An agnostic UI components library based on Web Components, made with Bulma & Stencil.

  • By Thomas Marrec
  • Last update: Dec 16, 2022
  • Comments: 13

bulmil


Bulmil is an agnostic UI library based on Web Components, made with Bulma.io & Stencil.js.

Bulmil was created as a proof of concept to introduce an easy way to consume common reusable web components for use with various modern application frameworks (Angular, Vue, React, Ember) or simply with pure JavaScript.

⚠️ Currently in Alpha, beta will be available once this issue is resolved.

Why Stencil?

Stencil is a compiler for building fast web apps using Web Components.

Stencil combines the best concepts of the most popular frontend frameworks into a compile-time rather than run-time tool. Stencil takes TypeScript, JSX, a tiny virtual DOM layer, efficient one-way data binding, an asynchronous rendering pipeline (similar to React Fiber), and lazy-loading out of the box, and generates 100% standards-based Web Components that run in any browser supporting the Custom Elements v1 spec.

Stencil components are just Web Components, so they work in any major framework or with no framework at all.

Getting Started

# Using npm
npm i @bulmil/core

# Using yarn
yarn add @bulmil/core

Usage

Without a JavaScript framework

Integrating a component built with Stencil into a project without a JavaScript framework is straightforward. If you're using a simple HTML page, you can add your component via a script tag. For example, if we published a component to npm, we could load the component through a CDN like this:

<html lang="en">
  <head>
    <link rel="stylesheet" href="https://unpkg.com/@bulmil/[email protected]/dist/css/bulmil.min.css" />
    <script src="https://unpkg.com/@bulmil/[email protected]/dist/bulmil/bulmil.js"></script>
  </head>
  <body>
    <bm-button>Button</bm-button>
  </body>
</html>

Alternatively, if you wanted to take advantage of ES Modules, you could include the components using an import statement. Note that in this scenario applyPolyfills is needed if you are targeting Edge or IE11.

<html lang="en">
  <head>
    <link rel="stylesheet" href="https://unpkg.com/@bulmil/[email protected]/dist/css/bulmil.min.css" />
    <script type="module">
      import {
        applyPolyfills,
        defineCustomElements,
      } from 'https://unpkg.com/@bulmil/[email protected]/dist/loader/index.es2017.js';
      applyPolyfills().then(() => {
        defineCustomElements(window);
      });
    </script>
  </head>
  <body>
    <bm-button>Button</bm-button>
  </body>
</html>

Try this example on Codesandbox


Frameworks

Unfortunately, the experience of integrating web components into existing applications can be tricky at times. More about this can be read at https://custom-elements-everywhere.com/. To accommodate the various issues, the Stencil team has created new output target plugins to make the process simpler.

Each plugin adds an output target for its framework binding. That output target emits a native Angular/React/Vue library, just as if your components had originally been written in that framework.

There are framework-specific bindings for:

Keep in mind that, at its core, Bulmil is still simply web components. Even if your framework is not mentioned in the list above, it most likely still supports Bulmil natively. You can check here whether your framework has complete support for web components.

There are also examples for loading and using Bulmil with:


React

Unfortunately, React has poor web components support, but we have you covered with our @bulmil/react package, which wraps all the Bulmil web components inside React components so they feel natural to interact with, and it removes the limitations of working with web components inside React.

Let's first load the CSS for the application. The CSS file includes:

  • Bulma base
  • Bulma helpers
  • Other components & elements that don't fit in any component or aren't implemented yet.

Add the following to the root of your application:

// Global CSS (includes base & helpers). ~50KB
// We recommend using purgecss to remove unused CSS from your application.
import '@bulmil/core/dist/css/bulmil.min.css';

Now let's install the @bulmil/react package by running the following in your terminal:

# Using npm
npm i @bulmil/react

# Using yarn
yarn add @bulmil/react

And ... we're all done 🎉

Vue

You have two options with Vue, since it has perfect web components support. You can either follow the instructions here for loading the web components in their natural form, or use the Vue bindings from the @bulmil/vue package, which wraps all the web components inside Vue components so you can feel right at home. Other advantages of using @bulmil/vue include typed and documented components, and additional helpers for extending Bulmil with custom components.

Let's first load the CSS for the application. The CSS file includes:

  • Bulma base
  • Bulma helpers
  • Other components & elements that don't fit in any component or aren't implemented yet.

Add the following to the root of your application:

// Global CSS (includes base & helpers). ~50KB
// We recommend using purgecss to remove unused CSS from your application.
import '@bulmil/core/dist/css/bulmil.min.css';

Now let's install the @bulmil/vue package by running the following in your terminal:

# Using npm
npm i @bulmil/vue

# Using yarn
yarn add @bulmil/vue

And ... we're all done 🎉

Using Nuxt

Create a plugin (e.g. plugins/bulmil.ts):

// plugins/bulmil.ts
import Vue from 'vue';

import { applyPolyfills, defineCustomElements } from '@bulmil/core/dist/loader';

Vue.config.productionTip = false;
// Tell Vue not to treat <bm-*> tags as unknown components
Vue.config.ignoredElements = [/bm-\w*/];

// Bind the custom elements to the window object
applyPolyfills().then(() => {
  defineCustomElements(window);
});

Then register it as a client-only plugin:

// nuxt.config.ts
export default {
  plugins: [
    { src: '~/plugins/bulmil.ts', mode: 'client' },
  ],
}

The components should then be available in any of the Vue components:

render() {
  return (
    <div>
      <bm-button>Button</bm-button>
    </div>
  )
}

Angular

You have two options with Angular, since it has perfect web components support. You can either follow the instructions here for loading the web components in their natural form, or use the Angular bindings from the @bulmil/angular package, which wraps all the web components inside Angular components so you can feel right at home. Other advantages of using @bulmil/angular include typed and documented components, and additional helpers for extending Bulmil with custom components.

Let's first load the CSS for the application. The CSS file includes:

  • Bulma base
  • Bulma helpers
  • Other components & elements that don't fit in any component or aren't implemented yet.

Add the following to the root of your application styles:

// Global CSS (includes base & helpers). ~50KB
// We recommend using purgecss to remove unused CSS from your application.
import '@bulmil/core/dist/css/bulmil.min.css';

Now let's install the @bulmil/angular package by running the following in your terminal:

# Using npm
npm i @bulmil/angular

# Using yarn
yarn add @bulmil/angular

And ... we're all done 🎉

Svelte

You have two options with Svelte, since it has perfect web components support. You can either follow the instructions for loading it from the CDN and use the Bulmil web components in their natural form, or use the Svelte bindings from the @bulmil/svelte package, which wraps all the web components inside Svelte components so you can feel right at home. Other advantages of using @bulmil/svelte include typed and documented components, and additional helpers for extending Bulmil with custom components.

Let's first load the CSS for the application. The CSS file includes:

  • Bulma base
  • Bulma helpers
  • Other components & elements that don't fit in any component or aren't implemented yet.

Add the following to the element of your HTML file:

// Global CSS (includes base & helpers). ~50KB
// We recommend using purgecss to remove unused CSS from your application.
import '@bulmil/core/dist/css/bulmil.min.css';

Now let's install the @bulmil/svelte package by running the following in your terminal:

# Using npm
npm i @bulmil/svelte

# Using yarn
yarn add @bulmil/svelte

And ... we're all done 🎉

Ember

Working with Stencil components in Ember is really easy thanks to the ember-cli-stencil addon. It handles:

  • Importing the required files into your vendor.js
  • Copying the component definitions into your assets directory
  • Optionally generating a wrapper component for improved compatibility with older Ember versions

Start off by installing the Ember addon:

ember install ember-cli-stencil

Now, when you build your application, Stencil collections in your dependencies will automatically be discovered and pulled into your application. You can just start using the custom elements in your hbs files with no further work needed. For more information, check out the ember-cli-stencil documentation.


Development

  1. Clone this repository
  2. Install dependencies using yarn install or npm install
  3. Start development server using yarn storybook or npm run storybook

📑 License

MIT License

GitHub

https://github.com/gomah/bulmil

Comments(13)

  • 1

    chore(deps-dev): bump @types/puppeteer from 1.20.2 to 2.0.0

    Bumps @types/puppeteer from 1.20.2 to 2.0.0.

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    If all status checks pass Dependabot will automatically merge this pull request.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
    • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

    Additionally, you can set the following in your Dependabot dashboard:

    • Update frequency (including time of day and day of week)
    • Pull request limits (per update run and/or open at any time)
    • Automerge options (never/patch/minor, and dev/runtime dependencies)
    • Out-of-range updates (receive only lockfile updates, if desired)
    • Security updates (receive only security updates, if desired)
  • 2

    chore(deps): [security] bump color-string from 1.5.4 to 1.5.5

    Bumps color-string from 1.5.4 to 1.5.5. This update includes a security fix.

    Vulnerabilities fixed

    Sourced from The GitHub Security Advisory Database.

    Regular Expression Denial of Service (ReDOS)

    A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.

    Affected versions: < 1.5.5

    Release notes

    Sourced from color-string's releases.

    1.5.5 (Patch/Security Release) - hwb() ReDos patch (low-severity)

    Release notes copied verbatim from the commit message, which can be found here: 0789e21284c33d89ebc4ab4ca6f759b9375ac9d3

    Discovered by Yeting Li, c/o Colin Ife via Snyk.io.
    

    A ReDos (Regular Expression Denial of Service) vulnerability was responsibly disclosed to me via email by Colin on Mar 5 2021 regarding an exponential time complexity for linearly increasing input lengths for hwb() color strings.

    Strings reaching more than 5000 characters would see several milliseconds of processing time; strings reaching more than 50,000 characters began seeing 1500ms (1.5s) of processing time.

    The cause was due to the regular expression that parses hwb() strings - specifically, the hue value - where the integer portion of the hue value used a 0-or-more quantifier shortly thereafter followed by a 1-or-more quantifier.

    This caused excessive backtracking and a cartesian scan, resulting in exponential time complexity given a linear increase in input length.

    Thank you Yeting Li and Colin Ife for bringing this to my attention in a secure, responsible and professional manner.

    A CVE will not be assigned for this vulnerability.

  • 3

    chore(deps): [security] bump ssri from 6.0.2 to 8.0.1

    Bumps ssri from 6.0.2 to 8.0.1. This update includes a security fix.

    Vulnerabilities fixed

    Sourced from The GitHub Security Advisory Database.

    Regular Expression Denial of Service (ReDoS)

    ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

    Affected versions: >= 5.2.2 < 8.0.1

    Changelog

    Sourced from ssri's changelog.

    8.0.1 (2021-01-27)

    Bug Fixes

    • simplify regex for strict mode, add tests (76e2233)

    8.0.0 (2020-02-18)

    ⚠ BREAKING CHANGES

    • SRI values with ../ in the algorithm name now throw as invalid (which they always probably should have!)
    • adds a new error that will be thrown. Empty SRIs are no longer considered valid for checking, only when using integrityStream to calculate the SRI value.

    PR-URL: npm/ssri#12 Credit: @claudiahdz

    Features

    Bug Fixes

    • harden SRI parsing against ../ funny business (4062735)
    • IntegrityStream responds to mutating opts object mid-stream (4a963e5)
    • throw null when sri is empty or bad (a6811cb), closes #12

    7.1.0 (2019-10-24)

    Bug Fixes

    • Do not blow up if the opts object is mutated (806e8c8)

    Features

    • Add Integrity#merge method (0572c1d), closes #4

    7.0.1 (2019-09-30)

    7.0.0 (2019-09-18)

    ⚠ BREAKING CHANGES

    ... (truncated)

    Commits
    • 3eec7a3 chore(release): 8.0.1
    • 2083289 chore: update package-lock and dev dependencies
    • 76e2233 fix: simplify regex for strict mode, add tests
    • 41b764f chore(release): 8.0.0
    • 4062735 fix: harden SRI parsing against ../ funny business
    • a6811cb fix: throw null when sri is empty or bad
    • 1727a7c chore: consistent project setup
    • 4a963e5 fix: IntegrityStream responds to mutating opts object mid-stream
    • 0e78fd7 feat: remove figgy-pudding
    • 79ba4ec chore(release): 7.1.0
    • Additional commits viewable in compare view

  • 4

    chore(deps-dev): bump @babel/core from 7.7.4 to 7.7.5

    Bumps @babel/core from 7.7.4 to 7.7.5.

    Release notes

    Sourced from @babel/core's releases.

    v7.7.5 (2019-12-06)

    :bug: Bug Fix

    • babel-plugin-transform-modules-commonjs, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2
    • babel-cli
      • #10283 babel --watch should have equivalent file selection logic with babel (@JLHwung)
    • babel-parser
    • babel-parser, babel-plugin-proposal-optional-chaining, babel-plugin-transform-modules-amd
    • babel-helper-module-transforms, babel-plugin-transform-modules-amd

    :nail_care: Polish

    :house: Internal

    Committers: 8

  • 5

    chore(deps-dev): bump eslint from 6.5.1 to 6.6.0

    Bumps eslint from 6.5.1 to 6.6.0.

    Release notes

    Sourced from eslint's releases.

    v6.6.0

    • 39dfe08 Update: false positives in function-call-argument-newline (fixes #12123) (#12280) (Scott O'Hara)
    • 4d84210 Update: improve report location for no-trailing-spaces (fixes #12315) (#12477) (Milos Djermanovic)
    • c6a7745 Update: no-trailing-spaces false negatives after comments (fixes #12479) (#12480) (Milos Djermanovic)
    • 0bffe95 Fix: no-misleading-character-class crash on invalid regex (fixes #12169) (#12347) (Milos Djermanovic)
    • c6a9a3b Update: Add enforceForIndexOf option to use-isnan (fixes #12207) (#12379) (Milos Djermanovic)
    • 364877b Update: measure plugin loading time and output in debug message (#12395) (Victor Homyakov)
    • 1744fab Fix: operator-assignment removes and duplicates comments (#12485) (Milos Djermanovic)
    • 52ca11a Fix: operator-assignment invalid autofix with adjacent tokens (#12483) (Milos Djermanovic)
    • 0f6d0dc Fix: CLIEngine#addPlugin reset lastConfigArrays (fixes #12425) (#12468) (Toru Nagashima)
    • 923a8cb Chore: Fix lint failure in JSDoc comment (#12489) (Brandon Mills)
    • aac3be4 Update: Add ignored prop regex no-param-reassign (#11275) (Luke Bennett)
    • e5382d6 Chore: Remove unused parameter in dot-location (#12464) (Milos Djermanovic)
    • 49faefb Fix: no-obj-calls false positive (fixes #12437) (#12467) (Toru Nagashima)
    • b3dbd96 Fix: problematic installation issue (fixes #11018) (#12309) (Toru Nagashima)
    • cd7c29b Sponsors: Sync README with website (ESLint Jenkins)
    • 8233873 Docs: Add note about Node.js requiring SSL support (fixes #11413) (#12475) (Nicholas C. Zakas)
    • 89e8aaf Fix: improve report location for no-tabs (#12471) (Milos Djermanovic)
    • 7dffe48 Update: Enable function string option in comma-dangle (fixes #12058) (#12462) (YeonJuan)
    • e15e1f9 Docs: fix doc for no-unneeded-ternary rule (fixes #12098) (#12410) (Sam Rae)
    • b1dc58f Sponsors: Sync README with website (ESLint Jenkins)
    • 61749c9 Chore: Provide debug log for parser errors (#12474) (Brad Zacher)
    • 7c8bbe0 Update: enforceForOrderingRelations no-unsafe-negation (fixes #12163) (#12414) (Sam Rae)
    • 349ed67 Update: improve report location for no-mixed-operators (#12328) (Chiawen Chen)
    • a102eaa Fix: prefer-numeric-literals invalid autofix with adjacent tokens (#12387) (Milos Djermanovic)
    • 6e7c18d Update: enforceForNewInMemberExpressions no-extra-parens (fixes #12428) (#12436) (Milos Djermanovic)
    • 51fbbd7 Fix: array-bracket-newline consistent error with comments (fixes #12416) (#12441) (Milos Djermanovic)
    • e657d4c Fix: report full dot location in dot-location (#12452) (Milos Djermanovic)
    • 2d6e345 Update: make isSpaceBetweenTokens() ignore newline in comments (#12407) (YeonJuan)
    • 84f71de Update: remove default overrides in keyword-spacing (fixes #12369) (#12411) (YeonJuan)
    • 18a0b0e Update: improve report location for no-space-in-parens (#12364) (Chiawen Chen)
    • d61c8a5 Update: improve report location for no-multi-spaces (#12329) (Chiawen Chen)
    • 561093f Upgrade: bump inquirer to ^7.0.0 (#12440) (Joe Graham)
    • fb633b2 Chore: Add a script for testing with more control (#12444) (Eric Wang)
    • 012ec51 Sponsors: Sync README with website (ESLint Jenkins)
    • 874fe16 New: pass cwd from cli engine (#12389) (Eric Wang)
    • b962775 Update: no-self-assign should detect member expression with this (#12279) (Tibor Blenessy)
    • 02977f2 Docs: Clarify eslint:recommended semver policy (#12429) (Kevin Partington)
    • 97045ae Docs: Fixes object type for rules in "Use a Plugin" (#12409) (Daisy Develops)
    • 24ca088 Docs: Fix typo in v6 migration guide (#12412) (Benjamim Sonntag)
    • b094008 Chore: update version parameter name (#12402) (Toru Nagashima)
    • e5637ba Chore: enable jsdoc/require-description (#12365) (Kai Cataldo)
    • d31f337 Sponsors: Sync README with website (ESLint Jenkins)
    • 7ffb22f Chore: Clean up inline directive parsing (#12375) (Jordan Eldredge)
    • 84467c0 Docs: fix wrong max-depth example (fixes #11991) (#12358) (Gabriel R Sezefredo)
    • 3642342 Docs: Fix minor formatting/grammar errors (#12371) (cherryblossom000)
    • c47fa0d Docs: Fix missing word in sentence (#12361) (Dan Boulet)
    • 8108f49 Chore: enable additional eslint-plugin-jsdoc rules (#12336) (Kai Cataldo)
    • b718d2e Chore: update issue template with --eslint-fix flag (#12352) (James George)
    • 20ba14d Sponsors: Sync README with website (ESLint Jenkins)
    ... (truncated)
    Changelog

    Sourced from eslint's changelog.

    v6.6.0 - October 25, 2019
    • c47fa0d Docs: Fix missing word in sentence (#12361) (Dan Boulet)
    • 8108f49 Chore: enable additional eslint-plugin-jsdoc rules (#12336) (Kai Cataldo)
    • b718d2e Chore: update issue template with --eslint-fix flag (#12352) (James George)
    ... (truncated)
    Commits
    • 879c373 6.6.0
    • c8ba30a Build: changelog update for 6.6.0
    • 39dfe08 Update: false positives in function-call-argument-newline (fixes #12123) (#12...
    • 4d84210 Update: improve report location for no-trailing-spaces (fixes #12315) (#12477)
    • c6a7745 Update: no-trailing-spaces false negatives after comments (fixes #12479) (#12...
    • 0bffe95 Fix: no-misleading-character-class crash on invalid regex (fixes #12169) (#12...
    • c6a9a3b Update: Add enforceForIndexOf option to use-isnan (fixes #12207) (#12379)
    • 364877b Update: measure plugin loading time and output in debug message (#12395)
    • 1744fab Fix: operator-assignment removes and duplicates comments (#12485)
    • 52ca11a Fix: operator-assignment invalid autofix with adjacent tokens (#12483)
    • Additional commits viewable in compare view
    Maintainer changes

    This version was pushed to npm by eslintbot, a new releaser for eslint since your current version.


    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot will merge this PR once it's up-to-date and CI passes on it, as requested by @Gomah.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
    • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

    Additionally, you can set the following in your Dependabot dashboard:

    • Update frequency (including time of day and day of week)
    • Pull request limits (per update run and/or open at any time)
    • Automerge options (never/patch/minor, and dev/runtime dependencies)
    • Out-of-range updates (receive only lockfile updates, if desired)
    • Security updates (receive only security updates, if desired)
  • 6

    chore(deps-dev): bump @types/jest from 24.0.19 to 24.0.20

    Bumps @types/jest from 24.0.19 to 24.0.20.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot will merge this PR once CI passes on it, as requested by @Gomah.


  • 7

    chore(deps-dev): bump puppeteer from 1.19.0 to 2.0.0

    Bumps puppeteer from 1.19.0 to 2.0.0.

    Release notes

    Sourced from puppeteer's releases.

    v2.0.0

    Big changes

    API changes

    Raw notes

    • aa24697 - chore: mark version v2.0.0 (#5078)
    • 360c1b4 - test: add page.screenshot viewport clipping test (#5079)
    • 7f3e372 - docs(api): improve page.waitFor docs for the options object (#5021)
    • 8132b39 - test: remove duplicate code from an example (#5072)
    • 1248a19 - feat(api): add page.emulateTimezone(timezoneId) (#4949)
    • a86363f - feat(api): add page.emulateMedia{Type,Features} (#5012)
    • 06dbb72 - chore: use map instead of plain object (#5068)
    • 81d2600 - feat(chromium): roll Chromium to r705776 (#5058)
    • 3773229 - fix: avoid unnecessary zero-delays in input code (#4934)
    • 11ff374 - chore: drop Node.js v6 support (#5045)
    • c0ba8f9 - docs(troubleshooting): update Alpine Chromium versions (#4980)
    • 2506169 - docs(contributing): mention manual docs/api updates (#5023)
    • 83c327a - docs(readme): correct Slack link
    • 4c62e09 - fix(comment): fix typo in Launcher.js (#4959)
    • 7dbb108 - docs(api): list Chromium version for Puppeteer v1.20.0 (#5015)
    • 5b34028 - chore: bump https-proxy-agent to mitigate a security issue (#5016)
    • dc57d03 - docs(api): clarify type method examples (#5010)
    • fff2737 - doc(contributing): clarify release instructions (#4940)
    • 387a532 - chore: bump version to v1.20.0-post (#4939)

    v1.20.0

    Big changes

    API changes

    Added

    ... (truncated)
    Commits
    Maintainer changes

    This version was pushed to npm by mathias, a new releaser for puppeteer since your current version.


    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


  • 8

    chore(deps): [security] bump tar from 4.4.13 to 4.4.15

    Bumps tar from 4.4.13 to 4.4.15. This update includes security fixes.

    Vulnerabilities fixed

    Sourced from The GitHub Security Advisory Database.

    Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization

    Impact

    Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution

    node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc would turn into home/user/.bashrc.

    This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite.

    Patches

    3.2.2 || 4.4.14 || 5.0.6 || 6.1.1

    NOTE: an adjacent issue CVE-2021-32803 affects this release level. Please ensure you update to the latest patch levels that address CVE-2021-32803 as well if this adjacent issue affects your node-tar use case.

    Workarounds

    Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths.

    const path = require('path')

    ... (truncated)

    Affected versions: >= 4.0.0 < 4.4.14

    Sourced from The GitHub Security Advisory Database.

    Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning

    Impact

    Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution

    node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.

    This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the node-tar directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where node-tar's checks for symlinks occur.

    By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.

    This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.

    Patches

    3.2.3 || 4.4.15 || 5.0.7 || 6.1.2

    Workarounds

    Users may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.

    ... (truncated)

    Affected versions: >= 4.0.0 < 4.4.15

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    If all status checks pass Dependabot will automatically merge this pull request.


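    As an added, defender-side example (not node-tar's own code) of the two workarounds the advisories in this PR describe: a path sanitiser that strips every repeated root rather than a single one, shown beside the insufficient single-strip version, and a filter in the shape of node-tar's `filter(path, entry)` option that drops absolute paths and link entries. The function names are mine; the entry objects and their `type` values are assumed to mirror node-tar's entry types, and the sample entry list is constructed for the demonstration. The `..` traversal check goes beyond what the advisories cover.

```javascript
// Added example, not node-tar's own code: the sanitisation and filtering the
// two advisories describe as workarounds. Archive entry paths are assumed to
// be POSIX style ('/' separated), as tar stores them.

// Insufficient version: strip a single leading '/'. With repeated roots
// ('////home/user/.bashrc') one '/' survives and the path is still absolute.
function stripRootOnce(entryPath) {
  return entryPath.startsWith('/') ? entryPath.slice(1) : entryPath;
}

// Corrected version: strip until no leading '/' remains, so the result is
// always relative to the extraction directory however many roots repeat.
function stripRoots(entryPath) {
  let p = entryPath;
  while (p.startsWith('/')) p = p.slice(1);
  return p;
}

function isAbsolutePosix(p) {
  return p.startsWith('/');
}

// Path components with empty and '.' segments dropped.
function segments(p) {
  return p.split('/').filter((s) => s !== '' && s !== '.');
}

// True when '..' components climb above the extraction directory. Classic
// traversal is outside the two advisories, but this filter is where to stop it.
function escapesExtractDir(p) {
  let depth = 0;
  for (const s of segments(p)) {
    if (s === '..') {
      if (--depth < 0) return true;
    } else {
      depth++;
    }
  }
  return false;
}

// Filter in the shape of node-tar's `filter(path, entry)` option. Assumption:
// `entry.type` uses node-tar's names ('File', 'Directory', 'SymbolicLink',
// 'Link'). Rejecting absolute paths covers the first advisory; rejecting link
// entries covers the second, since a symlink that would replace an already
// created directory is then never extracted at all.
function safeEntryFilter(entryPath, entry) {
  if (isAbsolutePosix(entryPath)) return false;
  if (entry.type === 'SymbolicLink' || entry.type === 'Link') return false;
  if (escapesExtractDir(entryPath)) return false;
  return true;
}

// Run the filter over an entry list; returns the kept and dropped paths.
function partition(entries) {
  const kept = [];
  const dropped = [];
  for (const e of entries) {
    (safeEntryFilter(e.path, e) ? kept : dropped).push(e.path);
  }
  return { kept, dropped };
}

// Constructed sample entries modelled on the advisories' examples.
const SAMPLE_ENTRIES = [
  { path: 'home/user/.bashrc', type: 'File' },
  { path: '////home/user/.bashrc', type: 'File' },
  { path: 'home/user/bin', type: 'Directory' },
  { path: 'home/user/bin', type: 'SymbolicLink', linkpath: '/usr/local/bin' },
  { path: 'home/../../etc/passwd', type: 'File' },
];

console.log(partition(SAMPLE_ENTRIES));
console.log(stripRootOnce('////home/user/.bashrc'), '->', stripRoots('////home/user/.bashrc'));
```

    Which of the two workarounds to use depends on the archive's contract: `stripRoots` in an `onentry` hook keeps files from absolute-path archives but relocates them under the extraction directory, whereas `safeEntryFilter` simply refuses such entries. Either way, upgrading to a patched node-tar is the fix; these are stopgaps for code that cannot upgrade yet.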
  • 9

    chore(deps): [security] bump color-string from 1.5.4 to 1.6.0

    Bumps color-string from 1.5.4 to 1.6.0. This update includes a security fix.

    Vulnerabilities fixed

    Sourced from The GitHub Security Advisory Database.

    Regular Expression Denial of Service (ReDOS)

    A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.

    Affected versions: < 1.5.5

    Release notes

    Sourced from color-string's releases.

    1.6.0

    Minor release 1.6.0

    • #55 - Add support for space-separated HSL

    Thanks @​htunnicliff for the contribution :)

    1.5.5 (Patch/Security Release) - hwb() ReDos patch (low-severity)

    Release notes copied verbatim from the commit message, which can be found here: 0789e21284c33d89ebc4ab4ca6f759b9375ac9d3

    Discovered by Yeting Li, c/o Colin Ife via Snyk.io.

    A ReDos (Regular Expression Denial of Service) vulnerability was responsibly disclosed to me via email by Colin on Mar 5 2021 regarding an exponential time complexity for linearly increasing input lengths for hwb() color strings.

    Strings reaching more than 5000 characters would see several milliseconds of processing time; strings reaching more than 50,000 characters began seeing 1500ms (1.5s) of processing time.

    The cause was due to the regular expression that parses hwb() strings - specifically, the hue value - where the integer portion of the hue value used a 0-or-more quantifier shortly thereafter followed by a 1-or-more quantifier.

    This caused excessive backtracking and a cartesian scan, resulting in exponential time complexity given a linear increase in input length.

    Thank you Yeting Li and Colin Ife for bringing this to my attention in a secure, responsible and professional manner.

    A CVE will not be assigned for this vulnerability.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    If all status checks pass Dependabot will automatically merge this pull request.


  • 10

    chore(deps): [security] bump ws from 7.3.1 to 7.4.6

    Bumps ws from 7.3.1 to 7.4.6. This update includes security fixes.

    Vulnerabilities fixed

    Sourced from The GitHub Security Advisory Database.

    ReDoS in Sec-Websocket-Protocol header

    Impact

    A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.

    Proof of concept

    for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
      const value = 'b' + ' '.repeat(length) + 'x';
      const start = process.hrtime.bigint();

      value.trim().split(/ *, */);

      const end = process.hrtime.bigint();

      console.log('length = %d, time = %f ns', length, end - start);
    }

    Patches

    ... (truncated)

    Affected versions: >= 5.0.0 < 7.4.6

    Sourced from The GitHub Security Advisory Database.

    ReDoS in Sec-Websocket-Protocol header

    Impact

    A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.

    Proof of concept

    for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
      const value = 'b' + ' '.repeat(length) + 'x';
      const start = process.hrtime.bigint();

      value.trim().split(/ *, */);

      const end = process.hrtime.bigint();

      console.log('length = %d, time = %f ns', length, end - start);
    }

    Patches

    ... (truncated)

    Affected versions: >= 5.0.0 < 7.4.5

    Release notes

    Sourced from ws's releases.

    7.4.6

    Bug fixes

    • Fixed a ReDoS vulnerability (00c425ec).

    A specially crafted value of the Sec-Websocket-Protocol header could be used to significantly slow down a ws server.

    for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
      const value = 'b' + ' '.repeat(length) + 'x';
      const start = process.hrtime.bigint();

      value.trim().split(/ *, */);

      const end = process.hrtime.bigint();

      console.log('length = %d, time = %f ns', length, end - start);
    }

    The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.

    In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

    7.4.5

    Bug fixes

    • UTF-8 validation is now done even if utf-8-validate is not installed (23ba6b29).
    • Fixed an edge case where websocket.close() and websocket.terminate() did not close the connection (67e25ff5).

    7.4.4

    Bug fixes

    • Fixed a bug that could cause the process to crash when using the permessage-deflate extension (92774377).

    7.4.3

    Bug fixes

    • The deflate/inflate stream is now reset instead of reinitialized when context takeover is disabled (#1840).

    7.4.2

    Bug fixes

    ... (truncated)

    Commits
    • f5297f7 [dist] 7.4.6
    • 00c425e [security] Fix ReDoS vulnerability
    • 990306d [lint] Fix prettier error
    • 32e3a84 [security] Remove reference to Node Security Project
    • 8c914d1 [minor] Fix nits
    • fc7e27d [ci] Test on node 16
    • 587c201 [ci] Do not test on node 15
    • f672710 [dist] 7.4.5
    • 67e25ff [fix] Fix case where abortHandshake() does not close the connection
    • 23ba6b2 [fix] Make UTF-8 validation work even if utf-8-validate is not installed
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    If all status checks pass Dependabot will automatically merge this pull request.


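    As an added example, not code from ws or from the advisory: a single-pass parser for a comma-separated token header such as Sec-WebSocket-Protocol, kept beside the `value.trim().split(/ *, */)` call from the proof of concept, with a small timing helper so the growth can be compared on the advisory's crafted input. The regex split is slow on `'b' + ' '.repeat(n) + 'x'` because at each of the n space positions the engine greedily consumes the remaining spaces, fails to find a comma and backtracks through them one by one, so a header containing no comma at all costs O(n^2). The token character class follows RFC 6455 (subprotocol names are RFC 2616 tokens); the same principle, an anchored pattern with no ambiguous adjacent quantifiers and bounded work per character, is also the cure for the hue regex described in the color-string hwb() notes above and for the polynomial shortcutMatch regex in the hosted-git-info advisory below. The function names and the rejection of duplicate names are my own design choices.

```javascript
// Added example, not ws's own code: linear-time parsing of a comma-separated
// token header, next to the backtracking-prone split from the advisory.

// RFC 6455 subprotocol names are RFC 2616 tokens: no CTLs, no separators.
// The anchored character class is unambiguous, so a test is O(token length).
const TOKEN = /^[!#$%&'*+\-.0-9A-Z^_`a-z|~]+$/;

// Returns an array of unique tokens, or null when the header is malformed
// (empty element, non-token character such as a space, or a repeated name).
// split(',') and trim() are both linear in the input length, so the whole
// parse is O(n) regardless of how the header is shaped.
function parseSubprotocols(value) {
  if (typeof value !== 'string') return null;
  const seen = new Set();
  const out = [];
  for (const raw of value.split(',')) {
    const token = raw.trim();
    if (!TOKEN.test(token) || seen.has(token)) return null;
    seen.add(token);
    out.push(token);
  }
  return out;
}

// The split from the advisory's proof of concept, kept for comparison only.
function splitWithRegex(value) {
  return value.trim().split(/ *, */);
}

// Time one parser on the advisory's crafted input for each length; returns
// nanoseconds per length so the growth of both approaches can be inspected.
function timeOnCraftedInput(fn, lengths) {
  return lengths.map((length) => {
    const value = 'b' + ' '.repeat(length) + 'x'; // constructed, as in the PoC
    const start = process.hrtime.bigint();
    fn(value);
    return Number(process.hrtime.bigint() - start);
  });
}

// Lengths are kept small so the quadratic split finishes quickly; doubling
// the input should roughly quadruple the first row and only double the second.
const LENGTHS = [1000, 2000, 4000, 8000];
console.log('regex split  ns:', timeOnCraftedInput(splitWithRegex, LENGTHS));
console.log('linear parse ns:', timeOnCraftedInput(parseSubprotocols, LENGTHS));
```

    The header-size limits the release notes mention (`--max-http-header-size` and `maxHeaderSize`) bound the damage for a server that cannot upgrade, but they cap n rather than remove the quadratic term; replacing the ambiguous regex is what makes the cost linear.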
  • 11

    chore(deps): [security] bump hosted-git-info from 2.8.8 to 2.8.9

    Bumps hosted-git-info from 2.8.8 to 2.8.9. This update includes a security fix.

    Vulnerabilities fixed

    Sourced from The GitHub Security Advisory Database.

    Regular Expression Denial of Service in hosted-git-info

    The npm package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

    Affected versions: < 2.8.9

    Changelog

    Sourced from hosted-git-info's changelog.

    2.8.9 (2021-04-07)

    Bug Fixes

    Commits
    Maintainer changes

    This version was pushed to npm by nlf, a new releaser for hosted-git-info since your current version.


    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    If all status checks pass Dependabot will automatically merge this pull request.


  • 12

    Extending the Nuxt examples section with Nuxt routing / transitions

    I was wondering if it would be possible to extend the Nuxt router, maybe in nuxt-stencil, similar to the following implementation in Ionic Vue so the Nuxt Router could be used with the Web Components generated by Stencil?

    see https://github.com/ModusCreateOrg/ionic-vue/blob/master/src/router.ts or https://github.com/ModusCreateOrg/beep/blob/master/src/router.js

  • 13

    Use CSS variables

    At the moment, Bulmil is using bulma's scss variables (bulma-scss) to style stencil components.

    However, as components are built & then distributed, it becomes impossible to customize the styles dynamically.

    Using CSS variables will solve this issue. I'm currently working on an alternative; apparently, it is also a proposed feature in Bulma:

    • https://github.com/jgthms/bulma/issues/1837
    • https://github.com/jgthms/bulma/tree/css-variables