Bumps [test262](https://github.com/tc39/test262) from `0bccacd` to `926b096`.
<details>
<summary>Commits</summary>
<ul>
<li><a href="926b0960d7"><code>926b096</code></a> update nfv3 test for roundingIncrement (<a href="https://github-redirect.dependabot.com/tc39/test262/issues/3441">#3441</a>)</li>
<li><a href="4c7c24646a"><code>4c7c246</code></a> Check a variety of offset Etc/GMT timezones (<a href="https://github-redirect.dependabot.com/tc39/test262/issues/3403">#3403</a>)</li>
<li><a href="fe40aea50c"><code>fe40aea</code></a> Emit fallback day 1</li>
<li><a href="9aaa22cb06"><code>9aaa22c</code></a> Ensure fallback years values are present</li>
<li><a href="ee1f96235b"><code>ee1f962</code></a> Ensure reference data is emitted when calendarName = 'always'</li>
<li><a href="76b0bafba6"><code>76b0baf</code></a> Update test/built-ins/Temporal/Duration/compare/twenty-five-hour-day.js</li>
<li><a href="2aa754b7cf"><code>2aa754b</code></a> Add test for DST balancing</li>
<li><a href="3ab8adc237"><code>3ab8adc</code></a> Require String.prototype.localeCompare to check for canonical equivalence</li>
<li><a href="3eea1a7959"><code>3eea1a7</code></a> Add tests for various invalid ISO strings for PlainDate</li>
<li><a href="ad74a4ebba"><code>ad74a4e</code></a> Rename some "argument-string" tests to be more specific</li>
<li>Additional commits viewable in <a href="0bccacda69...926b0960d7">compare view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
</details>
Bumps [webpack](https://github.com/webpack/webpack) from 5.70.0 to 5.71.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/webpack/webpack/releases">webpack's releases</a>.</em></p>
<blockquote>
<h2>v5.71.0</h2>
<h1>Features</h1>
<ul>
<li>choose smarter default for <code>uniqueName</code> when using an <code>output.library</code> which includes placeholders</li>
<li>add support for expressions with <code>in</code> of an imported binding</li>
<li>generate UMD code with arrow functions when possible</li>
</ul>
<h1>Bugfixes</h1>
<ul>
<li>fix source map source names for ContextModule to be relative</li>
<li>fix <code>chunkLoading</code> option in module module</li>
<li>fix edge case where <code>evaluateExpression</code> returns <code>null</code></li>
<li>retain optional chaining in imported bindings</li>
<li>include runtime code for the base URI even if not using chunk loading</li>
<li>don't throw errors in persistent caching when importing node.js builtin modules via ESM</li>
<li>fix crash when using <code>lazy-once</code> Context modules</li>
<li>improve handling of context modules with multiple contexts</li>
<li>fix race condition HMR chunk loading when importing chunks during HMR updating</li>
<li>handle errors in <code>runAsChild</code> callback</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="c2079f7e76"><code>c2079f7</code></a> 5.71.0</li>
<li><a href="4a0937fdd0"><code>4a0937f</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/webpack/webpack/issues/15578">#15578</a> from webpack/feat/catch-error-in-run-as-child</li>
<li><a href="c3f5897df9"><code>c3f5897</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/webpack/webpack/issues/15586">#15586</a> from webpack/bugfix/chunk-load-during-hmr</li>
<li><a href="c4f1e4e9f0"><code>c4f1e4e</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/webpack/webpack/issues/15611">#15611</a> from webpack/bugfix/esm-build-deps</li>
<li><a href="ab40959467"><code>ab40959</code></a> support node.js builtin modules in esm build dependencies</li>
<li><a href="e1179bf9bb"><code>e1179bf</code></a> fix edge case where a HMR chunk is incorrectly downloaded when loading a unch...</li>
<li><a href="2c200d1656"><code>2c200d1</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/webpack/webpack/issues/15585">#15585</a> from webpack/refactor/support-context-in-dependency</li>
<li><a href="3929e688a4"><code>3929e68</code></a> fix discussions</li>
<li><a href="129477d11d"><code>129477d</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/webpack/webpack/issues/15536">#15536</a> from webpack/fix/issue-15518</li>
<li><a href="5d8a9719ca"><code>5d8a971</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/webpack/webpack/issues/15551">#15551</a> from webpack/fix/issue-15545</li>
<li>Additional commits viewable in <a href="https://github.com/webpack/webpack/compare/v5.70.0...v5.71.0">compare view</a></li>
</ul>
</details>
Bumps [clap](https://github.com/clap-rs/clap) from 3.1.7 to 3.1.8.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/clap-rs/clap/releases">clap's releases</a>.</em></p>
<blockquote>
<h2>v3.1.8</h2>
<h2>[3.1.8] - 2022-04-01</h2>
<h3>Fixes</h3>
<ul>
<li>Add <code>Debug</code> impls to more types</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/clap-rs/clap/blob/master/CHANGELOG.md">clap's changelog</a>.</em></p>
<blockquote>
<h2>[3.1.8] - 2022-04-01</h2>
<h3>Fixes</h3>
<ul>
<li>Add <code>Debug</code> impls to more types</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="08f74046dc"><code>08f7404</code></a> chore: Release</li>
<li><a href="6aa40ad2cb"><code>6aa40ad</code></a> docs: Update changelog</li>
<li><a href="732830a98c"><code>732830a</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/clap-rs/clap/issues/3598">#3598</a> from dragonrider7225/bring-back-debug-impls</li>
<li><a href="17fed36da3"><code>17fed36</code></a> fix: Bring forward Debug impls from v2</li>
<li>See full diff in <a href="https://github.com/clap-rs/clap/compare/v3.1.7...v3.1.8">compare view</a></li>
</ul>
</details>
This Pull Request fixes/closes #1989.
It changes the following:
- Implements `From<f32>` for `JsValue`
Acked-by: Taylor Sutton <tsutton125@gmail.com>
This Pull Request fixes/closes #1998
The call to retrieve operands modifies pc, setting it to the index of
the *next* instruction. So, we save its initial value and use that
for printing.
Bumps [clap](https://github.com/clap-rs/clap) from 3.1.6 to 3.1.7.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/clap-rs/clap/releases">clap's releases</a>.</em></p>
<blockquote>
<h2>v3.1.7</h2>
<h2>[3.1.7] - 2022-03-31</h2>
<h3>Fixes</h3>
<ul>
<li><em>(derive)</em> Abort, rather than ignore, when deriving <code>ArgEnum</code> with non-unit unskipped variants</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/clap-rs/clap/blob/master/CHANGELOG.md">clap's changelog</a>.</em></p>
<blockquote>
<h2>[3.1.7] - 2022-03-31</h2>
<h3>Fixes</h3>
<ul>
<li><em>(derive)</em> Abort, rather than ignore, when deriving <code>ArgEnum</code> with non-unit unskipped variants</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="c75d2642ef"><code>c75d264</code></a> chore: Release</li>
<li><a href="b774370565"><code>b774370</code></a> docs: Update changelog</li>
<li><a href="71ef8878c5"><code>71ef887</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/clap-rs/clap/issues/3591">#3591</a> from Shir0kamii/fix-ArgEnum-non-unit</li>
<li><a href="fb4755d1c3"><code>fb4755d</code></a> feat(derive): Don't abort when non-unit variant is skipped</li>
<li><a href="ee3d12ec56"><code>ee3d12e</code></a> fix(derive): Abort on non-unit variant</li>
<li><a href="06f855f2ab"><code>06f855f</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/clap-rs/clap/issues/3582">#3582</a> from ducaale/fix-docs</li>
<li><a href="d55e46f65f"><code>d55e46f</code></a> docs(mangen): Fix docs for Man::section()</li>
<li><a href="731d18f300"><code>731d18f</code></a> docs(examples): Fix help output</li>
<li><a href="6835dfa978"><code>6835dfa</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/clap-rs/clap/issues/3577">#3577</a> from samueltardieu/fix-arg-help-doc</li>
<li><a href="ef3c2c73d5"><code>ef3c2c7</code></a> docs: arg! macro uses double quotes for help string</li>
<li>Additional commits viewable in <a href="https://github.com/clap-rs/clap/compare/v3.1.6...v3.1.7">compare view</a></li>
</ul>
</details>
Bumps [indexmap](https://github.com/bluss/indexmap) from 1.8.0 to 1.8.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/bluss/indexmap/blob/master/RELEASES.md">indexmap's changelog</a>.</em></p>
<blockquote>
<ul>
<li>
<p>1.8.1</p>
<ul>
<li>The new <code>IndexSet::replace_full</code> will return the index of the item along
with the replaced value, if any, by <a href="https://github.com/zakcutner"><code>@zakcutner</code></a> in PR <a href="https://github-redirect.dependabot.com/bluss/indexmap/pull/222">222</a>.</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="275379c489"><code>275379c</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/bluss/indexmap/issues/222">#222</a> from zakcutner/replace-full</li>
<li><a href="12162abeb0"><code>12162ab</code></a> Release 1.8.1</li>
<li><a href="feb816c4b8"><code>feb816c</code></a> Add a <code>replace_full</code> method on <code>IndexSet</code></li>
<li><a href="d6a9dd6c91"><code>d6a9dd6</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/bluss/indexmap/issues/218">#218</a> from erickt/miri</li>
<li><a href="4dd6619b4c"><code>4dd6619</code></a> Add miri builder</li>
<li><a href="10ee11e56c"><code>10ee11e</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/bluss/indexmap/issues/216">#216</a> from cuviper/dev-dependencies</li>
<li><a href="98de9abe37"><code>98de9ab</code></a> Update dev-dependencies</li>
<li>See full diff in <a href="https://github.com/bluss/indexmap/compare/1.8.0...1.8.1">compare view</a></li>
</ul>
</details>
This removes the only use of the `git2` and `hex` dependencies by reading the test262 submodule commit id directly from the `.git` directory.
Because `git2` depends on a lot of other crates, this removes a bunch of dependencies.
This Pull Request lets true/false/null be used as object property identifiers, when using dot assignment.
`foo.null = 'bar';`
It changes the following:
- AST parsing of member expressions
Trying to fix the issue in #1982, I noticed that we didn't have proper error handling for the boa tester.
This adds the `anyhow` dependency to the tester, which makes it much easier to handle errors and bubble them up with attached context. Thanks to this I was able to easily find out the issue, and I think it could be useful to have it. It gives errors such as this one:
```
Error: could not read the suite test
caused by: error reading sub-suite ./test262/test/built-ins
caused by: error reading sub-suite ./test262/test/built-ins/ShadowRealm
caused by: error reading sub-suite ./test262/test/built-ins/ShadowRealm/WrappedFunction
caused by: error reading test ./test262/test/built-ins/ShadowRealm/WrappedFunction/throws-typeerror-on-revoked-proxy.js
caused by: while scanning a block scalar, found a tab character where an indentation space is expected at line 4 column 3
caused by: while scanning a block scalar, found a tab character where an indentation space is expected at line 4 column 3
```
This Pull Request fixes length properties on multiple array prototype methods that were including rest parameters in the count. More tests should pass.
It changes the following:
- Length properties on some array prototype methods
This Pull Request fixes/closes #1645.
It changes the following:
- Add `features` field to `SuiteResult` structure
- Fetch features from `TestSuite` and propagate them via `SuiteResult`
- Add `FeaturesInfo` structure and serialize it to `features.json`
This Pull Request makes the non-octal-decimal-integer test pass. The test would previously fail for values with multiple leading zeroes.
It changes the following:
- Number lexer
Bumps [minimist](https://github.com/substack/minimist) from 1.2.5 to 1.2.6.
<details>
<summary>Commits</summary>
<ul>
<li><a href="7efb22a518"><code>7efb22a</code></a> 1.2.6</li>
<li><a href="ef88b9325f"><code>ef88b93</code></a> security notice for additional prototype pollution issue</li>
<li><a href="c2b981977f"><code>c2b9819</code></a> isConstructorOrProto adapted from PR</li>
<li><a href="bc8ecee438"><code>bc8ecee</code></a> test from prototype pollution PR</li>
<li>See full diff in <a href="https://github.com/substack/minimist/compare/1.2.5...1.2.6">compare view</a></li>
</ul>
</details>
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/boa-dev/boa/network/alerts).
The `Node::DoWhileLoop` AST node had buggy bytecode generation where `self.patch_jump(exit)` was called after emitting the `LoopEnd` opcode. This would patch the loop exit to the instruction following the do-while code, which would panic in cases where the do-while was enclosed in a block statement.
This Pull Request fixes #1929.
It changes the following:
- Patch jump before emitting `Opcode::LoopEnd`
- Add test which has do while statement inside a block statement to demonstrate that the change fixes the panic.
This Pull Request fixes/closes #1962.
It changes the following:
- When executing arithmetic operations on `JsValue`s, try to use integer operations and fallback to `f64` operations on error.
- Adds tests for serde_json conversions from integer operations.
Bumps [node-forge](https://github.com/digitalbazaar/forge) from 1.2.1 to 1.3.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md">node-forge's changelog</a>.</em></p>
<blockquote>
<h2>1.3.0 - 2022-03-17</h2>
<h3>Security</h3>
<ul>
<li>Three RSA PKCS#1 v1.5 signature verification issues were reported by Moosa
Yahyazadeh (<a href="mailto:moosa-yahyazadeh@uiowa.edu">moosa-yahyazadeh@uiowa.edu</a>).</li>
<li><strong>HIGH</strong>: Leniency in checking <code>digestAlgorithm</code> structure can lead to
signature forgery.
<ul>
<li>The code is lenient in checking the digest algorithm structure. This can
allow a crafted structure that steals padding bytes and uses unchecked
portion of the PKCS#1 encoded message to forge a signature when a low
public exponent is being used. For more information, please see
<a href="https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/">"Bleichenbacher's RSA signature forgery based on implementation
error"</a>
by Hal Finney.</li>
<li>CVE ID: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771">CVE-2022-24771</a></li>
<li>GHSA ID: <a href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765">GHSA-cfm4-qjh2-4765</a></li>
</ul>
</li>
<li><strong>HIGH</strong>: Failing to check trailing garbage bytes can lead to signature
forgery.
<ul>
<li>The code does not check for trailing garbage bytes after decoding a
<code>DigestInfo</code> ASN.1 structure. This can allow padding bytes to be removed
and garbage data added to forge a signature when a low public exponent is
being used. For more information, please see <a href="https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/">"Bleichenbacher's RSA
signature forgery based on implementation
error"</a>
by Hal Finney.</li>
<li>CVE ID: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772">CVE-2022-24772</a></li>
<li>GHSA ID: <a href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g">GHSA-x4jg-mjrx-434g</a></li>
</ul>
</li>
<li><strong>MEDIUM</strong>: Leniency in checking type octet.
<ul>
<li><code>DigestInfo</code> is not properly checked for proper ASN.1 structure. This can
lead to successful verification with signatures that contain invalid
structures but a valid digest.</li>
<li>CVE ID: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773">CVE-2022-24773</a></li>
<li>GHSA ID: <a href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr">GHSA-2r2c-g63r-vccr</a></li>
</ul>
</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>[asn1] Add fallback to pretty print invalid UTF8 data.</li>
<li>[asn1] <code>fromDer</code> is now more strict and will default to ensuring all input
bytes are parsed or throw an error. A new option <code>parseAllBytes</code> can disable
this behavior.
<ul>
<li><strong>NOTE</strong>: The previous behavior is being changed since it can lead to
security issues with crafted inputs. It is possible that code doing custom
DER parsing may need to adapt to this new behavior and optional flag.</li>
</ul>
</li>
<li>[rsa] Add and use a validator to check for proper structure of parsed ASN.1
<code>RSASSA-PKCS-v1_5</code> <code>DigestInfo</code> data. Additionally check that the hash
algorithm identifier is a known value from RFC 8017
<code>PKCS1-v1-5DigestAlgorithms</code>. An invalid <code>DigestInfo</code> or algorithm identifier
will now throw an error.
<ul>
<li><strong>NOTE</strong>: The previous lenient behavior is being changed to be more strict
since it could lead to security issues with crafted inputs. It is possible
that code may have to handle the errors from these stricter checks.</li>
</ul>
</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="6c5b90133d"><code>6c5b901</code></a> Release 1.3.0.</li>
<li><a href="0f3972ad58"><code>0f3972a</code></a> Update changelog.</li>
<li><a href="dc77b39dd3"><code>dc77b39</code></a> Fix error checking.</li>
<li><a href="bb822c02df"><code>bb822c0</code></a> Add advisory links.</li>
<li><a href="d4395fec83"><code>d4395fe</code></a> Update changelog.</li>
<li><a href="a4405bb9d6"><code>a4405bb</code></a> Improve signature verification tests.</li>
<li><a href="aa9372d6dd"><code>aa9372d</code></a> Add missing RFC 8017 algorithm identifiers.</li>
<li><a href="3f0b49a057"><code>3f0b49a</code></a> Fix signature verification issues.</li>
<li><a href="c20f309311"><code>c20f309</code></a> Adjust remaining length.</li>
<li><a href="e27f61230f"><code>e27f612</code></a> Remove unused option.</li>
<li>Additional commits viewable in <a href="https://github.com/digitalbazaar/forge/compare/v1.2.1...v1.3.0">compare view</a></li>
</ul>
</details>
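The node-forge changelog above describes lenient `DigestInfo` parsing and the stricter checks that replace it. The following added example (not code from node-forge or from this repository) models both behaviours on the decoded PKCS#1 v1.5 encoded message; `lenientVerify`, `strictVerify`, the sample byte strings, SHA-256 and a 2048-bit modulus are assumptions, and the strict side uses comparison against a re-encoded message rather than forge's ASN.1 validator.

```javascript
// Added example: strict vs. lenient checks on an RSASSA-PKCS1-v1_5 encoded
// message (EM), the bytes a verifier sees after the RSA public-key operation.
// Every byte string here is constructed sample data, not a real signature.

// DER header of a SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
const SHA256_PREFIX = [
  0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
  0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20,
];
const EM_LEN = 256; // assumed 2048-bit modulus

function concat(...parts) {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) {
    out.set(p, off);
    off += p.length;
  }
  return out;
}

function filled(len, byte) {
  return new Uint8Array(len).fill(byte);
}

// Canonical EM = 00 01 FF..FF 00 || DigestInfo, with at least 8 bytes of FF.
function encodeEM(digest, emLen) {
  const psLen = emLen - 3 - SHA256_PREFIX.length - digest.length;
  if (digest.length !== 32 || psLen < 8) return null;
  return concat([0x00, 0x01], filled(psLen, 0xff), [0x00], SHA256_PREFIX, digest);
}

function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
  return diff === 0;
}

// Strict: rebuild the single valid encoding and compare every byte, so the
// padding length, algorithm parameters and total length are all covered.
function strictVerify(em, digest) {
  const expected = encodeEM(digest, em.length);
  return expected !== null && constantTimeEqual(em, expected);
}

// Lenient model of the behaviour the changelog describes: padding length is
// not checked, AlgorithmIdentifier is skipped by its own length, and bytes
// after the digest are ignored.
function lenientVerify(em, digest) {
  if (em[0] !== 0x00 || em[1] !== 0x01) return false;
  let i = 2;
  while (i < em.length && em[i] === 0xff) i++; // accepts any padding length
  if (em[i] !== 0x00 || em[i + 1] !== 0x30) return false;
  i += 3; // separator, SEQUENCE tag, one length byte
  if (em[i] !== 0x30) return false;
  i += 2 + em[i + 1]; // skip AlgorithmIdentifier without reading it
  if (em[i] !== 0x04) return false;
  const found = em.subarray(i + 2, i + 2 + em[i + 1]);
  return constantTimeEqual(found, digest); // nothing after the digest is checked
}

function runDemo() {
  const digest = filled(32, 0xab); // constructed stand-in for SHA-256(message)
  const info = concat(SHA256_PREFIX, digest);
  const oid = SHA256_PREFIX.slice(4, 15); // OID element: tag, length, 9 bytes
  const samples = {
    valid: encodeEM(digest, EM_LEN),
    // Short padding, then filler bytes after the DigestInfo.
    trailingGarbage: concat([0x00, 0x01], filled(8, 0xff), [0x00], info,
      filled(EM_LEN - 11 - info.length, 0x5a)),
    // Parameters field carries 8 arbitrary bytes instead of NULL (59-byte DigestInfo).
    alteredParameters: concat([0x00, 0x01], filled(EM_LEN - 3 - 59, 0xff), [0x00],
      [0x30, 0x39, 0x30, 0x15], oid, [0x04, 0x08], filled(8, 0xaa),
      [0x04, 0x20], digest),
    wrongDigest: encodeEM(filled(32, 0xcd), EM_LEN),
  };
  const results = {};
  for (const [name, em] of Object.entries(samples)) {
    results[name] = {
      lenient: lenientVerify(em, digest),
      strict: strictVerify(em, digest),
    };
  }
  return results;
}

console.log(runDemo());
```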
Bumps [actions/cache](https://github.com/actions/cache) from 2.1.7 to 3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/actions/cache/releases">actions/cache's releases</a>.</em></p>
<blockquote>
<h2>v3.0.0</h2>
<ul>
<li>
<p>This change adds a minimum runner version(node12 -> node16), which can break users using an out-of-date/fork of the runner. This would be most commonly affecting users on GHES 3.3 or before, as those runners do not support node16 actions and they can use actions from github.com via <a href="https://docs.github.com/en/enterprise-server@3.0/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect">github connect</a> or manually copying the repo to their GHES instance.</p>
</li>
<li>
<p>Few dependencies and cache action usage examples have also been updated.</p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="4b0cf6cc46"><code>4b0cf6c</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/actions/cache/issues/769">#769</a> from actions/users/ashwinsangem/bump_major_version</li>
<li><a href="60c606a2b4"><code>60c606a</code></a> Update licensed files</li>
<li><a href="b6e9a919a7"><code>b6e9a91</code></a> Revert "Updated to the latest version."</li>
<li><a href="c842503583"><code>c842503</code></a> Updated to the latest version.</li>
<li><a href="2b7da2a62c"><code>2b7da2a</code></a> Bumped up to a major version.</li>
<li><a href="deae296ab3"><code>deae296</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/actions/cache/issues/651">#651</a> from magnetikonline/fix-golang-windows-example</li>
<li><a href="c7c46bcb6d"><code>c7c46bc</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/actions/cache/issues/707">#707</a> from duxtland/main</li>
<li><a href="6535c5fb5f"><code>6535c5f</code></a> Regenerated <code>examples.md</code> TOC</li>
<li><a href="3fdafa472e"><code>3fdafa4</code></a> Update GitHub Actions status badge markdown in <code>README.md</code></li>
<li><a href="341e6d75d9"><code>341e6d7</code></a> Merge branch 'actions:main' into fix-golang-windows-example</li>
<li>Additional commits viewable in <a href="https://github.com/actions/cache/compare/v2.1.7...v3">compare view</a></li>
</ul>
</details>
Some of the fields in AST structs were both
1. Arrays
2. Marked as 'flatten'
This is illegal per serde docs (and doesn't really make sense).
The fix is to remove the attribute.
See: https://serde.rs/attr-flatten.html

Fixes: #1920
Co-authored-by: Taras Boiko <me@tboiko.com>
This Pull Request closes #1912 by migrating to an NPM-based build, hopefully making it easier to contribute to the Playground.
Also, reduces the number of features of the editor, since most of them were support for other languages or features that don't make sense in a playground environment. This considerably reduces the number of fetched files per page load and the total size of the playground.
This Pull Request fixes/closes #1942.
`Date.prototype.toDateString` should return a value representing the local date. The Rust `Date` inner value represents UTC time, so it should be adjusted to local time before formatting (see equivalent conversions performed by `to_string` and `to_time_string`).
To verify this is working as intended, run the test suite with your OS timezone set to `GMT+0`, then again with `GMT+10`. The test `date_proto_to_date_string` should pass for each. For me (Ubuntu via WSL), this can be done with `sudo dpkg-reconfigure tzdata`.
This PR also fixes a couple other test cases that used the wrong month value (as noted at the top of the file, JS months are 0-based while `chrono` months are 1-based).
This Pull Request closes #1948.
It changes the following:
- set `readme` in `boa_engine` so `README.md` will be published to crates.io
- remove unnecessary `exclude` field from `Cargo.toml` in all apps
I was unsure whether using a path outside of the workspace root was allowed for `readme` since it [doesn't get included in the release tarball](https://github.com/rust-lang/cargo/issues/5911), but this exact path is used by [juniper](https://github.com/graphql-rust/juniper/blob/master/juniper/Cargo.toml#L13) and [seems to work there](https://crates.io/crates/juniper). I believe `cargo publish` does a bit more than just uploading the tarball, including pulling the `readme` from any arbitrary path.
The default behaviour of `cargo package`/`cargo publish` if neither `exclude` nor `include` is specified is to include all files from the package root, excluding
- dotfiles
- .gitignore'd files
- subpackages (any subdirectory with a `Cargo.toml` file)
- the `/target` directory
There's no need to explicitly exclude files from the parent directory since they're already excluded by default. This can be verified by running `cargo package --list` inside any workspace app:
```plain
$ cd boa_wasm
$ cargo package --list
.gitignore
Cargo.toml
Cargo.toml.orig
src/lib.rs
```
You can read more [here](https://doc.rust-lang.org/cargo/reference/manifest.html#the-exclude-and-include-fields).
Bumps [dyn-clone](https://github.com/dtolnay/dyn-clone) from 1.0.4 to 1.0.5.
<details>
<summary>Commits</summary>
<ul>
<li><a href="1500eb86a6"><code>1500eb8</code></a> Release 1.0.5</li>
<li><a href="91b11c3e66"><code>91b11c3</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/dtolnay/dyn-clone/issues/14">#14</a> from dtolnay/compiletest</li>
<li><a href="6872508710"><code>6872508</code></a> Add ui test for missing DynClone supertrait</li>
<li><a href="358e75127e"><code>358e751</code></a> Detect warnings in CI</li>
<li><a href="61ddd087b6"><code>61ddd08</code></a> Track raw pointers in miri CI run</li>
<li><a href="c5d644a3fa"><code>c5d644a</code></a> Add a miri test job in CI</li>
<li><a href="6c2e4585f2"><code>6c2e458</code></a> Declare minimum Rust version in Cargo metadata</li>
<li><a href="943c9296d4"><code>943c929</code></a> Resolve semicolon_if_nothing_returned pedantic clippy lint</li>
<li><a href="07b1c418d7"><code>07b1c41</code></a> Run clippy on test suite too</li>
<li><a href="15c588114a"><code>15c5881</code></a> Skip clippy job on pull requests</li>
<li>Additional commits viewable in <a href="https://github.com/dtolnay/dyn-clone/compare/1.0.4...1.0.5">compare view</a></li>
</ul>
</details>
Fixes `BigInt` and `Number` comparison, and vice versa. Before we were removing the decimal point of the floating-point number which was causing cases like `0.000001 > 0n` (or `0n < 0.000001`) to fail.
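The comparison bug described in the PR above, as an added example that is not part of the pull request and is not Boa's Rust code: it is written in JavaScript so the language's own `<` operator can serve as the reference. All function names and the sample cases are hypothetical and constructed for illustration.

```javascript
// Behaviour the PR describes as broken: the fraction of the Number is dropped
// before comparing, so 0.000001 becomes 0 and 0n < 0.000001 comes out false.
function truncatingLessThan(big, num) {
  if (Number.isNaN(num)) return undefined;
  if (num === Infinity) return true;
  if (num === -Infinity) return false;
  return big < BigInt(Math.trunc(num));
}

// Comparison that keeps the fraction: compare with the integer part first and
// let the sign of the fraction decide only when the integer parts are equal.
function bigIntLessThanNumber(big, num) {
  if (Number.isNaN(num)) return undefined; // NaN is unordered
  if (num === Infinity) return true;
  if (num === -Infinity) return false;
  const whole = Math.trunc(num); // the integer part of a double is exact
  const wholeBig = BigInt(whole);
  if (big !== wholeBig) return big < wholeBig;
  return num - whole > 0; // positive fraction: big is strictly smaller
}

// The "vice versa" direction (Number on the left-hand side).
function numberLessThanBigInt(num, big) {
  if (Number.isNaN(num)) return undefined;
  if (num === Infinity) return false;
  if (num === -Infinity) return true;
  const whole = Math.trunc(num);
  const wholeBig = BigInt(whole);
  if (wholeBig !== big) return wholeBig < big;
  return num - whole < 0; // negative fraction: num is strictly smaller
}

// Constructed sample inputs as [BigInt, Number] pairs.
const CASES = [
  [0n, 0.000001], [0n, -0.000001], [1n, 1.5], [-1n, -0.5], [2n, 1.5],
  [5n, 5], [9007199254740993n, 9007199254740992], [10n ** 400n, 1e300],
  [0n, NaN], [0n, Infinity], [0n, -Infinity],
];

// Returns the cases where `lessThan(big, num)` disagrees with the native
// operator (an undefined result counts as false, as the operator does).
function mismatches(lessThan) {
  return CASES.filter(([big, num]) => Boolean(lessThan(big, num)) !== (big < num));
}
```

`mismatches(truncatingLessThan)` reports the fractional cases such as `[0n, 0.000001]`, while `mismatches(bigIntLessThanNumber)` is empty.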
Bumps [test262](https://github.com/tc39/test262) from `f7fb969` to `0bccacd`.
<details>
<summary>Commits</summary>
<ul>
<li><a href="0bccacda69"><code>0bccacd</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/tc39/test262/issues/3429">#3429</a> from Igalia/roundingmode-invalid-string</li>
<li><a href="104e5e8fab"><code>104e5e8</code></a> Test more invalid values for roundingMode.</li>
<li><a href="51ce1fa00f"><code>51ce1fa</code></a> Expand some Duration#toString() tests.</li>
<li><a href="c6c31c8dac"><code>c6c31c8</code></a> Add and expand tests for Duration constructor / from().</li>
<li><a href="d45476b9fd"><code>d45476b</code></a> Add a test for observable calls in Temporal.Duration constructor.</li>
<li><a href="50dc96e59e"><code>50dc96e</code></a> Split Array.prototype.Symbol.unscopables tests for features</li>
<li><a href="d8fb00d741"><code>d8fb00d</code></a> Add missing feature flag array-grouping</li>
<li><a href="5fb0f5b6d2"><code>5fb0f5b</code></a> Remove SPACES before features</li>
<li><a href="bc4af482b0"><code>bc4af48</code></a> Fix features by removing leading space</li>
<li>See full diff in <a href="f7fb969cc4...0bccacda69">compare view</a></li>
</ul>
</details>
It changes the following:
- Refreshes the vm and debugging docs to represent the current state
- Fix some bytecode trace output
- Rename a field in the `CodeBlock`