fix(deps): update dependency mathjs to v15 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
mathjs (source)	^14.0.0 → ^15.2.0

GitHub Vulnerability Alerts

GHSA-jvff-x2qm-6286

Impact

Two security vulnerabilities, the first of which was introduced in version 13.1.0, were detected that allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser.

Patches

The problem is patched in mathjs v15.2.0.

Workarounds

There is no workaround without upgrading.

Severity

• CVSS Score: 8.8 / 10 (High)
• Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

---

Release Notes

josdejong/mathjs (mathjs)

v15.2.0

Compare Source

• Feat: Add amp-hour charge unit Ah (#​3617). Thanks @​adrfantini.
• Feat: #​3595 implement num and den functions returning the parts of
  a fraction (#​3605). Thanks @​AnslemHack.
• Fix: Provide TypeScript types for [and/or]TransformDependencies (#​3639).
  Thanks @​NilsDietrich.
• Fix: two security vulnerabilities that allowed executing arbitrary JavaScript
  via the expression parser. Thanks @​CykuTW for finding and reporting them.

v15.1.1

Compare Source

• Fix: #​3631 Handle bigints in compareNatural (#​3632). Thanks @​Dheemanth07.
• Fix: #​3578 interpret empty true-expr of conditional as error (#​3581).
  Thanks @​gwhitney.
• Fix: #​3597 added nullish type definitions (#​3601). Thanks @​Ayo1984.
• Docs: Correct several arithmetic and relational documentation examples
  and add History (#​3630). Thanks @​Anadian.
• Docs: fix #​3565, update Matrix documentation (#​3591). Thanks @​orelbn.
• Docs: #​3341 add per-function HISTORY sections (#​3606). Thanks @​gwhitney.
• Docs: describe that setDistinct sorts the elements (see #​3602).

v15.1.0

Compare Source

• Fix: #​3578 interpret empty true-expr of conditional as error (#​3581).
  Thanks @​gwhitney.
• Docs: fix #​3565, update Matrix documentation (#​3591). Thanks @​orelbn.

v15.0.0

Compare Source

!!! BE CAREFUL: BREAKING CHANGES !!!

• Feat: #​3349 Decouple precedence of unary percentage operator and binary
  modulus operator (that both use symbol %), and raise the former (#​3432).
  Thanks @​kiprobinsonknack.
• Feat: #​1753 enhance Kronecker product to handle arbitrary dimension (#​3461,
  #​3455). Thanks @​gwhitney and @​Delaney.
• Feat: #​2344 matrix subset according to the type of input (#​3485).
  Thanks @​dvd101x.
• Fix: #​3501 parse % as unary only when not followed by a term (#​3505).
  Thanks @​gwhitney.
• Fix: #​3421 require a space or delimiter after hex, bin, and oct values (#​3463).
• Fix: #​3529 Change function size to always return an Array (#​3535).
• Fix: #​3530 throw an error when trying to flatten a SparseMatrix (#​3536).

v14.9.1

Compare Source

• Fix: issue in HISTORY.md listing all fixes of v14.8.2 under v14.9.0.

v14.9.0

Compare Source

• Feat: improve the performance of map with multiple arguments (#​3526).
  Thanks @​dvd101x.
• Fix: #​3541 throw an error when evaluating a range with a step of zero
  (#​3548). Thanks @​dvd101x.

v14.8.2

Compare Source

• Fix: improve performance in functions like map when passing a unary
  function (#​3546). Thanks @​dvd101x.
• Fix: improve the type definition of abs(complex) which returns a number
  (#​3543). Thanks @​joshkel.
• Fix: add missing type definitions for ctranspose (#​3545). Thanks @​joshkel.
• Fix: typos in code comments (#​3544). Thanks @​joshkel.

v14.8.1

Compare Source

• Fix: #​3538 config printing a warning when using { number: 'bigint' }
  (#​3540).

v14.8.0

Compare Source

• Feat: #​3353 support for the nullish coalescing operator ?? in the
  expression parser (#​3497). Thanks @​ikemHood.

v14.7.0

Compare Source

• Feat: faster DenseMatrix symbol iterator (#​3521). Thanks @​dvd101x.
• Feat: implement serialization support for Parser, fixing #​3509 (#​3525).
• Fix: #​3519, #​3368 categories "Core functions" and "Construction functions"
  missing from the generated function overview.
• Fix: #​3517 printTransformDependencies not exported in the type definitions.
• Fix: add missing type definition for function diff (#​3520). Thanks @​dodokw.
• Fix: #​3396 improve documentation of function range.
• Fix: #​3523 cleanup old polyfills from the browser bundle
  by removing core-js (#​3524).

v14.6.0

Compare Source

• Feat: new function toBest(unit, unitList, offset), and corresponding
  method unit.toBest(...) (#​3484). Thanks @​Mundi93, @​EliaAlesiani, and
  @​HeavyRainLQ.
• Fix: #​3512 sign of zero not returning zero in case of a fraction (#​3513).
  Thanks @​kyle-compute.

v14.5.3

Compare Source

• Fix: #​2199 parse non-breaking white space   as white space
  (#​3487). Thanks donmccurdy.
• Fix: refine the type definitions of scope (#​3490). Thanks @​JayChang4w.
• Fix: #​3493 type definitions of unit(number) (#​3495). Thanks @​mrft.
• Fix: #​3494 type definitions not supporting unit.to(unit) (#​3495).
  Thanks @​mrft.
• Fix: #​3499 refine type definitions of add and multiply to not allow zero
  or one argument (#​3495). Thanks @​mrft.

