Summary:
Bumps [engine.io](https://github.com/socketio/engine.io) from 3.6.0 to 3.6.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/socketio/engine.io/releases">engine.io's releases</a>.</em></p>
<blockquote>
<h2>3.6.1</h2>
<p>⚠️ This release contains an important security fix ⚠️</p>
<p>A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:</p>
<pre><code>Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}
</code></pre>
<p>Please upgrade as soon as possible.</p>
<h3>Bug Fixes</h3>
<ul>
<li>catch errors when destroying invalid upgrades (<a href="83c4071af8">83c4071</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/socketio/engine.io/blob/main/CHANGELOG.md">engine.io's changelog</a>.</em></p>
<blockquote>
<h2><a href="https://github.com/socketio/engine.io/compare/3.6.0...3.6.1">3.6.1</a> (2022-11-20)</h2>
<p>⚠️ This release contains an important security fix ⚠️</p>
<p>A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:</p>
<pre><code>Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}
</code></pre>
<p>Please upgrade as soon as possible.</p>
<h3>Bug Fixes</h3>
<ul>
<li>catch errors when destroying invalid upgrades (<a href="83c4071af8">83c4071</a>)</li>
</ul>
<h2><a href="https://github.com/socketio/engine.io/compare/6.2.0...6.2.1">6.2.1</a> (2022-11-20)</h2>
<p>⚠️ This release contains an important security fix ⚠️</p>
<p>A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:</p>
<pre><code>Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}
</code></pre>
<p>Please upgrade as soon as possible.</p>
<h3>Bug Fixes</h3>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="67a3a87859"><code>67a3a87</code></a> chore(release): 3.6.1</li>
<li><a href="83c4071af8"><code>83c4071</code></a> fix: catch errors when destroying invalid upgrades</li>
<li>See full diff in <a href="https://github.com/socketio/engine.io/compare/3.6.0...3.6.1">compare view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `dependabot rebase`.
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `dependabot rebase` will rebase this PR
- `dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `dependabot merge` will merge this PR after your CI passes on it
- `dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `dependabot cancel merge` will cancel a previously requested merge and block automerging
- `dependabot reopen` will reopen this PR if it is closed
- `dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/facebook/yoga/network/alerts).
</details>
Pull Request resolved: https://github.com/facebook/yoga/pull/1178
Reviewed By: javache
Differential Revision: D41553525
Pulled By: NickGerleman
fbshipit-source-id: 78f520c4e102eebcf505f59f6beced5216e25ef1
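
Added example (not part of the commit message above and not engine.io's code): the crash in the quoted release notes follows from Node's rule that an `'error'` event with no listener is thrown, and the fix title "catch errors when destroying invalid upgrades" corresponds to registering a listener before the socket is torn down. `FakeSocket`, `rejectUpgradeUnsafe`, `rejectUpgradeSafe` and `resetAfterReject` are hypothetical names, and the socket is a constructed stand-in so the code runs offline.

```javascript
// Added example: FakeSocket is a constructed stand-in for a TCP socket.
const { EventEmitter } = require("events");

const BAD_REQUEST = "HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n";

class FakeSocket extends EventEmitter {
  writable = true;
  write() { return true; }
  destroy() { this.writable = false; }
  // Simulate the peer resetting the connection (constructed error object).
  simulateReset() {
    const err = Object.assign(new Error("read ECONNRESET"), { code: "ECONNRESET" });
    this.emit("error", err); // throws when no 'error' listener is registered
  }
}

// Unhardened: the upgrade is rejected with no 'error' listener on the socket.
function rejectUpgradeUnsafe(socket) {
  if (socket.writable) socket.write(BAD_REQUEST);
  socket.destroy();
}

// Hardened: listen for 'error' first, so a late reset is recorded, not thrown.
function rejectUpgradeSafe(socket, ignored) {
  socket.on("error", (err) => ignored.push(err.code));
  if (socket.writable) socket.write(BAD_REQUEST);
  socket.destroy();
}

// Returns the error code that escaped the socket, or null if it was handled.
function resetAfterReject(reject, ignored) {
  const socket = new FakeSocket();
  reject(socket, ignored);
  try {
    socket.simulateReset();
    return null;
  } catch (err) {
    return err.code;
  }
}

function demo() {
  const ignored = [];
  const unsafe = resetAfterReject(rejectUpgradeUnsafe, ignored);
  const safe = resetAfterReject(rejectUpgradeSafe, ignored);
  return { unsafe, safe, ignored };
}

console.log(demo());
```

On a real server the reset is emitted from a later tick, so the throw has no caller to catch it and surfaces as the uncaught exception shown in the trace.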
Summary:
Bumps [socket.io-parser](https://github.com/socketio/socket.io-parser) from 3.3.2 to 3.3.3.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/socketio/socket.io-parser/blob/main/CHANGELOG.md">socket.io-parser's changelog</a>.</em></p>
<blockquote>
<h2><a href="https://github.com/Automattic/socket.io-parser/compare/3.3.2...3.3.3">3.3.3</a> (2022-11-09)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>check the format of the index of each attachment (<a href="fb21e422fc">fb21e42</a>)</li>
</ul>
<h2><a href="https://github.com/socketio/socket.io-parser/compare/3.4.1...3.4.2">3.4.2</a> (2022-11-09)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>check the format of the index of each attachment (<a href="04d23cecaf">04d23ce</a>)</li>
</ul>
<h2><a href="https://github.com/socketio/socket.io-parser/compare/4.2.0...4.2.1">4.2.1</a> (2022-06-27)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>check the format of the index of each attachment (<a href="b5d0cb7dc5">b5d0cb7</a>)</li>
</ul>
<h2><a href="https://github.com/socketio/socket.io-parser/compare/4.0.4...4.0.5">4.0.5</a> (2022-06-27)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>check the format of the index of each attachment (<a href="b559f050ee">b559f05</a>)</li>
</ul>
<h1><a href="https://github.com/socketio/socket.io-parser/compare/4.1.2...4.2.0">4.2.0</a> (2022-04-17)</h1>
<h3>Features</h3>
<ul>
<li>allow the usage of custom replacer and reviver (<a href="https://github-redirect.dependabot.com/socketio/socket.io-parser/issues/112">https://github.com/facebook/yoga/issues/112</a>) (<a href="b08bc1a93e">b08bc1a</a>)</li>
</ul>
<h2><a href="https://github.com/socketio/socket.io-parser/compare/4.1.1...4.1.2">4.1.2</a> (2022-02-17)</h2>
<h3>Bug Fixes</h3>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="cd11e38e1a"><code>cd11e38</code></a> chore(release): 3.3.3</li>
<li><a href="fb21e422fc"><code>fb21e42</code></a> fix: check the format of the index of each attachment</li>
<li>See full diff in <a href="https://github.com/socketio/socket.io-parser/compare/3.3.2...3.3.3">compare view</a></li>
</ul>
</details>
Pull Request resolved: https://github.com/facebook/yoga/pull/1172
Reviewed By: christophpurrer
Differential Revision: D41177051
Pulled By: NickGerleman
fbshipit-source-id: 66ee5defdd185cffe52c0cc077efb979937293bb
Summary:
Pull Request resolved: https://github.com/facebook/yoga/pull/1164
Yoga CI in GitHub is currently running using Node 8, released in 2017. It has long been out of support, and is not able to install many of the packages in the updated lockfile due to version restrictions in the new packages.
Node 12 is able to install the current lockfile. Although it is old enough that security support ended for it 5 months ago, `yoga-layout` currently fails to install on Node 12+, because a dependency, `nbind`, was reliant on V8 internals that have changed between versions, and has not published a version supporting anything later than Node 10.
There are unpublished commits in the official repo which add Node 12 support. So, we use that version when developing against the website, to jump us to something more up to date, without rewriting or removing all of the JS bindings quite yet.
Reviewed By: yungsters
Differential Revision: D40036466
fbshipit-source-id: e1b775d87854250bd74fa17ca7ba939b32aa3bd8
Summary:
Yoga has 35 open dependabot PRs targeting these two packages. This change generates fresh lockfiles for each version, which should close most of them I think.
For each lockfile:
1. Delete lockfile
2. Run `yarn --ignore-scripts`
Full-fat rebuilds of lockfiles are normally a bit dangerous compared to more targeted dependency upgrades, but rebuilding the lockfile felt like a better option because of the duration since the last update, the number of pending updates, and the low risk due to neither package being installable on Node 12+ at the moment.
allow-large-files
Reviewed By: mdvacca
Differential Revision: D39987360
fbshipit-source-id: 86febac73b90b6c9f1fe2345325b59d14463d28b
Summary:
This gets us on the latest Prettier 2.x:
https://prettier.io/blog/2020/03/21/2.0.0.html
Notably, this adds support for TypeScript 3.8,
which introduces new syntax, such as `import type`.
Reviewed By: zertosh
Differential Revision: D20636268
fbshipit-source-id: fca5833d003804333a05ba16325bbbe0e06d6c8a
Summary:
@public
This bumps Prettier to v1.16.4
Only format source files were updated.
Reviewed By: mjesun
Differential Revision: D14454893
fbshipit-source-id: 72f9872fe764a79dbf0d9fab9bebb1456b039f2f
Summary:
Updates all dependencies of the website to their latest version. This is made due to CVE-2018-3728 and a vulnerable version of `hoek` used in a transitive dependency of the website. This updates `hoek` to v4.2.1, which is not affected.
allow-large-files
Reviewed By: astreet
Differential Revision: D8734272
fbshipit-source-id: 3e96ea5890190f7d7b83cc4c18121fc925411f69
Summary:
On the first render the landing page was missing a CSS class. This is probably related to https://github.com/gatsbyjs/gatsby/issues/5136
It is fixed by wrapping the page in a `<div>`.
Reviewed By: priteshrnandgaonkar
Differential Revision: D8660801
fbshipit-source-id: dd1ac4145831f2556e2c7ceeaddb2a423447f833
Summary:
@public
Bump Prettier to use version 1.13.4
All code changes are caused by running Prettier and should only affect files that have a `format` header.
All other changes caused by yarn.
Reviewed By: ryanmce
Differential Revision: D8251255
fbshipit-source-id: 0b4445c35f1269d72730f2000002a27c1bc35914
Summary:
Updates Prettier to v1.12.1, using `xplat/js/scripts/prettier-bump.js` based on the playbook by https://our.intern.facebook.com/intern/wiki/Prettier/upgrade-guide/
All changes related to upgrading or running Prettier
allow-many-files
allow-large-files
bypass-lint
drop-conflicts
ignore-conflict-markers
ignore-signed-source
ignore-nocommit
Reviewed By: benjaffe, ryanmce, yungsters
Differential Revision: D7652946
fbshipit-source-id: 396d45c675e93f2298cd2920d927630c81867447
Summary:
Sets up a skeleton for the new yoga website using gatsby static site generator
allow-large-files
Reviewed By: emilsjolander
Differential Revision: D6952326
fbshipit-source-id: 7579bc80bec21552689da5b78f3d960910ff13bb