build(deps): bump sha.js from 2.4.8 to 2.4.12 in /examples/hot #170

dependabot · 2025-08-22T03:46:35Z

Bumps sha.js from 2.4.8 to 2.4.12.

Changelog

v2.4.12 - 2025-07-01

Commits

[eslint] switch to eslint 7acadfb

[meta] add auto-changelog b46e711

[eslint] fix package.json indentation df9d521

[Tests] migrate from travis to GHA c43c64a

[Fix] support multi-byte wide typed arrays f2a258e

[meta] reorder package.json d8d77c0

[meta] add npmignore 35aec35

[Tests] avoid console logs 73e33ae

[Tests] fix tests run in batch 2629130

[Tests] drop node requirement to 0.10 00c7f23

[Dev Deps] update buffer, hash-test-vectors, standard, tape, typedarray 92b5de5

[Tests] drop node requirement to v3 9b5eca8

[meta] set engines to >= 4 807084c

Only apps should have lockfiles c72789c

[Deps] update inherits, safe-buffer 5428cfc

[Dev Deps] update @ljharb/eslint-config 2dbe0aa

update README to reflect LICENSE 8938256

[Dev Deps] add missing peer dep d528896

[Dev Deps] remove unused buffer dep 94ca724

v2.4.11 - 2018-03-20

Merged

Project is bound by MIT AND BSD-3-Clause licenses. [#55](https://github.com/crypto-browserify/sha.js/issues/55)

v2.4.10 - 2018-01-22

Merged

Modified greater than uint32 bits data test [#53](https://github.com/crypto-browserify/sha.js/issues/53)

convert lowBits to unsigned in hash.js [#51](https://github.com/crypto-browserify/sha.js/issues/51)

Commits

Simplify bigData allocation 107141a

Modified large file test 9d037bd

v2.4.9 - 2017-09-25

Merged

Buffer: use alloc/allocUnsafe/from instead new [#50](https://github.com/crypto-browserify/sha.js/issues/50)

Change "new shajs.SHA256()" to lowercase to make it actually work. [#48](https://github.com/crypto-browserify/sha.js/issues/48)

drop Node <4 [#46](https://github.com/crypto-browserify/sha.js/issues/46)

hash: _update never returns anything [#45](https://github.com/crypto-browserify/sha.js/issues/45)

... (truncated)

Commits

eb4ea2f v2.4.12
d8d77c0 [meta] reorder package.json
df9d521 [eslint] fix package.json indentation
35aec35 [meta] add npmignore
d528896 [Dev Deps] add missing peer dep
b46e711 [meta] add auto-changelog
94ca724 [Dev Deps] remove unused buffer dep
2dbe0aa [Dev Deps] update @ljharb/eslint-config
73e33ae [Tests] avoid console logs
f2a258e [Fix] support multi-byte wide typed arrays
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for sha.js since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [sha.js](https://github.com/crypto-browserify/sha.js) from 2.4.8 to 2.4.12. - [Changelog](https://github.com/browserify/sha.js/blob/master/CHANGELOG.md) - [Commits](browserify/sha.js@v2.4.8...v2.4.12) --- updated-dependencies: - dependency-name: sha.js dependency-version: 2.4.12 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]>

ibcheckmarx · 2025-08-22T03:59:32Z

Checkmarx One – Scan Summary & Details – b200ae9b-a517-4c22-a4b6-f102a613e202

New Issues (539)

Checkmarx found the following issues in this Pull Request

Issue	Source File / Package	Checkmarx Insight
CVE-2017-16042	Npm-growl-1.9.2	details Recommended version: 1.10.0 Description: Growl adds growl notification support to nodejs. Growl versions prior to 1.10.0 does not properly sanitize input before passing it to exec, allowin... Attack Vector: NETWORK Attack Complexity: LOW `ID: DGrOl%2BtFRw1J3IKUoMMl3ii0pBmK12%2BxqcyKOs8J9cA%3D` Vulnerable Package
CVE-2018-11499	Npm-node-sass-4.5.3	details Description: A Use-After-Free vulnerability exists in "handle_error()" in "sass_context.cpp" in LibSass 3.4.x and 3.5.x through 3.5.5 that could be leveraged to... Attack Vector: NETWORK Attack Complexity: LOW `ID: xE91d%2B6PZC5Gf%2FS9%2Buy9Fpkhmpj0Hu6Jp1%2BXW5%2B6qv4%3D` Vulnerable Package
CVE-2018-16492	Npm-extend-3.0.0	details Recommended version: 3.0.2 Description: A Prototype Pollution vulnerability was found in module extend that allows an attacker to inject arbitrary properties onto "Object.Prototype". This... Attack Vector: NETWORK Attack Complexity: LOW `ID: 4enhMzUJsToTPdUv83rSfFlscMgc%2FCcCJ0eQOakydg0%3D` Vulnerable Package
CVE-2018-16492	Npm-extend-3.0.1	details Recommended version: 3.0.2 Description: A Prototype Pollution vulnerability was found in module extend that allows an attacker to inject arbitrary properties onto "Object.Prototype". This... Attack Vector: NETWORK Attack Complexity: LOW `ID: IigQ1%2B%2B33nCUvxI4SiYhLRiFNPaw3sjoAq0%2Bviq839M%3D` Vulnerable Package
CVE-2018-3739	Npm-https-proxy-agent-1.0.0	details Recommended version: 2.2.0 Description: https-proxy-agent before 2.2.0 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory ... Attack Vector: NETWORK Attack Complexity: LOW `ID: Bn4U555scjQK6UuNGfeYygtxRWdFhlZM%2BvJgAds0JZ4%3D` Vulnerable Package
CVE-2018-3739	Npm-https-proxy-agent-2.1.0	details Recommended version: 2.2.0 Description: https-proxy-agent before 2.2.0 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory ... Attack Vector: NETWORK Attack Complexity: LOW `ID: O6aY3w56TrUF58%2BsbRtrxCC67KuZiBVBcWB52bKfaFs%3D` Vulnerable Package
CVE-2018-3750	Npm-deep-extend-0.4.1	details Recommended version: 0.5.1 Description: The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attac... Attack Vector: NETWORK Attack Complexity: LOW `ID: 7E2H3Ej7Z5CrVy7ksg9LqIwL1MoGLWhIF3sh3UoGr%2B4%3D` Vulnerable Package
CVE-2018-3750	Npm-deep-extend-0.4.2	details Recommended version: 0.5.1 Description: The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attac... Attack Vector: NETWORK Attack Complexity: LOW `ID: q%2FBa3rhYpl8iVvyEDk%2B9UzvfXPP9TVGzeaOhXodjB98%3D` Vulnerable Package
CVE-2019-10747	Npm-set-value-0.4.3	details Recommended version: 2.0.1 Description: set-value is vulnerable to Prototype Pollution before 2.0.1 and 3.x before 3.0.1. The function mixin-deep could be tricked into adding or modifying... Attack Vector: NETWORK Attack Complexity: LOW `ID: %2FdrkXCEspSi8NWnA2sUhPuecQyEhzeOMvtFaP0BgrnQ%3D` Vulnerable Package
CVE-2019-10747	Npm-set-value-2.0.0	details Recommended version: 2.0.1 Description: set-value is vulnerable to Prototype Pollution before 2.0.1 and 3.x before 3.0.1. The function mixin-deep could be tricked into adding or modifying... Attack Vector: NETWORK Attack Complexity: LOW `ID: eUqnrujC68gdaXLKLejIGY2q8NDsP5y83G9%2FJZUT0%2Fs%3D` Vulnerable Package
CVE-2019-15657	Npm-eslint-utils-1.3.1	details Recommended version: 1.4.1 Description: In eslint-utils versions 1.2.0 through 1.4.0, the "getStaticValue" function can execute arbitrary code. Attack Vector: NETWORK Attack Complexity: LOW `ID: geBfNAVpXbABzKR6v35N6XG7BZbsMHH0yKbRjkqd0ac%3D` Vulnerable Package
CVE-2019-19919	Npm-handlebars-4.0.10	details Recommended version: 4.7.7 Description: Versions of handlebars prior to 3.0.8 and 4.x prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may ... Attack Vector: NETWORK Attack Complexity: LOW `ID: Ln7HbO31WrI5DcZ5W07G80emNtg42CdCjjM3fvDpi8o%3D` Vulnerable Package
