fix(deps): update dependency mathjs to v15 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
mathjs (source)	^13.0.0 → ^15.2.0

GitHub Vulnerability Alerts

GHSA-jvff-x2qm-6286

Impact

Two security vulnerabilities where detected that allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser.

Patches

The problem is patched in mathjs v15.2.0.

Workarounds

There is no workaround without upgrading.

---

Release Notes

josdejong/mathjs (mathjs)

v15.2.0

Compare Source

• Feat: Add amp-hour charge unit Ah (#​3617). Thanks @​adrfantini.
• Feat: #​3595 implement num and den functions returning the parts of
  a fraction (#​3605). Thanks @​AnslemHack.
• Fix: Provide TypeScript types for [and/or]TransformDependencies (#​3639).
  Thanks @​NilsDietrich.
• Fix: two security vulnerabilities that allowed executing arbitrary JavaScript
  via the expression parser. Thanks @​CykuTW for finding and reporting them.

v15.1.1

Compare Source

• Fix: #​3631 Handle bigints in compareNatural (#​3632). Thanks @​Dheemanth07.
• Fix: #​3578 interpret empty true-expr of conditional as error (#​3581).
  Thanks @​gwhitney.
• Fix: #​3597 added nullish type definitions (#​3601). Thanks @​Ayo1984.
• Docs: Correct several arithmetic and relational documentation examples
  and add History (#​3630). Thanks @​Anadian.
• Docs: fix #​3565, update Matrix documentation (#​3591). Thanks @​orelbn.
• Docs: #​3341 add per-function HISTORY sections (#​3606). Thanks @​gwhitney.
• Docs: describe that setDistinct sorts the elements (see #​3602).

v15.1.0

Compare Source

• Fix: #​3578 interpret empty true-expr of conditional as error (#​3581).
  Thanks @​gwhitney.
• Docs: fix #​3565, update Matrix documentation (#​3591). Thanks @​orelbn.

v15.0.0

Compare Source

!!! BE CAREFUL: BREAKING CHANGES !!!

• Feat: #​3349 Decouple precedence of unary percentage operator and binary
  modulus operator (that both use symbol %), and raise the former (#​3432).
  Thanks @​kiprobinsonknack.
• Feat: #​1753 enhance Kronecker product to handle arbitrary dimension (#​3461,
  #​3455). Thanks @​gwhitney and @​Delaney.
• Feat: #​2344 matrix subset according to the type of input (#​3485).
  Thanks @​dvd101x.
• Fix: #​3501 parse % as unary only when not followed by a term (#​3505).
  Thanks @​gwhitney.
• Fix: #​3421 require a space or delimiter after hex, bin, and oct values (#​3463).
• Fix: #​3529 Change function size to always return an Array (#​3535).
• Fix: #​3530 throw an error when trying to flatten a SparseMatrix (#​3536).

v14.9.1

Compare Source

• Fix: issue in HISTORY.md listing all fixes of v14.8.2 under v14.9.0.

v14.9.0

Compare Source

• Feat: improve the performance of map with multiple arguments (#​3526).
  Thanks @​dvd101x.
• Fix: #​3541 throw an error when evaluating a range with a step of zero
  (#​3548). Thanks @​dvd101x.

v14.8.2

Compare Source

• Fix: improve performance in functions like map when passing a unary
  function (#​3546). Thanks @​dvd101x.
• Fix: improve the type definition of abs(complex) which returns a number
  (#​3543). Thanks @​joshkel.
• Fix: add missing type definitions for ctranspose (#​3545). Thanks @​joshkel.
• Fix: typos in code comments (#​3544). Thanks @​joshkel.

v14.8.1

Compare Source

• Fix: #​3538 config printing a warning when using { number: 'bigint' }
  (#​3540).

v14.8.0

Compare Source

• Feat: #​3353 support for the nullish coalescing operator ?? in the
  expression parser (#​3497). Thanks @​ikemHood.

v14.7.0

Compare Source

• Feat: faster DenseMatrix symbol iterator (#​3521). Thanks @​dvd101x.
• Feat: implement serialization support for Parser, fixing #​3509 (#​3525).
• Fix: #​3519, #​3368 categories "Core functions" and "Construction functions"
  missing from the generated function overview.
• Fix: #​3517 printTransformDependencies not exported in the type definitions.
• Fix: add missing type definition for function diff (#​3520). Thanks @​dodokw.
• Fix: #​3396 improve documentation of function range.
• Fix: #​3523 cleanup old polyfills from the browser bundle
  by removing core-js (#​3524).

v14.6.0

Compare Source

• Feat: new function toBest(unit, unitList, offset), and corresponding
  method unit.toBest(...) (#​3484). Thanks @​Mundi93, @​EliaAlesiani, and
  @​HeavyRainLQ.
• Fix: #​3512 sign of zero not returning zero in case of a fraction (#​3513).
  Thanks @​kyle-compute.

