Skip to content

Bump datatables.net from 1.13.4 to 2.3.2 in /components #12567

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

Bump datatables.net from 1.13.4 to 2.3.2 in /components #12567

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jun 9, 2025

Bumps datatables.net from 1.13.4 to 2.3.2.

Release notes

Sourced from datatables.net's releases.

1.13.11

DataTables 1.13.11

Commits
  • a8ab1ea Sync tag release - 2.3.2
  • fab249b 5bb67c1e7d3916e4f2eef9835b69642e68524704 Release: 2.3.2
  • 511e0fa 637b024e991159090a586050a9911805fd106d62 Docs: Tweak versionCheck docs
  • 0c281ac 4967819fbef5680f538f66951cb7bdae51ec7cdc
  • ca7f5ec 4967819fbef5680f538f66951cb7bdae51ec7cdc
  • 4470ade 4967819fbef5680f538f66951cb7bdae51ec7cdc
  • b9b8873 4967819fbef5680f538f66951cb7bdae51ec7cdc
  • 04b51da 4967819fbef5680f538f66951cb7bdae51ec7cdc
  • 6901b71 4967819fbef5680f538f66951cb7bdae51ec7cdc
  • 5f8e9b7 4967819fbef5680f538f66951cb7bdae51ec7cdc
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump datatables.net from 1.13.4 to 2.3.2 in /components
852e568 
Bumps [datatables.net](https://github.com/DataTables/Dist-DataTables) from 1.13.4 to 2.3.2.
- [Release notes](https://github.com/DataTables/Dist-DataTables/releases)
- [Commits](DataTables/Dist-DataTables@1.13.4...2.3.2)

---
updated-dependencies:
- dependency-name: datatables.net
  dependency-version: 2.3.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 9, 2025
@dependabot dependabot bot requested review from Maffooch and mtesauro as code owners June 9, 2025 13:03
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 9, 2025
@dependabot dependabot bot mentioned this pull request Jun 9, 2025
Closed
@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Jun 9, 2025

DryRun Security

This pull request introduces a potential supply chain risk by adding a new version of datatables.net (2.3.2), which could bring unknown security implications due to the semantic versioning used and the inherent risks of third-party dependencies.

⚠️ Dependency Supply Chain Risk in components/package.json
Vulnerability Dependency Supply Chain Risk
Description The addition of a new version of datatables.net (2.3.2) introduces a potential supply chain risk. While no specific vulnerabilities were found for this exact version, introducing new dependencies always carries an inherent risk of potential security issues. The semantic versioning (^2.3.2) means future updates could automatically pull in versions with unknown security implications. Recommended actions include: conducting a thorough security review of the library, using dependency scanning tools, and carefully vetting any third-party dependencies before inclusion.

django-DefectDojo/components/package.json

Lines 12 to 18 in 852e568

"chosen-bootstrap": "https://github.com/dbtek/chosen-bootstrap",
"chosen-js": "^1.8.7",
"clipboard": "^2.0.11",
"datatables.net": "^2.3.2",
"datatables.net-buttons-bs": "^2.3.6",
"datatables.net-buttons-dt": "^2.3.6",
"datatables.net-colreorder": "^1.6.1",

All finding details can be found in the DryRun Security Dashboard.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Maffooch Maffooch Awaiting requested review from Maffooch Maffooch is a code owner

@mtesauro mtesauro Awaiting requested review from mtesauro mtesauro is a code owner

At least 4 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants