pushed to npm by hargasinski, a new releaser for async since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.
16

Bump minimist from 1.2.5 to 1.2.6
Bumps minimist from 1.2.5 to 1.2.6.
Commits
- 7efb22a 1.2.6
- ef88b93 security notice for additional prototype pollution issue
- c2b9819 isConstructorOrProto adapted from PR
- bc8ecee test from prototype pollution PR
- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.
17

Bump node-forge from 1.2.1 to 1.3.0
Bumps node-forge from 1.2.1 to 1.3.0.
Changelog

Sourced from node-forge's changelog.
1.3.0 - 2022-03-17

Security
- Three RSA PKCS#1 v1.5 signature verification issues were reported by Moosa Yahyazadeh ([email protected]).
- HIGH: Leniency in checking digestAlgorithm structure can lead to signature forgery.
  
  The code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.
  
  CVE ID: CVE-2022-24771
  
  GHSA ID: GHSA-cfm4-qjh2-4765
- HIGH: Failing to check tailing garbage bytes can lead to signature forgery.
  
  The code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.
  
  CVE ID: CVE-2022-24772
  
  GHSA ID: GHSA-x4jg-mjrx-434g
- MEDIUM: Leniency in checking type octet.
  
  DigestInfo is not properly checked for proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.
  
  CVE ID: CVE-2022-24773
  
  GHSA ID: GHSA-2r2c-g63r-vccr
Fixed
- [asn1] Add fallback to pretty print invalid UTF8 data.
- [asn1] fromDer is now more strict and will default to ensuring all input bytes are parsed or throw an error. A new option parseAllBytes can disable this behavior.
  
  NOTE: The previous behavior is being changed since it can lead to security issues with crafted inputs. It is possible that code doing custom DER parsing may need to adapt to this new behavior and optional flag.
- [rsa] Add and use a validator to check for proper structure of parsed ASN.1 RSASSA-PKCS-v1_5 DigestInfo data. Additionally check that the hash algorithm identifier is a known value from RFC 8017 PKCS1-v1-5DigestAlgorithms. An invalid DigestInfo or algorithm identifier will now throw an error.
  
  NOTE: The previous lenient behavior is being changed to be more strict since it could lead to security issues with crafted inputs. It is possible that code may have to handle the errors from these stricter checks.
... (truncated)
Commits
- 6c5b901 Release 1.3.0.
- 0f3972a Update changelog.
- dc77b39 Fix error checking.
- bb822c0 Add advisory links.
- d4395fe Update changelog.
- a4405bb Improve signature verification tests.
- aa9372d Add missing RFC 8017 algorithm identifiers.
- 3f0b49a Fix signature verification issues.
- c20f309 Adjust remaining length.
- e27f612 Remove unused option.
- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.