@jayree/sfdx-plugin-manifest 4.0.109 → 4.0.110

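--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,3 +1,18 @@
+## [4.0.110](https://github.com/jayree/sfdx-plugin-manifest/compare/4.0.109...4.0.110) (2025-12-04)
+
+
+### Bug Fixes
+
+* **deps:** bump jws from 3.2.2 to 3.2.3 ([#2030](https://github.com/jayree/sfdx-plugin-manifest/issues/2030)) ([0dea52b](https://github.com/jayree/sfdx-plugin-manifest/commit/0dea52b016c6e9e69b58cf254fb8f41885dc648d))
+* Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
+* Upgrading JWA version to 1.4.2, addressing a compatibility issue for Node >= 25.
+* Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
+* Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.
+* **BREAKING**: `jwt.verify` now requires an `algorithm` parameter, and `jws.createVerify` requires an `algorithm` option. The `"alg"` field signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by `jwt.verify`. See [https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/) for details.
+* **BREAKING**: Default payload encoding changed from `binary` to `utf8`. `utf8` is a is a more sensible default than `binary` because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. ([6b6de48](https://github.com/brianloveswords/node-jws/commit/6b6de48))
+* Code reorganization, thanks [`@​fearphage`](https://github.com/fearphage)! ([7880050](https://github.com/brianloveswords/node-jws/commit/7880050))
+* Option in all relevant methods for `encoding`. For those few users that might be depending on a `binary` encoding of the messages, this is for them. ([6b6de48](https://github.com/brianloveswords/node-jws/commit/6b6de48))
+
 ## [4.0.109](https://github.com/jayree/sfdx-plugin-manifest/compare/4.0.108...4.0.109) (2025-12-02)
 
 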
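--- a/package/README.md
+++ b/package/README.md
@@ -112,7 +112,7 @@ EXAMPLES
 $ sf jayree manifest cleanup --manifest=package.xml --file=packageignore.xml
 ```
 
-_See code: [src/commands/jayree/manifest/cleanup.ts](https://github.com/jayree/sfdx-plugin-manifest/blob/4.0.109/src/commands/jayree/manifest/cleanup.ts)_
+_See code: [src/commands/jayree/manifest/cleanup.ts](https://github.com/jayree/sfdx-plugin-manifest/blob/4.0.110/src/commands/jayree/manifest/cleanup.ts)_
 
 ### `sf jayree manifest generate`
 
@@ -150,7 +150,7 @@ EXAMPLES
 <Package xmlns='http://soap.sforce.com/2006/04/metadata'>...</Package>
 ```
 
-_See code: [src/commands/jayree/manifest/generate.ts](https://github.com/jayree/sfdx-plugin-manifest/blob/4.0.109/src/commands/jayree/manifest/generate.ts)_
+_See code: [src/commands/jayree/manifest/generate.ts](https://github.com/jayree/sfdx-plugin-manifest/blob/4.0.110/src/commands/jayree/manifest/generate.ts)_
 
 ### `sf jayree manifest git diff REF1 [REF2]`
 
@@ -230,7 +230,7 @@ FLAG DESCRIPTIONS
 Use this flag to create a 'destructiveChanges.xml' and a blank 'package.xml'.
 ```
 
-_See code: [src/commands/jayree/manifest/git/diff.ts](https://github.com/jayree/sfdx-plugin-manifest/blob/4.0.109/src/commands/jayree/manifest/git/diff.ts)_
+_See code: [src/commands/jayree/manifest/git/diff.ts](https://github.com/jayree/sfdx-plugin-manifest/blob/4.0.110/src/commands/jayree/manifest/git/diff.ts)_
 <!-- commandsstop -->
 
 ## Performance Testing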
@@ -1,12 +1,12 @@
1
1
  {
2
2
  "name": "@jayree/sfdx-plugin-manifest",
3
- "version": "4.0.109",
3
+ "version": "4.0.110",
4
4
  "lockfileVersion": 3,
5
5
  "requires": true,
6
6
  "packages": {
7
7
  "": {
8
8
  "name": "@jayree/sfdx-plugin-manifest",
9
- "version": "4.0.109",
9
+ "version": "4.0.110",
10
10
  "license": "Apache-2.0",
11
11
  "dependencies": {
12
12
  "@jayree/changelog": "^1.2.21",
@@ -13984,23 +13984,23 @@
13984
13984
  "license": "MIT"
13985
13985
  },
13986
13986
  "node_modules/jwa": {
13987
- "version": "1.4.1",
13988
- "resolved": "https://registry.npmjs.org/jwa/-/jwa-1.4.1.tgz",
13989
- "integrity": "sha512-qiLX/xhEEFKUAJ6FiBMbes3w9ATzyk5W7Hvzpa/SLYdxNtng+gcurvrI7TbACjIXlsJyr05/S1oUhZrc63evQA==",
13987
+ "version": "1.4.2",
13988
+ "resolved": "https://registry.npmjs.org/jwa/-/jwa-1.4.2.tgz",
13989
+ "integrity": "sha512-eeH5JO+21J78qMvTIDdBXidBd6nG2kZjg5Ohz/1fpa28Z4CcsWUzJ1ZZyFq/3z3N17aZy+ZuBoHljASbL1WfOw==",
13990
13990
  "license": "MIT",
13991
13991
  "dependencies": {
13992
- "buffer-equal-constant-time": "1.0.1",
13992
+ "buffer-equal-constant-time": "^1.0.1",
13993
13993
  "ecdsa-sig-formatter": "1.0.11",
13994
13994
  "safe-buffer": "^5.0.1"
13995
13995
  }
13996
13996
  },
13997
13997
  "node_modules/jws": {
13998
- "version": "3.2.2",
13999
- "resolved": "https://registry.npmjs.org/jws/-/jws-3.2.2.tgz",
14000
- "integrity": "sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA==",
13998
+ "version": "3.2.3",
13999
+ "resolved": "https://registry.npmjs.org/jws/-/jws-3.2.3.tgz",
14000
+ "integrity": "sha512-byiJ0FLRdLdSVSReO/U4E7RoEyOCKnEnEPMjq3HxWtvzLsV08/i5RQKsFVNkCldrCaPr2vDNAOMsfs8T/Hze7g==",
14001
14001
  "license": "MIT",
14002
14002
  "dependencies": {
14003
- "jwa": "^1.4.1",
14003
+ "jwa": "^1.4.2",
14004
14004
  "safe-buffer": "^5.0.1"
14005
14005
  }
14006
14006
  },
package/oclif.lock CHANGED
@@ -3556,7 +3556,7 @@ browserslist@^4.24.0, browserslist@^4.24.4:
3556
3556
  node-releases "^2.0.19"
3557
3557
  update-browserslist-db "^1.1.1"
3558
3558
 
3559
- buffer-equal-constant-time@1.0.1:
3559
+ buffer-equal-constant-time@^1.0.1:
3560
3560
  version "1.0.1"
3561
3561
  resolved "https://registry.yarnpkg.com/buffer-equal-constant-time/-/buffer-equal-constant-time-1.0.1.tgz#f8e71132f7ffe6e01a5c9697a4c6f3e48d5cc819"
3562
3562
  integrity sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA==
@@ -6754,21 +6754,21 @@ just-extend@^6.2.0:
6754
6754
  resolved "https://registry.yarnpkg.com/just-extend/-/just-extend-6.2.0.tgz#b816abfb3d67ee860482e7401564672558163947"
6755
6755
  integrity sha512-cYofQu2Xpom82S6qD778jBDpwvvy39s1l/hrYij2u9AMdQcGRpaBu6kY4mVhuno5kJVi1DAz4aiphA2WI1/OAw==
6756
6756
 
6757
- jwa@^1.4.1:
6758
- version "1.4.1"
6759
- resolved "https://registry.yarnpkg.com/jwa/-/jwa-1.4.1.tgz#743c32985cb9e98655530d53641b66c8645b039a"
6760
- integrity sha512-qiLX/xhEEFKUAJ6FiBMbes3w9ATzyk5W7Hvzpa/SLYdxNtng+gcurvrI7TbACjIXlsJyr05/S1oUhZrc63evQA==
6757
+ jwa@^1.4.2:
6758
+ version "1.4.2"
6759
+ resolved "https://registry.yarnpkg.com/jwa/-/jwa-1.4.2.tgz#16011ac6db48de7b102777e57897901520eec7b9"
6760
+ integrity sha512-eeH5JO+21J78qMvTIDdBXidBd6nG2kZjg5Ohz/1fpa28Z4CcsWUzJ1ZZyFq/3z3N17aZy+ZuBoHljASbL1WfOw==
6761
6761
  dependencies:
6762
- buffer-equal-constant-time "1.0.1"
6762
+ buffer-equal-constant-time "^1.0.1"
6763
6763
  ecdsa-sig-formatter "1.0.11"
6764
6764
  safe-buffer "^5.0.1"
6765
6765
 
6766
6766
  jws@^3.2.2:
6767
- version "3.2.2"
6768
- resolved "https://registry.yarnpkg.com/jws/-/jws-3.2.2.tgz#001099f3639468c9414000e99995fa52fb478304"
6769
- integrity sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA==
6767
+ version "3.2.3"
6768
+ resolved "https://registry.yarnpkg.com/jws/-/jws-3.2.3.tgz#5ac0690b460900a27265de24520526853c0b8ca1"
6769
+ integrity sha512-byiJ0FLRdLdSVSReO/U4E7RoEyOCKnEnEPMjq3HxWtvzLsV08/i5RQKsFVNkCldrCaPr2vDNAOMsfs8T/Hze7g==
6770
6770
  dependencies:
6771
- jwa "^1.4.1"
6771
+ jwa "^1.4.2"
6772
6772
  safe-buffer "^5.0.1"
6773
6773
 
6774
6774
  keyv@^4.0.0, keyv@^4.5.3:
@@ -267,5 +267,5 @@
267
267
  ]
268
268
  }
269
269
  },
270
- "version": "4.0.109"
270
+ "version": "4.0.110"
271
271
  }
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@jayree/sfdx-plugin-manifest",
3
3
  "description": "A powerful Salesforce CLI plugin and Node.js library to effortlessly generate, clean up, and manage package.xml and destructiveChanges.xml manifests directly from your Salesforce orgs or from Git changes in your SF projects. Unlock faster, safer, and smarter Salesforce deployments.",
4
- "version": "4.0.109",
4
+ "version": "4.0.110",
5
5
  "author": "jayree",
6
6
  "type": "module",
7
7
  "bugs": "https://github.com/jayree/sfdx-plugin-manifest/issues",