Sourced from jsonwebtoken's changelog.

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

• Removed support for Node versions 11 and below.
• The verify() function no longer accepts unsigned tokens by default. ([834503079514b72264fd13023a3b8d648afd6a16]https://github.com/auth0/node-jsonwebtoken/commit/834503079514b72264fd13023a3b8d648afd6a16)
• RSA key size must be 2048 bits or greater. ([ecdf6cc6073ea13a7e71df5fad043550f08d0fa6]https://github.com/auth0/node-jsonwebtoken/commit/ecdf6cc6073ea13a7e71df5fad043550f08d0fa6)
• Key types must be valid for the signing / verification algorithm

Security fixes

• security: fixes Arbitrary File Write via verify function - CVE-2022-23529
• security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
• security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
• security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

• e1fa9dc Merge pull request from GHSA-8cf7-32gw-wr33
• 5eaedbf chore(ci): remove github test actions job (#861)
• cd4163e chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)
• ecdf6cc fix!: Prevent accidental use of insecure key sizes & misconfiguration of secr...
• 8345030 fix(sign&verify)!: Remove default none support from sign and verify met...
• 7e6a86b Upload OpsLevel YAML (#849)
• 74d5719 docs: update references vercel/ms references (#770)
• d71e383 docs: document "invalid token" error
• 3765003 docs: fix spelling in README.md: Peak -> Peek (#754)
• a46097e docs: make decode impossible to discover before verify
• Additional commits viewable in compare view

This version was pushed to npm by julien.wollscheid, a new releaser for jsonwebtoken since your current version.

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from decode-uri-component's releases.

v0.2.2

• Prevent overwriting previously decoded tokens 980e0bf

https://github.com/SamVerschueren/decode-uri-component/compare/v0.2.1...v0.2.2

v0.2.1

• Switch to GitHub workflows 76abc93
• Fix issue where decode throws - fixes #6 746ca5d
• Update license (#1) 486d7e2
• Tidelift tasks a650457
• Meta tweaks 66e1c28

https://github.com/SamVerschueren/decode-uri-component/compare/v0.2.0...v0.2.1

• a0eea46 0.2.2
• 980e0bf Prevent overwriting previously decoded tokens
• 3c8a373 0.2.1
• 76abc93 Switch to GitHub workflows
• 746ca5d Fix issue where decode throws - fixes #6
• 486d7e2 Update license (#1)
• a650457 Tidelift tasks
• 66e1c28 Meta tweaks
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from decode-uri-component's releases.

v0.2.2

• Prevent overwriting previously decoded tokens 980e0bf

https://github.com/SamVerschueren/decode-uri-component/compare/v0.2.1...v0.2.2

v0.2.1

• Switch to GitHub workflows 76abc93
• Fix issue where decode throws - fixes #6 746ca5d
• Update license (#1) 486d7e2
• Tidelift tasks a650457
• Meta tweaks 66e1c28

https://github.com/SamVerschueren/decode-uri-component/compare/v0.2.0...v0.2.1

• a0eea46 0.2.2
• 980e0bf Prevent overwriting previously decoded tokens
• 3c8a373 0.2.1
• 76abc93 Switch to GitHub workflows
• 746ca5d Fix issue where decode throws - fixes #6
• 486d7e2 Update license (#1)
• a650457 Tidelift tasks
• 66e1c28 Meta tweaks
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from socket.io-parser's changelog.

3.3.3 (2022-11-09)

Bug Fixes

• check the format of the index of each attachment (fb21e42)

3.4.2 (2022-11-09)

Bug Fixes

• check the format of the index of each attachment (04d23ce)

4.2.1 (2022-06-27)

Bug Fixes

• check the format of the index of each attachment (b5d0cb7)

4.0.5 (2022-06-27)

Bug Fixes

• check the format of the index of each attachment (b559f05)

4.2.0 (2022-04-17)

Features

• allow the usage of custom replacer and reviver (#112) (b08bc1a)

4.1.2 (2022-02-17)

Bug Fixes

... (truncated)

• cd11e38 chore(release): 3.3.3
• fb21e42 fix: check the format of the index of each attachment
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from vite's releases.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

Sourced from vite's changelog.

3.0.0-alpha.0 (2022-05-13)

See 3.0.0-alpha.0 changelog

2.9.14 (2022-07-08)

• fix: re-encode url to prevent fs.allow bypass (fixes #8498) (#8990) (adb61c5), closes #8498 #8990
• fix: reverts #8471, fix css content (da77dee), closes #8874
• fix(css): preserve dynamic import css code (fixes #5348) (d4d89b9), closes #5348 #7746
• fix(css): always use css module content (#8977) (84ec02a), closes #8936 #8977

2.9.13 (2022-06-27)

• fix: /@fs/ dir traversal with escaped chars (fixes #8498) (#8805) (e109d64), closes #8498 #8805
• fix(wasm): support decoding data URL in Node < v16 (#8668) (1afc1c2), closes #8668

2.9.12 (2022-06-10)

• fix: outdated optimized dep removed from module graph (#8534) (c0d6c60), closes #8534

2.9.11 (2022-06-10)

• fix: respect server.headers in static middlewares (#8481) (ab7dc1c), closes #8481
• fix(dev): avoid FOUC when swapping out link tag (fix #7973) (#8495) (01fa807), closes #7973 #8495

2.9.10 (2022-06-06)

• feat: treat Astro file scripts as TS (#8151) (9fdd0a3), closes #8151
• feat: new hook configurePreviewServer (#7658) (#8437) (7b972bc), closes #7658 #8437
• fix: remove empty chunk css imports when using esnext (#8345) (9fbc1a9), closes #8345
• fix: EPERM error on Windows when processing dependencies (#8235) (dfe4307), closes #8235
• fix(css): remove ?used hack (fixes #6421, #8245) (#8278) (#8471) (8d7bac4), closes #6421 #8245 #8278 #8471
• chore(lint): sort for imports (#8113) (4bd1531), closes #8113

2.9.9 (2022-05-11)

• fix: add direct query to html-proxy css (fixes #8091) (#8094) (a24b5e3), closes #8091 #8094
• fix: graceful rename in windows (#8036) (84496f8), closes #8036

... (truncated)

• d93ac8e release: v2.9.13
• e109d64 fix: backport #8804, /@fs/ dir traversal with escaped chars (fixes #8498) (#8...
• 1afc1c2 fix(wasm): support decoding data URL in Node < v16 (#8668)
• 86a55d3 release: v2.9.12
• c0d6c60 fix: backport outdated optimized dep removed from module graph (#8534)
• 078a7dc release: v2.9.11
• 01fa807 fix(dev): avoid FOUC when swapping out link tag (fix #7973) (#8495)
• ab7dc1c fix: backport respect server.headers in static middlewares (#8481)
• ced0374 release: v2.9.10
• 9fdd0a3 feat: backport treat Astro file scripts as TS (#8151)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from undici's releases.

v5.9.1

What's Changed

• fix: don't timeout while waiting for client to send request (#1604)
• Fix array headers by @​mateonunez in nodejs/undici#1598
• fix(fetch): implement fully read body algorithm by @​KhafraDev in nodejs/undici#1597
• fix: add support for integrity option to Fetch by @​jelmervdl in nodejs/undici#1596
• fix(File): respect typed array byteOffset and byteLength by @​mrbbot in nodejs/undici#1601

New Contributors

• @​mateonunez made their first contribution in nodejs/undici#1598
• @​jelmervdl made their first contribution in nodejs/undici#1596
• @​mrbbot made their first contribution in nodejs/undici#1601

Full Changelog: https://github.com/nodejs/undici/compare/v5.8.2...v5.9.1

v5.8.2

⚠️ Security Release ⚠️

• CRLF Injection in Nodejs ‘undici’ via Content-Type GHSA-f772-66g8-q5h3 CVE-2022-35948
• undici.request vulnerable to SSRF using absolute URL on pathname GHSA-8qr4-xgw6-wmr3 CVE-2022-35949

What's Changed

• docs: mock different endpoints in a single file by @​ritvik130 in nodejs/undici#1589
• feat(webidl): better error message for ByteString converter by @​KhafraDev in nodejs/undici#1591

New Contributors

• @​ritvik130 made their first contribution in nodejs/undici#1589

Full Changelog: https://github.com/nodejs/undici/compare/v5.8.1...v5.8.2

v5.8.1

What's Changed

• Do not decode the body while we are following a redirect by @​mcollina in nodejs/undici#1554
• docs: Fix spelling/grammar in "Mocking Request" by @​meyfa in nodejs/undici#1555
• fix(MockInterceptor): callback options.headers w/ fetch by @​KhafraDev in nodejs/undici#1559
• fix(fetch): ByteString checks & conversion in Headers by @​KhafraDev in nodejs/undici#1560
• test: update client certificates with ones that expires in 100 years by @​jodevsa in nodejs/undici#1566
• fix: x-www-form-urlencoded parser keep the BOM by @​cola119 in nodejs/undici#1563
• fix: prioritise error events over timeouts by @​jodevsa in nodejs/undici#1551
• fix: add isErrorLike by @​KhafraDev in nodejs/undici#1570
• fix(types): add missing pool stats by @​SkeLLLa in nodejs/undici#1573
• fix: fetch a long base64 url will crash and nothing happens (close: #1574) by @​ahaoboy in nodejs/undici#1575
• fix: follow signal.reason in Request by @​LiviaMedeiros in nodejs/undici#1580
• docs: Fix DiagnosticsChannel sidebar link by @​trentm in nodejs/undici#1582
• fix: make mock headers case-insensitive by @​cola119 in nodejs/undici#1585

New Contributors

• @​meyfa made their first contribution in nodejs/undici#1555
• @​cola119 made their first contribution in nodejs/undici#1563
• @​SkeLLLa made their first contribution in nodejs/undici#1573

... (truncated)

• 5890e16 5.9.1
• ecae314 fix: don't timeout while waiting for client to send request (#1604)
• fa9fd90 fix(File): respect typed array byteOffset and byteLength (#1601)
• ae6f554 fix: add support for integrity option to Fetch (#1596)
• deed628 fix(fetch): implement fully read body algorithm (#1597)
• 0d1419c Fix array headers (#1598)
• 52d1ce5 Bumped v5.8.2
• 66165d6 Merge pull request from GHSA-f772-66g8-q5h3
• 124f7eb Merge pull request from GHSA-8qr4-xgw6-wmr3
• aef314c feat(webidl): better error message for ByteString converter (#1591)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from @​openzeppelin/contracts's releases.

v4.7.3

:warning: This is a patch for a high severity issue. For more information visit the security advisory.

Breaking changes

• ECDSA: recover(bytes32,bytes) and tryRecover(bytes32,bytes) no longer accept compact signatures to prevent malleability. Compact signature support remains available using recover(bytes32,bytes32,bytes32) and tryRecover(bytes32,bytes32,bytes32).

v4.7.2

:warning: This is a patch for three issues, including a high severity issue in GovernorVotesQuorumFraction. For more information visit the security advisories (1, 2, 3).

1. GovernorVotesQuorumFraction: Fixed quorum updates so they do not affect past proposals that failed due to lack of quorum. (#3561)
2. ERC165Checker: Added protection against large returndata. (#3587)
3. LibArbitrumL2, CrossChainEnabledArbitrumL2: Fixed detection of cross-chain calls for EOAs. Previously, calls from EOAs would be classified as cross-chain calls. (#3578)

Sourced from @​openzeppelin/contracts's changelog.

4.7.3

Breaking changes

• ECDSA: recover(bytes32,bytes) and tryRecover(bytes32,bytes) no longer accept compact signatures to prevent malleability. Compact signature support remains available using recover(bytes32,bytes32,bytes32) and tryRecover(bytes32,bytes32,bytes32).

