-
Notifications
You must be signed in to change notification settings - Fork 376
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(deps): update dependency mathjs to v7 [security] #10841
Open
renovate
wants to merge
1
commit into
master
Choose a base branch
from
renovate/npm-mathjs-vulnerability
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renovate
bot
force-pushed
the
renovate/npm-mathjs-vulnerability
branch
2 times, most recently
from
December 22, 2023 17:31
0029a7e
to
dc6061f
Compare
renovate
bot
force-pushed
the
renovate/npm-mathjs-vulnerability
branch
7 times, most recently
from
January 9, 2024 11:24
a5c487f
to
d7c53a2
Compare
renovate
bot
force-pushed
the
renovate/npm-mathjs-vulnerability
branch
9 times, most recently
from
January 17, 2024 11:23
82bc066
to
f30f451
Compare
renovate
bot
force-pushed
the
renovate/npm-mathjs-vulnerability
branch
3 times, most recently
from
January 23, 2024 17:58
c983823
to
f322b37
Compare
renovate
bot
force-pushed
the
renovate/npm-mathjs-vulnerability
branch
5 times, most recently
from
February 1, 2024 15:14
13729a3
to
593196f
Compare
renovate
bot
changed the base branch from
release/core-contracts/10
to
release/core-contracts/11
June 21, 2024 08:05
renovate
bot
force-pushed
the
renovate/npm-mathjs-vulnerability
branch
from
June 21, 2024 08:09
60ffe67
to
7484416
Compare
renovate
bot
force-pushed
the
renovate/npm-mathjs-vulnerability
branch
2 times, most recently
from
June 25, 2024 12:50
31ec7d0
to
74c2ae7
Compare
renovate
bot
changed the title
fix(deps): update dependency mathjs to v7 [security] (release/core-contracts/11)
fix(deps): update dependency mathjs to v7 [security]
Jun 25, 2024
renovate
bot
force-pushed
the
renovate/npm-mathjs-vulnerability
branch
4 times, most recently
from
July 2, 2024 10:20
8ab873f
to
3314812
Compare
renovate
bot
force-pushed
the
renovate/npm-mathjs-vulnerability
branch
2 times, most recently
from
July 4, 2024 18:56
98d3f22
to
571f2de
Compare
renovate
bot
force-pushed
the
renovate/npm-mathjs-vulnerability
branch
2 times, most recently
from
July 29, 2024 12:19
1dee7da
to
9688166
Compare
renovate
bot
force-pushed
the
renovate/npm-mathjs-vulnerability
branch
2 times, most recently
from
August 19, 2024 15:05
41fbf5d
to
6c4399d
Compare
renovate
bot
force-pushed
the
renovate/npm-mathjs-vulnerability
branch
2 times, most recently
from
September 13, 2024 16:18
29be941
to
293398e
Compare
renovate
bot
force-pushed
the
renovate/npm-mathjs-vulnerability
branch
2 times, most recently
from
September 23, 2024 18:04
6f282ec
to
9900825
Compare
renovate
bot
changed the title
fix(deps): update dependency mathjs to v7 [security]
fix(deps): update dependency mathjs to v7 [security] - autoclosed
Dec 8, 2024
renovate
bot
changed the title
fix(deps): update dependency mathjs to v7 [security] - autoclosed
fix(deps): update dependency mathjs to v7 [security]
Dec 8, 2024
renovate
bot
force-pushed
the
renovate/npm-mathjs-vulnerability
branch
from
December 8, 2024 22:15
8f05525
to
9900825
Compare
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate
bot
force-pushed
the
renovate/npm-mathjs-vulnerability
branch
from
December 20, 2024 18:20
9900825
to
58ddca8
Compare
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
🚮 Removed packages: npm/[email protected] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^5.0.4
->^7.0.0
GitHub Vulnerability Alerts
CVE-2020-7743
The package mathjs before 7.5.1 are vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates.
Prototype Pollution in mathjs
CVE-2020-7743 / GHSA-x2fc-mxcx-w4mf / SNYK-JAVA-ORGWEBJARS-1017113 / SNYK-JAVA-ORGWEBJARSBOWER-1017112 / SNYK-JAVA-ORGWEBJARSNPM-1017111 / SNYK-JS-MATHJS-1016401
More information
Details
The package mathjs before 7.5.1 are vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
josdejong/mathjs (mathjs)
v7.5.1
Compare Source
math.config
. Thanks Snyk.v7.5.0
Compare Source
pickRandom
now allows randomly picking elements from matriceswith 2 or more dimensions instead of only from a vector, see #1974.
Thanks @KonradLinkowski.
v7.4.0
Compare Source
ceil
,floor
,and
fix
, similar toround
, see #1967, #1901. Thanks @rnd-debug.rotationMatrix
, see #1160, #1984. Thanks @rnd-debug.sqrtm
with a matrix havingmore than two dimensions. Thanks @KonradLinkowski.
decimal.js
to10.2.1
.v7.3.0
Compare Source
usolveAll
andlsolveAll
, see #1916. Thanks @m93a.std
andvariance
, see #1950.Thanks @rnd-debug.
expression parser, and implemented functions
bin
,oct
, andhex
forformatting. Thanks @clnhlzmn.
