search

2lambda123 / snyk-cli

Other
0 stars 0 forks source link

chore(deps): bump the npm_and_yarn group across 13 directories with 34 updates #15

Closed dependabot[bot] closed 2 months ago

dependabot[bot] commented 2 months ago

Bumps the npm_and_yarn group with 17 updates in the / directory:

Package From To
semver 6.3.1 7.6.0
tar 6.1.11 6.2.1
ajv 6.12.6 8.12.0
express 4.17.1 4.19.2
pkg 5.8.0 5.8.1
webpack 5.54.0 5.76.0
decode-uri-component 0.2.0 0.2.2
fast-json-patch 3.1.0 3.1.1
got 11.8.2 11.8.6
json5 1.0.1 1.0.2
jsonwebtoken 8.5.1 9.0.2
danger 10.9.0 12.1.0
loader-utils 1.4.0 1.4.2
minimist 1.2.6 1.2.8
nanoid 3.1.25 3.3.7
postcss 8.3.6 8.4.38
shell-quote 1.7.2 1.8.1

Bumps the npm_and_yarn group with 2 updates in the /packages/iac-cli-alert directory: axios and @slack/webhook. Bumps the npm_and_yarn group with 1 update in the /test/acceptance/workspaces/extra-large-response-payload directory: yarn. Bumps the npm_and_yarn group with 1 update in the /test/acceptance/workspaces/fail-on/patchable directory: ms. Bumps the npm_and_yarn group with 2 updates in the /test/acceptance/workspaces/gradle-monorepo directory: qs and node-uuid. Bumps the npm_and_yarn group with 2 updates in the /test/acceptance/workspaces/mono-repo-poetry directory: qs and node-uuid. Bumps the npm_and_yarn group with 2 updates in the /test/acceptance/workspaces/mono-repo-project directory: qs and node-uuid. Bumps the npm_and_yarn group with 2 updates in the /test/acceptance/workspaces/mono-repo-project-manifests-only directory: qs and node-uuid. Bumps the npm_and_yarn group with 1 update in the /test/acceptance/workspaces/mono-repo-with-ignores directory: qs. Bumps the npm_and_yarn group with 6 updates in the /test/acceptance/workspaces/monorepo-bad-project directory:

Package From To
debug 3.2.5 3.2.7
semver 5.5.1 5.7.2
lodash 4.17.11 4.17.21
minimatch 3.0.4 3.1.2
ms 2.1.1 2.1.3
js-yaml 3.12.0 3.14.1

Bumps the npm_and_yarn group with 4 updates in the /test/acceptance/workspaces/npm-lock-v2-with-npm-prefixed-sub-dep-version directory: tar, @semantic-release/npm, acorn and qs. Bumps the npm_and_yarn group with 2 updates in the /test/acceptance/workspaces/npm-lock-v2-with-simple-version-range-override directory: json-bigint and @google-cloud/storage. Bumps the npm_and_yarn group with 6 updates in the /test/acceptance/workspaces/npm-out-of-sync-graph directory:

Package From To
debug 4.3.1 4.3.4
semver 5.6.0 5.7.2
ansi-regex 3.0.0 3.0.1
eslint-utils 1.3.1 1.4.3
axios 0.28.0 1.6.8
js-yaml 3.12.0 3.14.1

Updates semver from 6.3.1 to 7.6.0

Release notes

Sourced from semver's releases.

v7.6.0

7.6.0 (2024-01-31)

Features

Chores

v7.5.4

7.5.4 (2023-07-07)

Bug Fixes

v7.5.3

7.5.3 (2023-06-22)

Bug Fixes

Documentation

v7.5.2

7.5.2 (2023-06-15)

Bug Fixes

... (truncated)

Changelog

Sourced from semver's changelog.

7.6.0 (2024-01-31)

Features

Chores

7.5.4 (2023-07-07)

Bug Fixes

7.5.3 (2023-06-22)

Bug Fixes

Documentation

7.5.2 (2023-06-15)

Bug Fixes

7.5.1 (2023-05-12)

Bug Fixes

... (truncated)

Commits
  • 377f709 chore: release 7.6.0 (#661)
  • a7ab13a feat: preserve pre-release and build parts of a version on coerce (#671)
  • 816c7b2 chore: postinstall for dependabot template-oss PR
  • 0bd24d9 chore: bump @​npmcli/template-oss from 4.21.1 to 4.21.3
  • e521932 chore: postinstall for dependabot template-oss PR
  • 8873991 chore: chore: chore: postinstall for dependabot template-oss PR
  • f317dc8 chore: bump @​npmcli/template-oss from 4.19.0 to 4.21.0
  • 7303db1 chore: add clean() test for build metadata (#658)
  • 6240d75 chore: add missing quotes in README.md (#656)
  • 14d263f chore: postinstall for dependabot template-oss PR
  • Additional commits viewable in compare view


Updates tar from 6.1.11 to 6.2.1

Release notes

Sourced from tar's releases.

v6.1.13

6.1.13 (2022-12-07)

Dependencies

v6.1.12

6.1.12 (2022-10-31)

Bug Fixes

Documentation

Changelog

Sourced from tar's changelog.

Changelog

7.0

  • Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
  • Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
  • Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
  • Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

6.2

  • Add support for brotli compression
  • Add maxDepth option to prevent extraction into excessively deep folders.

6.1

6.0

  • Drop support for node 6 and 8
  • fix symlinks and hardlinks on windows being packed with \-style path targets

5.0

  • Address unpack race conditions using path reservations
  • Change large-numbers errors from TypeError to Error
  • Add TAR_* error codes
  • Raise TAR_BAD_ARCHIVE warning/error when there are no valid entries found in an archive
  • do not treat ignored entries as an invalid archive
  • drop support for node v4
  • unpack: conditionally use a file mapping to write files on Windows
  • Set more portable 'mode' value in portable mode
  • Set portable gzip option in portable mode

... (truncated)

Commits


Updates ajv from 6.12.6 to 8.12.0

Release notes

Sourced from ajv's releases.

v8.12.0

  • fix JTD serialisation (remove leading comma in objects with only optional properties) (#2190, @​piliugin-anton)
  • empty JTD "values" schema (#2191)
  • empty object to work with JTD utility type (#2158, @​erikbrinkman)
  • fix JTD "discriminator" schema for objects with more than 8 properties (#2194)
  • correctly narrow "number" type to "integer" (#2192, @​JacobLey)
  • update Node.js versions in CI to 14, 16, 18 and 19

v8.11.2

Update dependencies

Export ValidationError and MissingRefError (ajv-validator/ajv#1840, @​dannyb648)

v8.11.1

Update dependencies

Export ValidationError and MissingRefError (#1840, @​dannyb648)

v8.11.0

Use root schemaEnv when resolving references in oneOf (#1901, @​asprouse)

Only use equal function in generated code when it is used (#1922, @​bhvngt)

v8.10.0

uriResolver option (@​zekth, #1862)

v8.9.0

Option code.esm to generate ESM exports for standalone validation functions (@​rehanvdm, #1861) Support discriminator keyword with $ref in oneOf subschemas (@​dfeufel, #1815)

v8.8.2

Use full RegExp string (with flags) as cache key, related to ajv-validator/ajv-keywords#220

v8.8.1

Fix minContains: 0 (#1819)

v8.8.0

Fix browser bundles in cdnjs regExp option allowing to specify alternative RegExp engine, e.g. re2 (@​efebarlas)

v8.7.1

Publish Ajv bundle for JSON Schema 2020-12 to cdnjs.com

v8.7.0

Update JSON Schema Test Suite. Change minContains: 0 now correctly allows empty array.

v8.6.3

Fix $ref resolution for schemas without $id (@​rbuckton, #1725) Support standalone module import from ESM modules without using .default property (@​bhvngt, #1757)

... (truncated)

Commits


Updates express from 4.17.1 to 4.19.2

Release notes

Sourced from express's releases.

4.19.2

What's Changed

Full Changelog: https://github.com/expressjs/express/compare/4.19.1...4.19.2

4.19.1

What's Changed

Full Changelog: https://github.com/expressjs/express/compare/4.19.0...4.19.1

4.19.0

What's Changed

New Contributors

Full Changelog: https://github.com/expressjs/express/compare/4.18.3...4.19.0

4.18.3

Main Changes

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2

Other Changes

... (truncated)

Changelog

Sourced from express's changelog.

4.19.2 / 2024-03-25

  • Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

  • Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

  • Prevent open redirect allow list bypass due to encodeurl
  • deps: cookie@0.6.0

4.18.3 / 2024-02-29

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2
  • deps: cookie@0.6.0
    • Add partitioned option

4.18.2 / 2022-10-08

  • Fix regression routing a large stack in a single route
  • deps: body-parser@1.20.1
    • deps: qs@6.11.0
    • perf: remove unnecessary object clone
  • deps: qs@6.11.0

4.18.1 / 2022-04-29

  • Fix hanging on large stack of sync routes

4.18.0 / 2022-04-25

  • Add "root" option to res.download
  • Allow options without filename in res.download
  • Deprecate string and non-integer arguments to res.status
  • Fix behavior of null/undefined as maxAge in res.cookie
  • Fix handling very large stacks of sync middleware
  • Ignore Object.prototype values in settings through app.set/app.get

... (truncated)

Commits
  • 04bc627 4.19.2
  • da4d763 Improved fix for open redirect allow list bypass
  • 4f0f6cc 4.19.1
  • a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
  • a1fa90f fixed un-edited version in history.md for 4.19.0
  • 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
  • 084e365 4.19.0
  • 0867302 Prevent open redirect allow list bypass due to encodeurl
  • 567c9c6 Add note on how to update docs for new release (#5541)
  • 69a4cf2 deps: cookie@0.6.0
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.


Updates pkg from 5.8.0 to 5.8.1

Release notes

Sourced from pkg's releases.

5.8.1

Patches

  • Producer: properly call "prebuild-install" if N-API is used: dd9de59c9fca2751bf5d22b57bd9b03d43e85e80
  • Chore: clean up obsolete eslint disable comments: #1760
  • Chore: add prettier check in linting step: #1764
  • Chore: separate individual test scripts: #1759
  • Chore: use @types/babel__generator package: #1755
  • Chore: remove unused entry: #1766
  • Chore: upgrade actions runners: #1767
  • Style: fix typo in test-99-#1192/main.js: #1790
  • Chore: bump prebuild-install@7.1.1: #1788
  • Fix: add force flag to codesign to avoid already signed error: #1756

Credits

Huge thanks to @​ignatiusmb, @​eltociear, @​PraveenAnaparthi, and @​brianunlam for helping!

Commits


Updates webpack from 5.54.0 to 5.76.0

Release notes

Sourced from webpack's releases.

v5.76.0

Bugfixes

Features

Security

Repo Changes

New Contributors

Full Changelog: https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0

v5.75.0

Bugfixes

  • experiments.* normalize to false when opt-out
  • avoid NaN%
  • show the correct error when using a conflicting chunk name in code
  • HMR code tests existance of window before trying to access it
  • fix eval-nosources-* actually exclude sources
  • fix race condition where no module is returned from processing module
  • fix position of standalong semicolon in runtime code

Features

  • add support for @import to extenal CSS when using experimental CSS in node
  • add i64 support to the deprecated WASM implementation

Developer Experience

  • expose EnableWasmLoadingPlugin
  • add more typings
  • generate getters instead of readonly properties in typings to allow overriding them

... (truncated)

Commits
  • 97b1718 Merge pull request #16781 from askoufis/loader-context-target-type
  • b84efe6 Merge pull request #16759 from ryanwilsonperkin/real-content-hash-regex-perf
  • c98e9e0 Merge pull request #16493 from piwysocki/patch-1
  • 5f34acf feat: Add target to LoaderContext type
  • b7fc4d8 Merge pull request #16703 from ryanwilsonperkin/ryanwilsonperkin/fix-16160
  • 63ea82d Merge branch 'webpack:main' into patch-1
  • 4ba2252 Merge pull request #16446 from akhilgkrishnan/patch-1
  • 1acd635 Merge pull request #16613 from jakebailey/ts-logo
  • 302eb37 Merge pull request #16614 from jakebailey/html5-logo
  • cfdb1df Improve performance of hashRegExp lookup
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by evilebottnawi, a new releaser for webpack since your current version.


Updates ansi-regex from 2.1.1 to 4.1.1

Commits


Updates qs from 6.7.0 to 6.11.0

Changelog

Sourced from qs's changelog.

6.2.4

  • [Fix] parse: ignore __proto__ keys (#428)
  • [Fix] utils.merge: avoid a crash with a null target and an array source
  • [Fix] utils.merge: avoid a crash with a null target and a truthy non-array source
  • [Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided
  • [Fix] when parseArrays is false, properly handle keys ending in []
  • [Robustness] stringify: avoid relying on a global undefined (#427)
  • [Refactor] use cached Array.isArray
  • [Docs] Clarify the need for "arrayLimit" option
  • [meta] fix README.md (#399)
  • [meta] Clean up license text so it’s properly detected as BSD-3-Clause
  • [meta] add FUNDING.yml
  • [actions] backport actions from main
  • [Tests] use safer-buffer instead of Buffer constructor
  • [Tests] remove nonexistent tape option
  • [Dev Deps] backport from main

6.2.3

  • [Fix] follow allowPrototypes option during merge (#201, #200)
  • [Fix] chmod a-x
  • [Fix] support keys starting with brackets (#202, #200)
  • [Tests] up to node v7.7, v6.10, v4.8; disable osx builds since they block linux builds

6.2.2

  • [Fix] ensure that allowPrototypes: false does not ever shadow Object.prototype properties

6.2.1

  • [Fix] ensure key[]=x&key[]&key[]=y results in 3, not 2, values
  • [Refactor] Be explicit and use Object.prototype.hasOwnProperty.call
  • [Tests] remove parallelshell since it does not reliably report failures
  • [Tests] up to node v6.3, v5.12
  • [Dev Deps] update tape, eslint, @ljharb/eslint-config, qs-iconv

6.2.0

  • [New] pass Buffers to the encoder/decoder directly (#161)
  • [New] add "encoder" and "decoder" options, for custom param encoding/decoding (#160)
  • [Fix] fix compacting of nested sparse arrays (#150)

6.1.2

  • [Fix] follow allowPrototypes option during merge (#201, #200)
  • [Fix] chmod a-x
  • [Fix] support keys starting with brackets (#202, #200)
  • [Tests] up to node v7.7, v6.10, v4.8; disable osx builds since they block linux builds

6.1.1

  • [Fix] ensure that allowPrototypes: false does not ever shadow Object.prototype properties

6.1.0

  • [New] allowDots option for stringify (#151)
  • [Fix] "sort" option should work at a depth of 3 or more (#151)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for qs since your current version.


Updates decode-uri-component from 0.2.0 to 0.2.2

Release notes

Sourced from decode-uri-component's releases.

v0.2.2

  • Prevent overwriting previously decoded tokens 980e0bf

https://github.com/SamVerschueren/decode-uri-component/compare/v0.2.1...v0.2.2

v0.2.1

  • Switch to GitHub workflows 76abc93
  • Fix issue where decode throws - fixes
    performance-testing-bot[bot] commented 2 months ago

    Unable to locate .performanceTestingBot config file

secure-code-warrior-for-github[bot] commented 2 months ago

Micro-Learning Topic: Open redirect (Detected by phrase)

Matched on "open redirect"

What is this? (2min video)

This vulnerability refers to the ability of an attacker to arbitrarily perform a redirection (external) or forward (internal) against the system. It arises due to insufficient validation or sanitisation of inputs used to perform a redirect or forward and may result in privilege escalation (in the case of a forward) or may be used to launch phishing attacks against users (in the case of redirects).