v14.5.2

Compare Source

• Fix: add embedded docs for the deprecated physical constant coulomb,
  see #​3472.
• Fix: #​3469 add ResultSet interface and improve isResultSet typing
  (#​3481). Thanks @​ranidam.

v14.5.1

Compare Source

• Fix: #​3482 mathjs throwing an error related to BigInt when loading in
  specific environments.
• Fix: syntax section of function numeric (see #​3448).
• Fix: #​3472 rename physical constant coulomb to coulombConstant. The old
  name is still available for backward compatibility.
• Fix: support multiplication of arrays with units (#​3456). Thanks @​Delaney.

v14.5.0

Compare Source

• Feat: improve the performance of the map and forEach methods of
  DenseMatrix (#​3446). Thanks @​dvd101x.
• Feat: improve the performance of subset (#​3467). Thanks @​dvd101x.
• Feat: define embedded docs for compile, evaluate, parse, and parser,
  and add tests for the examples in embedded docs (#​3413). Thanks @​dvd101x.
• Fix: #​3450 support multiplication of valueless units by arbitrary types
  (#​3454).
• Fix: #​3474 correctly parse (lbf in) (#​3476). Thanks @​costerwi.

v14.4.0

Compare Source

• Feat: improve the performance of function flatten (#​3400). Thanks @​dvd101x.
• Feat: improve the performance of map and forEach (#​3409).
  Thanks @​dvd101x.
• Feat: add LaTeX representation for fractions (#​3434, #​3419). Thanks @​orelbn.
• Fix: #​3422 allow dot operators after symbol E (#​3425).
• Fix: issue in the nthRoots latex function template string (#​3427).
  Thanks @​aitee.
• Fix: upgrade to the latest version of @babel/runtime.

v14.3.1

Compare Source

• Fix: #​3350 cannot import a constant that is a complex number.

v14.3.0

Compare Source

• Feat: improved performance of function flatten (#​3354). Thanks @​dvd101x.
• Feat: improved performance of DenseMatrix Symbol.iterator (#​3395).
  Thanks @​dvd101x.
• Feat: improved performance of functions map and forEach (#​3399).
  Thanks @​dvd101x.
• Fix: #​3390 issue in callback optimization and add error handling for invalid
  argument types (#​3394). Thanks @​dvd101x.
• Fix: #​3356 add missing eigsDependencies export to TypeScript definitions
  (#​3397). Thanks @​porst17.
• Fix: #​3406 infer the correct type for multi-dimensional arrays in function
  multiply (#​3408). Thanks @​orelbn.
• Fix: #​3387 use utility math.isNaN for consistent max and min results
  (#​3389). Thanks @​orelbn.

v14.2.1

Compare Source

• Fix: #​3377 remove redundant dependency @lambdatest/node-tunnel.

v14.2.0

Compare Source

• Feat: #​3041, #​3340 rename apply to mapSlices (#​3357). Function
  apply is still available but is now marked deprecated. Thanks @​gwhitney.
• Fix: #​3247 don't override type-native floor/ceil within tolerance of value
  (#​3369). Thanks @​gwhitney.
• Fix: #​3360 add bigint support to matrix indices and ranges (#​3361).
  Thanks @​gwhitney.
• Fix: #​3115 type definitions for matrixFrom* (#​3371). Thanks @​Hudsxn
  and @​gwhitney.

v14.1.0

Compare Source

• Feat: implement bigint support in functions log, log2, log10,
  larger, smaller, max, min (#​3345). Thanks @​gwhitney.
• Fix: #​3342 hexadecimal input not turned into a bigint (#​3348).
• Fix randomInt() not working (#​3345).
• Docs: fixed description of sign in the embedded docs (#​3338).
  Thanks @​witer33.

v14.0.1

Compare Source

• Fix: make derivative much faster (#​3322). Thanks @​paulftw.
• Fix: #​3317 export Fraction type from the fraction.js library instead of
  using a custom interface (#​3330). Thanks @​fchu.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dpebot]

/gcbrun

[gemini-code-assist]

Code Review

This pull request updates the mathjs dependency from ^14.0.0 to ^15.0.0 in the sample package files for google-cloud-automl and google-cloud-language. Feedback indicates that the current update to ^15.0.0 still allows for vulnerable versions; it is recommended to update to at least ^15.2.0 to address security vulnerability GHSA-jvff-x2qm-6286.

[gemini-code-assist]

The security vulnerabilities (GHSA-jvff-x2qm-6286) are patched in mathjs version 15.2.0. The current range ^15.0.0 allows for vulnerable versions (such as 15.0.0 or 15.1.1) to be resolved. Updating the minimum version to ^15.2.0 ensures that the security fix is applied.

Suggested change

	"mathjs": "^15.0.0",
	"mathjs": "^15.2.0",

[gemini-code-assist]

The security vulnerabilities (GHSA-jvff-x2qm-6286) are patched in mathjs version 15.2.0. The current range ^15.0.0 allows for vulnerable versions (such as 15.0.0 or 15.1.1) to be resolved. Updating the minimum version to ^15.2.0 ensures that the security fix is applied.

Suggested change

	"mathjs": "^15.0.0",
	"mathjs": "^15.2.0",

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun