
fix(deps): update dependency squirrelly to v9 [security] #30012

Draft
wants to merge 1 commit into base: develop

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Aug 9, 2024

This PR contains the following updates:

Package: squirrelly (source)
Change: 7.9.2 -> 9.0.0

GitHub Vulnerability Alerts

CVE-2021-32819

Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. Version 9.0.0 has a fix for this issue. For complete details refer to the referenced GHSL-2021-023.


Release Notes

squirrellyjs/squirrelly (squirrelly)

v9.0.0: Version 9.0.0

Compare Source

TL;DR

The main news in this commit is that the settings field in the data object is no longer merged with your configuration. This resolves several security issues.

This may cause changes in the way you use Express.js with Squirrelly, since you'll have to configure caching and the views directory for both Express and Squirrelly separately.

Example:

const express = require("express")
const Sqrl = require("squirrelly")
const app = express()
app.engine("sqrl", Sqrl.renderFile)
Sqrl.configure({ views: "./views", cache: true }) // Squirrelly's own config, set separately from Express's settings
app.set("views", "./views")
app.set("view cache", true)
app.set("view engine", "sqrl")

Commits

  • chore: rebuild & format e1a554b
  • Merge pull request #​254 from legobeat/fix-data-config af6018f
  • Don't merge data.settings into the config option c12418a
  • don't pass view options dca7a1e
  • Merge pull request #​249 from squirrellyjs/dependabot/npm_and_yarn/qs-6.5.3 d460cc1
  • Merge pull request #​234 from squirrellyjs/dependabot/npm_and_yarn/tmpl-1.0.5 ba66a3f
  • Merge pull request #​235 from squirrellyjs/dependabot/npm_and_yarn/i-0.3.7 5d5b2fe
  • Bump qs from 6.5.2 to 6.5.3 f51c304
  • Bump i from 0.3.6 to 0.3.7 6400940
  • Merge pull request #​248 from squirrellyjs/dependabot/npm_and_yarn/decode-uri-component-0.2.2 cbdd42f
  • Merge pull request #​247 from squirrellyjs/dependabot/npm_and_yarn/loader-utils-1.4.2 31833df
  • Merge pull request #​245 from squirrellyjs/dependabot/npm_and_yarn/terser-4.8.1 9b8afbe
  • Merge pull request #​244 from squirrellyjs/dependabot/npm_and_yarn/jsdom-16.7.0 51dd9be
  • Merge pull request #​243 from squirrellyjs/dependabot/npm_and_yarn/ajv-6.12.6 151bbd6
  • Merge pull request #​242 from squirrellyjs/dependabot/npm_and_yarn/trim-off-newlines-1.0.3 8321eda
  • Merge pull request #​239 from squirrellyjs/dependabot/npm_and_yarn/shelljs-0.8.5 75a8687
  • Merge pull request #​232 from squirrellyjs/dependabot/npm_and_yarn/path-parse-1.0.7 c7fd5fe
  • Merge pull request #​228 from squirrellyjs/dependabot/npm_and_yarn/normalize-url-4.5.1 5b5259f
  • Merge pull request #​226 from squirrellyjs/dependabot/npm_and_yarn/browserslist-4.16.6 e148698
  • Merge pull request #​225 from squirrellyjs/dependabot/npm_and_yarn/hosted-git-info-2.8.9 a9bdfe7
  • Merge pull request #​224 from squirrellyjs/dependabot/npm_and_yarn/handlebars-4.7.7 021c6a5
  • Merge pull request #​221 from squirrellyjs/dependabot/npm_and_yarn/ssri-6.0.2 6235b55
  • Merge pull request #​219 from squirrellyjs/dependabot/npm_and_yarn/elliptic-6.5.4 d60d325
  • Merge pull request #​216 from squirrellyjs/dependabot/npm_and_yarn/node-notifier-8.0.1 23008f0
  • Merge pull request #​215 from squirrellyjs/dependabot/npm_and_yarn/ini-1.3.7 8a6f4fa
  • Merge pull request #​213 from squirrellyjs/dependabot/npm_and_yarn/highlight.js-10.4.1 96eb062
  • Bump decode-uri-component from 0.2.0 to 0.2.2 76c15ca
  • Bump loader-utils from 1.4.0 to 1.4.2 9967601
  • Bump terser from 4.6.7 to 4.8.1 ec3ebd6
  • Bump jsdom from 16.4.0 to 16.7.0 20664b9
  • Bump ajv from 6.12.0 to 6.12.6 b037db1
  • Bump trim-off-newlines from 1.0.1 to 1.0.3 19e05ae
  • Bump shelljs from 0.8.4 to 0.8.5 50652e6
  • Bump tmpl from 1.0.4 to 1.0.5 3710f94
  • Bump path-parse from 1.0.6 to 1.0.7 bd9106b
  • Bump normalize-url from 4.5.0 to 4.5.1 44424c7
  • Bump browserslist from 4.9.1 to 4.16.6 09b0dfe
  • Bump hosted-git-info from 2.8.8 to 2.8.9 34476cc
  • Bump handlebars from 4.7.6 to 4.7.7 f862efe
  • Bump ssri from 6.0.1 to 6.0.2 1ee720c
  • Bump elliptic from 6.5.3 to 6.5.4 fdae927
  • Bump node-notifier from 8.0.0 to 8.0.1 8038a7d
  • Bump ini from 1.3.5 to 1.3.7 e30a761
  • Bump highlight.js from 10.1.2 to 10.4.1 df63f2e
  • Re-add CodeShelter badge to README 72d6125
  • Remove badge 5744f06
  • Various work 817f325
  • Create codeql-analysis.yml 07c994d
  • Removed unnecessary build step 27fadf2
  • Add np as a dev dependency 59b4a7f
  • Merge pull request #​206 from jmclean-cnexus/master 3d333dd
  • remove dist, add release script, and append dist to .gitignore 8318455

v8.0.8: Version 8.0.8

Compare Source

TL;DR

  • Merged a PR by @​jmclean-cnexus that fixed the types of FilterFunction
  • @​jmclean-cnexus also abstracted some utility functions in containers.ts into container-utils.ts, and wrote accompanying tests 🎉

Commits

  • Rebuild 0383045
  • Format, add specific examples of blocks & filters ad6fe3d
  • Format d158e64
  • Merge pull request #​205 from jmclean-cnexus/master 81c09e9
  • update README to include tests tag in contributers as well as reference name 93d2997
  • add test contribution since there are some unit tests in this latest push 56e8685
  • add name to .allcontributors d200f89
  • remove package lock from previous commit and add to .gitignore c1c71d5
  • break out container to be more testable 4ba4f2b
  • Merge pull request #​204 from squirrellyjs/all-contributors/add-jmclean-cnexus 4fd4a57
  • docs: update .all-contributorsrc [skip ci] 08c72d2
  • docs: update README.md [skip ci] bf3e9bd
  • Rebuild after FilterFunction type fix 009073d
  • Merge pull request #​203 from jmclean-cnexus/bugfix/update-filter-function-type-def db7ef0f
  • remove package-lock b97041c
  • change string type to any type 82fa1bf
  • Allow any number of arguments that are strings 6211864

v8.0.7: Version 8.0.7

Compare Source

TL;DR

Mainly minor updates. One important fix by @​futurelucas4502 preventing renderFile from erroring if the data argument was undefined or null; see #​201.

Commits

  • Merge pull request #​202 from squirrellyjs/all-contributors/add-futurelucas4502 a5b40f6
  • docs: update .all-contributorsrc [skip ci] b310830
  • docs: update README.md [skip ci] 9744133
  • Fix link to contributor d15e60a
  • Rebuild to remove carriage returns from map a62f36f
  • Merge pull request #​201 from futurelucas4502/master 31d0268
  • Update file handler renderFile function to allow for an undefined data parameter without erroring 4b9e964
  • Update FUNDING.yml e9a023d
  • Fix Travis Node version, eslint-plugin doesn't support v11 386c3aa


v8.0.6: Version 8.0.6

Compare Source

TL;DR

Nothing exciting here, just a little package cleanup! All our dev dependencies are now up-to-date.

Commits

  • Lint with eslint instead of prettier-standard 4c66bdc
  • chore: remove quickbuild script f15847b
  • Rebuild 8a65881
  • chore: update dev-deps. Modify eslintrc with new version 20f9a3e

v8.0.5: Version 8.0.5

Compare Source

TL;DR

This release just contains a few quick README updates.

Commits

  • Update README for easier access to quick resources 9a0ee15
  • Add txAdmin to list of projects using Squirrelly 519e4ef

v8.0.4: Version 8.0.4

Compare Source

TL;DR

Changes in this release:

  • Updated development dependencies
  • Squirrelly's XML-escape filter (e) is now applied after all other filters by default. See #​189 and #​198
    • This is potentially a slightly breaking change, but the chance of it affecting anyone is quite low

Commits

  • Rebuild after dev-dependency update b61f2b0
  • Update dependencies 623dc42
  • Fix tests so XML-escape filter is on the outside 264c230
  • Fix changes in making XML-escape the last filter 1e5d747
  • Apply XML-escape filter after all other filters 0e511f0
  • Merge pull request #​197 from squirrellyjs/dependabot/npm_and_yarn/elliptic-6.5.3 f6a4920
  • Bump elliptic from 6.5.2 to 6.5.3 5bb49a7
  • Add Cypress to list of projects using Squirrelly 0d647a1

v8.0.3: Version 8.0.3

Compare Source

TL;DR

Just updated the README to add a note about the contributors to Version 7 (who unfortunately aren't listed in the README) and removed the badge for David-DM (which has had downtime problems).

Commits

  • Update README - add note about v7 contributors, remove David-DM badge e2f97a7

v8.0.2: Version 8.0.2

Compare Source

TL;DR

This commit merged #​195 (which fixes a compilation error thrown in newer versions of TypeScript), updated dev dependencies, and updated some unit tests to import functions from index.ts (to improve test coverage).

Commits

  • Rebuilt 4ae327b
  • Update some tests to import from index, to increase coverage 2092ec8
  • Upgrade dev dependencies 57a9a9d
  • Merge pull request #​195 from vinothbabu/master ffd9c9e
  • Added // eslint-disable-next-line no-extra-boolean-cast to bypass the warnings. 0c534bc
  • Revert "check if the function exists in the native object." e36ad3a
  • check if the function exists in the native object. 4b9944d
  • check if the native prototype method exists by evaluating it. 139a9d0

v8.0.1: Version 8.0.1

Compare Source

Commits

v8.0.0: Version 8

Compare Source

Version 8 is now stable!

Thank you to all those who helped with development or gave feedback!

Documentation is at https://squirrelly.js.org


Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
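The v9.0.0 note above ("Don't merge data.settings into the config option") is the whole fix for CVE-2021-32819. As an added illustration that is not code from Squirrelly, Express or this PR, the block below models the pre-9 merge beside the v9 behaviour and adds a defensive sanitizer for applications that cannot upgrade yet; the config keys, function names and sample data are constructed assumptions, not Squirrelly's API.

```javascript
// Added illustration (not Squirrelly's or the PR's own code): a minimal model of
// how an engine config could be built from Express's render data, before and
// after the v9.0.0 change "don't merge data.settings into the config option".
const DEFAULT_CONFIG = Object.freeze({ views: undefined, cache: false, autoEscape: true });

// Pre-9 behaviour (modelled, not the real implementation): every key under
// data.settings lands in the engine config, so whoever controls the render data
// also controls engine options, which is what the advisory describes.
function buildConfigLegacy(engineConfig, renderData) {
  const settings = (renderData && renderData.settings) || {};
  return { ...DEFAULT_CONFIG, ...engineConfig, ...settings };
}

// v9 behaviour: config comes only from Sqrl.configure()/explicit options; the
// data object is template data and nothing else.
function buildConfigV9(engineConfig, _renderData) {
  return { ...DEFAULT_CONFIG, ...engineConfig };
}

// Defensive wrapper for apps still on a pre-9 engine: strip engine-configuration
// keys (and prototype-pollution keys) from render data before it reaches the engine.
const RESERVED_KEYS = new Set(["settings", "__proto__", "constructor", "prototype"]);
function sanitizeRenderData(renderData) {
  const clean = {};
  for (const [key, value] of Object.entries(renderData || {})) {
    if (RESERVED_KEYS.has(key)) continue; // drop silently, or throw, per your policy
    clean[key] = value;
  }
  return clean;
}

// Constructed sample: Express adds a `settings` object to what it hands the engine,
// and here a route has (carelessly) spread request input into the same object.
const appConfig = { views: "./views", cache: true };
const renderData = {
  title: "Home",
  settings: { cache: false, autoEscape: false }, // constructed: came from request input
};

console.log("legacy config:", buildConfigLegacy(appConfig, renderData)); // cache/autoEscape overridden
console.log("v9 config:", buildConfigV9(appConfig, renderData));         // unchanged
console.log("sanitized data:", sanitizeRenderData(renderData));         // { title: "Home" }
```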

@cypress-app-bot
Collaborator

See the guidelines for reviewing dependency updates for info on how to review dependency update PRs.

@jennifer-shehane jennifer-shehane marked this pull request as draft August 9, 2024 18:50