Bump semver, postman-collection and core-js-compat in /web

[dependabot]

Bumps semver to 7.5.4 and updates ancestor dependencies semver, postman-collection and core-js-compat. These dependencies need to be updated together.

Updates semver from 7.0.0 to 7.5.4

Release notes

Sourced from semver's releases.

v7.5.4

7.5.4 (2023-07-07)

Bug Fixes

• cc6fde2 #588 trim each range set before parsing (@​lukekarrys)
• 99d8287 #583 correctly parse long build ids as valid (#583) (@​lukekarrys)

v7.5.3

7.5.3 (2023-06-22)

Bug Fixes

• abdd93d #571 set max lengths in regex for numeric and build identifiers (#571) (@​lukekarrys)

Documentation

• bf53dd8 #569 add example for > comparator (#569) (@​mbtools)

v7.5.2

7.5.2 (2023-06-15)

Bug Fixes

• 58c791f #566 diff when detecting major change from prerelease (#566) (@​lukekarrys)
• 5c8efbc #565 preserve build in raw after inc (#565) (@​lukekarrys)
• 717534e #564 better handling of whitespace (#564) (@​lukekarrys)

v7.5.1

7.5.1 (2023-05-12)

Bug Fixes

• d30d25a #559 show type on invalid semver error (#559) (@​tjenkinson)

v7.5.0

7.5.0 (2023-04-17)

Features

• 503a4e5 #548 allow identifierBase to be false (#548) (@​lsvalina)

Bug Fixes

• e219bb4 #552 throw on bad version with correct error message (#552) (@​wraithgar)
• fc2f3df #546 incorrect results from diff sometimes with prerelease versions (#546) (@​tjenkinson)
• 2781767 #547 avoid re-instantiating SemVer during diff compare (#547) (@​macno)

v7.4.0

7.4.0 (2023-04-10)

... (truncated)

Changelog

Sourced from semver's changelog.

7.5.4 (2023-07-07)

Bug Fixes

• cc6fde2 #588 trim each range set before parsing (@​lukekarrys)
• 99d8287 #583 correctly parse long build ids as valid (#583) (@​lukekarrys)

7.5.3 (2023-06-22)

Bug Fixes

• abdd93d #571 set max lengths in regex for numeric and build identifiers (#571) (@​lukekarrys)

Documentation

• bf53dd8 #569 add example for > comparator (#569) (@​mbtools)

7.5.2 (2023-06-15)

Bug Fixes

• 58c791f #566 diff when detecting major change from prerelease (#566) (@​lukekarrys)
• 5c8efbc #565 preserve build in raw after inc (#565) (@​lukekarrys)
• 717534e #564 better handling of whitespace (#564) (@​lukekarrys)

7.5.1 (2023-05-12)

Bug Fixes

• d30d25a #559 show type on invalid semver error (#559) (@​tjenkinson)

7.5.0 (2023-04-17)

Features

• 503a4e5 #548 allow identifierBase to be false (#548) (@​lsvalina)

Bug Fixes

• e219bb4 #552 throw on bad version with correct error message (#552) (@​wraithgar)
• fc2f3df #546 incorrect results from diff sometimes with prerelease versions (#546) (@​tjenkinson)
• 2781767 #547 avoid re-instantiating SemVer during diff compare (#547) (@​macno)

7.4.0 (2023-04-10)

Features

• 113f513 #532 identifierBase parameter for .inc (#532) (@​wraithgar, @​b-bly)
• 48d8f8f #530 export new RELEASE_TYPES constant (@​hcharley)

... (truncated)

Commits

• 36cd334 chore: release 7.5.4
• 8456d87 chore: postinstall for dependabot template-oss PR
• dde1f00 chore: postinstall for dependabot template-oss PR
• dffcd1b chore: bump @​npmcli/template-oss from 4.16.0 to 4.17.0
• d619f66 chore: postinstall for dependabot template-oss PR
• 3bc4247 chore: bump @​npmcli/template-oss from 4.15.1 to 4.16.0
• cc6fde2 fix: trim each range set before parsing
• 99d8287 fix: correctly parse long build ids as valid (#583)
• 4f0f6b1 chore: fix arguments in whitespace test (#574)
• 6bd1a37 chore: remove duplicate test in semver class (#575)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by npm-cli-ops, a new releaser for semver since your current version.

Updates postman-collection from 4.1.4 to 4.4.0

Changelog

Sourced from postman-collection's changelog.

4.4.0: date: 2024-02-28 new features: - GH-1356 Add new key packages to Script chores: - >- GH-1357 Fixed a bug where invalid JSDoc prevented generating docs and types - GH-1357 Update types for getPath

4.3.0: date: 2023-11-18 new features: - GH-1339 Added getPath method on Item chores: - Updated dependencies

4.2.1: date: 2023-09-11 fixed bugs: - >- GH-1332 Fixed a bug where Variable~update was not updating the description chores: - Updated dependencies

4.2.0: date: 2023-08-03 new features: - GH-1329 Added support for fileName property in formdata request body - GH-1329 Retain string file content while parsing formdata and file bodies chores: - Updated dependencies

4.1.7: date: 2023-01-24 fixed bugs: - GH-1300 Fixed incorrect using typeof operator chores: - GH-1302 Migrate to GitHub Actions - Updated dependencies

4.1.6: date: 2022-11-28 chores: - Updated Travis configuration to use an updated Ubuntu distribution - Updated dependencies

