[Snyk] Upgrade core-js from 3.23.4 to 3.34.0 #3

3tternp · 2024-01-10T16:40:20Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade core-js from 3.23.4 to 3.34.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 30 versions ahead of your current version.
The recommended version was released a month ago, on 2023-12-05.

The recommended version fixes:

Issue	PriorityScore (*)	Exploit Maturity
Sandbox Bypass SNYK-JS-WEBPACK-3358798	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	Proof of Concept
Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	Proof of Concept
Improper Input Validation SNYK-JS-FOLLOWREDIRECTS-6141137	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	Proof of Concept
Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-5596892	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	No Known Exploit
Prototype Pollution SNYK-JS-LOADERUTILS-3043105	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-TERSER-2806366	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	No Known Exploit
Improper Input Validation SNYK-JS-POSTCSS-5926692	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	No Known Exploit
Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	Proof of Concept
Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	Proof of Concept
Prototype Pollution SNYK-JS-JSON5-3182856	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	No Known Exploit
Information Exposure SNYK-JS-FOLLOWREDIRECTS-2396346	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: core-js

3.34.0 - 2023-12-05
- Array grouping proposal:
  - Methods:
    - Object.groupBy
    - Map.groupBy
  - Moved to stable ES, November 2023 TC39 meeting
  - Added es. namespace modules, /es/ and /stable/ namespaces entries
- Promise.withResolvers proposal:
  - Method:
    - Promise.withResolvers
  - Moved to stable ES, November 2023 TC39 meeting
  - Added es. namespace module, /es/ and /stable/ namespaces entries
- Fixed a web incompatibility issue of Iterator helpers proposal, proposal-iterator-helpers/287 and some following changes, November 2023 TC39 meeting
- Added Uint8Array to / from base64 and hex stage 2 proposal:
  - Methods:
    - Uint8Array.fromBase64
    - Uint8Array.fromHex
    - Uint8Array.prototype.toBase64
    - Uint8Array.prototype.toHex
- Relaxed some specific cases of Number.fromString validation before clarification of proposal-number-fromstring/24
- Fixed @@ toStringTag property descriptors on DOM collections, #1312
- Fixed the order of arguments validation in Array iteration methods, #1313
- Some minor atob / btoa improvements
- Compat data improvements:
  - Promise.withResolvers marked as shipped from FF121
3.33.3 - 2023-11-19
- Fixed an issue getting the global object on Duktape, #1303
- Avoid sharing internal [[DedentMap]] from String.dedent proposal between core-js instances before stabilization of the proposal
- Some internal untangling
- Compat data improvements:
  - Added Deno 1.38 compat data mapping
  - Array.fromAsync marked as supported from Deno 1.38
  - Symbol.{ dispose, asyncDispose } marked as supported from Deno 1.38
  - Added Opera Android 79 compat data mapping
  - Added Oculus Quest Browser 30 compat data mapping
  - Updated Electron 28 and 29 compat data mapping
3.33.2 - 2023-10-30
- Simplified structuredClone polyfill, avoided second tree pass in cases of transferring
- Added support of SuppressedError to structuredClone polyfill
- Removed unspecified unnecessary ArrayBuffer and DataView dependencies of structuredClone lack of which could cause errors in some entries in IE10-
- Fixed handling of fractional number part in Number.fromString
- Compat data improvements:
  - URL.canParse marked as supported from Chromium 120
  - Updated Opera Android 78 compat data mapping
  - Added Electron 29 compat data mapping
3.33.1 - 2023-10-20
