fix(deps): update dependency mathjs to v7 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
mathjs (source)	^5.0.4 -> ^7.0.0

GitHub Vulnerability Alerts

CVE-2020-7743

The package mathjs before 7.5.1 are vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates.

---

Prototype Pollution in mathjs

CVE-2020-7743 / GHSA-x2fc-mxcx-w4mf

More information

Details

The package mathjs before 7.5.1 are vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates.

Severity

• CVSS Score: 7.3 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-7743
• https://github.com/josdejong/mathjs/commit/ecb80514e80bce4e6ec7e71db8ff79954f07c57e
• https://github.com/josdejong/mathjs/blob/develop/HISTORY.md#2020-10-10-version-751
• https://github.com/josdejong/mathjs/blob/develop/src/utils/object.js%23L82
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1017113
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1017112
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1017111
• https://snyk.io/vuln/SNYK-JS-MATHJS-1016401
• https://www.npmjs.com/package/mathjs

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

josdejong/mathjs (mathjs)

v7.5.1

Compare Source

• Fix object pollution vulnerability in math.config. Thanks Snyk.

v7.5.0

Compare Source

• Function pickRandom now allows randomly picking elements from matrices
  with 2 or more dimensions instead of only from a vector, see #​1974.
  Thanks @​KonradLinkowski.

v7.4.0

Compare Source

• Implemented support for passing a precision in functions ceil, floor,
  and fix, similar to round, see #​1967, #​1901. Thanks @​rnd-debug.
• Implemented function rotationMatrix, see #​1160, #​1984. Thanks @​rnd-debug.
• Implement a clear error message when using sqrtm with a matrix having
  more than two dimensions. Thanks @​KonradLinkowski.
• Update dependency decimal.js to 10.2.1.

v7.3.0

Compare Source

• Implemented functions usolveAll and lsolveAll, see #​1916. Thanks @​m93a.
• Implemented support for units in functions std and variance, see #​1950.
  Thanks @​rnd-debug.
• Implemented support for binary, octal, and hexadecimal notation in the
  expression parser, and implemented functions bin, oct, and hex for
  formatting. Thanks @​clnhlzmn.
• Fix #​1964: inconsistent calculation of negative dividend modulo for
  BigNumber and Fraction. Thanks @​ovk.

v7.2.0

Compare Source

• Implemented new function diff, see #​1634, #​1920. Thanks @​Veeloxfire.
• Implemented support for norm 2 for matrices in function norm.
  Thanks @​rnd-debug.

v7.1.0

Compare Source

• Implement support for recursion (self-referencing) of typed-functions,
  new in [email protected]. This fixes #​1885: functions which where
  extended with a new data type did not always work. Thanks @​nickewing.
• Fix #​1899: documentation on expression trees still using old namespace
  math.expression.node.* instead of math.*.

v7.0.2

Compare Source

• Fix #​1882: have DenseMatrix.resize and SparseMatrix.resize accept
  DenseMatrix and SparseMatrix as inputs too, not only Array.
• Fix functions sum, prod, min, and max not throwing a conversion error
  when passing a single string, like sum("abc").

v7.0.1

Compare Source

• Fix #​1844: clarify the documentation of function eigs. Thanks @​Lazersmoke.
• Fix #​1855: Fix error in the documentation for math.nthRoots(x).
• Fix #​1856: make the library robust against Object prototype pollution.

v7.0.0

Compare Source

Breaking changes:

• Improvements in calculation of the dot product of complex values.
  The first argument is now conjugated. See #​1761. Thanks @​m93a.
• Dropped official support for Node.js v8 which has reached end of life.
• Removed all deprecation warnings introduced in v6.
  To upgrade smoothly from v5 to v7 or higher, upgrade to v6 first
  and resolve all deprecation warnings.

