Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Upgrade @headlessui/vue from 1.7.14 to 1.7.16 #4

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Snyk] Upgrade @headlessui/vue from 1.7.14 to 1.7.16 #4

wants to merge 1 commit into from

Conversation

naiba4
Copy link
Owner

@naiba4 naiba4 commented Jan 24, 2024

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade @headlessui/vue from 1.7.14 to 1.7.16.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 2 versions ahead of your current version.
  • The recommended version was released 5 months ago, on 2023-08-17.
Release notes
Package name: @headlessui/vue
  • 1.7.16 - 2023-08-17

    Fixed

    • Fix form elements for uncontrolled <Listbox multiple> and <Combobox multiple> (#2626)
    • Use correct value when resetting <Listbox multiple> and <Combobox multiple> (#2626)
    • Render <MainTreeNode /> in PopoverGroup component only (#2634)
    • Disable smooth scrolling when opening/closing Dialog components on iOS (#2635)
    • Don't assume <Tab /> components are available when setting the next index (#2642)
    • Improve SSR of the Disclosure component (#2645)
    • Fix incorrectly focused ComboboxInput component on page load (#2654)
    • Improve resetting values when using the nullable prop on the Combobox component (#2660)
    • Prevent scrolling when focusing a tab (#2674)
  • 1.7.15 - 2023-07-27

    Fixed

    • Ensure the caret is in a consistent position when syncing the Combobox.Input value (#2568)
    • Improve "outside click" behaviour in combination with 3rd party libraries (#2572)
    • Improve performance of Combobox component (#2574)
    • Ensure IME works on Android devices (#2580)
    • Calculate aria-expanded purely based on the open/closed state (#2610)
    • Submit form on Enter even if no submit-like button was found (#2613)
  • 1.7.14 - 2023-06-01
from @headlessui/vue GitHub release notes
Commit messages
Package name: @headlessui/vue
  • 8505d7a 1.7.16 - @ headlessui/vue
  • 0b8bd32 1.7.17 - @ headlessui/react
  • c2bf9dd Prevent scrolling when focusing a tab (#2674)
  • a317866 Fix hydration of components inside `<Suspense>` (#2663)
  • 88b068c Improve resetting values when using the `nullable` prop on the `Combobox` component (#2660)
  • 842890d Ensure `appear` works using the `Transition` component (even when used with SSR) (#2646)
  • 88a0138 Fix incorrectly focused `Combobox.Input` component on page load (#2654)
  • cc163ea Improve SSR of the `Disclosure` component (#2645)
  • c22a8c1 Don't assume `<Tab />` components are available when setting the next index (#2642)
  • 6f9de89 Disable smooth scrolling when opening/closing `Dialog` components on iOS (#2635)
  • 34275da Revert "Fix hydration of components inside `<Suspense>` (#2633)"
  • 3501289 Fix hydration of components inside `<Suspense>` (#2633)
  • 4f6f67c only check if `_mainTreeNodeRef` is passed in (Vue)
  • a3fa86b only check if `_mainTreeNodeRef` is passed in
  • 8a37854 Render `<MainTreeNode />` indicators in `Popover.Group` only (#2634)
  • b380d03 Use correct value when resetting `<Listbox multiple>` and `<Combobox multiple>` (#2626)
  • 9b42daf improve `attemptSubmit` submission (#2625)
  • 954a3ac 0.2.0 - @ headlessui/tailwindcss
  • e4fc1b0 1.7.15 - @ headlessui/vue
  • 0501475 1.7.16 - @ headlessui/react
  • 510cb6e update changelog
  • d29b3cd add test for the `ui-not-focus-visible` variant
  • e644d97 update changelog
  • 685a6a8 Add `not-focus-visible` variant to Tailwind plugin (#2618)

Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

@pull-request-quantifier-deprecated Pull Request Quantifier (deprecated)
Copy link

This PR has 2 quantified lines of changes. In general, a change size of upto 200 lines is ideal for the best PR experience!

Quantification details 

Label      : Extra Small
Size       : +1 -1
Percentile : 0.8%

Total files changed: 2

Change summary by file extension:
.json : +1 -1

Change counts above are quantified counts, based on the PullRequestQuantifier customizations.

