Bump the npm_and_yarn group across 1 directory with 5 updates

[dependabot]

Bumps the npm_and_yarn group with 4 updates in the / directory: elliptic, ethers, fast-xml-parser and @aws-sdk/credential-providers.

Removes elliptic

Updates ethers from 5.7.2 to 6.13.2

Release notes

Sourced from ethers's releases.

ethers/v6.13.2 (2024-07-25 18:20)

• Prevent mutating transactions when signing (#4789; 1a51af8).

ethers/v6.13.1 (2024-06-18 02:37)

• Update ws package to address possible DoS vulnerability (a4b1d1f).

ethers/v6.13.0 (2024-06-04 01:38)

• Added Options for BrowserProvider (#4707; 33bb0bf).
• Fix Result deep toObject when a parent is an Array (#4681; d8cb849).
• Added consistent timeout and cancel behaviour to FetchRequest (#4122; a12a739).

ethers/v6.12.2 (2024-05-30 17:24)

• Copy EIP-4844 properties during estimateGas and call (#4728; cebe5ee).
• Use non-capturing regex for data to prevent memory exhaustion for long strings (#4741; 5463aa0).
• Added Base endpointsto EtherscanProvider (#4729; 7e1dc95).

ethers/v6.12.1 (2024-04-30 23:23)

• Prevent bad Interface clone when using two different versions of v6 (#4689; 4d2d90f).
• Fixed typo in error message for invalid quorum weight (#4149; 45b9b9c).
• Added matic-amoy to EtherescanProvider (#4711; 5c8d17a).
• Fix JsonRpcProvider ignoring pollingInterval in options (#4644; 7b7be0d).

ethers/v6.12.0 (2024-04-17 02:09)

• Added Linea Sepolia network and Infura endpoint (#4655; b4aaab8).
• Do not send unsubscribe messages to destroyed Providers (#4678; c45935e).
• Get definitive network from InfuraProvider when using InfuraWebSocketProvider (38e32d8).
• Better error messages for transaction field mismatch (#4659; 9230aa0).
• Added prevRandao to block (#3372; ec6a754).
• Added Polygon Amoy testnet (#4645; 1717abb).
• Added Chainstack provider (#2741; 014004d).
• Added deep convertion to Result for toObject and toArray (#4681; 03bfe2a).
• Added EIP-4844 broadcast support (92bad88).
• Fix ignored throttle parameters (#4663; 12772e9).

ethers/v6.12.0-beta.1 (2024-03-27 14:47)

• Added EIP-4844 broadcast support.
• Fix ignored throttle parameters (#4663; 12772e9).

ethers/v6.11.1 (2024-02-14 13:47)

• Throw an error when attempting to derive from a master path from a non-master node (#4551; 556fdd9).
• Allow ENS wildcards with labels up to 255 bytes wide; discussed with ENS and deemed safe (#4543; 7f14bde).
• Enforce string is passed to toUtf8Bytes (#4583; f45bb87).
• Fix transaction.index not being populated on some backends (#4591; 7f0e140).

ethers/v6.11.0 (2024-02-08 22:02)

• Allow transaction encoding for inferred type transactions (f02211d).
• Added EIP-4788, receipts root and state root fields to Block (#4570; c5f126f).
• Added EIP-4844 fields to Provider classes and formatter (#4570; 7b4f2c1).
• Assert BrowserProvider receives an EIP-1193 provider to fail early when passing undefined ethereum object (b69f43b).
• Add timeout to ContractTransactionResponse wait (#4497; 095de51).

... (truncated)

Changelog

Sourced from ethers's changelog.

ethers/v6.13.2 (2024-07-25 17:54)

• Prevent mutating transactions when signing (#4789; 1a51af8).

ethers/v6.13.1 (2024-06-18 02:09)

• Update ws package to address possible DoS vulnerability (a4b1d1f).

ethers/v6.13.0 (2024-06-04 01:01)

• Added Options for BrowserProvider (#4707; 33bb0bf).
• Fix Result deep toObject when a parent is an Array (#4681; d8cb849).
• Added consistent timeout and cancel behaviour to FetchRequest (#4122; a12a739).

ethers/v6.12.2 (2024-05-30 17:24)

• Copy EIP-4844 properties during estimateGas and call (#4728; cebe5ee).
• Use non-capturing regex for data to prevent memory exhaustion for long strings (#4741; 5463aa0).
• Added Base endpointsto EtherscanProvider (#4729; 7e1dc95).

ethers/v6.12.1 (2024-04-30 22:46)

• Prevent bad Interface clone when using two different versions of v6 (#4689; 4d2d90f).
• Fixed typo in error message for invalid quorum weight (#4149; 45b9b9c).
• Added matic-amoy to EtherescanProvider (#4711; 5c8d17a).
• Fix JsonRpcProvider ignoring pollingInterval in options (#4644; 7b7be0d).