v6.6.5

Compare Source

• Fix #​1834: value Infinity cannot be serialized and deserialized.
  This is solved now with a new math.replacer function used as
  JSON.stringify(value, math.replacer).
• Fix #​1842: value Infinity not turned into the latex symbol \\infty.

v6.6.4

Compare Source

• Fix published files containing Windows line endings (CRLF instead of LF).

v6.6.3

Compare Source

• Fix #​1813: bug in engineering notation for numbers of function format,
  sometimes resulting in needless trailing zeros.
• Fix #​1808: methods .toNumber() and .toNumeric() not working on a
  unitless unit.
• Fix #​1645: not being able to use named operators mod, and, not, or,
  xor, to, in as object keys. Thanks @​Veeloxfire.
• Fix eigs not using config.epsilon.

v6.6.2

Compare Source

• Fix #​1789: Function eigs not calculating with BigNumber precision
  when input contains BigNumbers.
• Run the build script during npm prepare, so you can use the library
  directly when installing directly from git. See #​1751. Thanks @​cinderblock.

v6.6.1

Compare Source

• Fix #​1725: simplify a/(b/c). Thanks @​dbramwell.
• Fix examples in documentation of row and column.

v6.6.0

Compare Source

• Implemented function eigs, see #​1705, #​542 #​1175. Thanks @​arkajitmandal.
• Fixed #​1727: validate matrix size when creating a DenseMatrix using
  fromJSON.
• Fixed DenseMatrix.map copying the size and datatype from the original
  matrix instead of checking the returned dimensions and type of the callback.
• Add a caret to dependencies (like) ^1.2.3) to allow downstream updates
  without having to await a new release of mathjs.

v6.5.0

Compare Source

• Implemented baseName option for createUnit, see #​1707.
  Thanks @​ericman314.

v6.4.0

Compare Source

• Extended function dimension with support for n-dimensional points.
  Thanks @​Veeloxfire.

v6.3.0

Compare Source

• Improved performance of factorial for BigNumber up to a factor two,
  see #​1687. Thanks @​kmdrGroch.

v6.2.5

Compare Source

• Fixed IndexNode using a hardcoded, one-based implementation of index,
  making it impossible to instantiate a zero-based version of the expression
  parser. See #​782.

v6.2.4

Compare Source

• Fixed #​1669: function 'qr' threw an error if the pivot was zero,
  thanks @​kevinkelleher12 and @​harrysarson.
• Resolves #​942: remove misleading assert in 'qr'. Thanks @​harrysarson.
• Work around a bug in complex.js where sign(0) returns complex NaN.
  Thanks @​harrysarson.

v6.2.3

Compare Source

• Fixed #​1640: function mean not working for units. Thanks @​clintonc.
• Fixed #​1639: function min listed twice in the "See also" section of the
  embedded docs of function std.
• Improved performance of isPrime, see #​1641. Thanks @​arguiot.

v6.2.2

Compare Source

• Fixed methods map and clone not copying the dotNotation property of
  IndexNode. Thanks @​rianmcguire.
• Fixed a typo in the documentation of toHTML. Thanks @​maytanthegeek.
• Fixed #​1615: error in the docs of isNumeric.
• Fixed #​1628: Cannot call methods on empty strings or numbers with value 0.

v6.2.1

Compare Source

• Fixed #​1606: function format not working for expressions.

v6.2.0

Compare Source

• Improved performance of combinationsWithRep. Thanks @​waseemyusuf.
• Add unit aliases bit and byte.
• Fix docs referring to bit and byte instead of bits and bytes.
• Updated dependency [email protected].

v6.1.0

Compare Source

• Implemented function combinationsWithRep (see #​1329). Thanks @​waseemyusuf.

v6.0.4

Compare Source

• Fixed #​1554, #​1565: ES Modules where not transpiled to ES5, giving issues on
  old browsers. Thanks @​mockdeep for helping to find a solution.

v6.0.3

Compare Source

• Add unpkg and jsdelivr fields in package.json pointing to UMD build.
  Thanks @​tmcw.
• Fix #​1550: nested user defined function not receiving variables of an
  outer user defined function.

v6.0.2

Compare Source

• Fix not being able to set configuration after disabling function import
  (regression since v6.0.0).

v6.0.1

Compare Source

• Fix function reference not published in npm library.
• Fix function evaluate and parse missing in generated docs.

v6.0.0

Compare Source

!!! BE CAREFUL: BREAKING CHANGES !!!