Try a challenge in Secure Code Warrior

Helpful references

Micro-Learning Topic: Race condition (Detected by phrase)

Matched on "race condition"

What is this? (2min video)

A race condition is a flaw that produces an unexpected result when the timing of actions impact other actions.

Try a challenge in Secure Code Warrior

cr-gpt[bot] commented 2 months ago

Seems you are using me but didn't get OPENAI_API_KEY seted in Variables/Secrets for this repo. you could follow readme for more information

code-companion-ai[bot] commented 2 months ago

Processing PR updates...

codesyncapp[bot] commented 2 months ago

Check out the playback for this Pull Request here.

coderabbitai[bot] commented 2 months ago

[!IMPORTANT]

Auto Review Skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share - [X](https://twitter.com/intent/tweet?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A&url=https%3A//coderabbit.ai) - [Mastodon](https://mastodon.social/share?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A%20https%3A%2F%2Fcoderabbit.ai) - [Reddit](https://www.reddit.com/submit?title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&text=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code.%20Check%20it%20out%3A%20https%3A//coderabbit.ai) - [LinkedIn](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fcoderabbit.ai&mini=true&title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&summary=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code)
Tips ### Chat There are 3 ways to chat with [CodeRabbit](https://coderabbit.ai): - Review comments: Directly reply to a review comment made by CodeRabbit. Example: - `I pushed a fix in commit .` - `Generate unit testing code for this file.` - `Open a follow-up GitHub issue for this discussion.` - Files and specific lines of code (under the "Files changed" tab): Tag `@coderabbitai` in a new review comment at the desired location with your query. Examples: - `@coderabbitai generate unit testing code for this file.` - `@coderabbitai modularize this function.` - PR comments: Tag `@coderabbitai` in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples: - `@coderabbitai generate interesting stats about this repository and render them as a table.` - `@coderabbitai show all the console.log statements in this repository.` - `@coderabbitai read src/utils.ts and generate unit testing code.` - `@coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.` Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. ### CodeRabbit Commands (invoked as PR comments) - `@coderabbitai pause` to pause the reviews on a PR. - `@coderabbitai resume` to resume the paused reviews. - `@coderabbitai review` to trigger a review. This is useful when automatic reviews are disabled for the repository. - `@coderabbitai resolve` resolve all the CodeRabbit review comments. - `@coderabbitai help` to get help. Additionally, you can add `@coderabbitai ignore` anywhere in the PR description to prevent this PR from being reviewed. ### CodeRabbit Configration File (`.coderabbit.yaml`) - You can programmatically configure CodeRabbit by adding a `.coderabbit.yaml` file to the root of your repository. - Please see the [configuration documentation](https://docs.coderabbit.ai/guides/configure-coderabbit) for more information. - If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: `# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json` ### Documentation and Community - Visit our [Documentation](https://coderabbit.ai/docs) for detailed information on how to use CodeRabbit. - Join our [Discord Community](https://discord.com/invite/GsXnASn26c) to get help, request features, and share feedback. - Follow us on [X/Twitter](https://twitter.com/coderabbitai) for updates and announcements.
git-greetings[bot] commented 2 months ago

Thanks @dependabot[bot] for opening this PR!

For COLLABORATOR only :

  • To add labels, comment on the issue /label add label1,label2,label3

  • To remove labels, comment on the issue /label remove label1,label2,label3

git-greetings[bot] commented 2 months ago
PR Details of @dependabot[bot] in snyk-cli : OPEN CLOSED TOTAL
2 12 14
socket-security[bot] commented 2 months ago

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@octokit/rest@18.12.0 Transitive: network +21 4.78 MB octokitbot
npm/@slack/webhook@7.0.2 Transitive: environment, filesystem, network +10 2.34 MB filmaj
npm/@types/node@20.12.7 None +1 2.1 MB types
npm/typescript@4.8.4 None 0 68.8 MB typescript-bot

🚮 Removed packages: npm/esprima@3.1.3

View full report↗︎