2lambda123 / snyk-cli


chore(deps): bump the npm_and_yarn group across 15 directories with 19 updates #2

Open dependabot[bot] opened 2 months ago

dependabot[bot] commented 2 months ago

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.


Bumps the npm_and_yarn group with 1 update in the /test/acceptance/workspaces/npm-package directory: debug.
Bumps the npm_and_yarn group with 1 update in the /test/acceptance/workspaces/npm-package-policy directory: marked.
Bumps the npm_and_yarn group with 4 updates in the /test/acceptance/workspaces/npm-package-shrinkwrap directory: debug, acorn, ajv and rewire.
Bumps the npm_and_yarn group with 2 updates in the /test/acceptance/workspaces/npm-package-with-dist-tag-subdependency directory: follow-redirects and cdktf-cli.
Bumps the npm_and_yarn group with 1 update in the /test/acceptance/workspaces/npm-package-with-overrides directory: ip.
Bumps the npm_and_yarn group with 2 updates in the /test/acceptance/workspaces/yarn-app directory: marked and moment.
Bumps the npm_and_yarn group with 1 update in the /test/acceptance/workspaces/yarn-lock-v2-vuln directory: lodash.
Bumps the npm_and_yarn group with 6 updates in the /test/acceptance/workspaces/yarn-out-of-sync directory:

Package From To
debug 3.2.5 3.2.7
ms 2.1.1 2.1.3
js-yaml 3.12.0 3.14.1
lodash 4.17.11 4.17.21
minimatch 3.0.4 3.1.2
semver 5.5.1 5.7.2

Bumps the npm_and_yarn group with 1 update in the /test/acceptance/workspaces/yarn-package directory: debug.
Bumps the npm_and_yarn group with 1 update in the /test/acceptance/workspaces/yarn-v2 directory: lodash.
Bumps the npm_and_yarn group with 5 updates in the /test/acceptance/workspaces/yarn-workspace-out-of-sync directory:

Package From To
debug 4.1.1 4.3.1
lodash 4.17.15 4.17.21
minimatch 3.0.4 3.1.2
node-fetch 2.6.0 2.6.7
y18n 3.2.1 3.2.2

Bumps the npm_and_yarn group with 5 updates in the /test/acceptance/workspaces/yarn-workspaces directory:

Package From To
lodash 4.17.15 4.17.21
minimatch 3.0.4 3.1.2
node-fetch 2.6.0 2.6.7
y18n 3.2.1 3.2.2
node-uuid 1.3.0 1.4.8

Bumps the npm_and_yarn group with 3 updates in the /test/acceptance/workspaces/yarn-workspaces-v2 directory: minimatch, node-fetch and node-uuid.
Bumps the npm_and_yarn group with 2 updates in the /test/acceptance/workspaces/yarn-workspaces-v2-resolutions directory: node-fetch and node-uuid.
Bumps the npm_and_yarn group with 2 updates in the /ts-binary-wrapper directory: semver and @babel/traverse.

Updates debug from 2.2.0 to 2.6.9

Release notes

Sourced from debug's releases.

2.6.9

Patches

  • Remove ReDoS regexp in %o formatter: #504

Credits

Huge thanks to @​zhuangya for their help!

release 2.6.7

No release notes provided.

release 2.6.6

No release notes provided.

release 2.6.5

No release notes provided.

release 2.6.4

No release notes provided.

release 2.6.3

No release notes provided.

release 2.6.2

No release notes provided.

release 2.6.1

No release notes provided.

release 2.6.0

No release notes provided.

release 2.5.2

No release notes provided.

release 2.5.1

No release notes provided.

release 2.4.5

No release notes provided.

release 2.4.4

No release notes provided.

release 2.4.3

No release notes provided.

release 2.4.2

No release notes provided.

... (truncated)

Changelog

Sourced from debug's changelog.

2.6.9 / 2017-09-22

  • remove ReDoS regexp in %o formatter (#504)

2.6.8 / 2017-05-18

2.6.7 / 2017-05-16

2.6.5 / 2017-04-27

2.6.4 / 2017-04-20

2.6.3 / 2017-03-13

2.6.2 / 2017-03-10

2.6.1 / 2017-02-10

  • Fix: Module's export default syntax fix for IE8 Expected identifier error
  • Fix: Whitelist DEBUG_FD for values 1 and 2 only (#415, @​pi0)

... (truncated)

Commits


Updates ms from 0.7.1 to 2.0.0

Release notes

Sourced from ms's releases.

