Paul O’Shannessy (zpao), @facebook, Seattle, WA, https://zpao.com. I do open source things at @facebook.

reactjs/react-rails 6388

Integrate React.js with Rails views and controllers, the asset pipeline, or webpacker.

reactjs/rfcs 3434

RFCs for changes to React

reactjs/express-react-views 2713

This is an Express view engine which renders React components on server. It renders static markup and *does not* support mounting those views on the client.

sebmarkbage/art 978

Retained mode vector drawing API designed for multiple output modes. There's also a built-in SVG parser.

zpao/building-react-from-scratch 361

Code for my React Rally talk.

zpao/alwaysAsk 8

A Firefox extension to make sure you get a prompt when quitting Firefox.

petehunt/statics 4

static assets in npm

zpao/addon-compatability-reporter 3

Git clone of http://viewvc.svn.mozilla.org/vc/addons/trunk/compatibility/

zpao/acts_as_taggable_on_steroids 2

Tagging for Ruby on Rails

zpao/addon-sdk 2

The Add-on SDK repository.

PR closed facebook/fbjs

bump ua-parser-js to fix RegExp DoS vulnerability CLA Signed

Bump ua-parser-js to fix Regular Expression Denial of Service (ReDoS) detected by Snyk.io (high-severity).

Snyk vulnerability info page: https://snyk.io/vuln/SNYK-JS-UAPARSERJS-610226

Original issue: #399

+6 -6

9 comments

2 changed files

lorenzocestaro

pr closed time in 3 days

pull request comment facebook/fbjs

bump ua-parser-js to fix RegExp DoS vulnerability

3.0.1 and 0.8.18 have been published with newer versions

lorenzocestaro

comment created time in 3 days

issue closed facebook/fbjs

ua-parser-js high severity vulnerability

snyk.io has recently disclosed a high severity vulnerability (Regular Expression Denial of Service, ReDoS) affecting ua-parser-js.

Snyk vulnerability info page: https://snyk.io/vuln/SNYK-JS-UAPARSERJS-610226

closed time in 3 days

lorenzocestaro

issue comment facebook/fbjs

ua-parser-js high severity vulnerability

3.0.1 and 0.8.18 have been published with newer dependencies

lorenzocestaro

comment created time in 3 days

issue closed facebook/fbjs

ua-parser-js Dependency Security vulnerability

Hello there. Our organization relies on open-source scanners such as WhiteSource and Snyk, and these systems warned us of the following security vulnerability:

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

One of our products depends on a library which depends on the latest version of fbjs. At time of writing, fbjs depends on "ua-parser-js": "^0.7.18".

Could someone please look at bumping this up?

closed time in 3 days

xmalderaan

issue closed facebook/fbjs

ua-parser-js to fix Regular Expression Denial Of Service (ReDoS)

Veracode detected high security issues for ua-parser-js 0.7.22. It's included as "ua-parser-js": "^0.7.18" in the fbjs dependencies. Version 0.7.23 of ua-parser-js is already available.

Releasing a new version will solve the above vulnerability.

closed time in 3 days

PinalSa

issue comment facebook/fbjs

ua-parser-js to fix Regular Expression Denial Of Service (ReDoS)

3.0.1 and 0.8.18 have been published with updated dependencies

PinalSa

comment created time in 3 days

issue comment facebook/fbjs

ua-parser-js Dependency Security vulnerability

3.0.1 and 0.8.18 have been published with later dependencies

xmalderaan

comment created time in 3 days

issue closed facebook/fbjs

fbjs > ua-parser-js@0.7.29: this package has been hijacked

Version 0.7.29 of ua-parser-js has been hijacked by malicious code. Please bump the dependency version to a non-compromised version. See: https://github.com/faisalman/ua-parser-js/issues/536

closed time in 3 days

schematis

issue comment facebook/fbjs

fbjs > ua-parser-js@0.7.29: this package has been hijacked

3.0.1 and 0.8.18 have been published

schematis

comment created time in 3 days

created tag facebook/fbjs

tag v0.8.18

A collection of utility libraries used by other Facebook JS projects.

created time in 3 days

created tag facebook/fbjs

tag fbjs-v3.0.1

A collection of utility libraries used by other Facebook JS projects.

created time in 3 days

push event facebook/fbjs

Paul O’Shannessy

commit sha 5893dd1ee1c784891df4cd2519c586a9da46c8a8

Upgrade ua-parser-js


Paul O’Shannessy

commit sha e2a53eb4d17bf25124d193bb3a8b5532a4780b0f

[fbjs] v3.0.1


push time in 3 days

push event zpao/fbjs

Paul O’Shannessy

commit sha 25dabdb33f3d76fc327aa1b73ddb063bd3755e6b

Update CI Action
  • Update list of current & lts releases to test with
  • Update to setup-node@v2 (with built in caching between versions in the matrix)

push time in 3 days

create branch zpao/fbjs

branch : main

created branch time in 3 days

delete branch zpao/fbjs

delete branch : master

delete time in 3 days

PR opened facebook/fbjs

Update CI Action
  • Update list of current & lts releases to test with
  • Update to setup-node@v2 (with built in caching between versions in the matrix)

+2 -1

0 comment

1 changed file

pr created time in 3 days

create branch zpao/fbjs

branch : update-ci

created branch time in 3 days

PR opened facebook/fbjs

Create codeql-analysis.yml

+71 -0

0 comment

1 changed file

pr created time in 3 days

create branch facebook/fbjs

branch : add-codeql-analysis

created branch time in 3 days

push event facebook/fbjs

dependabot[bot]

commit sha 45ab46073cab61ba0d001aeb93ed75f18f05bd96

Bump tmpl from 1.0.4 to 1.0.5 in /packages/signedsource (#463)

Bumps [tmpl](https://github.com/daaku/nodejs-tmpl) from 1.0.4 to 1.0.5.
  • [Release notes](https://github.com/daaku/nodejs-tmpl/releases)
  • [Commits](https://github.com/daaku/nodejs-tmpl/commits/v1.0.5)

updated-dependencies:
  • dependency-name: tmpl
    dependency-type: indirect

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

push time in 3 days

PR merged facebook/fbjs

Bump tmpl from 1.0.4 to 1.0.5 in /packages/signedsource CLA Signed dependencies

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.


Bumps tmpl from 1.0.4 to 1.0.5.

Commits
  • See full diff in compare view: https://github.com/daaku/nodejs-tmpl/commits/v1.0.5

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.


+3 -3

0 comment

1 changed file

dependabot[bot]

pr closed time in 3 days

push event facebook/fbjs

dependabot[bot]

commit sha c9b9efdd12cc6e5609dcab483179765552a515d0

Bump tmpl from 1.0.4 to 1.0.5 in /packages/babel-preset-fbjs (#462)

Bumps [tmpl](https://github.com/daaku/nodejs-tmpl) from 1.0.4 to 1.0.5.
  • [Release notes](https://github.com/daaku/nodejs-tmpl/releases)
  • [Commits](https://github.com/daaku/nodejs-tmpl/commits/v1.0.5)

updated-dependencies:
  • dependency-name: tmpl
    dependency-type: indirect

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

push time in 3 days

PR merged facebook/fbjs

Bump tmpl from 1.0.4 to 1.0.5 in /packages/babel-preset-fbjs CLA Signed dependencies

Bumps tmpl from 1.0.4 to 1.0.5.

Commits
  • See full diff in compare view: https://github.com/daaku/nodejs-tmpl/commits/v1.0.5


+3 -3

0 comment

1 changed file

dependabot[bot]

pr closed time in 3 days

push event facebook/fbjs

dependabot[bot]

commit sha dfae7a8a2686e7abf026fe8cd4a1d297d45302df

Bump tmpl from 1.0.4 to 1.0.5 in /packages/fbjs (#461)

Bumps [tmpl](https://github.com/daaku/nodejs-tmpl) from 1.0.4 to 1.0.5.
  • [Release notes](https://github.com/daaku/nodejs-tmpl/releases)
  • [Commits](https://github.com/daaku/nodejs-tmpl/commits/v1.0.5)

updated-dependencies:
  • dependency-name: tmpl
    dependency-type: indirect

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

push time in 3 days

PR merged facebook/fbjs

Bump tmpl from 1.0.4 to 1.0.5 in /packages/fbjs CLA Signed dependencies

Bumps tmpl from 1.0.4 to 1.0.5.

Commits
  • See full diff in compare view: https://github.com/daaku/nodejs-tmpl/commits/v1.0.5


+3 -3

0 comment

1 changed file

dependabot[bot]

pr closed time in 3 days

push event facebook/fbjs

dependabot[bot]

commit sha 4e78755ee466adce0bd796a5714baf8c3db70e3f

Bump tar from 4.4.6 to 4.4.19 in /packages/signedsource (#459)

Bumps [tar](https://github.com/npm/node-tar) from 4.4.6 to 4.4.19.
  • [Release notes](https://github.com/npm/node-tar/releases)
  • [Changelog](https://github.com/npm/node-tar/blob/main/CHANGELOG.md)
  • [Commits](https://github.com/npm/node-tar/compare/v4.4.6...v4.4.19)

updated-dependencies:
  • dependency-name: tar
    dependency-type: indirect

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

push time in 3 days

PR merged facebook/fbjs

Bump tar from 4.4.6 to 4.4.19 in /packages/signedsource CLA Signed dependencies

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.