CVE-2019-19919	Npm-handlebars-4.1.2	details Recommended version: 4.7.7 Description: Versions of handlebars prior to 3.0.8 and 4.x prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may ... Attack Vector: NETWORK Attack Complexity: LOW `ID: zVyQapjrn3IsDukwFctIk9oNgIP%2F3YHeRcAHyptOX%2B0%3D` Vulnerable Package
CVE-2020-7788	Npm-ini-1.3.4	details Recommended version: 1.3.6 Description: The package ini versions prior to 1.3.6 have a Prototype Pollution vulnerability. If an attacker submits a malicious INI file to an application tha... Attack Vector: NETWORK Attack Complexity: LOW `ID: BxOMfEYM17a689eMJoketIT7nyCeSfzCRIHPqV97Jzs%3D` Vulnerable Package
CVE-2020-7788	Npm-ini-1.3.5	details Recommended version: 1.3.6 Description: The package ini versions prior to 1.3.6 have a Prototype Pollution vulnerability. If an attacker submits a malicious INI file to an application tha... Attack Vector: NETWORK Attack Complexity: LOW `ID: %2Fdvr9%2BHoI9Q%2BOMXQ%2FZRbTVYJyLZf6bua56cqepinPkM%3D` Vulnerable Package
CVE-2021-21353	Npm-pug-code-gen-2.0.0	details Recommended version: 3.0.3 Description: In pug-code-gen before version 2.0.3 and 3.x before 3.0.2, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. i... Attack Vector: NETWORK Attack Complexity: HIGH `ID: jimBhvadzGa10qL0jL5n%2Br6XhvdAhuCONdT0wcuR3IE%3D` Vulnerable Package
CVE-2021-23406	Npm-degenerator-1.0.4	details Recommended version: 3.0.1 Description: A Code Injection vulnerability is present in the degenerator package. This affects the degenerator package versions prior to 3.0.1. This can occur ... Attack Vector: NETWORK Attack Complexity: LOW `ID: SOZszKi9lIwHaYRsnEY%2BPpKIqjpXs1ThP64zyzZopQo%3D` Vulnerable Package
CVE-2021-23406	Npm-pac-resolver-2.0.0	details Recommended version: 5.0.0 Description: A Code Injection vulnerability is present in the degenerator package. This affects the degenerator package versions prior to 3.0.1. This can occur ... Attack Vector: NETWORK Attack Complexity: LOW `ID: u8SwQ0nTiSjrmLuxC7PsbCnO9NfFEWB8HTCQuQVpX3I%3D` Vulnerable Package
CVE-2021-23440	Npm-set-value-0.4.3	details Recommended version: 2.0.1 Description: A Type-Confusion vulnerability in set-value package can lead to a bypass of CVE-2019-10747 when the user-provided keys are used in the `path` para... Attack Vector: NETWORK Attack Complexity: LOW `ID: fjpFrSn%2BJ%2FWgaP5CF7%2Fw%2B6lijrKfq93KekPVbVdvrho%3D` Vulnerable Package
CVE-2021-23440	Npm-set-value-2.0.0	details Recommended version: 2.0.1 Description: A Type-Confusion vulnerability in set-value package can lead to a bypass of CVE-2019-10747 when the user-provided keys are used in the `path` para... Attack Vector: NETWORK Attack Complexity: LOW `ID: zn4lmdT6GG%2BLxMRapJiQbbaOkFdqnmRhyVQuFeaftyg%3D` Vulnerable Package
CVE-2021-23555	Npm-vm2-3.5.0	details Recommended version: 3.9.6 Description: The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation... Attack Vector: NETWORK Attack Complexity: LOW `ID: 1rqMvIW6eYqMGPI2DT2Sg5LHXp8foaRRxc2HjE%2Bk7Gs%3D` Vulnerable Package
CVE-2021-23555	Npm-vm2-3.6.0	details Recommended version: 3.9.6 Description: The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation... Attack Vector: NETWORK Attack Complexity: LOW `ID: JeoZlLopEOkd7Sk8OUJ56mwim%2FwDDYG9h8RJq4HsAeg%3D` Vulnerable Package
CVE-2021-23807	Npm-jsonpointer-4.0.1	details Recommended version: 5.0.0 Description: A Type Confusion vulnerability in jsonpointer can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays. Th... Attack Vector: NETWORK Attack Complexity: LOW `ID: AbOK8Z7u7PjzTO5q6qzU0Ve7vIrT28ZWyfZy2IFVcDQ%3D` Vulnerable Package
CVE-2021-28918	Npm-netmask-1.0.6	details Recommended version: 2.0.1 Description: Improper input validation of octal strings in the netmask npm package versions through 1.0.6 allows unauthenticated remote attackers to perform ind... Attack Vector: NETWORK Attack Complexity: LOW `ID: %2FQPiuF%2FU8%2FpOWIZ27uQh7PJWrSYj22PZrVCNBHtyneE%3D` Vulnerable Package
CVE-2021-31597	Npm-xmlhttprequest-ssl-1.5.5	details Recommended version: 1.6.2 Description: The xmlhttprequest-ssl package versions prior to 1.6.1 for Node.js disable SSL certificate validation by default. This occurs because the "rejectUn... Attack Vector: NETWORK Attack Complexity: LOW `ID: kym7JiNi9BctRwQWB8mMZDvtv2hqbYDJPYLrkSv4xZk%3D` Vulnerable Package