2.1.3

Patches

  • Rename zeit to vercel: #151
  • Bump eslint from 4.12.1 to 4.18.2: #122
  • Add prettier as a dev dependency: #135 #153
  • Use GitHub Actions CI: #154

Credits

Huge thanks to @​getsnoopy for helping!

2.1.2

Patches

  • Fixed negative decimals less than -10 don't work: #111
  • Support error in case of Infinity: #116
  • Update regexp for 10-.5 is invalid input: #117
  • Update chat badge: #119

Credits

Huge thanks to @​yuler and @​7ma7X for helping!

Commits

Maintainer changes

This version was pushed to npm by styfle, a new releaser for ms since your current version.


Updates marked from 0.3.6 to 4.0.10

Release notes

Sourced from marked's releases.

v4.0.10

4.0.10 (2022-01-13)

Bug Fixes

  • security: fix redos vulnerabilities (8f80657)

v4.0.9

4.0.9 (2022-01-06)

Bug Fixes

v4.0.8

4.0.8 (2021-12-19)

Bug Fixes

v4.0.7

4.0.7 (2021-12-09)

Bug Fixes

v4.0.6

4.0.6 (2021-12-02)

Bug Fixes

v4.0.5

4.0.5 (2021-11-25)

Bug Fixes

  • table after paragraph without blank line (#2298) (5714212)

v4.0.4

4.0.4 (2021-11-19)

... (truncated)

Commits
  • ae01170 chore(release): 4.0.10 [skip ci]
  • fceda57 🗜️ build [skip ci]
  • 8f80657 fix(security): fix redos vulnerabilities
  • c4a3ccd Merge pull request from GHSA-rrrm-qjm4-v8hf
  • d7212a6 chore(deps-dev): Bump jasmine from 4.0.0 to 4.0.1 (#2352)
  • 5a84db5 chore(deps-dev): Bump rollup from 2.62.0 to 2.63.0 (#2350)
  • 2bc67a5 chore(deps-dev): Bump markdown-it from 12.3.0 to 12.3.2 (#2351)
  • 98996b8 chore(deps-dev): Bump @​babel/preset-env from 7.16.5 to 7.16.7 (#2353)
  • ebc2c95 chore(deps-dev): Bump highlight.js from 11.3.1 to 11.4.0 (#2354)
  • e5171a9 chore(release): 4.0.9 [skip ci]
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by tonybrix, a new releaser for marked since your current version.


Updates debug from 3.1.0 to 3.2.7

Release notes and changelog: the same text Dependabot quotes above under "Updates debug from 2.2.0 to 2.6.9".

Commits


Updates ms from 2.0.0 to 2.1.1

Release notes, commits and maintainer-change note: the same text Dependabot quotes above under "Updates ms from 0.7.1 to 2.0.0".


Updates acorn from 5.7.1 to 5.7.4

Commits
  • 6370e90 Mark version 5.7.4
  • fbc15b1 More rigorously check surrogate pairs in regexp validator
  • 910e62b Mark version 5.7.3
  • 3442a80 Make generate-identifier-regex capable of rewriting src/identifier.js
  • 22b22f3 Raise specific errors for unterminated template literals
  • 1461c7c Fix a lint error
  • 0c12f63 Fix tokenizing of regexps after .of
  • 832c308 Fix 404 url
  • 95ca55c Mark version 5.7.2
  • bba80ab Remove another fixed test from the 262 whitelist
  • Additional commits viewable in compare view


Updates ajv from 5.5.2 to 6.12.6

Release notes

Sourced from ajv's releases.

v6.12.6

Fix performance issue of "url" format.

v6.12.5

Fix uri scheme validation (@​ChALkeR). Fix boolean schemas with strictKeywords option (#1270)

v6.12.4

Fix: coercion of one-item arrays to scalar that should fail validation (failing example).

v6.12.3

Pass schema object to processCode function Option for strictNumbers (@​issacgerges, #1128) Fixed vulnerability related to untrusted schemas (CVE-2020-15366)

v6.12.2

Removed post-install script

v6.12.1

Docs and dependency updates

v6.12.0

Improved hostname validation (@​sambauers, #1143) Option keywords to add custom keywords (@​franciscomorais, #1137) Types fixes (@​boenrobot, @​MattiAstedrone) Docs:

v6.11.0

Time formats support two digit and colon-less variants of timezone offset (#1061 , @​cjpillsbury) Docs: RegExp related security considerations Tests: Disabled failing typescript test

v6.10.2

Fix: the unknown keywords were ignored with the option strictKeywords: true (instead of failing compilation) in some sub-schemas (e.g. anyOf), when the sub-schema didn't have known keywords.

v6.10.1

Fix types Fix addSchema (#1001) Update dependencies

v6.10.0

Option strictDefaults to report ignored defaults (#957, @​not-an-aardvark) Option strictKeywords to report unknown keywords (#781)

v6.9.0

OpenAPI keyword nullable can be any boolean (and not only true). Custom keyword definition changes:

  • dependencies option in to require the presence of keywords in the same schema.

... (truncated)

Commits
  • fe59143 6.12.6
  • d580d3e Merge pull request #1298 from ajv-validator/fix-url
  • fd36389 fix: regular expression for "url" format
  • 490e34c docs: link to v7-beta branch
  • 9cd93a1 docs: note about v7 in readme
  • 877d286 Merge pull request #1262 from b4h0-c4t/refactor-opt-object-type
  • f1c8e45 6.12.5
  • 764035e Merge branch 'ChALkeR-chalker/fix-comma'
  • 3798160 Merge branch 'chalker/fix-comma' of git://github.com/ChALkeR/ajv into ChALkeR...
  • a3c7eba Merge branch 'refactor-opt-object-type' of github.com:b4h0-c4t/ajv into refac...
  • Additional commits viewable in compare view


Updates rewire from 4.0.1 to 7.0.0

Release notes

Sourced from rewire's releases.

v7.0.0

v6.0.0

  • Breaking: Remove Node v8 support. We had to do this because one of our dependencies had security issues and the version with the fix dropped Node v8 as well.
  • Update dependencies #193
  • Fix Modifying globals within module leaks to global with Node >=10 #167
  • Fixed import errors on modules with shebang declarations #179

v5.0.0

  • Breaking: Remove Node v6 support. We had to do this because one of our dependencies had security issues and the version with the fix dropped Node v6 as well.
  • Update dependencies #159 #172 #154 #166

Changelog

Sourced from rewire's changelog.

7.0.0

6.0.0

  • Breaking: Remove Node v8 support. We had to do this because one of our dependencies had security issues and the version with the fix dropped Node v8 as well.
  • Update dependencies #193
  • Fix Modifying globals within module leaks to global with Node >=10 #167
  • Fixed import errors on modules with shebang declarations #179

5.0.0

  • Breaking: Remove Node v6 support. We had to do this because one of our dependencies had security issues and the version with the fix dropped Node v6 as well.
  • Update dependencies #159 #172 #154 #166

Commits
  • ff62cfc v7.0.0
  • e0ea17d Remove CoffeeScript support
  • a183ba7 Add TypeScript support
  • 2d7729f Merge remote-tracking branch 'origin/master' into pulls/ts-support
  • 092e554 Also drop official Node 16 support
  • f32ef51 Update package-lock.json
  • 6deb9bd Update ESLint and drop official Node 10.x, 12.x, 14.x support
  • c9b536f NEW Add support for .ts files
  • f5c655a Add test case for re-assigning consts
  • 9e7f846 v6.0.0
  • Additional commits viewable in compare view


Updates ansi-regex from 2.1.1 to 5.0.1

Release notes

Sourced from ansi-regex's releases.

v5.0.1

Fixes (backport of 6.0.1 to v5)

This is a backport of the minor ReDos vulnerability in ansi-regex@<6.0.1, as requested in #38.

  • Fix ReDoS in certain cases (#37) You are only really affected if you run the regex on untrusted user input in a server context, which it's very unlikely anyone is doing, since this regex is mainly used in command-line tools.

CVE-2021-3807

https://github.com/chalk/ansi-regex/compare/v5.0.0..v5.0.1

Thank you @​yetingli for the patch and reproduction case!

v5.0.0

Breaking

  • Require Node.js 8 166a0d5

Enhancements

  • Add TypeScript definition (#32) e77ea17

https://github.com/chalk/ansi-regex/compare/v4.1.0...v5.0.0

v4.1.0

  • Support more escape code like links (#29) 96200bb

https://github.com/chalk/ansi-regex/compare/v4.0.0...v4.1.0

Commits


Updates js-yaml from 3.12.0 to 4.1.0

Changelog

Sourced from js-yaml's changelog.

[3.14.1] - 2020-12-07

Security

  • Fix possible code execution in (already unsafe) .load() (in &anchor).

[3.14.0] - 2020-05-22

Changed

  • Support safe/loadAll(input, options) variant of call.
  • CI: drop outdated nodejs versions.
  • Dev deps bump.

Fixed

  • Quote = in plain scalars #519.
  • Check the node type for !<?> tag in case user manually specifies it.
  • Verify that there are no null-bytes in input.
  • Fix wrong quote position when writing condensed flow, #526.

[3.13.1] - 2019-04-05

Security

  • Fix possible code execution in (already unsafe) .load(), #480.

[3.13.0] - 2019-03-20

Security

  • Security fix: safeLoad() can hang when arrays with nested refs used as key. Now throws exception for nested arrays. #475.

[3.12.2] - 2019-02-26

Fixed

  • Fix noArrayIndent option for root level, #468.

[3.12.1] - 2019-01-05

Added

  • Added noArrayIndent option, #432.

Commits
  • 37caaad 3.14.1 released
  • 094c0f7 dist rebuild
  • 9586ebe Avoid calling hasOwnProperty of user-controlled objects
  • 34e5072 3.14.0 released
  • 7b25c83 Browser files rebuild
  • 6f73473 Dev deps bump
  • 0c29349 Travis-CI: drop old nodejs versions
  • 10be97e fix(loader): Add support for safe/loadAll(input, options)
  • d6983dd Fix issue #526: wrong quote position writing condensed flow (#527)
  • 93fbf7d fix issue 526 (wrong quote position writing condensed flow)
  • Additional commits viewable in compare view


Updates minimatch from 3.0.4 to 3.1.2

Commits


Updates follow-redirects from 1.15.4 to 1.15.6

Commits
  • 35a517c Release version 1.15.6 of the npm package.
  • c4f847f Drop Proxy-Authorization across hosts.
  • 8526b4a Use GitHub for disclosure.
  • b1677ce Release version 1.15.5 of the npm package.
  • d8914f7 Preserve fragment in responseUrl.
  • See full diff in compare view


Updates cdktf-cli from 0.20.3 to 0.20.7

Release notes

Sourced from cdktf-cli's releases.

v0.20.7

fix

  • fix(provider-generator): refactor logic to determine if a block is optional or required #3580

chore

  • chore(deps): pin trusted workflows based on HashiCorp TSCCR #3583
  • chore: Upgrade dependencies for cli #3588
  • chore: Upgrade dependencies for cli #3574
  • chore: Upgrade dependencies for util #3573
  • chore: Upgrade dependencies for lib #3572

v0.20.6

fix

  • fix(cli): sanitize type arrays #3578
  • fix(lib): Correctly render string tokens that contain plain objects #3545
  • fix: hcl rendering nested maps #3536
  • fix(docs): Italics broken #3490

chore

  • chore: fix typo #3553
  • chore: add separate workflow for JSII upgrades #3552
  • chore(deps): pin trusted workflows based on HashiCorp TSCCR #3549
  • chore: Upgrade dependencies for util #3548
  • chore: Upgrade dependencies for util #3543
  • chore(deps): pin trusted workflows based on HashiCorp TSCCR #3534
  • chore: Upgrade dependencies for util #3533
  • chore: run doc conversions on one runner #3522
  • chore: Upgrade dependencies for cli #3517
  • chore: Upgrade dependencies for lib #3516
  • chore: update-project-board-issue calls different repo #3513

v0.20.5

fix

  • fix(lib): Correctly render string tokens that contain plain objects #3545
  • fix: hcl rendering nested maps #3536
  • fix(docs): Italics broken #3490

chore

  • chore: fix typo #3553
  • chore: add separate workflow for JSII upgrades #3552
  • chore(deps): pin trusted workflows based on HashiCorp TSCCR #3549
  • chore: Upgrade dependencies for util #3548
  • chore: Upgrade dependencies for util #3543
  • chore(deps): pin trusted workflows based on HashiCorp TSCCR #3534

... (truncated)

Changelog

Sourced from cdktf-cli's changelog.

0.20.7

fix

  • fix(provider-generator): refactor logic to determine if a block is optional or required #3580

chore

  • chore(deps): pin trusted workflows based on HashiCorp TSCCR #3583
  • chore: Upgrade dependencies for cli #3588
  • chore: Upgrade dependencies for cli #3574
  • chore: Upgrade dependencies for util #3573
  • chore: Upgrade dependencies for lib #3572

0.20.6

fix

  • fix(cli): sanitize type arrays #3578
  • fix(lib): Correctly render string tokens that contain plain objects #3545
  • fix: hcl rendering nested maps #3536
  • fix(docs): Italics broken #3490

chore

  • chore: fix typo #3553
  • chore: add separate workflow for JSII upgrades #3552
  • chore(deps): pin trusted workflows based on HashiCorp TSCCR #3549
  • chore: Upgrade dependencies for util #3548
  • chore: Upgrade dependencies for util #3543
  • chore(deps): pin trusted workflows based on HashiCorp TSCCR #3534
  • chore: Upgrade dependencies for util #3533
  • chore: run doc conversions on one runner #3522
  • chore: Upgrade dependencies for cli #3517
  • chore: Upgrade dependencies for lib #3516
  • chore: update-project-board-issue calls different repo #3513

0.20.5

fix

  • fix(lib): Correctly render string tokens that contain plain objects #3545
  • fix: hcl rendering nested maps #3536
  • fix(docs): Italics broken #3490

chore

  • chore: fix typo #3553
  • chore: add separate workflow for JSII upgrades #3552
  • chore(deps): pin trusted workflows based on HashiCorp TSCCR #3549

... (truncated)

Commits
  • b3e82ea chore: Upgrade dependencies for cli
  • 25efd21 chore: Upgrade dependencies for cli
  • 9d944dc chore: Upgrade dependencies for cli
  • cbdf619 chore: Upgrade dependencies for JSII
  • 2f5051f chore: Upgrade dependencies for cli
  • ac4ef36 chore: Upgrade dependencies for cli (
performance-testing-bot[bot] commented 2 months ago

Unable to locate .performanceTestingBot config file

cr-gpt[bot] commented 2 months ago

Seems you are using me but didn't get OPENAI_API_KEY set in Variables/Secrets for this repo. You could follow the readme for more information.

code-companion-ai[bot] commented 2 months ago

Processing PR updates...

git-greetings[bot] commented 2 months ago

Thanks @dependabot[bot] for opening this PR!

For COLLABORATOR only :

  • To add labels, comment on the issue /label add label1,label2,label3

  • To remove labels, comment on the issue /label remove label1,label2,label3

secure-code-warrior-for-github[bot] commented 2 months ago

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "regular expression denial of service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by a regular expression that makes the system hang or work very slowly when an attacker sends a well-crafted input (processing time grows exponentially with input size). Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "denial of service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

coderabbitai[bot] commented 2 months ago

[!IMPORTANT]

Auto Review Skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


git-greetings[bot] commented 2 months ago

PR Details of @dependabot[bot] in snyk-cli:

OPEN | CLOSED | TOTAL
2 | 0 | 2

socket-security[bot] commented 2 months ago

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package | New capabilities | Transitives | Size | Publisher
npm/@octokit/rest@18.12.0 | Transitive: network | +14 | 4.28 MB | octokitbot
npm/@open-policy-agent/opa-wasm@1.6.0 | None | 0 | 875 kB | styrainc
npm/@pagerduty/pdjs@2.2.4 | Transitive: network | +2 | 155 kB | bzmwillemsen
npm/@sentry/node@7.34.0 | environment, filesystem, network, shell, unsafe | +6 | 2.85 MB | sentry-bot
npm/@sindresorhus/is@4.0.1 | None | 0 | 53.3 kB | sindresorhus
npm/@slack/webhook@7.0.2 | None | +2 | 2.14 MB | filmaj
npm/@snyk/cli-interface@2.12.0 | None | +1 | 48.6 kB | snyk-admin
npm/@snyk/cloud-config-parser@1.14.5 | None | 0 | 82.4 kB | snyk-admin
npm/@snyk/code-client@4.23.5 | filesystem, network | +8 | 253 kB | snyk-admin
npm/@snyk/dep-graph@2.8.1 | None | +1 | 194 kB | snyk-admin
npm/@snyk/docker-registry-v2-client@2.11.0 | environment, filesystem | 0 | 67.3 kB | snyk-admin
npm/@snyk/fix-pipenv-pipfile@0.7.1 | environment; Transitive: eval, shell | +3 | 732 kB | snyk-admin
npm/@snyk/fix-poetry@0.9.1 | Transitive: environment, eval, shell | +3 | 732 kB | snyk-admin
npm/@snyk/gemfile@1.2.0 | filesystem | 0 | 60.1 kB | snyk-admin
npm/@snyk/snyk-cocoapods-plugin@2.5.3 | filesystem, shell | +5 | 322 kB | snyk-admin
npm/@snyk/snyk-hex-plugin@1.1.6 | filesystem, shell | +3 | 161 kB | snyk-admin
npm/@types/body-parser@1.19.1 | None | +1 | 14.3 kB | types
npm/@types/cross-spawn@6.0.2 | None | 0 | 3.91 kB | types
npm/@types/express@4.17.13 | None | +5 | 118 kB | types
npm/@types/fs-extra@9.0.12 | None | 0 | 26.3 kB | types
npm/@types/jest-json-schema@6.1.1 | None | 0 | 4.24 kB | types
npm/@types/jest@29.5.12 | None | +2 | 527 kB | types
npm/@types/lodash@4.14.172 | None | 0 | 859 kB | types
npm/@types/marked@4.0.0 | None | 0 | 23.1 kB | types
npm/@types/needle@3.3.0 | None | 0 | 16.3 kB | types
npm/@types/node@14.17.10 | None | 0 | 772 kB | types
npm/@types/sarif@2.1.7 | None | 0 | 74.2 kB | types
npm/@types/semver@7.3.8 | None | 0 | 23.4 kB | types
npm/@types/sinon@7.5.2 | None | 0 | 150 kB | types
npm/@typescript-eslint/eslint-plugin@4.30.0 | Transitive: environment, filesystem | +9 | 4.74 MB | jameshenry
npm/@typescript-eslint/parser@4.30.0 | Transitive: environment, filesystem | +4 | 1.32 MB | jameshenry
npm/acorn-jsx@5.3.2 | None | 0 | 24.4 kB | rreverser
npm/acorn@7.4.1 | None | 0 | 1.21 MB | marijn
npm/adm-zip@0.5.9 | filesystem | 0 | 103 kB | cthackers
npm/ajv-keywords@3.5.2 | None | 0 | 72.9 kB | esp
npm/ajv@6.12.6 | eval | 0 | 929 kB | esp
npm/anymatch@3.1.2 | None | 0 | 9.54 kB | paulmillr
npm/array-differ@3.0.0 | None | 0 | 3.06 kB | sindresorhus
npm/array-union@2.1.0 | None | 0 | 3.17 kB | sindresorhus
npm/arrify@1.0.1 | None | 0 | 2.34 kB | sindresorhus
npm/auto-bind@5.0.1 | None | 0 | 6.8 kB | sindresorhus
npm/axios@1.6.8 | network; Transitive: filesystem | +4 | 1.93 MB | jasonsaayman
npm/bluebird@3.7.2 | environment, eval, unsafe | 0 | 632 kB | esailija
npm/body-parser@1.19.0 | network; Transitive: environment, eval, filesystem | +10 | 344 kB | dougwilson
npm/callsites@3.1.0 | None | 0 | 6.33 kB | sindresorhus
npm/ci-info@3.2.0 | environment | 0 | 19.8 kB | sibiraj-s
npm/clean-stack@2.2.0 | None | 0 | 5.51 kB | sindresorhus
npm/cli-boxes@3.0.0 | None | 0 | 6.62 kB | sindresorhus
npm/cli-spinner@0.2.10 | None | 0 | 85.1 kB | boemianrapsodi
npm/cli-spinners@2.6.0 | None | 0 | 27.4 kB | sindresorhus
npm/cli-truncate@3.1.0 | None | +2 | 31.5 kB | sindresorhus
npm/cli-width@3.0.0 | environment | 0 | 11.5 kB | knownasilya
npm/code-excerpt@4.0.0 | None | 0 | 4.21 kB | vdemedes
npm/configstore@5.0.1 | None | 0 | 7.61 kB | sindresorhus
npm/conventional-changelog-cli@4.1.0 | Transitive: filesystem, shell | +26 | 1.33 MB | oss-bot
npm/convert-source-map@2.0.0 | None | 0 | 15.9 kB | phated
npm/convert-to-spaces@2.0.1 | None | 0 | 2.96 kB | vdemedes
npm/copy-webpack-plugin@9.0.1 | None | 0 | 60 kB | evilebottnawi
npm/core-js@3.25.0 | environment, eval, filesystem | 0 | 1.02 MB | zloirock
npm/cross-spawn@6.0.5 | environment, filesystem, shell | 0 | 21.4 kB | satazor
npm/crypto-random-string@2.0.0 | None | 0 | 3.93 kB | sindresorhus
npm/danger@10.9.0 | Transitive: environment, eval, filesystem, network, shell | +24 | 13.2 MB | orta
npm/decode-uri-component@0.2.0 | None | 0 | 5.71 kB | samverschueren
npm/depcheck@1.4.3 | filesystem, unsafe; Transitive: environment, eval | +26 | 9.29 MB | rumpl
npm/doctrine@3.0.0 | None | 0 | 106 kB | eslint
npm/dot-prop@5.3.0 | None | 0 | 9.61 kB | sindresorhus
npm/enquirer@2.3.6 | environment | +1 | 222 kB | jonschlinkert
npm/env-paths@2.2.1 | None | 0 | 10.2 kB | sindresorhus
npm/es-abstract@1.18.5 | None | 0 | 933 kB | ljharb
npm/es-to-primitive@1.2.1 | None | 0 | 40.4 kB | ljharb
npm/eslint-config-prettier@6.15.0 | None | 0 | 62.3 kB | lydell
npm/eslint-plugin-anti-trojan-source@1.1.1 | Transitive: filesystem | +25 | 403 kB | lirantal_bot
npm/eslint@6.8.0 | filesystem, unsafe | 0 | 2.9 MB | eslintbot

