chore(deps): update dependency ua-parser-js to v0.7.33 [security] (#2…

…5561) * chore(deps): update dependency ua-parser-js to v0.7.33 [security] * chore(deps): update dependency ua-parser-js to v0.7.33 [security] * chore: add CHANGELOG entry for ua-parser-js update [run ci] * [run ci] Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Bill Glesias <[email protected]>
cypress-io · Jan 25, 2023 · 8d3a6ee · 8d3a6ee · cypress-bot · Jan 25, 2023
1 parent 3eb3a16
commit 8d3a6ee
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 5 deletions.
diff --git a/cli/CHANGELOG.md b/cli/CHANGELOG.md
@@ -8,6 +8,15 @@ _Released 01/31/2023 (PENDING)_
 - Fixed an issue where alternative Microsoft Edge Beta and Canary binary names were not being discovered by Cypress. 
   Fixes [#25455](https://github.com/cypress-io/cypress/issues/25455).
 
+**Dependency Updates:**
+
+- Upgraded [`ua-parser-js`](https://github.com/faisalman/ua-parser-js) from `0.7.24`
+  to `0.7.33` to address this
+  [security vulnerability](https://github.com/faisalman/ua-parser-js/security/advisories/GHSA-fhg7-m89q-25r3)
+  where crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to 
+  get stuck processing for a very long time which results in a denial of service (DoS) condition. 
+  Addressed in [#25561](https://github.com/cypress-io/cypress/pull/25561).
+
 ## 12.4.0
 
 _Released 1/24/2023_

diff --git a/package.json b/package.json
@@ -271,7 +271,7 @@
     "**/pretty-format": "26.4.0",
     "**/sharp": "0.29.3",
     "**/socket.io-parser": "4.0.5",
-    "**/ua-parser-js": "0.7.24",
+    "**/ua-parser-js": "0.7.33",
     "@typescript-eslint/eslint-plugin": "4.18.0",
     "sharp": "0.29.3",
     "vue-template-compiler": "2.6.12"

diff --git a/yarn.lock b/yarn.lock
@@ -29055,10 +29055,10 @@ typescript@^4.7.4:
   resolved "https://registry.yarnpkg.com/typescript/-/typescript-4.7.4.tgz#1a88596d1cf47d59507a1bcdfb5b9dfe4d488235"
   integrity sha512-C0WQT0gezHuw6AdY1M2jxUO83Rjf0HP7Sk1DtXj6j1EwkQNZrHAg2XPWlq62oqEhYvONq5pkC2Y9oPljWToLmQ==
 
-[email protected].24, ua-parser-js@^0.7.18:
-  version "0.7.24"
-  resolved "https://registry.yarnpkg.com/ua-parser-js/-/ua-parser-js-0.7.24.tgz#8d3ecea46ed4f1f1d63ec25f17d8568105dc027c"
-  integrity sha512-yo+miGzQx5gakzVK3QFfN0/L9uVhosXBBO7qmnk7c2iw1IhL212wfA3zbnI54B0obGwC/5NWub/iT9sReMx+Fw==
+[email protected].33, ua-parser-js@^0.7.18:
+  version "0.7.33"
+  resolved "https://registry.yarnpkg.com/ua-parser-js/-/ua-parser-js-0.7.33.tgz#1d04acb4ccef9293df6f70f2c3d22f3030d8b532"
+  integrity sha512-s8ax/CeZdK9R/56Sui0WM6y9OFREJarMRHqLB2EwkovemBxNQ+Bqu8GAsUnVcXKgphb++ghr/B2BZx4mahujPw==
 
 uc.micro@^1.0.1, uc.micro@^1.0.5:
   version "1.0.6"