cactus GitHub

PR #2263 fix(security): vulnerabilities found in keychain-vault-server
Fixes #2058

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
Created At 2023-01-11 12:50:57 +0000 UTC
PR #2262 build(deps): bump debug from 2.6.9 to 3.1.0
Labels: dependencies, javascript

Bumps [debug](https://github.com/debug-js/debug) from 2.6.9 to 3.1.0.
Release notes

Sourced from debug's releases.

3.1.0

Minor Changes

  • Ignore package-lock.json: e7e568a24736486721882282eb21beb31c741647
  • Remove component.json: 47747f329fe159e94262318b52b87a48f6c0acd4
  • Remove "component" from package.json: bdb7e0137f84dc8bcfc95daede7c694799d38dbf
  • Add DEBUG_HIDE_DATE env var: #486

Patches

  • Correct spelling mistake: daf1a7c8c0f62f5dbc8d48158d6748d0527cc551
  • Examples: fix colors printout: 7cd9e539ce571fc3314d34d9d1dac3124839dbac
  • Fix browser detection: fdfa0f5f6cc7e83fd60b6cf1e7b990cbf6388621
  • Remove ReDoS regexp in %o formatter: #504

Credits

Huge thanks to @amejiarosario and @zhuangya for their help!

3.0.0

Featuring pretty new colors!

Major Changes

  • Remove DEBUG_FD: #406
  • Make millisecond timer namespace specific and allow 'always enabled' output: #408
  • Use Date#toISOString() instead of Date#toUTCString() when output is not a TTY: #418
  • enabled() updates existing debug instances: #440

Minor Changes

  • Add destroy() function: #440
  • Document enabled flag: #465
  • Support 256 colors: #481
  • Update "browserify" to v14.4.0: 826fd94639efeaa3c5701b50d335caead084a5d6
  • Separate Node.js and web browser examples: 87880f6ae1f48b12d9f3346bce564a66cba6b93e
  • Example: use %o formatter: 31f3343de76cb8687041387a1b811745c6e84473
  • More readme screenshots replaced: 25eb545324912dd2863658d0ba35426c0f617619
  • Add Namespace Colors section to readme: 8b5c438a222167bd0cc66db046bac073f01b3c01
  • Separate the Node and Browser tests in Travis: f178d861df18abacac6e9e4607c7306a1147bf3d

Patches

  • Readme: fix typo: #473
  • Component: update "ms" to v2.0.0: d2dd80aeaf1b037f0b3be21838c4594bbedc4a9c

Credits

... (truncated)

Changelog

Sourced from debug's changelog.

3.1.0 / 2017-09-26

  • Add DEBUG_HIDE_DATE env var (#486)
  • Remove ReDoS regexp in %o formatter (#504)
  • Remove "component" from package.json
  • Remove component.json
  • Ignore package-lock.json
  • Examples: fix colors printout
  • Fix: browser detection
  • Fix: spelling mistake (#496, @EdwardBetts)

3.0.1 / 2017-08-24

  • Fix: Disable colors in Edge and Internet Explorer (#489)

3.0.0 / 2017-08-08

  • Breaking: Remove DEBUG_FD (#406)
  • Breaking: Use Date#toISOString() instead of Date#toUTCString() when output is not a TTY (#418)
  • Breaking: Make millisecond timer namespace specific and allow 'always enabled' output (#408)
  • Addition: document enabled flag (#465)
  • Addition: add 256 colors mode (#481)
  • Addition: enabled() updates existing debug instances, add destroy() function (#440)
  • Update: component: update "ms" to v2.0.0
  • Update: separate the Node and Browser tests in Travis-CI
  • Update: refactor Readme, fixed documentation, added "Namespace Colors" section, redid screenshots
  • Update: separate Node.js and web browser examples for organization
  • Update: update "browserify" to v14.4.0
  • Fix: fix Readme typo (#473)
[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=debug&package-manager=npm_and_yarn&previous-version=2.6.9&new-version=3.1.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
  • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
  • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
  • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/hyperledger/cactus/network/alerts).
Created At 2023-01-11 11:00:10 +0000 UTC
PR #2261 build(deps): bump knex from 2.0.0 to 2.4.0
Labels: dependencies, javascript

Bumps [knex](https://github.com/knex/knex) from 2.0.0 to 2.4.0.
Release notes

Sourced from knex's releases.

