🚨 [security] Update enmap 5.9.8 → 6.0.5 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ enmap (5.9.8 → 6.0.5) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ better-sqlite3 (indirect, 8.7.0 → 11.10.0) · Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ detect-libc (indirect, 2.0.2 → 2.0.4) · Repo

Commits

See the full diff on Github. The new version differs by 12 commits:

• Release v2.0.4
• TypeScript: Add types field to package.json (#28)
• CI: remove Node.js 22
• CI: Add Node.js 20/22, remove CentOS (EOL)
• Release v2.0.3
• Improve getReport performance (#21)
• Improve filesystem-based detection of glibc (#22)
• CI: Latest Void Linux provides glibc 2.39
• CI: bump unit test actions
• Tests: include missing coverage in summary
• CI: Update integration test environments/expectations
• chore: refactor by removing a couple variables (#20)

↗️ napi-build-utils (indirect, 1.0.2 → 2.0.0) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ node-abi (indirect, 3.56.0 → 3.75.0) · Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 59 commits:

• feat: update ABI registry
• feat: update ABI registry
• feat: update ABI registry
• feat: update ABI registry
• feat: update ABI registry
• build: allow releases on the `3-x-y` branch
• build(deps): bump actions/cache from 4.2.2 to 4.2.3 (#203)
• build(deps): bump actions/setup-node from 4.2.0 to 4.3.0 (#204)
• build(deps): bump actions/cache from 4.2.0 to 4.2.2 (#201)
• build(deps): bump actions/setup-node from 4.1.0 to 4.2.0 (#200)
• feat: update ABI registry
• feat: update ABI registry
• feat: update ABI registry
• build(deps): bump actions/cache from 4.1.2 to 4.2.0 (#198)
• build(deps): bump continuousauth/action from 1.0.4 to 1.0.5 (#197)
• build(deps): bump continuousauth/action from 1.0.3 to 1.0.4 (#196)
• ci: switch to GHA (#194)
• build(deps): bump actions/cache from 4.0.2 to 4.1.2 (#192)
• build(deps): bump actions/checkout from 4.2.0 to 4.2.2 (#193)
• build(deps): bump actions/setup-node from 4.0.4 to 4.1.0 (#191)
• chore: bump electronjs/node in .circleci/config.yml to 2.3.1 (#190)
• chore: remove got dependency (#188)
• feat: update ABI registry
• feat: update ABI registry
• feat: update ABI registry
• chore: bump continuousauth/npm in .circleci/config.yml to 2.1.1 (#187)
• build(deps): bump actions/checkout from 4.1.7 to 4.2.0 (#185)
• build(deps): bump actions/setup-node from 4.0.3 to 4.0.4 (#186)
• feat: update ABI registry
• build: fix repository.url in package.json (#184)
• build(deps): bump dsanders11/github-app-commit-action (#183)
• feat: update ABI registry
• feat: update ABI registry
• feat: update ABI registry
• build(deps): bump actions/setup-node from 4.0.2 to 4.0.3 (#182)
• build(deps): bump actions/checkout from 4.1.6 to 4.1.7 (#180)
• build(deps): bump amannn/action-semantic-pull-request (#181)
• feat: update ABI registry
• chore: bump electronjs/node in .circleci/config.yml to 2.3.0 (#179)
• feat: update ABI registry
• build(deps): bump actions/checkout from 4.1.4 to 4.1.6 (#178)
• feat: update ABI registry
• chore: bump electronjs/node in .circleci/config.yml to 2.2.3 (#177)
• chore: bump electronjs/node in .circleci/config.yml to 2.2.2 (#176)
• build(deps): bump amannn/action-semantic-pull-request (#175)
• build(deps): bump actions/checkout from 4.1.2 to 4.1.4 (#174)
• feat: update ABI registry
• feat: update ABI registry
• feat: update ABI registry
• feat: update ABI registry
• feat: update ABI registry
• build(deps): bump actions/checkout from 4.1.1 to 4.1.2 (#172)
• build(deps): bump dsanders11/github-app-commit-action (#173)
• build(deps): bump actions/cache from 4.0.1 to 4.0.2 (#171)
• feat: update ABI registry
• build(deps): bump dsanders11/github-app-commit-action (#168)
• build(deps): bump actions/setup-node from 4.0.1 to 4.0.2 (#169)
• build(deps): bump actions/cache from 4.0.0 to 4.0.1 (#170)
• ci: make signed commits (#167)

↗️ prebuild-install (indirect, 7.1.2 → 7.1.3) · Repo · Changelog

Release Notes

7.1.3

Fixed

• Bump napi-build-utils from 1 to 2 (#204) (1bf4a15) (Bailey Pearson)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 2 commits:

• 7.1.3
• Bump napi-build-utils from 1 to 2 (#204)

↗️ pump (indirect, 3.0.0 → 3.0.2) · Repo

Commits

See the full diff on Github. The new version differs by 9 commits:

• 3.0.2
• Fix for catch syntax issue (#60)
• 3.0.1
• work in envs where no fs is defined
• Create SECURITY.md
• fix link for reals
• fix tidelift link
• add funding
• Update README.md

↗️ semver (indirect, 7.6.0 → 7.7.2) · Repo · Changelog

Release Notes

7.7.2

7.7.2 (2025-05-12)

Bug Fixes

• fcafb61 #780 add missing 'use strict' directives (#780) (@Fdawgs)
• c99f336 #781 prerelease identifier starting with digits (#781) (@mbtools)

Chores

• c760403 #784 template-oss-apply for workflow permissions (#784) (@wraithgar)
• 2677f2a #778 bump @npmcli/template-oss from 4.23.6 to 4.24.3 (#778) (@dependabot[bot], @npm-cli-bot)