Bumps tar from 4.4.6 to 4.4.19.

Commits
  • 9a6faa0 4.4.19 (https://github.com/npm/node-tar/commit/9a6faa017ca90538840f3ae2ccdb4550ac3f4dcf)
  • 70ef812 drop dirCache for symlink on all platforms (https://github.com/npm/node-tar/commit/70ef812593184cc54ea1bc74c5dae2d22995002d)
  • 3e35515 4.4.18 (https://github.com/npm/node-tar/commit/3e35515c09da615ac268254bed85fe43ee71e2f0)
  • 52b09e3 fix: prevent path escape using drive-relative paths (https://github.com/npm/node-tar/commit/52b09e309bcae0c741a7eb79a17ef36e7828b946)
  • bb93ba2 fix: reserve paths properly for unicode, windows (https://github.com/npm/node-tar/commit/bb93ba243746f705092905da1955ac3b0509ba1e)
  • 2f1bca0 fix: prune dirCache properly for unicode, windows (https://github.com/npm/node-tar/commit/2f1bca027286c23e110b8dfc7efc10756fa3db5a)
  • 9bf70a8 4.4.17 (https://github.com/npm/node-tar/commit/9bf70a8cf725c3af5fe2270f1e5d2e06d1559b93)
  • 6aafff0 fix: skip extract if linkpath is stripped entirely (https://github.com/npm/node-tar/commit/6aafff0a8621ba9509b63654bde28762be373d58)
  • 5c5059a fix: reserve paths case-insensitively (https://github.com/npm/node-tar/commit/5c5059a69c2aaaedfe4e9766e102ae9fb79e8255)
  • fd6accb 4.4.16 (https://github.com/npm/node-tar/commit/fd6accba697070560f301604b8f5f7e2995a2a8b)
  • Additional commits viewable in compare view: https://github.com/npm/node-tar/compare/v4.4.6...v4.4.19


+44 -44

0 comment

1 changed file

dependabot[bot]

pr closed time in 3 days

push event facebook/fbjs

dependabot[bot]

commit sha b0fce61c7e6ca9a8f11ea64ec44faaa8cdbd5489

Bump tar from 4.4.8 to 4.4.19 in /packages/fbjs (#458)

Bumps [tar](https://github.com/npm/node-tar) from 4.4.8 to 4.4.19.
  • [Release notes](https://github.com/npm/node-tar/releases)
  • [Changelog](https://github.com/npm/node-tar/blob/main/CHANGELOG.md)
  • [Commits](https://github.com/npm/node-tar/compare/v4.4.8...v4.4.19)

updated-dependencies:
  • dependency-name: tar
    dependency-type: indirect

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

push time in 3 days

PR merged facebook/fbjs

Bump tar from 4.4.8 to 4.4.19 in /packages/fbjs CLA Signed dependencies

Bumps tar from 4.4.8 to 4.4.19.

Commits
  • 9a6faa0 4.4.19 (https://github.com/npm/node-tar/commit/9a6faa017ca90538840f3ae2ccdb4550ac3f4dcf)
  • 70ef812 drop dirCache for symlink on all platforms (https://github.com/npm/node-tar/commit/70ef812593184cc54ea1bc74c5dae2d22995002d)
  • 3e35515 4.4.18 (https://github.com/npm/node-tar/commit/3e35515c09da615ac268254bed85fe43ee71e2f0)
  • 52b09e3 fix: prevent path escape using drive-relative paths (https://github.com/npm/node-tar/commit/52b09e309bcae0c741a7eb79a17ef36e7828b946)
  • bb93ba2 fix: reserve paths properly for unicode, windows (https://github.com/npm/node-tar/commit/bb93ba243746f705092905da1955ac3b0509ba1e)
  • 2f1bca0 fix: prune dirCache properly for unicode, windows (https://github.com/npm/node-tar/commit/2f1bca027286c23e110b8dfc7efc10756fa3db5a)
  • 9bf70a8 4.4.17 (https://github.com/npm/node-tar/commit/9bf70a8cf725c3af5fe2270f1e5d2e06d1559b93)
  • 6aafff0 fix: skip extract if linkpath is stripped entirely (https://github.com/npm/node-tar/commit/6aafff0a8621ba9509b63654bde28762be373d58)
  • 5c5059a fix: reserve paths case-insensitively (https://github.com/npm/node-tar/commit/5c5059a69c2aaaedfe4e9766e102ae9fb79e8255)
  • fd6accb 4.4.16 (https://github.com/npm/node-tar/commit/fd6accba697070560f301604b8f5f7e2995a2a8b)
  • Additional commits viewable in compare view: https://github.com/npm/node-tar/compare/v4.4.8...v4.4.19


+44 -49

0 comment

1 changed file

dependabot[bot]

pr closed time in 3 days