BigNumber
andFraction
. Thanks @ovk.v7.2.0
Compare Source
diff
, see #1634, #1920. Thanks @Veeloxfire.norm
.Thanks @rnd-debug.
v7.1.0
Compare Source
new in
[email protected]
. This fixes #1885: functions which whereextended with a new data type did not always work. Thanks @nickewing.
math.expression.node.*
instead ofmath.*
.v7.0.2
Compare Source
DenseMatrix.resize
andSparseMatrix.resize
acceptDenseMatrix
andSparseMatrix
as inputs too, not onlyArray
.sum
,prod
,min
, andmax
not throwing a conversion errorwhen passing a single string, like
sum("abc")
.v7.0.1
Compare Source
eigs
. Thanks @Lazersmoke.math.nthRoots(x)
.v7.0.0
Compare Source
Breaking changes:
dot
product of complex values.The first argument is now conjugated. See #1761. Thanks @m93a.
To upgrade smoothly from v5 to v7 or higher, upgrade to v6 first
and resolve all deprecation warnings.
v6.6.5
Compare Source
Infinity
cannot be serialized and deserialized.This is solved now with a new
math.replacer
function used asJSON.stringify(value, math.replacer)
.Infinity
not turned into the latex symbol\\infty
.v6.6.4
Compare Source
v6.6.3
Compare Source
format
,sometimes resulting in needless trailing zeros.
.toNumber()
and.toNumeric()
not working on aunitless unit.
mod
,and
,not
,or
,xor
,to
,in
as object keys. Thanks @Veeloxfire.eigs
not usingconfig.epsilon
.v6.6.2
Compare Source
eigs
not calculating with BigNumber precisionwhen input contains BigNumbers.
prepare
, so you can use the librarydirectly when installing directly from git. See #1751. Thanks @cinderblock.
v6.6.1
Compare Source
a/(b/c)
. Thanks @dbramwell.row
andcolumn
.v6.6.0
Compare Source
eigs
, see #1705, #542 #1175. Thanks @arkajitmandal.DenseMatrix
usingfromJSON
.DenseMatrix.map
copying the size and datatype from the originalmatrix instead of checking the returned dimensions and type of the callback.
^1.2.3
) to allow downstream updateswithout having to await a new release of mathjs.
v6.5.0
Compare Source
baseName
option forcreateUnit
, see #1707.Thanks @ericman314.
v6.4.0
Compare Source
dimension
with support for n-dimensional points.Thanks @Veeloxfire.
v6.3.0
Compare Source
factorial
forBigNumber
up to a factor two,see #1687. Thanks @kmdrGroch.
v6.2.5
Compare Source
IndexNode
using a hardcoded, one-based implementation ofindex
,making it impossible to instantiate a zero-based version of the expression
parser. See #782.
v6.2.4
Compare Source
thanks @kevinkelleher12 and @harrysarson.
sign(0)
returns complex NaN.Thanks @harrysarson.
v6.2.3
Compare Source
mean
not working for units. Thanks @clintonc.min
listed twice in the "See also" section of theembedded docs of function
std
.isPrime
, see #1641. Thanks @arguiot.v6.2.2
Compare Source
map
andclone
not copying thedotNotation
property ofIndexNode
. Thanks @rianmcguire.toHTML
. Thanks @maytanthegeek.isNumeric
.0
.v6.2.1
Compare Source
format
not working for expressions.v6.2.0
Compare Source
combinationsWithRep
. Thanks @waseemyusuf.bit
andbyte
.bit
andbyte
instead ofbits
andbytes
.[email protected]
.v6.1.0
Compare Source
combinationsWithRep
(see #1329). Thanks @waseemyusuf.v6.0.4
Compare Source
old browsers. Thanks @mockdeep for helping to find a solution.
v6.0.3
Compare Source
unpkg
andjsdelivr
fields in package.json pointing to UMD build.Thanks @tmcw.
outer user defined function.
v6.0.2
Compare Source
import
(regression since v6.0.0).
v6.0.1
Compare Source
evaluate
andparse
missing in generated docs.v6.0.0
Compare Source
!!! BE CAREFUL: BREAKING CHANGES !!!
Most notable changes
Full support for ES modules. Support for tree-shaking out of the box.
Load all functions:
Use a few functions:
Load all functions with custom configuration:
Load a few functions with custom configuration:
Support for lightweight, number-only implementations of all functions:
New dependency injection solution used under the hood.
Breaking changes
Node 6 is no longer supported.
Functions
config
andimport
are not available anymore in the globalcontext:
Instead, create your own mathjs instance and pass config and imports
there:
Renamed function
typeof
totypeOf
,var
tovariance
,and
eval
toevaluate
. (the old function names are reserved keywordswhich can not be used as a variable name).
Deprecated the
Matrix.storage
function. Usemath.matrix
instead to createa matrix.
Deprecated function
math.expression.parse
, usemath.parse
instead.Was used before for example to customize supported characters by replacing
math.parse.isAlpha
.Moved all classes like
math.type.Unit
andmath.expression.Parser
tomath.Unit
andmath.Parser
respectively.Fixed #1428: transform iterating over replaced nodes. New behavior
is that it stops iterating when a node is replaced.
Dropped support for renaming factory functions when importing them.
Dropped fake BigNumber support of function
erf
.Removed all index.js files used to load specific functions instead of all, like:
Individual functions are now loaded simply like:
To set a specific configuration on the functions:
See example
advanced/custom_loading.js
.Updated the values of all physical units to their latest official values.
See #1529. Thanks @ericman314.
Non breaking changes
t
,tonne
,bel
,decibel
,dB
, and prefixesfor
candela
. Thanks @mcvladthegoat.epsilon
setting being applied globally to Complex numbers.math.simplify('add(2, 3)')
throwing an error.lowerExp
andupperExp
and after that rounded the value instead of the other way around.
'use strict'
in every file, not needed anymore.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.