2.4.0

New features:

  • Support partial unique indexes #5316
  • Make compiling SQL in error message optional #5282

Bug fixes

  • Insert array into json column #5321
  • Fix unexpected max acquire-timeout #5377
  • Fix: orWhereJson #5361
  • MySQL: Add assertion for basic where clause not to be object or array #1227
  • SQLite: Fix changing the default value of a boolean column in SQLite #5319

Typings:

  • add missing type for 'expirationChecker' on PgConnectionConfig #5334

2.3.0

New features:

  • PostgreSQL: Explicit jsonb support for custom pg clients #5201
  • SQLite: Support returning with sqlite3 and better-sqlite3 #5285
  • MSSQL: Implement mapBinding mssql dialect option #5292

Typings:

  • Update types for TS 4.8 #5279
  • Fix typo #5267
  • Fix WhereJsonObject withCompositeTableType #5306
  • Fix AnalyticFunction type #5304
  • Infer specific column value type in aggregations #5297

2.2.0

New features:

  • Inline primary key creation for postgres flavours #5233
  • SQLite: Add warning for undefined connection file #5223
  • MSSQL: Add JSON parameter support for connection #5200

Bug fixes:

  • PostgreSQL: add primaryKey option for uuid #5212

Typings:

  • Add promisable and better types #5222
  • Update raw query bind parameter type #5208

2.1.0 - 26 May, 2022

... (truncated)

Changelog

Sourced from knex's changelog.

2.4.0 - 06 January, 2022

New features:

  • Support partial unique indexes #5316
  • Make compiling SQL in error message optional #5282

Bug fixes

  • Insert array into json column #5321
  • Fix unexpected max acquire-timeout #5377
  • Fix: orWhereJson #5361
  • MySQL: Add assertion for basic where clause not to be object or array #1227
  • SQLite: Fix changing the default value of a boolean column in SQLite #5319

Typings:

  • add missing type for 'expirationChecker' on PgConnectionConfig #5334

2.3.0 - 31 August, 2022

New features:

  • PostgreSQL: Explicit jsonb support for custom pg clients #5201
  • SQLite: Support returning with sqlite3 and better-sqlite3 #5285
  • MSSQL: Implement mapBinding mssql dialect option #5292

Typings:

  • Update types for TS 4.8 #5279
  • Fix typo #5267
  • Fix WhereJsonObject withCompositeTableType #5306
  • Fix AnalyticFunction type #5304
  • Infer specific column value type in aggregations #5297

2.2.0 - 19 July, 2022

New features:

  • Inline primary key creation for postgres flavours #5233
  • SQLite: Add warning for undefined connection file #5223
  • MSSQL: Add JSON parameter support for connection #5200

Bug fixes:

  • PostgreSQL: add primaryKey option for uuid #5212

Typings:

  • Add promisable and better types #5222

... (truncated)

Created At 2023-01-11 04:31:46 +0000 UTC
PR #2260 build(deps): bump convict from 6.2.3 to 6.2.4
Labels: dependencies, javascript

Bumps [convict](https://github.com/mozilla/node-convict) from 6.2.3 to 6.2.4.
Changelog

Sourced from convict's changelog.

6.2.4 (2023-01-07)

Bug Fixes

  • Fix imperfect prototype pollution fix (#410) (#411). Thanks to Captain-K-101
Created At 2023-01-10 22:22:11 +0000 UTC
PR #2259 feat(cactus-plugin-persistence-ethereum): add new persistence plugin
- Add a new plugin for storing ledger data into a database (or any other storage in the future).
- Add functional tests for plugin and data access layer operations.
- Increase gas limit on openethereum contract to solve occasional issues in automatic tests.
- Tests assume any postgres database, but for final deployment supabase is assumed.
- Data fed by this plugin can later be visualized by a GUI application or analyzed directly.

Depends on: https://github.com/hyperledger/cactus/pull/2254
Depends on: https://github.com/hyperledger/cactus/pull/2256

Signed-off-by: Michal Bajer <michal.bajer@fujitsu.com>
Created At 2023-01-10 14:41:17 +0000 UTC
PR #2257 build(deps): bump jsonwebtoken from 8.5.1 to 9.0.0
Labels: dependencies, javascript

Bumps [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) from 8.5.1 to 9.0.0.
Changelog

Sourced from jsonwebtoken's changelog.

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

Security fixes

  • security: fixes Arbitrary File Write via verify function - CVE-2022-23529
  • security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
  • security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
  • security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539
Commits
  • e1fa9dc Merge pull request from GHSA-8cf7-32gw-wr33
  • 5eaedbf chore(ci): remove github test actions job (#861)
  • cd4163e chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)
  • ecdf6cc fix!: Prevent accidental use of insecure key sizes & misconfiguration of secr...
  • 8345030 fix(sign&verify)!: Remove default none support from sign and verify met...
  • 7e6a86b Upload OpsLevel YAML (#849)
  • 74d5719 docs: update references vercel/ms references (#770)
  • d71e383 docs: document "invalid token" error
  • 3765003 docs: fix spelling in README.md: Peak -> Peek (#754)
  • a46097e docs: make decode impossible to discover before verify
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jsonwebtoken since your current version.