Why proper sizing of changes matters

Optimal pull request sizes drive a better predictable PR flow as they strike a
balance between between PR complexity and PR review overhead. PRs within the
optimal size (typical small, or medium sized PRs) mean:

  • Fast and predictable releases to production:
    • Optimal size changes are more likely to be reviewed faster with fewer
      iterations.
    • Similarity in low PR complexity drives similar review times.
  • Review quality is likely higher as complexity is lower:
    • Bugs are more likely to be detected.
    • Code inconsistencies are more likely to be detected.
  • Knowledge sharing is improved within the participants:
    • Small portions can be assimilated better.
  • Better engineering practices are exercised:
    • Solving big problems by dividing them in well contained, smaller problems.
    • Exercising separation of concerns within the code changes.

What can I do to optimize my changes

  • Use the PullRequestQuantifier to quantify your PR accurately
    • Create a context profile for your repo using the context generator
    • Exclude files that are not necessary to be reviewed or do not increase the review complexity. Example: Autogenerated code, docs, project IDE setting files, binaries, etc. Check out the Excluded section from your prquantifier.yaml context profile.
    • Understand your typical change complexity, drive towards the desired complexity by adjusting the label mapping in your prquantifier.yaml context profile.
    • Only use the labels that matter to you, see context specification to customize your prquantifier.yaml context profile.
  • Change your engineering behaviors
    • For PRs that fall outside of the desired spectrum, review the details and check if:
      • Your PR could be split in smaller, self-contained PRs instead
      • Your PR only solves one particular issue. (For example, don't refactor and code new features in the same PR).

How to interpret the change counts in git diff output

  • One line was added: +1 -0
  • One line was deleted: +0 -1
  • One line was modified: +1 -1 (git diff doesn't know about modified, it will
    interpret that line like one addition plus one deletion)
  • Change percentiles: Change characteristics (addition, deletion, modification)
    of this PR in relation to all other PRs within the repository.

Was this comment helpful? 👍  :ok_hand:  :thumbsdown: (Email)
Customize PullRequestQuantifier for this repository.

@guardrails GuardRails
Copy link

guardrails bot commented Jan 24, 2024

⚠️ We detected 7 security issues in this pull request:

Vulnerable Libraries (7)
Severity Details
Medium pkg:npm/[email protected] (t) upgrade to: > 8.29.0
Medium pkg:npm/[email protected] (t) upgrade to: > 9.8.0
Medium pkg:npm/@typescript-eslint/[email protected] (t) upgrade to: > 5.46.1
High pkg:npm/[email protected] (t) upgrade to: > 2.6.3
High pkg:npm/[email protected] (t) upgrade to: > 2.0.0-beta.59
High pkg:npm/[email protected] (t) upgrade to: > 2.0.0-beta.143
Medium pkg:npm/@typescript-eslint/[email protected] (t) upgrade to: > 5.46.1

More info on how to fix Vulnerable Libraries in JavaScript.

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

@socket-security Socket Security
Copy link

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@headlessui/[email protected] environment Transitive: eval, filesystem, unsafe +20 13.9 MB thecrypticace
npm/@sentry/[email protected] network +7 9.77 MB sentry-bot

🚮 Removed packages: npm/@headlessui/[email protected], npm/@sentry/[email protected]

View full report↗︎

@socket-security Socket Security
Copy link

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert Package NoteSource
Chronological version anomaly npm/@headlessui/[email protected]
New author npm/@headlessui/[email protected]
Minified code npm/@headlessui/[email protected]
Environment variable access npm/@headlessui/[email protected]
Network access npm/@sentry/[email protected]
No tests npm/@sentry-internal/[email protected]
Network access npm/@sentry-internal/[email protected]
No tests npm/@sentry-internal/[email protected]
Long strings npm/@sentry-internal/[email protected]
No tests npm/@sentry-internal/[email protected]
Unpopular package npm/@sentry-internal/[email protected]

View full report↗︎

Next steps

What is a chronological version anomaly?

Semantic versions published out of chronological order.

This could either indicate dependency confusion or a patched vulnerability.

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

What's wrong with minified code?

This package contains minified code. This may be harmless in some cases where minified code is included in packaged libraries, however packages on npm should not minify code.

In many cases minified code is harmless, however minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm.

What is environment variable access?

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

What is network access?

This module accesses the network.

Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

What does no tests mean?

Package does not have any tests. This is a strong signal of a poorly maintained or low quality package.

Add tests and publish a new version of the package. Consumers may look for an alternative package with better testing.

What's wrong with long strings?

Contains long string literals, which may be a sign of obfuscated or packed code.

Avoid publishing or consuming obfuscated or bundled code. It makes dependencies difficult to audit and undermines the module resolution system.

What are unpopular packages?

This package is not very popular.

Unpopular packages may have less maintenance and contain other problems.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Extra Small
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@naiba4 @snyk-bot