4.7.2

• LibArbitrumL2, CrossChainEnabledArbitrumL2: Fixed detection of cross-chain calls for EOAs. Previously, calls from EOAs would be classified as cross-chain calls. (#3578)
• GovernorVotesQuorumFraction: Fixed quorum updates so they do not affect past proposals that failed due to lack of quorum. (#3561)
• ERC165Checker: Added protection against large returndata. (#3587)

• ecd2ca2 4.7.3
• e1878ac Fix ECDSA signature malleability (#3610)
• 64e4820 4.7.2
• b66fe16 Update changelog
• 8fb5f57 Avoid returnbomb in ERC165Checker (#3587)
• 67b2572 Keep track of historical quorum values (#3561)
• 4337192 Fix arbitrum L1 to L2 crosschain call detection (#3578)
• 41c7b25 Fix error in documentation and typo (#3567)
• e15862f Remove test for feature not in 4.7
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from moment's changelog.

2.29.4

• Release Jul 6, 2022
  • #6015 [bugfix] Fix ReDoS in preprocessRFC2822 regex

2.29.3 Full changelog

• Release Apr 17, 2022
  • #5995 [bugfix] Remove const usage
  • #5990 misc: fix advisory link

• 000ac18 Build 2.24.4
• f2006b6 Bump version to 2.24.4
• 536ad0c Update changelog for 2.29.4
• 9a3b589 [bugfix] Fix redos in preprocessRFC2822 regex (#6015)
• 6374fd8 Merge branch 'master' into develop
• b4e6153 Revert "[bugfix] Fix redos in preprocessRFC2822 regex (#6015)"
• 7aebb16 [bugfix] Fix redos in preprocessRFC2822 regex (#6015)
• 57c9062 Build 2.29.3
• aaf50b6 Fixup release complaints
• 26f4aef Bump version to 2.29.3
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from @​openzeppelin/contracts's releases.

v4.7.2

:warning: This is a patch for three issues, including a high severity issue in GovernorVotesQuorumFraction. For more information visit the security advisories (1, 2, 3).

1. GovernorVotesQuorumFraction: Fixed quorum updates so they do not affect past proposals that failed due to lack of quorum. (#3561)
2. ERC165Checker: Added protection against large returndata. (#3587)
3. LibArbitrumL2, CrossChainEnabledArbitrumL2: Fixed detection of cross-chain calls for EOAs. Previously, calls from EOAs would be classified as cross-chain calls. (#3578)

Sourced from @​openzeppelin/contracts's changelog.

4.7.2

• LibArbitrumL2, CrossChainEnabledArbitrumL2: Fixed detection of cross-chain calls for EOAs. Previously, calls from EOAs would be classified as cross-chain calls. (#3578)
• GovernorVotesQuorumFraction: Fixed quorum updates so they do not affect past proposals that failed due to lack of quorum. (#3561)
• ERC165Checker: Added protection against large returndata. (#3587)

• 64e4820 4.7.2
• b66fe16 Update changelog
• 8fb5f57 Avoid returnbomb in ERC165Checker (#3587)
• 67b2572 Keep track of historical quorum values (#3561)
• 4337192 Fix arbitrum L1 to L2 crosschain call detection (#3578)
• 41c7b25 Fix error in documentation and typo (#3567)
• e15862f Remove test for feature not in 4.7
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from @​openzeppelin/contracts's releases.

v4.7.1

:warning: This is a patch for a medium severity issue affecting SignatureChecker and a high severity issue affecting ERC165Checker. For more information visit the security advisories (1, 2).

• SignatureChecker: Fix an issue that causes isValidSignatureNow to revert when the target contract returns ill-encoded data. (#3552)
• ERC165Checker: Fix an issue that causes supportsInterface to revert when the target contract returns ill-encoded data. (#3552)

v4.7.0

• TimelockController: Migrate _call to _execute and allow inheritance and overriding similar to Governor. (#3317)
• CrossChainEnabledPolygonChild: replace the require statement with the custom error NotCrossChainCall. (#3380)
• ERC20FlashMint: Add customizable flash fee receiver. (#3327)
• ERC4626: add an extension of ERC20 that implements the ERC4626 Tokenized Vault Standard. (#3171)
• SafeERC20: add safePermit as mitigation against phantom permit functions. (#3280)
• Math: add a mulDiv function that can round the result either up or down. (#3171)
• Math: Add a sqrt function to compute square roots of integers, rounding either up or down. (#3242)
• Strings: add a new overloaded function toHexString that converts an address with fixed length of 20 bytes to its not checksummed ASCII string hexadecimal representation. (#3403)
• EnumerableMap: add new UintToUintMap map type. (#3338)
• EnumerableMap: add new Bytes32ToUintMap map type. (#3416)
• SafeCast: add support for many more types, using procedural code generation. (#3245)
• MerkleProof: add multiProofVerify to prove multiple values are part of a Merkle tree. (#3276)
• MerkleProof: add calldata versions of the functions to avoid copying input arrays to memory and save gas. (#3200)
• ERC721, ERC1155: simplified revert reasons. (#3254, (#3438))
• ERC721: removed redundant require statement. (#3434)
• PaymentSplitter: add releasable getters. (#3350)
• Initializable: refactored implementation of modifiers for easier understanding. (#3450)
• Proxies: remove runtime check of ERC1967 storage slots. (#3455)

Breaking changes

• Initializable: functions decorated with the modifier reinitializer(1) may no longer invoke each other.

v4.7.0-rc.0

This prerelease is now available for open review! Let us know your feedback and if you find any security issues.

We have a bug bounty with rewards of up to USD $25,000 and a special POAP for submitting a valid issue.

See the announcement for more details.

v4.6.0

• crosschain: Add a new set of contracts for cross-chain applications. CrossChainEnabled is a base contract with instantiations for several chains and bridges, and AccessControlCrossChain is an extension of access control that allows cross-chain operation. (#3183)
• AccessControl: add a virtual _checkRole(bytes32) function that can be overridden to alter the onlyRole modifier behavior. (#3137)
• EnumerableMap: add new AddressToUintMap map type. (#3150)
• EnumerableMap: add new Bytes32ToBytes32Map map type. (#3192)
• ERC20FlashMint: support infinite allowance when paying back a flash loan. (#3226)
• ERC20Wrapper: the decimals() function now tries to fetch the value from the underlying token instance. If that calls revert, then the default value is used. (#3259)
• draft-ERC20Permit: replace immutable with constant for _PERMIT_TYPEHASH since the keccak256 of string literals is treated specially and the hash is evaluated at compile time. (#3196)
• ERC1155: Add a _afterTokenTransfer hook for improved extensibility. (#3166)
• ERC1155URIStorage: add a new extension that implements a _setURI behavior similar to ERC721's _setTokenURI. (#3210)
• DoubleEndedQueue: a new data structure that supports efficient push and pop to both front and back, useful for FIFO and LIFO queues. (#3153)
• Governor: improved security of onlyGovernance modifier when using an external executor contract (e.g. a timelock) that can operate without necessarily going through the governance protocol. (#3147)
• Governor: Add a way to parameterize votes. This can be used to implement voting systems such as fractionalized voting, ERC721 based voting, or any number of other systems. The params argument added to _countVote method, and included in the newly added _getVotes method, can be used by counting and voting modules respectively for such purposes. (#3043)

... (truncated)

Sourced from @​openzeppelin/contracts's changelog.

4.7.1

• SignatureChecker: Fix an issue that causes isValidSignatureNow to revert when the target contract returns ill-encoded data. (#3552)
• ERC165Checker: Fix an issue that causes supportsInterface to revert when the target contract returns ill-encoded data. (#3552)

4.7.0 (2022-06-29)

• TimelockController: Migrate _call to _execute and allow inheritance and overriding similar to Governor. (#3317)
• CrossChainEnabledPolygonChild: replace the require statement with the custom error NotCrossChainCall. (#3380)
• ERC20FlashMint: Add customizable flash fee receiver. (#3327)
• ERC4626: add an extension of ERC20 that implements the ERC4626 Tokenized Vault Standard. (#3171)
• SafeERC20: add safePermit as mitigation against phantom permit functions. (#3280)
• Math: add a mulDiv function that can round the result either up or down. (#3171)
• Math: Add a sqrt function to compute square roots of integers, rounding either up or down. (#3242)
• Strings: add a new overloaded function toHexString that converts an address with fixed length of 20 bytes to its not checksummed ASCII string hexadecimal representation. (#3403)
• EnumerableMap: add new UintToUintMap map type. (#3338)
• EnumerableMap: add new Bytes32ToUintMap map type. (#3416)
• SafeCast: add support for many more types, using procedural code generation. (#3245)
• MerkleProof: add multiProofVerify to prove multiple values are part of a Merkle tree. (#3276)
• MerkleProof: add calldata versions of the functions to avoid copying input arrays to memory and save gas. (#3200)
• ERC721, ERC1155: simplified revert reasons. (#3254, (#3438))
• ERC721: removed redundant require statement. (#3434)
• PaymentSplitter: add releasable getters. (#3350)
• Initializable: refactored implementation of modifiers for easier understanding. (#3450)
• Proxies: remove runtime check of ERC1967 storage slots. (#3455)

Breaking changes

• Initializable: functions decorated with the modifier reinitializer(1) may no longer invoke each other.

4.6.0 (2022-04-26)

• crosschain: Add a new set of contracts for cross-chain applications. CrossChainEnabled is a base contract with instantiations for several chains and bridges, and AccessControlCrossChain is an extension of access control that allows cross-chain operation. (#3183)
• AccessControl: add a virtual _checkRole(bytes32) function that can be overridden to alter the onlyRole modifier behavior. (#3137)
• EnumerableMap: add new AddressToUintMap map type. (#3150)
• EnumerableMap: add new Bytes32ToBytes32Map map type. (#3192)
• ERC20FlashMint: support infinite allowance when paying back a flash loan. (#3226)
• ERC20Wrapper: the decimals() function now tries to fetch the value from the underlying token instance. If that calls revert, then the default value is used. (#3259)
• draft-ERC20Permit: replace immutable with constant for _PERMIT_TYPEHASH since the keccak256 of string literals is treated specially and the hash is evaluated at compile time. (#3196)
• ERC1155: Add a _afterTokenTransfer hook for improved extensibility. (#3166)
• ERC1155URIStorage: add a new extension that implements a _setURI behavior similar to ERC721's _setTokenURI. (#3210)
• DoubleEndedQueue: a new data structure that supports efficient push and pop to both front and back, useful for FIFO and LIFO queues. (#3153)
• Governor: improved security of onlyGovernance modifier when using an external executor contract (e.g. a timelock) that can operate without necessarily going through the governance protocol. (#3147)
• Governor: Add a way to parameterize votes. This can be used to implement voting systems such as fractionalized voting, ERC721 based voting, or any number of other systems. The params argument added to _countVote method, and included in the newly added _getVotes method, can be used by counting and voting modules respectively for such purposes. (#3043)
• Governor: rewording of revert reason for consistency. (#3275)
• Governor: fix an inconsistency in data locations that could lead to invalid bytecode being produced. (#3295)
• Governor: Implement IERC721Receiver and IERC1155Receiver to improve token custody by governors. (#3230)
• TimelockController: Implement IERC721Receiver and IERC1155Receiver to improve token custody by timelocks. (#3230)
• TimelockController: Add a separate canceller role for the ability to cancel. (#3165)
• Initializable: add a reinitializer modifier that enables the initialization of new modules, added to already initialized contracts through upgradeability. (#3232)

... (truncated)