Created At 2023-01-10 09:59:23 +0000 UTC
PR #2256 feat(connector-go-ethereum): add getBlock and getTransactionReceipt methods to connector
- getBlock and getTransactionReceipt added in go-ethereum-socketio-connector
- Added nullish coalescing in monitor options

Closes: #2255

Signed-off-by: tomasz awramski <tomasz.awramski@fujitsu.com>
Created At 2023-01-09 16:07:24 +0000 UTC
PR #2254 feat(supabase-all-in-one): add docker image for test supabase instance
- Add a new docker image `supabase-all-in-one` that will setup supabase instance for tests.
- Supabase is used as a backend for Cactus GUI.

Closes: #2253

Signed-off-by: Michal Bajer <michal.bajer@fujitsu.com>
Created At 2023-01-09 15:27:37 +0000 UTC
PR #2252 feat(connector-iroha2): update to the new LTS image
- Change iroha2 setup docker and helper classes to work with the new LTS image.
- Update Iroha SDK packages to the newest.
- Fix some tests that were failing after upgrade.
- Adjust SDK usage (new version doesn't create Torii client, arguments are provided with each method instead)

### WARNING - Wait for pinned image versions before merging!

Signed-off-by: Michal Bajer <michal.bajer@fujitsu.com>
Created At 2023-01-09 11:53:45 +0000 UTC
PR #2251 feat(besu-test-ledger): send funds to already created address
Enable sending funds to an existing account. New method created:

* sendEthToAccount

closes #2250

Signed-off-by: André Augusto <andre.augusto@tecnico.ulisboa.pt>
Created At 2023-01-08 20:07:40 +0000 UTC
PR #2249 feat(fabric-test-ledger): add support to enrolling users in different Orgs
Created new methods to avoid breaking changes in the API exported. New methods created:

* capitalizedMspIdOfOrg
* enrollAdminV2
* enrollUserV2
* createCaClientV2

closes #2248

Signed-off-by: André Augusto <andre.augusto@tecnico.ulisboa.pt>
Created At 2023-01-08 19:51:48 +0000 UTC
PR #2247 build(deps): bump tokio from 1.19.2 to 1.20.3 in /packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/rust/gen
Labels: dependencies, rust

Bumps [tokio](https://github.com/tokio-rs/tokio) from 1.19.2 to 1.20.3.
Release notes

Sourced from tokio's releases.

Tokio v1.20.2

1.20.2 (September 27, 2022)

This release removes the dependency on the once_cell crate to restore the MSRV of the 1.20.x LTS release. (#5048)

#5048: tokio-rs/tokio#5048

Tokio v1.20.1

1.20.1 (July 25, 2022)

Fixed

  • chore: fix version detection in build script (#4860)

#4860: tokio-rs/tokio#4860

Tokio v1.20.0

1.20.0 (July 12, 2022)

Added

Changed

  • time: remove src/time/driver/wheel/stack.rs (#4766)
  • rt: clean up arguments passed to basic scheduler (#4767)
  • net: be more specific about winapi features (#4764)
  • tokio: use const initialized thread locals where possible (#4677)
  • task: various small improvements to LocalKey (#4795)

Fixed

Documented

  • fs: warn about performance pitfall (#4762)
  • chore: fix spelling (#4769)
  • sync: document spurious failures in oneshot (#4777)
  • sync: add warning for watch in non-Send futures (#4741)
  • chore: fix typo (#4798)

Unstable

  • joinset: rename join_one to join_next (#4755)
  • rt: unhandled panic config for current thread rt (#4770)

#4677: tokio-rs/tokio#4677
#4741: tokio-rs/tokio#4741
#4755: tokio-rs/tokio#4755
#4758: tokio-rs/tokio#4758
#4762: tokio-rs/tokio#4762

... (truncated)

Commits
  • ba81945 chore: prepare Tokio 1.20.3 release
  • 763bdc9 ci: run WASI tasks using latest Rust
  • 9f98535 Merge remote-tracking branch 'origin/tokio-1.18.x' into fix-named-pipes-1.20
  • 9241c3e chore: prepare Tokio v1.18.4 release
  • 699573d net: fix named pipes server configuration builder
  • 3d95a46 chore: prepare Tokio v1.20.2 (#5055)
  • 2063d66 Merge 'tokio-1.18.3' into 'tokio-1.20.x' (#5054)
  • 5c76d07 chore: prepare Tokio v1.18.3 (#5051)
  • 05e6614 chore: don't use once_cell for 1.18.x LTS release (#5048)
  • c0746b6 chore: prepare Tokio v1.20.1 (#4861)
  • Additional commits viewable in compare view

Created At 2023-01-06 21:49:02 +0000 UTC