- Added one more workaround of possible error with Symbol polyfill on global object, #1289
- Directly specified type: commonjs in package.json of all packages to avoid potential breakage in future Node versions, see this issue
- Prevented potential issue with lack of some dependencies after automatic optimization polyfills of some methods in the pure version
- Some minor internal fixes and optimizations
- Compat data improvements:
  - String.prototype.{ isWellFormed, toWellFormed } marked as supported from FF119
  - Added React Native 0.73 Hermes compat data, mainly fixes of some issues
  - Added NodeJS 21.0 compat data mapping
3.33.0 - 2023-10-01
- Re-introduced RegExp escaping stage 2 proposal, September 2023 TC39 meeting:
  - Added RegExp.escape method with the new set of symbols for escaping
  - Some years ago, it was presented in core-js, but it was removed after rejecting the old version of this proposal
- Added ArrayBuffer.prototype.{ transfer, transferToFixedLength } and support transferring of ArrayBuffers via structuredClone to engines with MessageChannel
- Optimized Math.f16round polyfill
- Fixed some conversion cases of Math.f16round and DataView.prototype.{ getFloat16, setFloat16 }
- Fully forced polyfilling of the TC39 Observable proposal because of incompatibility with the new WHATWG Observable proposal
- Added an extra workaround of errors with exotic environment objects in Symbol polyfill, #1289
- Some minor fixes and stylistic changes
- Compat data improvements:
  - V8 unshipped Iterator helpers because of some Web compatibility issues
  - Promise.withResolvers marked as supported from V8 ~ Chrome 119
  - Array grouping proposal features marked as supported from FF119
  - value argument of URLSearchParams.prototype.{ has, delete } marked as properly supported from V8 ~ Chrome 118
  - URL.canParse and URLSearchParams.prototype.size marked as supported from Bun 1.0.2
  - Added Deno 1.37 compat data mapping
  - Added Electron 28 compat data mapping
  - Added Opera Android 78 compat data mapping
3.32.2 - 2023-09-07
- Fixed structuredClone feature detection core-js@3.32.1 bug, #1288
- Added a workaround of old WebKit + eval bug, #1287
- Compat data improvements:
  - Added Samsung Internet 23 compat data mapping
  - Added Quest Browser 29 compat data mapping
3.32.1 - 2023-08-18
- Fixed some cases of IEEE754 rounding, #1279, thanks @ petamoriken
- Prevented injection process polyfill to core-js via some bundlers or esm.sh, #1277
- Some minor fixes and stylistic changes
- Compat data improvements:
  - Promise.withResolvers marked as supported from Bun 0.7.1
  - Added Opera Android 77 compat data mapping
  - Updated Electron 27 compat data mapping
3.32.0 - 2023-07-27
- Array grouping proposal, July 2023 TC39 meeting updates:
  - Moved back to stage 3
  - Added /actual/ namespaces entries, unconditional forced replacement changed to feature detection
- Promise.withResolvers proposal, July 2023 TC39 meeting updates:
  - Moved to stage 3
  - Added /actual/ namespaces entries, unconditional forced replacement changed to feature detection
- Set methods stage 3 proposal, July 2023 TC39 meeting updates::
  - Throw on negative Set sizes, proposal-set-methods/88
  - Removed IsCallable check in GetKeysIterator, proposal-set-methods/101
- Iterator Helpers stage 3 proposal:
  - Avoid creating observable String wrapper objects, July 2023 TC39 meeting update, proposal-iterator-helpers/281
  - Iterator is not constructible from the active function object (works as an abstract class)
- Async explicit resource management:
  - Moved back into the initial proposal -> moved to stage 3, proposal-explicit-resource-management/154
  - Added /actual/ namespace entries, unconditional forced replacement changed to feature detection
  - Ignore return value of [@@ dispose]() method when hint is async-dispose, proposal-explicit-resource-management/180
  - Added ticks for empty resources, proposal-explicit-resource-management/163
- Added some methods from Float16Array stage 3 proposal:
  - There are some reason why I don't want to add Float16Array right now, however, make sense to add some methods from this proposal.
  - Methods:
    - Math.f16round
    - DataView.prototype.getFloat16
    - DataView.prototype.setFloat16
- Added DataView get / set Uint8Clamped methods stage 1 proposal:
  - Methods:
    - DataView.prototype.getUint8Clamped
    - DataView.prototype.setUint8Clamped
- Used strict mode in some missed cases, #1269
- Fixed a Chromium 117 bug in value argument of URLSearchParams.prototype.{ has, delete }
- Fixed early WebKit ~ Safari 17.0 beta Set methods implementation by the actual spec
- Fixed incorrect Symbol.{ dispose, asyncDispose } descriptors from NodeJS 20.4 / transpilers helpers / userland code
- Fixed forced polyfilling of some iterator helpers that should return wrapped iterator in the pure version
- Fixed and exposed AsyncIteratorPrototype core-js/configurator option, #1268
- Compat data improvements:
  - Sync Iterator helpers proposal features marked as supported from V8 ~ Chrome 117
  - Array grouping proposal features marked as supported from V8 ~ Chrome 117
  - Mark Symbol.{ dispose, asyncDispose } as supported from NodeJS 20.5.0 (as mentioned above, NodeJS 20.4.0 add it, but with incorrect descriptors)
  - Added Electron 27 compat data mapping
3.31.1 - 2023-07-06
- Fixed a structuredClone bug with cloning views of transferred buffers, #1265
- Fixed the order of arguments validation in DataView methods
- Allowed cloning of Float16Array in structuredClone
- Compat data improvements:
  - Set methods proposal marked as supported from Safari 17.0
  - New URL features: URL.canParse, URLSearchParams.prototype.size and value argument of URLSearchParams.prototype.{ has, delete } marked as supported from Safari 17.0
  - value argument of URLSearchParams.prototype.{ has, delete } marked as supported from Deno 1.35
  - AggregateError and well-formed JSON.stringify marked as supported React Native 0.72 Hermes
  - Added Deno 1.35 compat data mapping
  - Added Quest Browser 28 compat data mapping
  - Added missing NodeJS 12.16-12.22 compat data mapping
  - Updated Opera Android 76 compat data mapping
3.31.0 - 2023-06-11
Read more
3.30.2 - 2023-05-06
3.30.1 - 2023-04-13
3.30.0 - 2023-04-03
3.29.1 - 2023-03-13
3.29.0 - 2023-02-26
3.28.0 - 2023-02-13
3.27.2 - 2023-01-18
3.27.1 - 2022-12-29
3.27.0 - 2022-12-25
3.26.1 - 2022-11-13
3.26.0 - 2022-10-23
3.25.5 - 2022-10-03
3.25.4 - 2022-10-02
3.25.3 - 2022-09-25
3.25.2 - 2022-09-18
3.25.1 - 2022-09-07
3.25.0 - 2022-08-24
3.24.1 - 2022-07-29
3.24.0 - 2022-07-25
3.23.5 - 2022-07-17
3.23.4 - 2022-07-09

from core-js GitHub release notes

Commit messages

Package name: core-js

bc16b93 3.34.0
9c26a2d it's a duplicative logic
19bd058 fix `RegExp` named capture groups object prototype
572d8d4 update dependencies
bedf292 relax some specific cases of `Number.fromString` validation before clarification of https://github.com/Edge cases, some questions tc39/proposal-number-fromstring#24
27ce99b fix `an-uint8-array` validation with polyfilled typed arrays
98f3276 fix a web incompatibility issue of `Iterator` helpers proposal
dd99d83 Merge pull request #1308 from zloirock/arraybuffer-base64
d27aa04 some stylistic changes
86f6f87 add some tests
9d67637 add to changelog
6ea90d5 add some tests
776b2ff add docs
bcb3297 add some entries
a75c128 add `.fromBase64` method
319c69a add `.toBase64` method
bc82b7e add `.fromHex` / `.toHex` methods
a0572be update dependencies
0308f3d drop an unnecessary `hasOwn` check
d9148aa update dependencies
9d3b597 update dependencies
ffe4d2d update dependencies
8eeedd4 update `eslint-plugin-es-x`
7298628 fix one more case related to #1313