ethers/v6.12.0 (2024-04-17 01:09)

• Added Linea Sepolia network and Infura endpoint (#4655; b4aaab8).
• Do not send unsubscribe messages to destroyed Providers (#4678; c45935e).
• Get definitive network from InfuraProvider when using InfuraWebSocketProvider (38e32d8).
• Better error messages for transaction field mismatch (#4659; 9230aa0).
• Added prevRandao to block (#3372; ec6a754).
• Added Polygon Amoy testnet (#4645; 1717abb).
• Added Chainstack provider (#2741; 014004d).
• Added deep convertion to Result for toObject and toArray (#4681; 03bfe2a).
• Added EIP-4844 broadcast support (92bad88).
• Fix ignored throttle parameters (#4663; 12772e9).

ethers/v6.11.1 (2024-02-14 13:13)

• Throw an error when attempting to derive from a master path from a non-master node (#4551; 556fdd9).

... (truncated)

Commits

• 1a51af8 Prevent mutating transactions when signing (#4789).
• fc66b8a admin: updated dist files
• c0b364b admin: minor change to force build to pickup nil change for ws upgrade
• a4b1d1f Update ws package to address possible DoS vulnerability.
• 16b8e18 docs: fixed paragraph leaking into code in migration docs
• 9276187 admin: updated dist files
• 90c196a Fix missing return for Result proxy (#4681).
• 5b8781d admin: updated dist files
• e97ca3b Merge branch 'wip-6.13'
• c2d5346 tests: added gasless testcase for RicMoo-controlled domain
• Additional commits viewable in compare view

Updates fast-xml-parser from 4.0.11 to 4.4.1

Release notes

Sourced from fast-xml-parser's releases.

Security Fix

Update to this release if you use entity parsing in Fast XML Parser.

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

4.4.1 / 2024-07-28

• v5 fix: maximum length limit to currency value
• fix #634: build attributes with oneListGroup and attributesGroupName (#653)(By Andreas Naziris)
• fix: get oneListGroup to work as expected for array of strings (#662)(By Andreas Naziris)

4.4.0 / 2024-05-18

• fix #654: parse attribute list correctly for self closing stop node.
• fix: validator bug when closing tag is not opened. (#647) (By Ryosuke Fukatani)
• fix #581: typings; return type of tagValueProcessor & attributeValueProcessor (#582) (By monholm)

4.3.6 / 2024-03-16

• Add support for parsing HTML numeric entities (#645) (By Jonas Schade )

4.3.5 / 2024-02-24

• code for v5 is added for experimental use

4.3.4 / 2024-01-10

• fix: Don't escape entities in CDATA sections (#633) (By wackbyte)

4.3.3 / 2024-01-10

• Remove unnecessary regex

4.3.2 / 2023-10-02

• fix jObj.hasOwnProperty when give input is null (By Arda TANRIKULU)

4.3.1 / 2023-09-24

• revert back "Fix typings for builder and parser to make return type generic" to avoid failure of existing projects. Need to decide a common approach.

4.3.0 / 2023-09-20

• Fix stopNodes to work with removeNSPrefix (#607) (#608) (By [Craig Andrews]https://github.com/candrews))
• Fix #610 ignore properties set to Object.prototype
• Fix typings for builder and parser to make return type generic (By Sarah Dayan)

4.2.7 / 2023-07-30

• Fix: builder should set text node correctly when only textnode is present (#589) (By qianqing)
• Fix: Fix for null and undefined attributes when building xml (#585) (#598). A null or undefined value should be ignored. (By Eugenio Ceschia)

4.2.6 / 2023-07-17

• Fix: Remove trailing slash from jPath for self-closing tags (#595) (By Maciej Radzikowski)

4.2.5 / 2023-06-22

• change code implementation

4.2.4 / 2023-06-06

• fix security bug

4.2.3 / 2023-06-05

• fix security bug

... (truncated)

Commits

• d40e29c update package detail and browser bundles
• d0bfe8a fix maxlength for currency value
• 2c14fcf Update bug-report-or-unexpected-output.md
• acf610f fix #634: build attributes with oneListGroup and attributesGroupName (#653)
• 931e910 fix: get oneListGroup to work as expected for array of strings (#662)
• b8e40c8 Update ISSUE_TEMPLATE.md
• a6265ba chore: add trend image (#658)
• db1c548 redesign README.md
• 338a2c6 Rename 1.Getting Started.md to 1.GettingStarted.md
• c762537 Rename v5 docs filenames (#659)
• Additional commits viewable in compare view

