[Snyk] Upgrade core-js from 3.12.1 to 3.34.0

[BitcoinOutput]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade core-js from 3.12.1 to 3.34.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 73 versions ahead of your current version.
• The recommended version was released 21 days ago, on 2023-12-05.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Arbitrary File Write SNYK-JS-TAR-1579155	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-NORMALIZEURL-1296539	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Prototype Poisoning SNYK-JS-QS-3153490	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Prototype Poisoning SNYK-JS-QS-3153490	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Prototype Pollution SNYK-JS-LOADERUTILS-3043105	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Information Exposure SNYK-JS-SIMPLEGET-2361683	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Information Exposure SNYK-JS-SIMPLEGET-2361683	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-5596892	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Arbitrary File Overwrite SNYK-JS-TAR-1536528	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Prototype Pollution SNYK-JS-Y18N-1021887	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Prototype Poisoning SNYK-JS-QS-3153490	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Improper Privilege Management SNYK-JS-SHELLJS-2332187	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Arbitrary File Overwrite SNYK-JS-TAR-1536531	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Arbitrary File Write SNYK-JS-TAR-1579147	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Arbitrary File Write SNYK-JS-TAR-1579152	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Denial of Service (DoS) SNYK-JS-ENGINEIO-3136336	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-GETFUNCNAME-5923417	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Improper Verification of Cryptographic Signature SNYK-JS-BROWSERIFYSIGN-6037026	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-TERSER-2806366	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Information Exposure SNYK-JS-NODEFETCH-2342118	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CONVENTIONALCOMMITSPARSER-1766960	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Prototype Pollution SNYK-JS-CACHEDPATHRELATIVE-2342653	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Open Redirect SNYK-JS-GOT-2932019	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Open Redirect SNYK-JS-GOT-2932019	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Prototype Pollution SNYK-JS-JSON5-3182856	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Prototype Pollution SNYK-JS-JSON5-3182856	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIMOFFNEWLINES-1296850	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Cross-site Scripting (XSS) SNYK-JS-PARSEURL-2935944	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Information Exposure SNYK-JS-PARSEURL-2935947	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-PARSEURL-2936249	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-PARSEURL-2942134	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Information Exposure SNYK-JS-LOG4JS-2348757	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-COOKIEJAR-3149984	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Prototype Pollution SNYK-JS-MINIMIST-2429795	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2396346	639/1000 Why? Has a fix available, CVSS 8.5	No Known Exploit
	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	639/1000 Why? Has a fix available, CVSS 8.5	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: core-js

• 3.34.0 - 2023-12-05
  
  • Array grouping proposal:
    • Methods:
      • Object.groupBy
      • Map.groupBy
    • Moved to stable ES, November 2023 TC39 meeting
    • Added es. namespace modules, /es/ and /stable/ namespaces entries
  • Promise.withResolvers proposal:
    • Method:
      • Promise.withResolvers
    • Moved to stable ES, November 2023 TC39 meeting
    • Added es. namespace module, /es/ and /stable/ namespaces entries
  • Fixed a web incompatibility issue of Iterator helpers proposal, proposal-iterator-helpers/287 and some following changes, November 2023 TC39 meeting
  • Added Uint8Array to / from base64 and hex stage 2 proposal:
    • Methods:
      • Uint8Array.fromBase64
      • Uint8Array.fromHex
      • Uint8Array.prototype.toBase64
      • Uint8Array.prototype.toHex
  • Relaxed some specific cases of Number.fromString validation before clarification of proposal-number-fromstring/24
  • Fixed @@ toStringTag property descriptors on DOM collections, #1312
  • Fixed the order of arguments validation in Array iteration methods, #1313
  • Some minor atob / btoa improvements
  • Compat data improvements:
    • Promise.withResolvers marked as shipped from FF121
• 3.33.3 - 2023-11-19
  
  • Fixed an issue getting the global object on Duktape, #1303
  • Avoid sharing internal [[DedentMap]] from String.dedent proposal between core-js instances before stabilization of the proposal
  • Some internal untangling
  • Compat data improvements:
    • Added Deno 1.38 compat data mapping
    • Array.fromAsync marked as supported from Deno 1.38
    • Symbol.{ dispose, asyncDispose } marked as supported from Deno 1.38
    • Added Opera Android 79 compat data mapping
    • Added Oculus Quest Browser 30 compat data mapping
    • Updated Electron 28 and 29 compat data mapping
• 3.33.2 - 2023-10-30
  
  • Simplified structuredClone polyfill, avoided second tree pass in cases of transferring
  • Added support of SuppressedError to structuredClone polyfill
  • Removed unspecified unnecessary ArrayBuffer and DataView dependencies of structuredClone lack of which could cause errors in some entries in IE10-
  • Fixed handling of fractional number part in Number.fromString
  • Compat data improvements:
    • URL.canParse marked as supported from Chromium 120
    • Updated Opera Android 78 compat data mapping
    • Added Electron 29 compat data mapping
• 3.33.1 - 2023-10-20
  
  • Added one more workaround of possible error with Symbol polyfill on global object, #1289
  • Directly specified type: commonjs in package.json of all packages to avoid potential breakage in future Node versions, see this issue
  • Prevented potential issue with lack of some dependencies after automatic optimization polyfills of some methods in the pure version
  • Some minor internal fixes and optimizations
  • Compat data improvements:
    • String.prototype.{ isWellFormed, toWellFormed } marked as supported from FF119
    • Added React Native 0.73 Hermes compat data, mainly fixes of some issues
    • Added NodeJS 21.0 compat data mapping
• 3.33.0 - 2023-10-01
  
  • Re-introduced RegExp escaping stage 2 proposal, September 2023 TC39 meeting:
    • Added RegExp.escape method with the new set of symbols for escaping
    • Some years ago, it was presented in core-js, but it was removed after rejecting the old version of this proposal
  • Added ArrayBuffer.prototype.{ transfer, transferToFixedLength } and support transferring of ArrayBuffers via structuredClone to engines with MessageChannel
  • Optimized Math.f16round polyfill
  • Fixed some conversion cases of Math.f16round and DataView.prototype.{ getFloat16, setFloat16 }
  • Fully forced polyfilling of the TC39 Observable proposal because of incompatibility with the new WHATWG Observable proposal
  • Added an extra workaround of errors with exotic environment objects in Symbol polyfill, #1289
  • Some minor fixes and stylistic changes
  • Compat data improvements:
    • V8 unshipped Iterator helpers because of some Web compatibility issues
    • Promise.withResolvers marked as supported from V8 ~ Chrome 119
    • Array grouping proposal features marked as supported from FF119
    • value argument of URLSearchParams.prototype.{ has, delete } marked as properly supported from V8 ~ Chrome 118
    • URL.canParse and URLSearchParams.prototype.size marked as supported from Bun 1.0.2
    • Added Deno 1.37 compat data mapping
    • Added Electron 28 compat data mapping
    • Added Opera Android 78 compat data mapping
• 3.32.2 - 2023-09-07
  
  • Fixed structuredClone feature detection core-js@3.32.1 bug, #1288
  • Added a workaround of old WebKit + eval bug, #1287
  • Compat data improvements:
    • Added Samsung Internet 23 compat data mapping
    • Added Quest Browser 29 compat data mapping
• 3.32.1 - 2023-08-18
  
  • Fixed some cases of IEEE754 rounding, #1279, thanks @ petamoriken
  • Prevented injection process polyfill to core-js via some bundlers or esm.sh, #1277
  • Some minor fixes and stylistic changes
  • Compat data improvements:
    • Promise.withResolvers marked as supported from Bun 0.7.1
    • Added Opera Android 77 compat data mapping
    • Updated Electron 27 compat data mapping
• 3.32.0 - 2023-07-27
  