7.7.1

7.7.1 (2025-02-03)

Bug Fixes

• af761c0 #764 inc: fully capture prerelease identifier (#764) (@wraithgar)

7.7.0

7.7.0 (2025-01-29)

Features

• 0864b3c #753 add "release" inc type (#753) (@mbtools)

Bug Fixes

• d588e37 #755 diff: fix prerelease to stable version diff logic (#755) (@eminberkayd, berkay.daglar)
• 8a34bde #754 add identifier validation to inc() (#754) (@mbtools)

Documentation

• 67e5478 #756 readme: added missing period for consistency (#756) (@shaymolcho)
• 868d4bb #749 clarify comment about obsolete prefixes (#749) (@mbtools, @ljharb)

Chores

• 145c554 #741 bump @npmcli/eslint-config from 4.0.5 to 5.0.0 (@dependabot[bot])
• 753e02b #747 bump @npmcli/template-oss from 4.23.3 to 4.23.4 (#747) (@dependabot[bot], @npm-cli-bot)
• 0b812d5 #744 postinstall for dependabot template-oss PR (@hashtagchris)

7.6.3

7.6.3 (2024-07-16)

Bug Fixes

• 73a3d79 #726 optimize Range parsing and formatting (#726) (@jviide)

Documentation

• 2975ece #719 fix extra backtick typo (#719) (@stdavis)

7.6.2

7.6.2 (2024-05-09)

Bug Fixes

• 6466ba9 #713 lru: use map.delete() directly (#713) (@negezor, @lukekarrys)

7.6.1

7.6.1 (2024-05-04)

Bug Fixes

• c570a34 #704 linting: no-unused-vars (@wraithgar)
• ad8ff11 #704 use internal cache implementation (@mbtools)
• ac9b357 #682 typo in compareBuild debug message (#682) (@mbtools)

Dependencies

• 988a8de #709 uninstall lru-cache (#709)
• 3fabe4d #704 remove lru-cache

Chores

• dd09b60 #705 bump @npmcli/template-oss to 4.22.0 (@lukekarrys)
• ec49cdc #701 chore: chore: postinstall for dependabot template-oss PR (@lukekarrys)
• b236c3d #696 add benchmarks (#696) (@H4ad)
• 692451b #688 various improvements to README (#688) (@mbtools)
• 5feeb7f #705 postinstall for dependabot template-oss PR (@lukekarrys)
• 074156f #701 bump @npmcli/template-oss from 4.21.3 to 4.21.4 (@dependabot[bot])

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 37 commits:

• chore: release 7.7.2 (#783)
• fix: add missing `'use strict'` directives (#780)
• chore: template-oss-apply for workflow permissions (#784)
• fix: prerelease identifier starting with digits (#781)
• chore: bump @npmcli/template-oss from 4.23.6 to 4.24.3 (#778)
• chore: bump @npmcli/template-oss from 4.23.4 to 4.23.6 (#760)
• chore: release 7.7.1 (#765)
• fix(inc): fully capture prerelease identifier (#764)
• chore: release 7.7.0 (#750)
• fix(diff): fix prerelease to stable version diff logic (#755)
• chore: bump @npmcli/template-oss from 4.23.3 to 4.23.4 (#747)
• fix: add identifier validation to `inc()` (#754)
• feat: add "release" inc type (#753)
• docs(readme): added missing period for consistency (#756)
• docs: clarify comment about obsolete prefixes (#749)
• chore: bump @npmcli/eslint-config from 4.0.5 to 5.0.0
• chore: postinstall for dependabot template-oss PR
• chore: bump @npmcli/template-oss from 4.23.1 to 4.23.3
• chore: bump @npmcli/template-oss from 4.22.0 to 4.23.1
• chore: bump @npmcli/template-oss from 4.22.0 to 4.23.1
• chore: release 7.6.3 (#720)
• fix: optimize Range parsing and formatting (#726)
• docs: fix extra backtick typo (#719)
• chore: release 7.6.2 (#714)
• fix(lru): use map.delete() directly (#713)
• chore: release 7.6.1 (#706)
• deps: uninstall `lru-cache` (#709)
• chore: postinstall for dependabot template-oss PR
• chore: bump @npmcli/template-oss to 4.22.0
• fix(linting): no-unused-vars
• fix: use internal cache implementation
• deps: remove lru-cache
• chore: chore: chore: postinstall for dependabot template-oss PR
• chore: bump @npmcli/template-oss from 4.21.3 to 4.21.4
• chore: add benchmarks (#696)
• chore: various improvements to README (#688)
• fix: typo in compareBuild debug message (#682)

↗️ tar-fs (indirect, 2.1.1 → 2.1.3) · Repo

Security Advisories 🚨

🚨 tar-fs can extract outside the specified dir with a specific tarball

Impact

v3.0.8, v2.1.2, v1.16.4 and below

Patches

Has been patched in 3.0.9, 2.1.3, and 1.16.5

Workarounds

You can use the ignore option to ignore non files/directories.

  ignore (_, header) {
    // pass files & directories, ignore e.g. symlinks
    return header.type !== 'file' && header.type !== 'directory'
  }

Credit

Thank you Caleb Brown from Google Open Source Security Team for reporting this in detail.

🚨 tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File

An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.

This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.7.

Commits

See the full diff on Github. The new version differs by 4 commits:

• 2.1.3
• hardlink tweak from main
• 2.1.2
• symlink tweak from main

🆕 better-serialize (added, 1.0.0)

🆕 lodash-es (added, 4.17.21)

🗑️ lodash (removed)

🗑️ lru-cache (removed)

🗑️ randombytes (removed)

🗑️ serialize-javascript (removed)

🗑️ yallist (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #84.