Bump the npm_and_yarn group across 1 directory with 9 updates #1

Open
dependabot[bot] wants to merge 1 commit into master from
dependabot/npm_and_yarn/src/chap13-Serverless/google-python-simple-http-endpoint/npm_and_yarn-e72065bf2f
dependabot bot commented on behalf of github on Feb 10, 2026

Bumps the npm_and_yarn group with 3 updates in the /src/chap13-Serverless/google-python-simple-http-endpoint directory: async, axios and lodash.

Updates async from 2.6.3 to 2.6.4

Changelog

Sourced from async's changelog.

v2.6.4

  • Fix potential prototype pollution exploit (#1828)
Maintainer changes

This version was pushed to npm by hargasinski, a new releaser for async since your current version.


Removes axios

Updates googleapis from 32.0.0 to 39.2.0

Changelog

Sourced from googleapis's changelog.

v39.2.0

04-03-2019 16:17 PDT

This release has a few hot new APIs:

  • healthcare_v1beta1
  • run_v1
  • run_v1alpha1
  • securitycenter_v1
  • securitycenter_v1beta1

New Features

  • feat: run the generator (#1668)

Internal / Testing Changes

  • chore(deps): update dependency typescript to ~3.4.0
  • chore(deps): update dependency @types/tmp to ^0.1.0

v39.1.0

03-28-2019 16:17 PDT

This release has security fixes. Versions 36.0.0 => 39.0.0 have a potential vulnerability where the scope of auth objects may be shared across different clients. This was addressed in #1660, and is part of this minor release. All clients should be updated to the latest version.

Bug Fixes

  • fix: move context from namespace to class scope (#1660)

New Features

  • feat: run the generator (#1659)

Internal / Testing Changes

  • fix: README should not be generated (#1657)

v39.0.0

03-26-2019 22:05 PDT

This release had breaking changes. There have been a variety of TypeScript type changes. There have also been a variety of changes to the Google Plus API, and the OAuth2 API. Please take care!

There are also some sweet new APIs:

  • cloudasset_v1
  • cloudtasks_v2
  • factchecktools_v1alpha1
  • servicenetworking_v1
  • websecurityscanner_v1beta

New Features

  • feat: run the generator (#1653)
  • feat: run the generator (#1644)

... (truncated)

Maintainer changes

This version was pushed to npm by google-wombot, a new releaser for googleapis since your current version.


Updates https-proxy-agent from 2.2.2 to 2.2.4

Updates jws from 3.2.2 to 3.2.3

Release notes

Sourced from jws's releases.

v3.2.3

Changed

  • Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
  • Upgrading JWA version to 1.4.2, addressing a compatibility issue for Node >= 25.
Changelog

Sourced from jws's changelog.

[3.2.3]

Changed

  • Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
  • Upgrading JWA version to 1.4.2, addressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

2.0.0 - 2015-01-30

Changed

  • BREAKING: Default payload encoding changed from binary to utf8. utf8 is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. (6b6de48)

  • Code reorganization, thanks @fearphage! (7880050)

Added

  • Option in all relevant methods for encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. (6b6de48)
Commits
  • 4f6e73f Merge commit from fork
  • bd0fea5 version 3.2.3
  • 7c3b4b4 Enhance tests for HMAC streaming sign and verify
  • a9b8ed9 Improve secretOrKey initialization in VerifyStream
  • 6707fde Improve secret handling in SignStream
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jws since your current version.


Updates lodash from 4.17.15 to 4.17.23

Updates node-fetch from 2.6.0 to 2.7.0

Release notes

Sourced from node-fetch's releases.

v2.7.0

2.7.0 (2023-08-23)

Features

v2.6.13

2.6.13 (2023-08-18)

Bug Fixes

v2.6.12

2.6.12 (2023-06-29)

Bug Fixes

v2.6.11

2.6.11 (2023-05-09)

Reverts

v2.6.10

2.6.10 (2023-05-08)

Bug Fixes

v2.6.9

2.6.9 (2023-01-30)

Bug Fixes

v2.6.8

2.6.8 (2023-01-13)

... (truncated)

Maintainer changes

This version was pushed to npm by node-fetch-bot, a new releaser for node-fetch since your current version.


Updates node-forge from 0.8.5 to 0.10.0

Changelog

Sourced from node-forge's changelog.

0.10.0 - 2020-09-01

Changed

  • BREAKING: Node.js 4 no longer supported. The code may still work, and non-invasive patches to keep it working will be considered. However, more modern tools no longer support old Node.js versions making testing difficult.

Removed

  • BREAKING: Remove util.getPath, util.setPath, and util.deletePath. util.setPath had a potential prototype pollution security issue when used with unsafe inputs. These functions are not used by forge itself. They date from an early time when forge was targeted at providing general helper functions. The library direction changed to be more focused on cryptography. Many other excellent libraries are more suitable for general utilities. If you need a replacement for these functions, consider get, set, and unset from lodash. But also consider the potential similar security issues with those APIs.

0.9.2 - 2020-09-01

Changed

  • Added util.setPath security note to function docs and to README.

Notes

  • SECURITY: The util.setPath function has the potential to cause prototype pollution if used with unsafe input.
    • This function is not used internally by forge.
    • The rest of the library is unaffected by this issue.
    • Do not use unsafe input with this function.
    • Usage with known input should function as expected. (Including input intentionally using potentially problematic keys.)
    • No code changes will be made to address this issue in 0.9.x. The current behavior could be considered a feature rather than a security issue. 0.10.0 will be released that removes util.getPath and util.setPath. Consider get and set from lodash if you need replacements. But also consider the potential similar security issues with those APIs.
    • https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677
    • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720

0.9.1 - 2019-09-26

Fixed

  • Ensure DES-CBC given IV is long enough for block size.

0.9.0 - 2019-09-04

Added

  • Add ed25519.publicKeyFromAsn1 and ed25519.privateKeyFromAsn1 APIs.
  • A few OIDs used in EV certs.

... (truncated)

Updates qs from 6.8.0 to 6.14.1

Changelog

Sourced from qs's changelog.

6.14.1

  • [Fix] ensure arrayLength applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

  • [New] parse: add throwOnParameterLimitExceeded option (#517)
  • [Refactor] parse: use utils.combine more
  • [patch] parse: add explicit throwOnLimitExceeded default
  • [actions] use shared action; re-add finishers
  • [meta] Fix changelog formatting bug
  • [Deps] update side-channel
  • [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
  • [Tests] increase coverage

6.13.1

  • [Fix] stringify: avoid a crash when a filter key is null
  • [Fix] utils.merge: functions should not be stringified into keys
  • [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
  • [Fix] stringify: ensure a non-string filter does not crash
  • [Refactor] use __proto__ syntax instead of Object.create for null objects
  • [Refactor] misc cleanup
  • [Tests] utils.merge: add some coverage
  • [Tests] fix a test case
  • [actions] split out node 10-20, and 20+
  • [Dev Deps] update es-value-fixtures, mock-property, object-inspect, tape

6.13.0

  • [New] parse: add strictDepth option (#511)
  • [Tests] use npm audit instead of aud

6.12.3

  • [Fix] parse: properly account for strictNullHandling when allowEmptyArrays
  • [meta] fix changelog indentation

6.12.2

  • [Fix] parse: parse encoded square brackets (#506)
  • [readme] add CII best practices badge

6.12.1

  • [Fix] parse: Disable decodeDotInKeys by default to restore previous behavior (#501)
  • [Performance] utils: Optimize performance under large data volumes, reduce memory usage, and speed up processing (#502)
  • [Refactor] utils: use +=
  • [Tests] increase coverage

6.12.0

... (truncated)

Commits
  • 3fa11a5 v6.14.1
  • a626704 [Dev Deps] update npmignore
  • 3086902 [Fix] ensure arrayLength applies to [] notation as well
  • fc7930e [Dev Deps] update eslint, @ljharb/eslint-config
  • 0b06aac [Dev Deps] update @ljharb/eslint-config
  • 64951f6 [Refactor] parse: extract key segment splitting helper
  • e1bd259 [Dev Deps] update @ljharb/eslint-config
  • f4b3d39 [eslint] add eslint 9 optional peer dep
  • 6e94d95 [Dev Deps] update eslint, @ljharb/eslint-config, npmignore
  • 973dc3c [actions] add workflow permissions
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Bumps the npm_and_yarn group with 3 updates in the /src/chap13-Serverless/google-python-simple-http-endpoint directory: [async](https://github.com/caolan/async), [axios](https://github.com/axios/axios) and [lodash](https://github.com/lodash/lodash).


Updates `async` from 2.6.3 to 2.6.4
- [Release notes](https://github.com/caolan/async/releases)
- [Changelog](https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md)
- [Commits](caolan/async@v2.6.3...v2.6.4)

Removes `axios`

Updates `googleapis` from 32.0.0 to 39.2.0
- [Release notes](https://github.com/googleapis/google-api-nodejs-client/releases)
- [Changelog](https://github.com/googleapis/google-api-nodejs-client/blob/v39.2.0/CHANGELOG.md)
- [Commits](googleapis/google-api-nodejs-client@v32.0.0...v39.2.0)

Updates `https-proxy-agent` from 2.2.2 to 2.2.4
- [Release notes](https://github.com/TooTallNate/proxy-agents/releases)
- [Changelog](https://github.com/TooTallNate/proxy-agents/blob/main/packages/https-proxy-agent/CHANGELOG.md)
- [Commits](https://github.com/TooTallNate/proxy-agents/commits/2.2.4/packages/https-proxy-agent)

Updates `jws` from 3.2.2 to 3.2.3
- [Release notes](https://github.com/brianloveswords/node-jws/releases)
- [Changelog](https://github.com/auth0/node-jws/blob/master/CHANGELOG.md)
- [Commits](auth0/node-jws@v3.2.2...v3.2.3)

Updates `lodash` from 4.17.15 to 4.17.23
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.15...4.17.23)

Updates `node-fetch` from 2.6.0 to 2.7.0
- [Release notes](https://github.com/node-fetch/node-fetch/releases)
- [Commits](node-fetch/node-fetch@v2.6.0...v2.7.0)

Updates `node-forge` from 0.8.5 to 0.10.0
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@0.8.5...0.10.0)

Updates `qs` from 6.8.0 to 6.14.1
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.8.0...v6.14.1)

---
updated-dependencies:
- dependency-name: async
  dependency-version: 2.6.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-version: 
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: googleapis
  dependency-version: 39.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: https-proxy-agent
  dependency-version: 2.2.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: jws
  dependency-version: 3.2.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: node-fetch
  dependency-version: 2.7.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: node-forge
  dependency-version: 0.10.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.14.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies and javascript labels on Feb 10, 2026
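
The async and node-forge changelog entries quoted above both concern prototype pollution through path-style setters fed unsafe input. The following is an added example, not part of this pull request and not code from either library: `naiveSetPath`, `safeSetPath` and `demo` are hypothetical helpers, and the path is constructed sample input.

```javascript
// Added illustration: hypothetical helpers, not node-forge's or async's code.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive setter: follows inherited keys too, so '__proto__' walks onto Object.prototype.
function naiveSetPath(obj, path, value) {
  let node = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (node[key] === undefined || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return obj;
}

// Hardened setter: validates every segment, then descends only through own object properties.
function safeSetPath(obj, path, value) {
  if (!Array.isArray(path) || path.length === 0) throw new TypeError('path must be a non-empty array');
  for (const key of path) {
    if (typeof key !== 'string' || FORBIDDEN_KEYS.has(key)) {
      throw new RangeError('unsafe path segment: ' + String(key));
    }
  }
  let node = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== 'object') node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return obj;
}

// Runs both setters on a constructed untrusted path and reports the outcome.
function demo() {
  const untrustedPath = ['__proto__', 'isAdmin']; // constructed sample input
  const result = { naivePolluted: false, safeRejected: false, safePolluted: false };
  try {
    naiveSetPath({}, untrustedPath, true);
    result.naivePolluted = ({}).isAdmin === true; // unrelated objects now inherit the flag
  } finally {
    delete Object.prototype.isAdmin; // undo the pollution for the rest of the process
  }
  try { safeSetPath({}, untrustedPath, true); } catch (e) { result.safeRejected = e instanceof RangeError; }
  result.safePolluted = ({}).isAdmin === true;
  return result;
}
```

A denylist of key names is the minimum check; building intermediate containers with `Object.create(null)` or using a `Map` removes the inherited prototype from the walk entirely.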