  • Array grouping proposal, July 2023 TC39 meeting updates:
    • Moved back to stage 3
    • Added /actual/ namespaces entries, unconditional forced replacement changed to feature detection
  • Promise.withResolvers proposal, July 2023 TC39 meeting updates:
    • Moved to stage 3
    • Added /actual/ namespaces entries, unconditional forced replacement changed to feature detection
  • Set methods stage 3 proposal, July 2023 TC39 meeting updates::
    • Throw on negative Set sizes, proposal-set-methods/88
    • Removed IsCallable check in GetKeysIterator, proposal-set-methods/101
  • Iterator Helpers stage 3 proposal:
    • Avoid creating observable String wrapper objects, July 2023 TC39 meeting update, proposal-iterator-helpers/281
    • Iterator is not constructible from the active function object (works as an abstract class)
  • Async explicit resource management:
    • Moved back into the initial proposal -> moved to stage 3, proposal-explicit-resource-management/154
    • Added /actual/ namespace entries, unconditional forced replacement changed to feature detection
    • Ignore return value of [@@ dispose]() method when hint is async-dispose, proposal-explicit-resource-management/180
    • Added ticks for empty resources, proposal-explicit-resource-management/163
  • Added some methods from Float16Array stage 3 proposal:
    • There are some reason why I don't want to add Float16Array right now, however, make sense to add some methods from this proposal.
    • Methods:
      • Math.f16round
      • DataView.prototype.getFloat16
      • DataView.prototype.setFloat16
  • Added DataView get / set Uint8Clamped methods stage 1 proposal:
    • Methods:
      • DataView.prototype.getUint8Clamped
      • DataView.prototype.setUint8Clamped
  • Used strict mode in some missed cases, #1269
  • Fixed a Chromium 117 bug in value argument of URLSearchParams.prototype.{ has, delete }
  • Fixed early WebKit ~ Safari 17.0 beta Set methods implementation by the actual spec
  • Fixed incorrect Symbol.{ dispose, asyncDispose } descriptors from NodeJS 20.4 / transpilers helpers / userland code
  • Fixed forced polyfilling of some iterator helpers that should return wrapped iterator in the pure version
  • Fixed and exposed AsyncIteratorPrototype core-js/configurator option, #1268
  • Compat data improvements:
    • Sync Iterator helpers proposal features marked as supported from V8 ~ Chrome 117
    • Array grouping proposal features marked as supported from V8 ~ Chrome 117
    • Mark Symbol.{ dispose, asyncDispose } as supported from NodeJS 20.5.0 (as mentioned above, NodeJS 20.4.0 add it, but with incorrect descriptors)
    • Added Electron 27 compat data mapping
• 3.31.1 - 2023-07-06
  
  • Fixed a structuredClone bug with cloning views of transferred buffers, #1265
  • Fixed the order of arguments validation in DataView methods
  • Allowed cloning of Float16Array in structuredClone
  • Compat data improvements:
    • Set methods proposal marked as supported from Safari 17.0
    • New URL features: URL.canParse, URLSearchParams.prototype.size and value argument of URLSearchParams.prototype.{ has, delete } marked as supported from Safari 17.0
    • value argument of URLSearchParams.prototype.{ has, delete } marked as supported from Deno 1.35
    • AggregateError and well-formed JSON.stringify marked as supported React Native 0.72 Hermes
    • Added Deno 1.35 compat data mapping
    • Added Quest Browser 28 compat data mapping
    • Added missing NodeJS 12.16-12.22 compat data mapping
    • Updated Opera Android 76 compat data mapping
• 3.31.0 - 2023-06-11
  Read more
• 3.30.2 - 2023-05-06
• 3.30.1 - 2023-04-13
• 3.30.0 - 2023-04-03
• 3.29.1 - 2023-03-13
• 3.29.0 - 2023-02-26
• 3.28.0 - 2023-02-13
• 3.27.2 - 2023-01-18
• 3.27.1 - 2022-12-29
• 3.27.0 - 2022-12-25
• 3.26.1 - 2022-11-13
• 3.26.0 - 2022-10-23
• 3.25.5 - 2022-10-03
• 3.25.4 - 2022-10-02
• 3.25.3 - 2022-09-25
• 3.25.2 - 2022-09-18
• 3.25.1 - 2022-09-07
• 3.25.0 - 2022-08-24
• 3.24.1 - 2022-07-29
• 3.24.0 - 2022-07-25
• 3.23.5 - 2022-07-17
• 3.23.4 - 2022-07-09
• 3.23.3 - 2022-06-25
• 3.23.2 - 2022-06-20
• 3.23.1 - 2022-06-14
• 3.23.0 - 2022-06-13
• 3.22.8 - 2022-06-01
• 3.22.7 - 2022-05-24
• 3.22.6 - 2022-05-22
• 3.22.5 - 2022-05-10
• 3.22.4 - 2022-05-02
• 3.22.3 - 2022-04-28
• 3.22.2 - 2022-04-21
• 3.22.1 - 2022-04-19
• 3.22.0 - 2022-04-15
• 3.21.1 - 2022-02-16
• 3.21.0 - 2022-02-01
• 3.20.3 - 2022-01-15
• 3.20.2 - 2022-01-01
• 3.20.1 - 2021-12-23
• 3.20.0 - 2021-12-15
• 3.19.3 - 2021-12-06
• 3.19.2 - 2021-11-29
• 3.19.1 - 2021-11-02
• 3.19.0 - 2021-10-25
• 3.18.3 - 2021-10-12
• 3.18.2 - 2021-10-05
• 3.18.1 - 2021-09-26
• 3.18.0 - 2021-09-19
• 3.17.3 - 2021-09-09
• 3.17.2 - 2021-09-02
• 3.17.1 - 2021-09-01
• 3.17.0 - 2021-09-01
• 3.16.4 - 2021-08-29
• 3.16.3 - 2021-08-24
• 3.16.2 - 2021-08-17
• 3.16.1 - 2021-08-08
• 3.16.0 - 2021-07-30
• 3.15.2 - 2021-06-29
• 3.15.1 - 2021-06-22
• 3.15.0 - 2021-06-20
• 3.14.0 - 2021-06-05
• 3.13.1 - 2021-05-29
• 3.13.0 - 2021-05-25
• 3.12.1 - 2021-05-08

from core-js GitHub release notes

Commit messages

Package name: core-js

• bc16b93 3.34.0
• 9c26a2d it's a duplicative logic
• 19bd058 fix `RegExp` named capture groups object prototype
• 572d8d4 update dependencies
• bedf292 relax some specific cases of `Number.fromString` validation before clarification of https://github.com/Edge cases, some questions tc39/proposal-number-fromstring#24
• 27ce99b fix `an-uint8-array` validation with polyfilled typed arrays
• 98f3276 fix a web incompatibility issue of `Iterator` helpers proposal
• dd99d83 Merge pull request #1308 from zloirock/arraybuffer-base64
• d27aa04 some stylistic changes
• 86f6f87 add some tests
• 9d67637 add to changelog
• 6ea90d5 add some tests
• 776b2ff add docs
• bcb3297 add some entries
• a75c128 add `.fromBase64` method
• 319c69a add `.toBase64` method
• bc82b7e add `.fromHex` / `.toHex` methods
• a0572be update dependencies
• 0308f3d drop an unnecessary `hasOwn` check
• d9148aa update dependencies
• 9d3b597 update dependencies
• ffe4d2d update dependencies
• 8eeedd4 update `eslint-plugin-es-x`
• 7298628 fix one more case related to #1313

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs