Fix uri scheme validation (@ChALkeR).
Fix boolean schemas with strictKeywords option (#1270)
v6.12.4
Fix: coercion of one-item arrays to scalar that should fail validation (failing example).
v6.12.3
Pass schema object to processCode function
Option for strictNumbers (@issacgerges, #1128)
Fixed vulnerability related to untrusted schemas (CVE-2020-15366)
Time formats support two digit and colon-less variants of timezone offset (#1061, @cjpillsbury)
Docs: RegExp related security considerations
Tests: Disabled failing typescript test
v6.10.2
Fix: the unknown keywords were ignored with the option strictKeywords: true (instead of failing compilation) in some sub-schemas (e.g. anyOf), when the sub-schema didn't have known keywords.
Breaking: Remove official Node v10, v12, v14 and v16 support. We had to do this because one of our dependencies had security issues and the version with the fix dropped Node v10 as well. Additionally, there were also package-lock.json issues because of a breaking change at npm (6deb9bd, 092e554).
Breaking: Remove Node v8 support. We had to do this because one of our dependencies had security issues and the version with the fix dropped Node v8 as well.
Fix Modifying globals within module leaks to global with Node >=10 #167
Fixed import errors on modules with shebang declarations #179
v5.0.0
Breaking: Remove Node v6 support. We had to do this because one of our dependencies had security issues and the version with the fix dropped Node v6 as well.
This is a backport of the minor ReDoS vulnerability in ansi-regex@<6.0.1, as requested in #38.
Fix ReDoS in certain cases (#37)
You are only really affected if you run the regex on untrusted user input in a server context, which it's very unlikely anyone is doing, since this regex is mainly used in command-line tools.
To trigger a single review, invoke the `@coderabbitai review` command.
You can disable this status message by setting `reviews.review_status` to `false` in the CodeRabbit configuration file.
## Tips
### Chat
There are 3 ways to chat with [CodeRabbit](https://coderabbit.ai):
- Review comments: Directly reply to a review comment made by CodeRabbit. Examples:
  - `I pushed a fix in commit .`
  - `Generate unit testing code for this file.`
  - `Open a follow-up GitHub issue for this discussion.`
- Files and specific lines of code (under the "Files changed" tab): Tag `@coderabbitai` in a new review comment at the desired location with your query. Examples:
  - `@coderabbitai generate unit testing code for this file.`
  - `@coderabbitai modularize this function.`
- PR comments: Tag `@coderabbitai` in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  - `@coderabbitai generate interesting stats about this repository and render them as a table.`
  - `@coderabbitai show all the console.log statements in this repository.`
  - `@coderabbitai read src/utils.ts and generate unit testing code.`
  - `@coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.`
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.
### CodeRabbit Commands (invoked as PR comments)
- `@coderabbitai pause` to pause the reviews on a PR.
- `@coderabbitai resume` to resume the paused reviews.
- `@coderabbitai review` to trigger a review. This is useful when automatic reviews are disabled for the repository.
- `@coderabbitai resolve` to resolve all the CodeRabbit review comments.
- `@coderabbitai help` to get help.
Additionally, you can add `@coderabbitai ignore` anywhere in the PR description to prevent this PR from being reviewed.
### CodeRabbit Configuration File (`.coderabbit.yaml`)
- You can programmatically configure CodeRabbit by adding a `.coderabbit.yaml` file to the root of your repository.
- Please see the [configuration documentation](https://docs.coderabbit.ai/guides/configure-coderabbit) for more information.
- If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: `# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json`
### Documentation and Community
- Visit our [Documentation](https://coderabbit.ai/docs) for detailed information on how to use CodeRabbit.
- Join our [Discord Community](https://discord.com/invite/GsXnASn26c) to get help, request features, and share feedback.
- Follow us on [X/Twitter](https://twitter.com/coderabbitai) for updates and announcements.
⚠️ Dependabot is rebasing this PR ⚠️
Rebasing might not happen immediately, so don't worry if this takes some time.
Note: if you make any changes to this PR yourself, they will take precedence over the rebase.
Bumps the npm_and_yarn group with 1 update in the /test/acceptance/workspaces/npm-package directory: debug.
Bumps the npm_and_yarn group with 1 update in the /test/acceptance/workspaces/npm-package-policy directory: marked.
Bumps the npm_and_yarn group with 4 updates in the /test/acceptance/workspaces/npm-package-shrinkwrap directory: debug, acorn, ajv and rewire.
Bumps the npm_and_yarn group with 2 updates in the /test/acceptance/workspaces/npm-package-with-dist-tag-subdependency directory: follow-redirects and cdktf-cli.
Bumps the npm_and_yarn group with 1 update in the /test/acceptance/workspaces/npm-package-with-overrides directory: ip.
Bumps the npm_and_yarn group with 2 updates in the /test/acceptance/workspaces/yarn-app directory: marked and moment.
Bumps the npm_and_yarn group with 1 update in the /test/acceptance/workspaces/yarn-lock-v2-vuln directory: lodash.
Bumps the npm_and_yarn group with 6 updates in the /test/acceptance/workspaces/yarn-out-of-sync directory:
- from 3.2.5 to 3.2.7
- from 2.1.1 to 2.1.3
- from 3.12.0 to 3.14.1
- from 4.17.11 to 4.17.21
- from 3.0.4 to 3.1.2
- from 5.5.1 to 5.7.2
Bumps the npm_and_yarn group with 1 update in the /test/acceptance/workspaces/yarn-package directory: debug.
Bumps the npm_and_yarn group with 1 update in the /test/acceptance/workspaces/yarn-v2 directory: lodash.
Bumps the npm_and_yarn group with 5 updates in the /test/acceptance/workspaces/yarn-workspace-out-of-sync directory:
- from 4.1.1 to 4.3.1
- from 4.17.15 to 4.17.21
- from 3.0.4 to 3.1.2
- from 2.6.0 to 2.6.7
- from 3.2.1 to 3.2.2
Bumps the npm_and_yarn group with 5 updates in the /test/acceptance/workspaces/yarn-workspaces directory:
- from 4.17.15 to 4.17.21
- from 3.0.4 to 3.1.2
- from 2.6.0 to 2.6.7
- from 3.2.1 to 3.2.2
- from 1.3.0 to 1.4.8
Bumps the npm_and_yarn group with 3 updates in the /test/acceptance/workspaces/yarn-workspaces-v2 directory: minimatch, node-fetch and node-uuid.
Bumps the npm_and_yarn group with 2 updates in the /test/acceptance/workspaces/yarn-workspaces-v2-resolutions directory: node-fetch and node-uuid.
Bumps the npm_and_yarn group with 2 updates in the /ts-binary-wrapper directory: semver and @babel/traverse.
### Updates `debug` from 2.2.0 to 2.6.9
Release notes
Sourced from debug's releases.
... (truncated)
Changelog
Sourced from debug's changelog.
... (truncated)
Commits
- 13abeae Release 2.6.9
- f53962e remove ReDoS regexp in %o formatter (#504)
- 52e1f21 Release 2.6.8
- 2482e08 Check for undefined on browser globals (#462)
- 6bb07f7 release 2.6.7
- 15850cb Fix Regular Expression Denial of Service (ReDoS)
- 4a6c85c update "debug" to v1.0.0 (#454)
- b68dbf8 Fix typo (#455)
- 1351d2f Inline extend function in node implementation (#452)
- c211947 update version for component
### Updates `ms` from 0.7.1 to 2.0.0
Release notes
Sourced from ms's releases.
Commits
- 1c6264b 2.1.3
- 82495ad Use GitHub Actions CI (#154)
- 1a13a88 Run prettier 2.x (#153)
- 1048042 Add prettier as a dev dependency (#135)
- f2bfb40 Rename zeit to vercel (#151)
- adf1eb2 Bump eslint from 4.12.1 to 4.18.2 (#122)
- 7920885 2.1.2
- 199ff78 Update chat badge (#119)
- d1add60 Update regexp for `10-.5` is invalid input (#117)
- d95e17f Support error in case of Infinity (#116)
Maintainer changes
This version was pushed to npm by styfle, a new releaser for ms since your current version.
### Updates `marked` from 0.3.6 to 4.0.10
Release notes
Sourced from marked's releases.
... (truncated)
Commits
- ae01170 chore(release): 4.0.10 [skip ci]
- fceda57 🗜️ build [skip ci]
- 8f80657 fix(security): fix redos vulnerabilities
- c4a3ccd Merge pull request from GHSA-rrrm-qjm4-v8hf
- d7212a6 chore(deps-dev): Bump jasmine from 4.0.0 to 4.0.1 (#2352)
- 5a84db5 chore(deps-dev): Bump rollup from 2.62.0 to 2.63.0 (#2350)
- 2bc67a5 chore(deps-dev): Bump markdown-it from 12.3.0 to 12.3.2 (#2351)
- 98996b8 chore(deps-dev): Bump @babel/preset-env from 7.16.5 to 7.16.7 (#2353)
- ebc2c95 chore(deps-dev): Bump highlight.js from 11.3.1 to 11.4.0 (#2354)
- e5171a9 chore(release): 4.0.9 [skip ci]
Maintainer changes
This version was pushed to npm by tonybrix, a new releaser for marked since your current version.
### Updates `debug` from 3.1.0 to 3.2.7
Release notes
Sourced from debug's releases.
... (truncated)
Changelog
Sourced from debug's changelog.
... (truncated)
Commits
- 13abeae Release 2.6.9
- f53962e remove ReDoS regexp in %o formatter (#504)
- 52e1f21 Release 2.6.8
- 2482e08 Check for undefined on browser globals (#462)
- 6bb07f7 release 2.6.7
- 15850cb Fix Regular Expression Denial of Service (ReDoS)
- 4a6c85c update "debug" to v1.0.0 (#454)
- b68dbf8 Fix typo (#455)
- 1351d2f Inline extend function in node implementation (#452)
- c211947 update version for component
### Updates `ms` from 2.0.0 to 2.1.1
Release notes
Sourced from ms's releases.
Commits
- 1c6264b 2.1.3
- 82495ad Use GitHub Actions CI (#154)
- 1a13a88 Run prettier 2.x (#153)
- 1048042 Add prettier as a dev dependency (#135)
- f2bfb40 Rename zeit to vercel (#151)
- adf1eb2 Bump eslint from 4.12.1 to 4.18.2 (#122)
- 7920885 2.1.2
- 199ff78 Update chat badge (#119)
- d1add60 Update regexp for `10-.5` is invalid input (#117)
- d95e17f Support error in case of Infinity (#116)
Maintainer changes
This version was pushed to npm by styfle, a new releaser for ms since your current version.
### Updates `acorn` from 5.7.1 to 5.7.4
Commits
- 6370e90 Mark version 5.7.4
- fbc15b1 More rigorously check surrogate pairs in regexp validator
- 910e62b Mark version 5.7.3
- 3442a80 Make generate-identifier-regex capable of rewriting src/identifier.js
- 22b22f3 Raise specific errors for unterminated template literals
- 1461c7c Fix a lint error
- 0c12f63 Fix tokenizing of regexps after .of
- 832c308 Fix 404 url
- 95ca55c Mark version 5.7.2
- bba80ab Remove another fixed test from the 262 whitelist
### Updates `ajv` from 5.5.2 to 6.12.6
Release notes
Sourced from ajv's releases.
... (truncated)
Commits
- fe59143 6.12.6
- d580d3e Merge pull request #1298 from ajv-validator/fix-url
- fd36389 fix: regular expression for "url" format
- 490e34c docs: link to v7-beta branch
- 9cd93a1 docs: note about v7 in readme
- 877d286 Merge pull request #1262 from b4h0-c4t/refactor-opt-object-type
- f1c8e45 6.12.5
- 764035e Merge branch 'ChALkeR-chalker/fix-comma'
- 3798160 Merge branch 'chalker/fix-comma' of git://github.com/ChALkeR/ajv into ChALkeR...
- a3c7eba Merge branch 'refactor-opt-object-type' of github.com:b4h0-c4t/ajv into refac...
### Updates `rewire` from 4.0.1 to 7.0.0
Release notes
Sourced from rewire's releases.
Changelog
Sourced from rewire's changelog.
Commits
- ff62cfc v7.0.0
- e0ea17d Remove CoffeeScript support
- a183ba7 Add TypeScript support
- 2d7729f Merge remote-tracking branch 'origin/master' into pulls/ts-support
- 092e554 Also drop official Node 16 support
- f32ef51 Update package-lock.json
- 6deb9bd Update ESLint and drop official Node 10.x, 12.x, 14.x support
- c9b536f NEW Add support for .ts files
- f5c655a Add test case for re-assigning consts
- 9e7f846 v6.0.0
### Updates `ansi-regex` from 2.1.1 to 5.0.1
Release notes
Sourced from ansi-regex's releases.
Commits
- a9babce 5.0.1
- 4657833 fix incorrect format
- c3c0b3f Fix potential ReDoS (#37)
- 178363b Move to GitHub Actions (#35)
- 0755e66 Add @Qix- to funding.yml
- 2b56fb0 5.0.0
- f26f7fe Meta tweaks
- e77ea17 Add TypeScript definition (#32)
- 166a0d5 Require Node.js 8
- f115fca Tidelift tasks
### Updates `js-yaml` from 3.12.0 to 4.1.0
Changelog
Sourced from js-yaml's changelog.
Commits
- 37caaad 3.14.1 released
- 094c0f7 dist rebuild
- 9586ebe Avoid calling hasOwnProperty of user-controlled objects
- 34e5072 3.14.0 released
- 7b25c83 Browser files rebuild
- 6f73473 Dev deps bump
- 0c29349 Travis-CI: drop old nodejs versions
- 10be97e fix(loader): Add support for `safe/loadAll(input, options)`
- d6983dd Fix issue #526: wrong quote position writing condensed flow (#527)
- 93fbf7d fix issue 526 (wrong quote position writing condensed flow)
### Updates `minimatch` from 3.0.4 to 3.1.2
Commits
- 699c459 3.1.2
- 2f2b5ff fix: trim pattern
- 25d7c0d 3.1.1
- 55dda29 fix: treat nocase:true as always having magic
- 5e1fb8d 3.1.0
- f8145c5 Add 'allowWindowsEscape' option
- 570e8b1 add publishConfig for v3 publishes
- 5b7cd33 3.0.6
- 20b4b56 [fix] revert all breaking syntax changes
- 2ff0388 document, expose, and test 'partial:true' option
### Updates `follow-redirects` from 1.15.4 to 1.15.6
Commits
- 35a517c Release version 1.15.6 of the npm package.
- c4f847f Drop Proxy-Authorization across hosts.
- 8526b4a Use GitHub for disclosure.
- b1677ce Release version 1.15.5 of the npm package.
- d8914f7 Preserve fragment in responseUrl.
### Updates `cdktf-cli` from 0.20.3 to 0.20.7
Release notes
Sourced from cdktf-cli's releases.
... (truncated)
Changelog
Sourced from cdktf-cli's changelog.
... (truncated)
Commits
- b3e82ea chore: Upgrade dependencies for cli
- 25efd21 chore: Upgrade dependencies for cli
- 9d944dc chore: Upgrade dependencies for cli
- cbdf619 chore: Upgrade dependencies for JSII
- 2f5051f chore: Upgrade dependencies for cli
- ac4ef36 chore: Upgrade dependencies for cli (
Unable to locate .performanceTestingBot config file
Seems you are using me but didn't get OPENAI_API_KEY set in Variables/Secrets for this repo. You could follow the readme for more information.
Processing PR updates...
Thanks @dependabot[bot] for opening this PR!
For COLLABORATOR only:
To add labels, comment on the issue: `/label add label1,label2,label3`
To remove labels, comment on the issue: `/label remove label1,label2,label3`
Micro-Learning Topic: Regular expression denial of service (Detected by phrase)
Matched on "regular expression denial of service"
Denial of Service (DoS) attacks caused by regular expressions make the system hang or work very slowly when an attacker sends well-crafted input (processing time grows exponentially with the input size). Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in a direct impact on availability.
Micro-Learning Topic: Denial of service (Detected by phrase)
Matched on "denial of service"
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed for. There are many ways to make a service unavailable for legitimate users: by manipulating network packets, or through programming, logical, or resource-handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service
New and removed dependencies detected.
🚮 Removed packages: npm/@google-cloud/common@2.0.3, npm/@google-cloud/debug-agent@4.0.1, npm/@google-cloud/profiler@2.0.2, npm/@google-cloud/projectify@1.0.1, npm/@google-cloud/promisify@1.0.2, npm/@google-cloud/trace-agent@4.0.1, npm/@grpc/proto-loader@0.1.0, npm/@opencensus/core@0.0.14, npm/@opencensus/propagation-stackdriver@0.0.14, npm/@protobufjs/aspromise@1.1.2, npm/@protobufjs/base64@1.1.2, npm/@protobufjs/codegen@2.0.4, npm/@protobufjs/eventemitter@1.1.0, npm/@protobufjs/fetch@1.1.0, npm/@protobufjs/float@1.0.2, npm/@protobufjs/inquire@1.1.0, npm/@protobufjs/path@1.1.2, npm/@protobufjs/pool@1.1.0, npm/@protobufjs/utf8@1.1.0, npm/@sindresorhus/is@0.17.1, npm/@types/caseless@0.12.2, npm/@types/console-log-level@1.4.0, npm/@types/form-data@2.2.1, npm/@types/lodash@4.14.110, npm/@types/long@3.0.32, npm/@types/node@9.6.22, npm/@types/request@2.48.1, npm/@types/semver@6.0.1, npm/@types/tough-cookie@2.3.5, npm/acorn@6.2.0, npm/aproba@1.2.0, npm/array-includes@3.0.3, npm/arrify@2.0.1, npm/ascli@1.0.1, npm/async-listener@0.6.10, npm/balanced-match@1.0.0, npm/base64-js@1.3.0, npm/bignumber.js@7.2.1, npm/bindings@1.5.0, npm/buffer-from@1.1.1, npm/builtin-modules@3.1.0, npm/bytebuffer@5.0.1, npm/camelcase@2.1.1, npm/cdktf-cli@0.20.3, npm/chownr@1.1.2, npm/cli-width@2.2.0, npm/cliui@3.2.0, npm/coffeescript@2.4.1, npm/colour@0.7.1, npm/console-log-level@1.4.1, npm/contains-path@0.1.0, npm/continuation-local-storage@3.2.1, npm/debug-log@1.0.1, npm/debug@3.2.6, npm/deglob@2.1.1, npm/delay@4.3.0, npm/emitter-listener@1.1.2, npm/end-of-stream@1.4.1, npm/ent@2.2.0, npm/es-abstract@1.13.0, npm/es-to-primitive@1.2.0, npm/eslint-config-semistandard@12.0.1, npm/eslint-config-standard-jsx@5.0.0, npm/eslint-config-standard@11.0.0, npm/eslint-import-resolver-node@0.3.2, npm/eslint-module-utils@2.4.0, npm/eslint-plugin-import@2.8.0, npm/eslint-plugin-node@6.0.1, npm/eslint-plugin-promise@3.6.0, npm/eslint-plugin-react@7.6.1, npm/eslint-plugin-standard@3.0.1, 
npm/eslint-visitor-keys@1.0.0, npm/eslint@4.18.2, npm/esquery@1.0.1, npm/esrecurse@4.2.1, npm/estraverse@4.2.0, npm/esutils@2.0.2, npm/event-target-shim@5.0.1, npm/extend@3.0.2, npm/fast-json-parse@1.0.3, npm/fast-json-stable-stringify@2.0.0, npm/fast-redact@1.2.0, npm/fast-safe-stringify@2.0.6, npm/fast-text-encoding@1.0.0, npm/file-uri-to-path@1.0.0, npm/find-root@1.1.0, npm/find-up@2.1.0, npm/findit2@2.2.3, npm/flatstr@1.0.8, npm/fs-minipass@1.2.6, npm/function-bind@1.1.1, npm/gauge@2.7.4, npm/gaxios@2.0.1, npm/gcp-metadata@2.0.1, npm/get-stdin@6.0.0, npm/glob@7.1.4, npm/google-auth-library@4.2.5, npm/google-p12-pem@2.0.1, npm/graceful-fs@4.2.0, npm/grpc@1.22.2, npm/gtoken@3.0.2, npm/has-symbols@1.0.0, npm/has-unicode@2.0.1, npm/has@1.0.3, npm/hex2dec@1.1.2, npm/hosted-git-info@2.7.1, npm/https-proxy-agent@2.2.2, npm/ignore-walk@3.0.1, npm/ini@1.3.5
🚨 Potential security issues detected.
To accept the risk, merge this PR and you will not be notified again.
Install scripts detected (source manifest in parentheses):
- `node -e "try{require('./postinstall')}catch(e){}"` (package-lock.json, package.json)
- `node -e "try{require('./postinstall')}catch(e){}"` (test/acceptance/workspaces/npm-out-of-sync-graph/package-lock.json)
### Next steps
### What is an install script?
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.
### Take a deeper look at the dependency
Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.
### Remove the package
If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.
### Mark a package as acceptable risk
To ignore an alert, reply with a comment starting with `@SocketSecurity ignore` followed by a space-separated list of `ecosystem/package-name@version` specifiers, e.g. `@SocketSecurity ignore npm/foo@1.0.0`, or ignore all packages with `@SocketSecurity ignore-all`.
- `@SocketSecurity ignore npm/core-js@2.6.12`
- `@SocketSecurity ignore npm/core-js@3.25.0`