Skip to content

chore(deps): update dependency tsup to v8.3.5 [security] #444

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency tsup to v8.3.5 [security] #444

wants to merge 1 commit into from

Conversation

svc-secops
Copy link
Contributor

@svc-secops svc-secops commented Mar 6, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
tsup (source) 8.0.2 -> 8.3.5 age adoption passing confidence

tsup DOM Clobbering vulnerability

CVE-2024-53384 / GHSA-3mv9-4h5g-vhg3

More information

Details

A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

egoist/tsup (tsup)

v8.3.5

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v8.3.4

Compare Source

No significant changes

    View changes on GitHub

v8.3.0

Compare Source

Bug Fixes
Features

v8.2.4

Compare Source

Bug Fixes

v8.2.3

Compare Source

Bug Fixes
  • get metafile on windows (048c93b)

v8.2.2

Compare Source

Bug Fixes
  • Revert "refactor: replace globby with faster alternative (#​1158)" (2de6dd5)

v8.2.1

Compare Source

Bug Fixes

v8.2.0

Compare Source

Features
  • add option to retain node protocol (e7ced34)

v8.1.2

Compare Source

Bug Fixes

v8.1.1

Compare Source

  • Upgrade bunch of dependencies (esbuild v0.23).

v8.1.0

Compare Source

Features

Configuration

📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - "after 8am and before 4pm on tuesday" in timezone Etc/UTC.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Renovate Bot.

@svc-secops svc-secops requested a review from a team as a code owner March 6, 2025 13:56
@svc-secops svc-secops added dependencies Pull requests that update a dependency file vulnerability labels Mar 6, 2025
@vercel Vercel
Copy link

vercel bot commented Mar 6, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Updated (UTC)
apollo__client-integration-react-router Error Error Aug 22, 2025 11:13am
apollo__client-integration-tanstack-start Error Error Aug 22, 2025 11:13am

@svc-secops
Copy link
Contributor Author

svc-secops commented Mar 6, 2025
edited
Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
➤ YN0000: · Yarn 4.9.1
➤ YN0000: ┌ Resolution step
➤ YN0085: │ + tsup@npm:8.3.5, @rollup/rollup-android-arm-eabi@npm:4.47.1, @rollup/rollup-android-arm64@npm:4.47.1, @rollup/rollup-darwin-arm64@npm:4.47.1, and 22 more.
➤ YN0085: │ - bundle-require@npm:4.0.2, tsup@npm:8.0.2
➤ YN0000: └ Completed in 1s 697ms
➤ YN0000: ┌ Post-resolution validation
➤ YN0060: │ @types/react is listed by your project with version 19.0.2 (peddff), which doesn't satisfy what react-focus-lock (via @chakra-ui/react) and other dependencies request (but they have non-overlapping ranges!).
➤ YN0060: │ @yarnpkg/core is listed by your project with version 4.2.0 (p4e948), which doesn't satisfy what @yarnpkg/cli and other dependencies request (^4.4.1).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p1eb2e), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p1ecf7), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p2be3d), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p38093), which doesn't satisfy what @apollo/client and other dependencies request (^16.6.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p4b3c5), which doesn't satisfy what @apollo/client and other dependencies request (^16.6.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p74662), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p7c14e), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p9d845), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (pa1182), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (pc1d15), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (pc49da), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (pd4beb), which doesn't satisfy what @apollo/client and other dependencies request (^16.6.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (pd9955), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (pf0659), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ react is listed by your project with version 19.0.0 (pd410a), which doesn't satisfy what framer-motion and other dependencies request (but they have non-overlapping ranges!).
➤ YN0060: │ react is listed by your project with version 19.0.0 (pf06e9), which doesn't satisfy what ssr-only-secrets and other dependencies request (but they have non-overlapping ranges!).
➤ YN0060: │ react-dom is listed by your project with version 19.0.0 (p21a4c), which doesn't satisfy what framer-motion and other dependencies request (^18.2.0).
➤ YN0002: │ @apollo/client-integration-tanstack-start@workspace:packages/tanstack-start doesn't provide vite (p58222), requested by @tanstack/start.
➤ YN0002: │ @apollo/client-react-streaming@workspace:packages/client-react-streaming [fc55e] doesn't provide webpack (p25bda), requested by react-server-dom-webpack.
➤ YN0002: │ @apollo/client-react-streaming@workspace:packages/client-react-streaming doesn't provide webpack (p5ca41), requested by react-server-dom-webpack.
➤ YN0002: │ @integration-test/jest@workspace:integration-test/jest doesn't provide @testing-library/dom (p47416), requested by @testing-library/react and other dependencies.
➤ YN0002: │ @integration-test/tanstack-start@workspace:integration-test/tanstack-start doesn't provide @tanstack/react-router (p21743), requested by @tanstack/router-devtools.
➤ YN0002: │ @integration-test/tanstack-start@workspace:integration-test/tanstack-start doesn't provide vite (p9e1e8), requested by @tanstack/start and other dependencies.
➤ YN0002: │ @integration-test/vitest@workspace:integration-test/vitest doesn't provide @testing-library/dom (p1caec), requested by @testing-library/react.
➤ YN0002: │ @integration-test/vitest@workspace:integration-test/vitest doesn't provide vite (pc1d9a), requested by @vitejs/plugin-react.
➤ YN0002: │ @internal/test-utils@workspace:packages/test-utils doesn't provide @jest/globals (pc7d0f), requested by @testing-library/react-render-stream.
➤ YN0002: │ @internal/test-utils@workspace:packages/test-utils doesn't provide expect (p25412), requested by @testing-library/react-render-stream.
➤ YN0002: │ @internal/test-utils@workspace:packages/test-utils doesn't provide jsdom (p35d94), requested by global-jsdom.
➤ YN0002: │ monorepo@workspace:. doesn't provide webpack (p5bc50), requested by @size-limit/webpack-why.
➤ YN0002: │ packages-shared@workspace:packages doesn't provide typescript (p496ab), requested by @typescript-eslint/eslint-plugin and other dependencies.
➤ YN0086: │ Some peer dependencies are incorrectly met by your project; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code.
➤ YN0086: │ Some peer dependencies are incorrectly met by dependencies; run yarn explain peer-requirements for details.
➤ YN0000: └ Completed
➤ YN0000: ┌ Fetch step
➤ YN0013: │ 2352 packages were added to the project (+ 320.51 MiB).
➤ YN0000: └ Completed in 1m 41s
➤ YN0000: ┌ Link step

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Mar 6, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: ce235c1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@netlify Netlify
Copy link

netlify bot commented Mar 6, 2025
edited
Loading

Deploy Preview for apollo-client-nextjs-docmodel failed.

Name Link
🔨 Latest commit 44cf999
🔍 Latest deploy log https://app.netlify.com/sites/apollo-client-nextjs-docmodel/deploys/67ee7ac29e04d7000889a442

@svc-secops svc-secops force-pushed the renovate/npm-tsup-vulnerability branch from a2e0f45 to 44cf999 Compare April 3, 2025 12:10
@svc-secops svc-secops force-pushed the renovate/npm-tsup-vulnerability branch from 44cf999 to ce235c1 Compare August 22, 2025 11:11
@netlify Netlify
Copy link

netlify bot commented Aug 22, 2025
edited
Loading

Deploy Preview for apollo-client-nextjs-docmodel failed.

Name Link
🔨 Latest commit ce235c1
🔍 Latest deploy log https://app.netlify.com/projects/apollo-client-nextjs-docmodel/deploys/68a850762a5cfc0008ec00a2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file vulnerability
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@svc-secops