Posted to pr@jena.apache.org by GitBox <gi...@apache.org> on 2023/01/08 03:52:19 UTC

[GitHub] [jena] dependabot[bot] opened a new pull request, #1712: Bump json5 from 1.0.1 to 1.0.2 in /jena-fuseki2/jena-fuseki-ui

dependabot[bot] opened a new pull request, #1712:
URL: https://github.com/apache/jena/pull/1712

   Bumps [json5](https://github.com/json5/json5) from 1.0.1 to 1.0.2.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a href="https://github.com/json5/json5/releases">json5's releases</a>.</em></p>
   <blockquote>
   <h2>v1.0.2</h2>
   <ul>
   <li>Fix: Properties with the name <code>__proto__</code> are added to objects and arrays. (<a href="https://github-redirect.dependabot.com/json5/json5/issues/199">#199</a>) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (<a href="https://github-redirect.dependabot.com/json5/json5/issues/295">#295</a>). This has been backported to v1. (<a href="https://github-redirect.dependabot.com/json5/json5/issues/298">#298</a>)</li>
   </ul>
   </blockquote>
   </details>
   <details>
   <summary>Changelog</summary>
   <p><em>Sourced from <a href="https://github.com/json5/json5/blob/main/CHANGELOG.md">json5's changelog</a>.</em></p>
   <blockquote>
   <h3>Unreleased [<a href="https://github.com/json5/json5/tree/main">code</a>, <a href="https://github.com/json5/json5/compare/v2.2.3...HEAD">diff</a>]</h3>
   <h3>v2.2.3 [<a href="https://github.com/json5/json5/tree/v2.2.3">code</a>, <a href="https://github.com/json5/json5/compare/v2.2.2...v2.2.3">diff</a>]</h3>
   <ul>
   <li>Fix: json5@2.2.3 is now the 'latest' release according to npm instead of
   v1.0.2. (<a href="https://github-redirect.dependabot.com/json5/json5/issues/299">#299</a>)</li>
   </ul>
   <h3>v2.2.2 [<a href="https://github.com/json5/json5/tree/v2.2.2">code</a>, <a href="https://github.com/json5/json5/compare/v2.2.1...v2.2.2">diff</a>]</h3>
   <ul>
   <li>Fix: Properties with the name <code>__proto__</code> are added to objects and arrays.
   (<a href="https://github-redirect.dependabot.com/json5/json5/issues/199">#199</a>) This also fixes a prototype pollution vulnerability reported by
   Jonathan Gregson! (<a href="https://github-redirect.dependabot.com/json5/json5/issues/295">#295</a>).</li>
   </ul>
   <h3>v2.2.1 [<a href="https://github.com/json5/json5/tree/v2.2.1">code</a>, <a href="https://github.com/json5/json5/compare/v2.2.0...v2.2.1">diff</a>]</h3>
   <ul>
   <li>Fix: Removed dependence on minimist to patch CVE-2021-44906. (<a href="https://github-redirect.dependabot.com/json5/json5/issues/266">#266</a>)</li>
   </ul>
   <h3>v2.2.0 [<a href="https://github.com/json5/json5/tree/v2.2.0">code</a>, <a href="https://github.com/json5/json5/compare/v2.1.3...v2.2.0">diff</a>]</h3>
   <ul>
   <li>New: Accurate and documented TypeScript declarations are now included. There
   is no need to install <code>@types/json5</code>. (<a href="https://github-redirect.dependabot.com/json5/json5/issues/236">#236</a>, <a href="https://github-redirect.dependabot.com/json5/json5/issues/244">#244</a>)</li>
   </ul>
   <h3>v2.1.3 [<a href="https://github.com/json5/json5/tree/v2.1.3">code</a>, <a href="https://github.com/json5/json5/compare/v2.1.2...v2.1.3">diff</a>]</h3>
   <ul>
   <li>Fix: An out of memory bug when parsing numbers has been fixed. (<a href="https://github-redirect.dependabot.com/json5/json5/issues/228">#228</a>,
   <a href="https://github-redirect.dependabot.com/json5/json5/issues/229">#229</a>)</li>
   </ul>
   <h3>v2.1.2 [<a href="https://github.com/json5/json5/tree/v2.1.2">code</a>, <a href="https://github.com/json5/json5/compare/v2.1.1...v2.1.2">diff</a>]</h3>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a href="https://github.com/json5/json5/commit/a62db1e51e1031d92ac260f5bb38bbed1fdbc754"><code>a62db1e</code></a> 1.0.2</li>
   <li><a href="https://github.com/json5/json5/commit/e0c23fe458a77c0b2cdb271376be5d8d0908133c"><code>e0c23fe</code></a> docs: update CHANGELOG for v1.0.2</li>
   <li><a href="https://github.com/json5/json5/commit/62a65408408d40aeea14c7869ed327acead12972"><code>62a6540</code></a> fix: add <code>__proto__</code> to objects and arrays</li>
   <li>See full diff in <a href="https://github.com/json5/json5/compare/v1.0.1...v1.0.2">compare view</a></li>
   </ul>
   </details>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: pr-unsubscribe@jena.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: pr-unsubscribe@jena.apache.org
For additional commands, e-mail: pr-help@jena.apache.org
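
The v1.0.2 release note above says properties named `__proto__` are now added to objects and arrays, which also closes the reported prototype pollution issue. As an added illustration (not json5's code and not part of this thread; the function names and the sample input are constructed), this JavaScript example contrasts plain assignment with `Object.defineProperty` when a parsed key is `__proto__`:

```javascript
// Simplified model of a parser's "attach member to parent" step.
// Not json5's source; all function names here are hypothetical.

// Plain assignment: the key "__proto__" hits the inherited accessor on
// Object.prototype, so the value replaces the new object's prototype.
function buildByAssignment(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    obj[key] = value;
  }
  return obj;
}

// defineProperty creates an own data property for any key,
// including "__proto__", and leaves the prototype chain alone.
function buildByDefineProperty(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    Object.defineProperty(obj, key, {
      value,
      writable: true,
      enumerable: true,
      configurable: true,
    });
  }
  return obj;
}

// Report how a built object exposes a property that only the input supplied.
function inspect(obj, prop) {
  return {
    ownKeys: Object.keys(obj),
    inherited: prop in obj && !Object.prototype.hasOwnProperty.call(obj, prop),
    plainPrototype: Object.getPrototypeOf(obj) === Object.prototype,
  };
}

// Constructed input: the members a parser would see for
// {"name": "guest", "__proto__": {"isAdmin": true}}
const samplePairs = [
  ["name", "guest"],
  ["__proto__", { isAdmin: true }],
];

const before = inspect(buildByAssignment(samplePairs), "isAdmin");
const after = inspect(buildByDefineProperty(samplePairs), "isAdmin");
console.log({ before, after });
```

With assignment, `isAdmin` is readable on the result without being an own key, so checks such as `if (obj.isAdmin)` pass on data the caller never validated; with `defineProperty`, `__proto__` is just another key that shows up in `Object.keys`.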


[GitHub] [jena] dependabot[bot] closed pull request #1712: Bump json5 from 1.0.1 to 1.0.2 in /jena-fuseki2/jena-fuseki-ui

Posted by GitBox <gi...@apache.org>.
dependabot[bot] closed pull request #1712: Bump json5 from 1.0.1 to 1.0.2 in /jena-fuseki2/jena-fuseki-ui
URL: https://github.com/apache/jena/pull/1712




[GitHub] [jena] afs commented on pull request #1712: Bump json5 from 1.0.1 to 1.0.2 in /jena-fuseki2/jena-fuseki-ui

Posted by GitBox <gi...@apache.org>.
afs commented on PR #1712:
URL: https://github.com/apache/jena/pull/1712#issuecomment-1374780649

   json5 seems to be a dependency of babel-core.
   
   Should we do a general update of versions across the UI?
   




[GitHub] [jena] kinow commented on pull request #1712: Bump json5 from 1.0.1 to 1.0.2 in /jena-fuseki2/jena-fuseki-ui

Posted by GitBox <gi...@apache.org>.
kinow commented on PR #1712:
URL: https://github.com/apache/jena/pull/1712#issuecomment-1374882989

   >and we can hope there's a cypress fix for the e2e test issue
   
   :crossed_fingers:  !




[GitHub] [jena] kinow commented on pull request #1712: Bump json5 from 1.0.1 to 1.0.2 in /jena-fuseki2/jena-fuseki-ui

Posted by GitBox <gi...@apache.org>.
kinow commented on PR #1712:
URL: https://github.com/apache/jena/pull/1712#issuecomment-1377979994

   Some time ago devs started moving from Cypress to another solution: https://playwright.dev/
   
   Cypress is a lot better than Selenium was. From what others are saying Playwright fixes some issues from Cypress (e.g. https://news.ycombinator.com/item?id=33047136).
   
   But I have been holding back from migrating e2e tests to Playwright simply because things move too fast in JS and there's a lot of times things start to get a lot of users and then poof... no more dev support, community is gone, dependencies outdated... and I am waiting to see if Cypress will gain traction again and start copying some things from Playwright.
   
   It's not too hard to move our tests to Playwright as we have only a few. I might try that later, as that could solve our intermittent failures with these tests. But it will depend on how well maintained Playwright is...




[GitHub] [jena] dependabot[bot] commented on pull request #1712: Bump json5 from 1.0.1 to 1.0.2 in /jena-fuseki2/jena-fuseki-ui

Posted by GitBox <gi...@apache.org>.
dependabot[bot] commented on PR #1712:
URL: https://github.com/apache/jena/pull/1712#issuecomment-1377948019

   Looks like json5 is up-to-date now, so this is no longer needed.




[GitHub] [jena] afs commented on pull request #1712: Bump json5 from 1.0.1 to 1.0.2 in /jena-fuseki2/jena-fuseki-ui

Posted by GitBox <gi...@apache.org>.
afs commented on PR #1712:
URL: https://github.com/apache/jena/pull/1712#issuecomment-1374864229

   vue@3.2.45 is current - and we can hope there's a cypress fix for the e2e test issue.
   
   ```
   Package                        Current   Wanted  Latest
   @cypress/vue                     4.2.2    4.2.2   5.0.3
   @cypress/webpack-preprocessor   5.15.5   5.16.1  5.16.1
   @fortawesome/vue-fontawesome     3.0.2    3.0.2   2.0.9
   @vue/test-utils                  2.2.3    2.2.7   2.2.7
   axios                           0.27.2   0.27.2   1.2.2
   bootstrap                        5.2.2    5.2.3   5.2.3
   concurrently                     7.5.0    7.6.0   7.6.0
   core-js                         3.26.1   3.27.1  3.27.1
   cypress                        10.11.0  10.11.0  12.3.0
   eslint                          8.27.0   8.31.0  8.31.0
   eslint-plugin-vue                9.7.0    9.8.0   9.8.0
   sass                            1.56.1   1.57.1  1.57.1
   sinon                           14.0.2   14.0.2  15.0.1
   vue-upload-component             3.1.6    3.1.6  2.8.23
   ```




[GitHub] [jena] kinow commented on pull request #1712: Bump json5 from 1.0.1 to 1.0.2 in /jena-fuseki2/jena-fuseki-ui

Posted by GitBox <gi...@apache.org>.
kinow commented on PR #1712:
URL: https://github.com/apache/jena/pull/1712#issuecomment-1374796850

   >json5 seems to be a dependency of babel-core.
   >
   >Should we do a general update of versions across the UI?
   
   Yup, we can bump every dependency as long as unit and e2e tests work afterwards.
   
   >And I see two errors (which don't look too serious):
   
   Ah, yes. I've seen these two before. I believe we have only a dependency to `yasqe` and `yasr`. `yasgui` is a [peer dependency](https://nodejs.org/es/blog/npm/peer-dependencies/) of these two.
   
   Their [dev docs](https://triply.cc/docs/yasgui-api) show YASGUI as a binding dependency to both YASQE and YASR, but we do not use YASGUI directly. I **think** you need to install the peer dependency if you use the YAS* plug-ins,
   
   >Triply provides additional plugins that are only free to use via https://yasgui.triply.cc/ or [TriplyDB](https://triplydb.com/)
   
   But it won't hurt adding `yasgui` directly to remove these warnings.




[GitHub] [jena] afs commented on pull request #1712: Bump json5 from 1.0.1 to 1.0.2 in /jena-fuseki2/jena-fuseki-ui

Posted by GitBox <gi...@apache.org>.
afs commented on PR #1712:
URL: https://github.com/apache/jena/pull/1712#issuecomment-1377961162

   cypress 11.2.0 might have a fix. 11.0.0 failed.
   cypress 12 does not have the `server()` function so the e2e tests need updating - maybe the area has been rewritten.
   