• 3b8b4ba 4.7.1
• 212de08 Fix issues caused by abi.decode reverting (#3552)
• 8c49ad7 4.7.0
• 0b238a5 Minor wording fixes ERC4626 contract (#3510)
• e4748fb Support memory arrays in MerkleTree multiproof (#3493)
• b971092 Make ERC4626 _deposit and _withdraw internal virtual (#3504)
• 4307d74 Add a caution note to ERC4626 about EOA access (#3503)
• 1e7d735 Clarify PaymentSplitter shares are static
• 029706d Fix check for generated code when last updated is a release candidate
• 97c46a7 Output diff when test:generation fails
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from undici's releases.

v5.8.0

⚠️ Security Fixes ⚠️

• CRLF injection in request path, method, and headers https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc, CVE CVE-2022-31150, reported by @​Haxatron
• Cookies uncleared on cross-host / cross-origin redirect https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp, CVE CVE-2022-31150, reported by @​Haxatron

What's Changed

• Drop PR title validation by @​mcollina in nodejs/undici#1543
• chore: exclude windows node 16 by @​mcollina in nodejs/undici#1542
• feat: use weighted round robin in balancedPool by @​jodevsa in nodejs/undici#1069
• Fix up exclude in CI by @​dominykas in nodejs/undici#1544
• fix(mock utils): set Readable.abort by @​KhafraDev in nodejs/undici#1549
• fix(body mixin): only allow Uint8Array chunks by @​KhafraDev in nodejs/undici#1550
• docs: updated proxy docs - renamed already used const proxy to proxyServer by @​dancastillo in nodejs/undici#1552

New Contributors

• @​jodevsa made their first contribution in nodejs/undici#1069
• @​dancastillo made their first contribution in nodejs/undici#1552

Full Changelog: https://github.com/nodejs/undici/compare/v5.7.0...v5.7.1

v5.7.0

What's Changed

• fix(fetch): re-add support for node v16.8.0+ by @​KhafraDev in nodejs/undici#1534
• fix(Headers): lowercase name in Headers.prototype.set by @​KhafraDev in nodejs/undici#1535
• fix: allow optional body for mock reply by @​JustinBeckwith in nodejs/undici#1536
• fix: faster direct read approach by @​jimmywarting in nodejs/undici#1537
• feat: update to llhttp v6.0.7 by @​mcollina in nodejs/undici#1539

New Contributors

• @​jimmywarting made their first contribution in nodejs/undici#1537

Full Changelog: https://github.com/nodejs/undici/compare/v5.6.1...v5.7.0

v5.6.1

What's Changed

• docs: add example with HEAD method to garbage collection section by @​mrkldshv in nodejs/undici#1522
• fix: improper handling of relative location header by @​PrincessRavy in nodejs/undici#1523
• build(deps-dev): bump tsd from 0.21.0 to 0.22.0 by @​dependabot in nodejs/undici#1530
• fix(fetch): do not assign default value to RequestInit.method by @​KhafraDev in nodejs/undici#1529

New Contributors

• @​mrkldshv made their first contribution in nodejs/undici#1522
• @​PrincessRavy made their first contribution in nodejs/undici#1523

Full Changelog: https://github.com/nodejs/undici/compare/v5.6.0...v5.6.1

v5.6.0

What's Changed

• build(deps-dev): bump tsd from 0.20.0 to 0.21.0 by @​dependabot in nodejs/undici#1493

... (truncated)

• 26f60b7 Bumped v5.8.0
• 0a5bee9 Merge pull request from GHSA-q768-x9m6-m9qp
• a29a151 Merge pull request from GHSA-3cvr-822r-rqcc
• 722976c docs: updated proxy docs - renamed already used const proxy to proxyServer (#...
• b6af4e6 fix(body mixin): only allow Uint8Array chunks (#1550)
• 6c9e634 fix(mock utils): set Readable.abort (#1549)
• 22e2f39 ci: fix up exclude (#1544)
• 99205ec feat: use weighted round robin in balancedPool (#1069)
• 5b57e8c chore: exclude windows node 16 (#1542)
• 93e31a2 Drop PR title validation (#1543)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.