Most notable changes

1. Full support for ES modules. Support for tree-shaking out of the box.

   Load all functions:

   import * as math from 'mathjs'

   Use a few functions:

   import { add, multiply } from 'mathjs'

   Load all functions with custom configuration:

   import { create, all } from 'mathjs'
   const config = { number: 'BigNumber' }
   const math = create(all, config)

   Load a few functions with custom configuration:

   import { create, addDependencies, multiplyDependencies } from 'mathjs'
   const config = { number: 'BigNumber' }
   const { add, multiply } = create({
     addDependencies,
     multiplyDependencies
   }, config)

2. Support for lightweight, number-only implementations of all functions:

   import { add, multiply } from 'mathjs/number'
   

3. New dependency injection solution used under the hood.

Breaking changes

• Node 6 is no longer supported.

• Functions config and import are not available anymore in the global
  context:

  // v5
  import * as mathjs from 'mathjs'
  mathjs.config(...) // error in v6.0.0
  mathjs.import(...) // error in v6.0.0

  Instead, create your own mathjs instance and pass config and imports
  there:

  // v6
  import { create, all } from 'mathjs'
  const config = { number: 'BigNumber' }
  const mathjs = create(all, config)
  mathjs.import(...)

• Renamed function typeof to typeOf, var to variance,
  and eval to evaluate. (the old function names are reserved keywords
  which can not be used as a variable name).

• Deprecated the Matrix.storage function. Use math.matrix instead to create
  a matrix.

• Deprecated function math.expression.parse, use math.parse instead.
  Was used before for example to customize supported characters by replacing
  math.parse.isAlpha.

• Moved all classes like math.type.Unit and math.expression.Parser to
  math.Unit and math.Parser respectively.

• Fixed #​1428: transform iterating over replaced nodes. New behavior
  is that it stops iterating when a node is replaced.

• Dropped support for renaming factory functions when importing them.

• Dropped fake BigNumber support of function erf.

• Removed all index.js files used to load specific functions instead of all, like:

  // v5
  // ... set up empty instance of mathjs, then load a set of functions:
  math.import(require('mathjs/lib/function/arithmetic'))
  

  Individual functions are now loaded simply like:

  // v6
  import { add, multiply } from 'mathjs'

  To set a specific configuration on the functions:

  // v6
  import { create, addDependencies, multiplyDependencies } from 'mathjs'
  const config = { number: 'BigNumber' }
  const math = create({ addDependencies, multiplyDependencies }, config)

  See example advanced/custom_loading.js.

• Updated the values of all physical units to their latest official values.
  See #​1529. Thanks @​ericman314.

Non breaking changes

• Implemented units t, tonne, bel, decibel, dB, and prefixes
  for candela. Thanks @​mcvladthegoat.
• Fixed epsilon setting being applied globally to Complex numbers.
• Fix math.simplify('add(2, 3)') throwing an error.
• Fix #​1530: number formatting first applied lowerExp and upperExp
  and after that rounded the value instead of the other way around.
• Fix #​1473: remove 'use strict' in every file, not needed anymore.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert (click for details)
Block		[email protected] has Install scripts. Install script: postinstall Source: echo "Web3.js 4.x alpha has been released for early testing and feedback. Checkout doc at https://docs.web3js.org/ " From: ? → npm/[email protected] ℹ Read more on: This package | This alert | What is an install script? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​celo/​base@​6.1.0

View full report