4.1.5: date: 2022-08-02

... (truncated)

Commits

• 9b99f37 Merge branch 'release/4.4.0'
• f907abe Release v4.4.0
• 28b67b1 Add key packages in Script (#1356)
• 13f7ebd Merge pull request #1357 from postmanlabs/fix/jsdoc-error
• a264f03 Update CHANGELOG
• b4ab6e6 Fix errors in generating docs and types
• d332e0c Merge branch 'release/4.3.0'
• a175ec3 Merge branch 'release/4.3.0' into develop
• 1d6e0dd Release v4.3.0
• 64b1c59 Merge pull request #1340 from postmanlabs/dependabot/npm_and_yarn/babel/trave...
• Additional commits viewable in compare view

Updates core-js-compat from 3.21.0 to 3.37.0

Changelog

Sourced from core-js-compat's changelog.

3.37.0 - 2024.04.17

• Changes v3.36.1...v3.37.0
• New Set methods proposal:
  • Built-ins:
    • Set.prototype.intersection
    • Set.prototype.union
    • Set.prototype.difference
    • Set.prototype.symmetricDifference
    • Set.prototype.isSubsetOf
    • Set.prototype.isSupersetOf
    • Set.prototype.isDisjointFrom
  • Moved to stable ES, April 2024 TC39 meeting
  • Added es. namespace modules, /es/ and /stable/ namespaces entries
• Explicit Resource Management stage 3 proposal:
  • Some minor updates like explicit-resource-management/217
• Added Math.sumPrecise stage 2.7 proposal:
  • Built-ins:
    • Math.sumPrecise
• Promise.try proposal:
  • Built-ins:
    • Promise.try
  • Added optional arguments support, promise-try/16
  • Moved to stage 2.7, April 2024 TC39 meeting
• RegExp.escape stage 2 proposal:
  • Moved to hex-escape semantics, regex-escaping/67
    • It's not the final change of the way of escaping, waiting for regex-escaping/77 soon
• Pattern matching stage 1 proposal:
  • Built-ins:
    • Symbol.customMatcher
  • Once again, the used well-known symbol was renamed
  • Added new entries for that
• Added Extractors stage 1 proposal:
  • Built-ins:
    • Symbol.customMatcher
  • Since the Symbol.customMatcher well-known symbol from the pattern matching proposal is also used in the exactors proposal, added an entry also for this proposal
• Added URL.parse, url/825
• Engines bugs fixes:
  • Added a fix of Safari { Object, Map }.groupBy bug that does not support iterable primitives
  • Added a fix of Safari bug with double call of constructor in Array.fromAsync
• Compat data improvements:
  • URL.parse added and marked as supported from FF 126
  • URL.parse added and marked as supported from Bun 1.1.4
  • URL.canParse fixed and marked as supported from Bun 1.1.0
  • New Set methods fixed in JavaScriptCore and marked as supported from Bun 1.1.1
  • Added Opera Android 82 compat data mapping

3.36.1 - 2024.03.19

• Changes v3.36.0...v3.36.1
• Fixed some validation cases in Object.setPrototypeOf, #1329, thanks @​minseok-choe
• Fixed the order of validations in Array.from, #1331, thanks @​minseok-choe

... (truncated)

Commits

• 598d0b2 3.37.0
• a7f3a96 URL.parse added and marked as supported from Bun 1.1.4
• 8957db1 update pattern matching proposal
• 9da401f add Math.sumPrecise
• 80f1d23 add a fix of Safari { Object, Map }.groupBy bug that does not support itera...
• 5b908c2 add a fix of Safari bug with double call of constructor in Array.fromAsync
• 42627a6 Merge pull request #1336 from zloirock/bump-set-methods
• 61abd15 add Opera Android 82 compat data mapping
• 559081f move new Set methods to stable ES
• 66e55a9 URL.parse added and marked as supported from FF 126
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dryrunsecurity]

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Configured Codepaths Analyzer	✅	0 findings
Sensitive Files Analyzer	❕	2 findings
Authn/Authz Analyzer	✅	0 findings
AppSec Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖.
Note that this summary is auto-generated and not meant to be a definitive list of security issues
but rather a helpful summary from a security perspective.

Summary:

The code change in this pull request updates the version of the postman-collection dependency from 4.1.4 to 4.4.0 in the web/package.json file. From an application security perspective, this change is generally not concerning, as the postman-collection library is a utility for working with Postman collections, which are used for API testing and documentation. Upgrading to a newer version of this library is unlikely to introduce any significant security risks, as it is a well-established and widely-used library.

However, it's always a good practice to review the release notes or change logs for the new version of a dependency to ensure that there are no known security vulnerabilities or breaking changes that could impact your application. Additionally, you should consider running thorough integration and regression tests to verify that the updated dependency does not introduce any unexpected behavior or functionality issues. Overall, this code change appears to be a routine library update and does not raise any immediate security concerns. As an application security engineer, you should continue to monitor the security landscape and be prepared to address any potential vulnerabilities that may arise in the future.

Files Changed:

• web/package.json: This file has been updated to change the version of the postman-collection dependency from 4.1.4 to 4.4.0.

Powered by DryRun Security

[guardrails]

⚠️ We detected 1 security issue in this pull request:

Vulnerable Libraries (1)

Severity	Details
Medium	pkg:npm/postman-collection@4.4.0 upgrade to: > 4.4.0

More info on how to fix Vulnerable Libraries in JavaScript.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.