🚨 [security] Update chai 4.3.8 → 4.5.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ chai (4.3.8 → 4.5.0) · Repo · Changelog

Release Notes

4.5.0

• Update type detect (#1631) 1a36d35

v4.4.1...v4.5.0

What's Changed

• Update type detect by @koddsson in #1631

Full Changelog: v4.4.1...v4.5.0

4.4.1

What's Changed

• fix: removes ?? for node compat by @43081j in #1574

Full Changelog: v4.4.0...v4.4.1

4.3.10

This release simply bumps all dependencies to their latest non-breaking versions.

What's Changed

• upgrade all dependencies by @keithamus in #1540

Full Changelog: v4.3.9...v4.3.10

4.3.9

Upgrade dependencies.

This release upgrades dependencies to address CVE-2023-43646 where a large function name can cause "catastrophic backtracking" (aka ReDOS attack) which can cause the test suite to hang.

Full Changelog: v4.3.8...v4.3.9

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

• 4.5.0
• Update type detect (#1631)
• fix: removes `??` for node compat (#1574)
• bump version
• Allow deepEqual fonction to be configured globally (#1553)
• 4.3.10
• upgrade all dependencies (#1540)
• 4.3.9
• make
• upgrade deps

↗️ check-error (indirect, 1.0.2 → 1.0.3) · Repo

Commits

See the full diff on Github. The new version differs by 8 commits:

• 1.0.3
• upgrade deps
• Merge pull request #12 from lucasfcosta/external-get-func-name
• chore: use external get-func-name module
• fix: adapt getConstructorName to work with more robust version of getFunctionName
• Merge pull request #10 from vieiralucas/patch-1
• Add @vieiralucas to MAINTAINERS
• fix: anonymous functions on node 6.5 and above

↗️ deep-eql (indirect, 4.1.2 → 4.1.4) · Repo

Commits

See the full diff on Github. The new version differs by 2 commits:

• fix: catch fake collections throwing (#100) (#101)
• feat: only compare enumerable symbols (#91)

↗️ get-func-name (indirect, 2.0.0 → 2.0.2) · Repo

Security Advisories 🚨

🚨 Chaijs/get-func-name vulnerable to ReDoS

The current regex implementation for parsing values in the module is susceptible to excessive backtracking, leading to potential DoS attacks. The regex implementation in question is as follows:

const functionNameMatch = /\s*function(?:\s|\s*\/\*[^(?:*/)]+\*\/\s*)*([^\s(/]+)/;

This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input:

'\t'.repeat(54773) + '\t/function/i'

Here is a simple PoC code to demonstrate the issue:

const protocolre = /\sfunction(?:\s|\s/*[^(?:*\/)]+*/\s*)*([^\(\/]+)/;
const startTime = Date.now();

const maliciousInput = '\t'.repeat(54773) + '\t/function/i'
protocolre.test(maliciousInput);
const endTime = Date.now();
console.log("process time: ", endTime - startTime, "ms");

Commits

See the full diff on Github. The new version differs by 29 commits:

• 2.0.2
• fix GHSA-4q6p-r6v2-jvc5
• Merge pull request #23 from lucasfcosta/release-return-null-for-non-function
• chore: getFuncName returns null for non function.
• Merge pull request #22 from lucasfcosta/return-null-for-non-function-release
• chore: BREAKING CHANGE getFuncName returning null for non-function arguments
• Merge pull request #20 from lucasfcosta/return-null-for-non-function
• chore: return null when passed a non-function argument
• Merge pull request #21 from chaijs/remove-lgtm
• Delete MAINTAINERS
• Merge pull request #19 from chaijs/vieiralucas-patch-1
• Center repo name on README
• Merge pull request #14 from vieiralucas/refact-tests
• chore(test): split single test into multiple tests
• Merge pull request #9 from chaijs/greenkeeper-mocha-3.1.2
• chore(package): update mocha to version 3.1.2
• Merge pull request #12 from lucasfcosta/fix-eslint-version
• chore: fix eslint dependency version
• Merge pull request #2 from chaijs/greenkeeper-update-all
• Merge pull request #7 from lucasfcosta/new-repo-name
• fix(repo-name): fix whole repo structure for releasing with the new name
• Merge pull request #8 from chaijs/add-travis-keys
• chore(travis): configure secure vars
• Merge pull request #5 from lucasfcosta/new-repo-name
• feat: get available name on NPM
• chore(package): update dependencies
• Merge pull request #1 from lucasfcosta/full-repo
• chore: initial implementation
• Initial Commit

↗️ loupe (indirect, 2.3.1 → 2.3.7) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 8 commits:

• upgrade get-func-name for CVE-2023-43646 (#66)
• run build on main
• ci
• fix: use a FakeMap to support IE10 (#60)
• fix: invalid Date object will throw a TypeError (#58) (#59)
• fix: inspect null prototype objects (#57)
• fix: ensure es5 target is bundle-compatible (#55)
• fix: support older browsers (closes #53) (#54)

↗️ type-detect (indirect, 4.0.8 → 4.1.0) · Repo

Release Notes

4.1.0

What's Changed

• remove xvfb pre-test step in travis by @koddsson in #136
• Clarify browser usage. #139 by @bricksphd in #140
• docs: add type-detect logo to README by @keithamus in #128
• Update README.md by @keithamus in #141
• Switch to TypeScript, add support for Deno by @keithamus in #142
• Fix deno link by @koddsson in #149
• Update dependencies by @koddsson in #148
• Add a GitHub action for CI by @koddsson in #147

New Contributors

• @koddsson made their first contribution in #136
• @bricksphd made their first contribution in #140

Full Changelog: v4.0.9...v4.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 18 commits:

• Add a GitHub action for CI (#147)
• Update dependencies (#148)
• Fix deno link (#149)
• Merge pull request #142 from chaijs/feat-add-support-for-deno
• Merge pull request #141 from chaijs/readme-tweaks
• docs: pre-empt 4.1.0 release in deno import statement
• docs: use deno.land/x/ proxy for import
• docs: fix deno import statement
• chore: npm audit fix
• feat: add support for Deno
• fix: use globalThis polyfill to get globalObject
• feat: switch to typescript
• Update README.md
• Merge pull request #128 from chaijs/add-type-detect-logo-readme
• Merge pull request #140 from bricksphd/bricksphd-patch-1
• Clarify browser usage. #139
• Merge pull request #136 from koddsson/patch-1
• chore: remove xvfb pre-test step in travis

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)