CVE-2021-3918	Npm-json-schema-0.2.3	details Recommended version: 0.4.0 Description: json-schema before 0.4.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Attack Vector: NETWORK Attack Complexity: LOW `ID: Yb0J%2FWkPc8bDebcoxSCW%2FxzSS50SWJLrP3ZsfzwBEzg%3D` Vulnerable Package
CVE-2021-42740	Npm-shell-quote-1.6.1	details Recommended version: 1.7.3 Description: The shell-quote package versions prior to 1.7.3 for Node.js allow Command Injection. An attacker can inject unescaped shell metacharacters through ... Attack Vector: NETWORK Attack Complexity: LOW `ID: q5qHvuTUMgu3HIZ%2BmeA6zUTg2n8aUcg2m8rc%2BIFT7Kw%3D` Vulnerable Package
CVE-2022-0686	Npm-url-parse-1.4.7	details Recommended version: 1.5.9 Description: The package url-parse has a vulnerability of Authorization Bypass through User-Controlled Key in When no port number is provided in the "URL", is u... Attack Vector: NETWORK Attack Complexity: LOW `ID: 4CdzX%2BHtNIjS%2FEFsNSaTKxwuSwiAiz%2BLan80EaHREiw%3D` Vulnerable Package
CVE-2022-0686	Npm-url-parse-1.4.4	details Recommended version: 1.5.9 Description: The package url-parse has a vulnerability of Authorization Bypass through User-Controlled Key in When no port number is provided in the "URL", is u... Attack Vector: NETWORK Attack Complexity: LOW `ID: 7U72y0UezLMjM0MSeyvvWUUgEr%2FKL1PEqBq4yWukBTE%3D` Vulnerable Package
CVE-2022-0686	Npm-url-parse-1.0.5	details Recommended version: 1.5.9 Description: The package url-parse has a vulnerability of Authorization Bypass through User-Controlled Key in When no port number is provided in the "URL", is u... Attack Vector: NETWORK Attack Complexity: LOW `ID: EpEv4rW6f3VV9H6OSXFbXKl5COFCx8pmCVjTriUw%2F6g%3D` Vulnerable Package
CVE-2022-0686	Npm-url-parse-1.1.9	details Recommended version: 1.5.9 Description: The package url-parse has a vulnerability of Authorization Bypass through User-Controlled Key in When no port number is provided in the "URL", is u... Attack Vector: NETWORK Attack Complexity: LOW `ID: LvvtDk6n3BbPA3mx%2F%2FIa05M4d7Zg3AtzELhLH1PROUU%3D` Vulnerable Package
CVE-2022-0686	Npm-url-parse-1.1.8	details Recommended version: 1.5.9 Description: The package url-parse has a vulnerability of Authorization Bypass through User-Controlled Key in When no port number is provided in the "URL", is u... Attack Vector: NETWORK Attack Complexity: LOW `ID: mfZ9%2BRPAwlNaxJ0Qbf1O8laBJUt%2B3May5CMp4lHgSaA%3D` Vulnerable Package
CVE-2022-0691	Npm-url-parse-1.4.7	details Recommended version: 1.5.9 Description: Authorization Bypass through User-Controlled Key in NPM url-parse versions 1.4.5 through 1.5.8. Bypasses "https://hackerone\.com/reports/496293" via... Attack Vector: NETWORK Attack Complexity: LOW `ID: ccph18tyBR46rOiGtR3J833pHTKLqizgb3xHkySyz6I%3D` Vulnerable Package
CVE-2022-25893	Npm-vm2-3.6.0	details Recommended version: 3.9.10 Description: The package vm2 versions prior to 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the ''WeakMap.prototyp... Attack Vector: NETWORK Attack Complexity: LOW `ID: 8MlmQwYMjzNlZjQw4VvjJ9f4TTLKh7CoEqJldZXJTO4%3D` Vulnerable Package

More results are available on the CxOne platform

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	~~Cx29ea9bf3-a8eb~~	Npm-macaddress-0.2.8

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Aug 22, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

build(deps): bump sha.js from 2.4.8 to 2.4.12 in /examples/hot #170

build(deps): bump sha.js from 2.4.8 to 2.4.12 in /examples/hot #170

Uh oh!

dependabot bot commented on behalf of github Aug 22, 2025

Uh oh!

ibcheckmarx commented Aug 22, 2025

Uh oh!

Uh oh!

build(deps): bump sha.js from 2.4.8 to 2.4.12 in /examples/hot #170

Are you sure you want to change the base?

build(deps): bump sha.js from 2.4.8 to 2.4.12 in /examples/hot #170

Uh oh!

Conversation

dependabot bot commented on behalf of github Aug 22, 2025

v2.4.12 - 2025-07-01

Commits

v2.4.11 - 2018-03-20

Merged

v2.4.10 - 2018-01-22

Merged

Commits

v2.4.9 - 2017-09-25

Merged

Uh oh!

ibcheckmarx commented Aug 22, 2025

Uh oh!

Uh oh!