v14.5.3

Compare Source

• Fix: #​2199 parse non-breaking white space   as white space
  (#​3487). Thanks donmccurdy.
• Fix: refine the type definitions of scope (#​3490). Thanks @​JayChang4w.
• Fix: #​3493 type definitions of unit(number) (#​3495). Thanks @​mrft.
• Fix: #​3494 type definitions not supporting unit.to(unit) (#​3495).
  Thanks @​mrft.
• Fix: #​3499 refine type definitions of add and multiply to not allow zero
  or one argument (#​3495). Thanks @​mrft.

v14.5.2

Compare Source

• Fix: add embedded docs for the deprecated physical constant coulomb,
  see #​3472.
• Fix: #​3469 add ResultSet interface and improve isResultSet typing
  (#​3481). Thanks @​ranidam.

v14.5.1

Compare Source

• Fix: #​3482 mathjs throwing an error related to BigInt when loading in
  specific environments.
• Fix: syntax section of function numeric (see #​3448).
• Fix: #​3472 rename physical constant coulomb to coulombConstant. The old
  name is still available for backward compatibility.
• Fix: support multiplication of arrays with units (#​3456). Thanks @​Delaney.

v14.5.0

Compare Source

• Feat: improve the performance of the map and forEach methods of
  DenseMatrix (#​3446). Thanks @​dvd101x.
• Feat: improve the performance of subset (#​3467). Thanks @​dvd101x.
• Feat: define embedded docs for compile, evaluate, parse, and parser,
  and add tests for the examples in embedded docs (#​3413). Thanks @​dvd101x.
• Fix: #​3450 support multiplication of valueless units by arbitrary types
  (#​3454).
• Fix: #​3474 correctly parse (lbf in) (#​3476). Thanks @​costerwi.

v14.4.0

Compare Source

• Feat: improve the performance of function flatten (#​3400). Thanks @​dvd101x.
• Feat: improve the performance of map and forEach (#​3409).
  Thanks @​dvd101x.
• Feat: add LaTeX representation for fractions (#​3434, #​3419). Thanks @​orelbn.
• Fix: #​3422 allow dot operators after symbol E (#​3425).
• Fix: issue in the nthRoots latex function template string (#​3427).
  Thanks @​aitee.
• Fix: upgrade to the latest version of @babel/runtime.

v14.3.1

Compare Source

• Fix: #​3350 cannot import a constant that is a complex number.

v14.3.0

Compare Source

• Feat: improved performance of function flatten (#​3354). Thanks @​dvd101x.
• Feat: improved performance of DenseMatrix Symbol.iterator (#​3395).
  Thanks @​dvd101x.
• Feat: improved performance of functions map and forEach (#​3399).
  Thanks @​dvd101x.
• Fix: #​3390 issue in callback optimization and add error handling for invalid
  argument types (#​3394). Thanks @​dvd101x.
• Fix: #​3356 add missing eigsDependencies export to TypeScript definitions
  (#​3397). Thanks @​porst17.
• Fix: #​3406 infer the correct type for multi-dimensional arrays in function
  multiply (#​3408). Thanks @​orelbn.
• Fix: #​3387 use utility math.isNaN for consistent max and min results
  (#​3389). Thanks @​orelbn.

v14.2.1

Compare Source

• Fix: #​3377 remove redundant dependency @lambdatest/node-tunnel.

v14.2.0

Compare Source

• Feat: #​3041, #​3340 rename apply to mapSlices (#​3357). Function
  apply is still available but is now marked deprecated. Thanks @​gwhitney.
• Fix: #​3247 don't override type-native floor/ceil within tolerance of value
  (#​3369). Thanks @​gwhitney.
• Fix: #​3360 add bigint support to matrix indices and ranges (#​3361).
  Thanks @​gwhitney.
• Fix: #​3115 type definitions for matrixFrom* (#​3371). Thanks @​Hudsxn
  and @​gwhitney.

v14.1.0

Compare Source

• Feat: implement bigint support in functions log, log2, log10,
  larger, smaller, max, min (#​3345). Thanks @​gwhitney.
• Fix: #​3342 hexadecimal input not turned into a bigint (#​3348).
• Fix randomInt() not working (#​3345).
• Docs: fixed description of sign in the embedded docs (#​3338).
  Thanks @​witer33.

v14.0.1

Compare Source

• Fix: make derivative much faster (#​3322). Thanks @​paulftw.
• Fix: #​3317 export Fraction type from the fraction.js library instead of
  using a custom interface (#​3330). Thanks @​fchu.

v14.0.0

Compare Source

!!! BE CAREFUL: BREAKING CHANGES !!!

• Feat: Upgrade to fraction.js@5, using bigint under the hood (#​3283).
• Feat: Implement support for Unit in functions ceil, floor, and fix.
  Possible breaking changes in the type definitions of arrays and matrices
  due to the introduction of generics (#​3269). Thanks @​orelbn.
• Feat: Implement support for log(x: Fraction, base: Fraction).
• Fix: #​3301 precedence of % (mod) being higher than * and / (#​3311).
  Thanks @​nkumawat34.
• Fix: #​3222 prevent math.import(...) from overriding units unless you
  specify { override: true } (#​3225).
• Fix: #​3219 let functions dotDivide, dotPow, bitXor, xor, equal,
  larger, largerEq, smaller, smallerEq, and unequal return a sparse
  matrix when the input is two sparse matrices (#​3307). Thanks @​Aakash-Rana.
• Fix: Improve type definitions of arrays (#​3306). Thanks @​orelbn.

v13.2.3

Compare Source

• Fix: #​3260 improve type definitions and documentation on the callback
  indices of map, filter, and forEach.
• Fix: #​3323 support functions in function clone.
• Docs: fix a broken link in the documentation (#​3316).
  Thanks @​emmanuel-ferdman.

v13.2.2

Compare Source

• Fix: #​1455 implicit multiplication of a fraction with unit in is incorrect
  (#​3315). Thanks @​nkumawat34.

v13.2.1

Compare Source

• Update to the latest version of complex.js.
• Fix Index.dimension(dim) accepting non-numeric input.
• Fix: #​3290 should validate variables names in method Parser.set (#​3308).
  Thanks @​nkumawat34.

v13.2.0

Compare Source

• Feat: improve performance of functions map, filter and forEach (#​3256).
  Thanks @​dvd101x.
• Feat: improve performance of the methods map() and forEach()
  of DenseMatrix (#​3251). Thanks @​Galm007.
• Fix: #​3253 cannot use identifiers containing special characters in function
  derivative.
• Fix: improve the type definitions of ConstantNode to support all data
  types (#​3257). Thanks @​smith120bh.
• Fix: #​3259 function symbolicEqual missing in the TypeScript definitions.
• Fix: #​3246 function leafCount missing in the TypeScript definitions.
• Fix: #​3267 implicit multiplication with a negative number and unit in.
• Docs: fix broken links on the Configuration page. Thanks @​vassudanagunta.
• Docs: document the syntax of map and forEach in the expression parser
  (#​3272). Thanks @​dvd101x.

v13.1.1

Compare Source

• Fix security vulnerability in the CLI and web API allowing to call functions
  import, createUnit and reviver, allowing to get access to the internal
  math namespace and allowing arbitrary code execution. Thanks @​StarlightPWN.
• Fix security vulnerability: when overwriting a rawArgs function with a
  non-rawArgs function, it was still called with raw arguments. This was both
  a functional issue and a security issue. Thanks @​StarlightPWN.
• Fix security vulnerability: ensure that ObjectWrappingMap cannot delete
  unsafe properties. Thanks @​StarlightPWN.
• Fix: not being able to use methods and properties on arrays inside the
  expression parser.

v13.1.0

Compare Source

• Feat: support multiple inputs in function map (#​3228, #​3196).
  Thanks @​dvd101x.
• Feat: add matrix datatypes in more cases (#​3235). Thanks @​dvd101x.
• Feat: export util functions isMap, isPartitionedMap, and
  isObjectWrappingMap.
• Fix: #​3241 function map not always working with matrices (#​3242).
  Thanks @​dvd101x.
• Fix: #​3244 fix broken link to ResultSet in the docs about classes.
• Docs: add a link to the documentation page about the syntax expression
  from the function evaluate (see #​3238).
• Docs: improve the documentation of scope and fix the example
  custom_scope_objects.js (#​3150)
• Docs: spelling fixes in the embedded docs (#​3252). Thanks @​dvd101x.

v13.0.3

Compare Source

• Fix: #​3232 fix type definitions of function format to support notations
  hex, bin, and oct.
• Fix: use more precise definitions for US liquid volume units (#​3229).
  Thanks @​Vistinum.
• Fix: #​2286 types static methods and members for Unit class (#​3230).
  Thanks @​orelbn.

v13.0.2

Compare Source

• Fix an error in the type definitions of quantileSeq (#​3223).
  Thanks @​domdomegg.

v13.0.1

Compare Source

• Fix: #​3227 generated bundle containing catch blocks without parameters.
• Fix: #​2348 update type definitions of the Parser methods (#​3226).
  Thanks @​orelbn.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dpebot]

/gcbrun

[gemini-code-assist]

Code Review

This pull request updates the mathjs dependency from version 13.0.0 to 15.2.0 in the automl and cloud-language packages. Feedback indicates that this update introduces a compatibility issue because mathjs v15 requires Node.js >= 18.0.0, while the engines field in both package.json files still specifies Node.js >= 16.0.0. The engines field needs to be updated to prevent installation or runtime issues for users on older Node.js versions.

[gemini-code-assist]

The update to mathjs v15 introduces a requirement for Node.js >= 18.0.0. However, the engines field in this file (line 7) still specifies >=16.0.0, which is incompatible with this update. This mismatch will cause installation or runtime issues for users on Node.js 16. Please update the engines field to reflect the new requirement of the updated dependency.

[gemini-code-assist]

The update to mathjs v15 introduces a requirement for Node.js >= 18.0.0. However, the engines field in this file (line 6) still specifies >=16.0.0, which is incompatible with this update. This mismatch will cause installation or runtime issues for users on Node.js 16. Please update the engines field to reflect the new requirement of the updated dependency.