v2.0.74

Update dependency balena-io/balena-cli to v18.2.33

Notable changes

-actions/setup-node (actions/setup-node)

• patch: etcher-sdk is not yet compatible with node22 [JOASSART Edwin]
• minor: allow passing custom assets to start SB protected CM4 [Edwin Joassart]
  -balena-io-modules/etcher-sdk (etcher-sdk)
• patch: use http2 to fix issues with url source [Edwin Joassart]
• patch: remove CI workaround [Edwin Joassart]
• patch: add option to allow listing virtual drive on Mac [JOASSART Edwin]
  -dominictarr/event-stream (event-stream)
• Removed support for Node versions 11 and below.
• The verify() function no longer accepts unsigned tokens by default. ([8345030]auth0/node-jsonwebtoken@8345030)
• RSA key size must be 2048 bits or greater. ([ecdf6cc]auth0/node-jsonwebtoken@ecdf6cc)
• Key types must be valid for the signing / verification algorithm
• security: fixes Arbitrary File Write via verify function - CVE-2022-23529
• security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
• security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
• security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539
  -auth0/node-jsonwebtoken (jsonwebtoken)
• Update @​​actions/artifact dependency by @​​bethanyj28 in https://github.com/actions/download-artifact/pull/325
• updating @actions/artifact dependency to v2.1.6 by @​​eggyhead in https://github.com/actions/download-artifact/pull/324
• Update readme with v3/v2/v1 deprecation notice by @​​robherley in https://github.com/actions/download-artifact/pull/322
• Update dependencies @actions/core to v1.10.1 and @actions/artifact to v2.1.5
• Update @​​actions/artifact by @​​bethanyj28 in https://github.com/actions/download-artifact/pull/307
• Update release-new-action-version.yml by @​​konradpabjan in https://github.com/actions/download-artifact/pull/292
• Update toolkit dependency with updated unzip logic by @​​bethanyj28 in https://github.com/actions/download-artifact/pull/299
• Update @​​actions/artifact by @​​bethanyj28 in https://github.com/actions/download-artifact/pull/303
• @​​bethanyj28 made their first contribution in https://github.com/actions/download-artifact/pull/299
• Bump @​​actions/artifacts to latest version to include updated GHES host check
• Fix transient request timeouts https://github.com/actions/download-artifact/issues/249
• Bump @actions/artifacts to latest version
  -actions/download-artifact (actions/download-artifact)

balena-io/balena-cli (balena-io/balena-cli)

v18.2.33

Compare Source

v18.2.32

Compare Source

v18.2.31

Compare Source

a39a772 (Deduplicate dependencies, 2024-07-15)
efa0d67 (deploy: Use the sdk's pine instance with balena-compose, 2024-07-15)
232b967 (Update balena-sdk to 19.7.3, 2024-07-13)

v18.2.30

Compare Source

4e101e2 (Omit unicode control character escapes from test logs, 2024-07-13)
9f9fd97 (Deduplicate dependencies, 2024-07-13)

v18.2.29

Compare Source

3c64e13 (Update balena-preload from 15.0.5 to 15.0.6, 2024-07-11)

v18.2.28

Compare Source

79fcd95 (Downgrade pinejs-client-request to 7.4.2 to unblock the sdk update, 2024-07-12)
33199ac (Update balena-sdk to 19.7.2, 2024-07-12)

v18.2.27

Compare Source

1702f8b (Update balena-sdk to 19.5.5, 2024-07-12)

v18.2.26

Compare Source

1bc0f74 (Drop unused dependencies, 2024-07-11)
f65215e (Move dependencies that should be dev only as devDependencies, 2024-07-11)

v18.2.25

Compare Source

b1073ca (Fix complete generation intermitency, 2024-07-10)
e659e35 (Bump oclif to v4, 2024-07-10)

v18.2.24

Compare Source

19a60bb (Update mocha from 8.4.0 to 10.6.0, 2024-07-10)
d1a6f75 (Override inline-source-cli with non-vulnerable dependency, 2024-07-10)

v18.2.23

Compare Source

7273656 (Replace resin-discoverable-services with bonjour-service, 2024-07-09)

v18.2.22

Compare Source

1749937 (Remove unused dependency minimatch, 2024-07-10)

v18.2.21

Compare Source

6c89ba4 (Bump resin-discoverable-services from 2.0.4 to 2.0.5, 2024-07-09)

v18.2.20

Compare Source

b6d1afa (Audit fix dependencies, 2024-07-05)

v18.2.19

Compare Source

93e597a (Remove unused package publish-release, 2024-07-05)

v18.2.18

Compare Source

Update actions/setup-node action to v4

Notable changes

actions/setup-node (actions/setup-node)

v4

Compare Source

List of commits

c30a1dc (Update actions/setup-node action to v4, 2024-07-02)

v18.2.17

[Compare Source](https://github.com/balena-i...

v2.0.73

Update Node.js to v18.20.4

Notable changes

• CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
• CVE-2024-22020 - Bypass network import restriction via data URL (Medium)
• [85abedf1ff] - lib,esm: handle bypass network-import via data: (RafaelGSS) nodejs-private/node-private#522
• [eccd63b865] - src: handle permissive extension on cmd check (RafaelGSS) nodejs-private/node-private#596

nodejs/node (node)

v18.20.4: 2024-07-08, Version 18.20.4 'Hydrogen' (LTS), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

• CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
• CVE-2024-22020 - Bypass network import restriction via data URL (Medium)

Commits

• [85abedf1ff] - lib,esm: handle bypass network-import via data: (RafaelGSS) nodejs-private/node-private#522
• [eccd63b865] - src: handle permissive extension on cmd check (RafaelGSS) nodejs-private/node-private#596

List of commits

45ef26f (Update Node.js to v18.20.4, 2024-07-25)

v2.0.72

66f6534 (Lock file maintenance, 2024-06-17)

v2.0.71

633d4c3 (Lock file maintenance, 2024-06-10)

v2.0.70

6af37d0 (Lock file maintenance, 2024-06-03)

v2.0.69

bbe7bc1 (Lock file maintenance, 2024-05-27)

v2.0.66

e50348c (Lock file maintenance, 2024-05-13)

v2.0.65

5fad53b (Lock file maintenance, 2024-05-06)

v2.0.64

f141b0c (Update dependency balena-io/balena-cli to v18.2.2, 2024-04-30)

v2.0.63

85d30a2 (Lock file maintenance, 2024-04-29)