Updates @aws-sdk/credential-providers from 3.245.0 to 3.637.0

Release notes

Sourced from @​aws-sdk/credential-providers's releases.

v3.637.0

3.637.0(2024-08-22)

Chores

• util-endpoints: update aws partitions.json (9d2511b8)
• endpoints: update endpoints model (f7ad4c17)
• models: update API models (842bde9e)
• client-codestar: deprecate CodeStar (#6402) (5327273d)

Documentation Changes

• client-auto-scaling: Amazon EC2 Auto Scaling now provides EBS health check to manage EC2 instance replacement (041f6dd9)

New Features

• client-route-53: Amazon Route 53 now supports the Asia Pacific (Malaysia) Region (ap-southeast-5) for latency records, geoproximity records, and private DNS for Amazon VPCs in that region. (b3d22dec)
• client-emr-containers: Correct endpoint for FIPS is configured for US Gov Regions. (0cd9baec)
• client-inspector2: Add enums for Agentless scan statuses and EC2 enablement error states (52856e7f)
• client-quicksight: Explicit query for authors and dashboard viewing sharing for embedded users (18135bcc)
• client-bedrock: Amazon Bedrock Evaluation BatchDeleteEvaluationJob API allows customers to delete evaluation jobs under terminated evaluation job statuses - Stopped, Failed, or Completed. Customers can submit a batch of 25 evaluation jobs to be deleted at once. (06501cbb)

---

For list of updated packages, view updated-packages.md in assets-3.637.0.zip

v3.636.0

3.636.0(2024-08-21)

Chores

• turbo: simplify build scripts in package.json (#6366) (614d98e1)

Documentation Changes

• link to smithy/middleware-retry in Notable Changes (#6397) (31263194)

New Features

• clients: update client endpoints as of 2024-08-21 (f8aaf1df)
• client-ses: Enable email receiving customers to provide SES with access to their S3 buckets via an IAM role for "Deliver to S3 Action" (aafc6ebd)
• client-entityresolution: Increase the mapping attributes in Schema to 35. (d038be36)
• client-glue: Add optional field JobRunQueuingEnabled to CreateJob and UpdateJob APIs. (b3bbf579)
• client-securityhub: Security Hub documentation and definition updates (17db5f7e)
• client-lambda: Release FilterCriteria encryption for Lambda EventSourceMapping, enabling customers to encrypt their filter criteria using a customer-owned KMS key. (6fff3639)
• client-ec2: DescribeInstanceStatus now returns health information on EBS volumes attached to Nitro instances (1baa7ea8)

---

... (truncated)

Changelog

Sourced from @​aws-sdk/credential-providers's changelog.

3.637.0 (2024-08-22)

Note: Version bump only for package @​aws-sdk/credential-providers

3.635.0 (2024-08-20)

Note: Version bump only for package @​aws-sdk/credential-providers

3.632.0 (2024-08-15)

Note: Version bump only for package @​aws-sdk/credential-providers

3.631.0 (2024-08-14)

Note: Version bump only for package @​aws-sdk/credential-providers

3.630.0 (2024-08-13)

Features

• credential-providers: add custom credential chain helper (#6374) (1a479dc)

3.629.0 (2024-08-12)

Note: Version bump only for package @​aws-sdk/credential-providers

... (truncated)

Commits

• ee762fe Publish v3.637.0
• 2c0f590 Publish v3.635.0
• 704fc47 Publish v3.632.0
• 4825462 Publish v3.631.0
• e11e071 Publish v3.630.0
• 26788b9 docs(credential-providers): add longer explanation about credential function ...
• 1a479dc feat(credential-providers): add custom credential chain helper (#6374)
• 31e78b5 Publish v3.629.0
• 7b4b333 Publish v3.624.0
• 2acbcdb Publish v3.623.0
• Additional commits viewable in compare view

Updates ws from 7.4.6 to 8.17.1

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the [--max-http-header-size=size][] and/or the [maxHeaderSize][] options so that no more headers than the server.maxHeadersCount limit can be sent.

... (truncated)

Commits

• 3c56601 [dist] 8.17.1
• e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
• 6a00029 [test] Increase code coverage
• ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
• b73b118 [dist] 8.17.0
• 29694a5 [test] Use the highWaterMark variable
• 934c9d6 [ci] Test on node 22
• 1817bac [ci] Do not test on node 21
• 96c9b3d [major] Flip the default value of allowSynchronousEvents (#2221)
• e5f32c7 [fix] Emit at most one event per event loop iteration (#2218)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[changeset-bot]

⚠️ No Changeset found

Latest commit: c16bdf1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/ethers@6.13.2	network Transitive: environment	+7	19.8 MB	ricmoo

🚮 Removed packages: npm/ethers@5.7.2)

View full report↗︎