🚮 Removed packages: npm/@google-cloud/common@2.0.3, npm/@google-cloud/debug-agent@4.0.1, npm/@google-cloud/profiler@2.0.2, npm/@google-cloud/projectify@1.0.1, npm/@google-cloud/promisify@1.0.2, npm/@google-cloud/trace-agent@4.0.1, npm/@grpc/proto-loader@0.1.0, npm/@opencensus/core@0.0.14, npm/@opencensus/propagation-stackdriver@0.0.14, npm/@protobufjs/aspromise@1.1.2, npm/@protobufjs/base64@1.1.2, npm/@protobufjs/codegen@2.0.4, npm/@protobufjs/eventemitter@1.1.0, npm/@protobufjs/fetch@1.1.0, npm/@protobufjs/float@1.0.2, npm/@protobufjs/inquire@1.1.0, npm/@protobufjs/path@1.1.2, npm/@protobufjs/pool@1.1.0, npm/@protobufjs/utf8@1.1.0, npm/@sindresorhus/is@0.17.1, npm/@types/caseless@0.12.2, npm/@types/console-log-level@1.4.0, npm/@types/form-data@2.2.1, npm/@types/lodash@4.14.110, npm/@types/long@3.0.32, npm/@types/node@9.6.22, npm/@types/request@2.48.1, npm/@types/semver@6.0.1, npm/@types/tough-cookie@2.3.5, npm/acorn@6.2.0, npm/aproba@1.2.0, npm/array-includes@3.0.3, npm/arrify@2.0.1, npm/ascli@1.0.1, npm/async-listener@0.6.10, npm/balanced-match@1.0.0, npm/base64-js@1.3.0, npm/bignumber.js@7.2.1, npm/bindings@1.5.0, npm/buffer-from@1.1.1, npm/builtin-modules@3.1.0, npm/bytebuffer@5.0.1, npm/camelcase@2.1.1, npm/cdktf-cli@0.20.3, npm/chownr@1.1.2, npm/cli-width@2.2.0, npm/cliui@3.2.0, npm/coffeescript@2.4.1, npm/colour@0.7.1, npm/console-log-level@1.4.1, npm/contains-path@0.1.0, npm/continuation-local-storage@3.2.1, npm/debug-log@1.0.1, npm/debug@3.2.6, npm/deglob@2.1.1, npm/delay@4.3.0, npm/emitter-listener@1.1.2, npm/end-of-stream@1.4.1, npm/ent@2.2.0, npm/es-abstract@1.13.0, npm/es-to-primitive@1.2.0, npm/eslint-config-semistandard@12.0.1, npm/eslint-config-standard-jsx@5.0.0, npm/eslint-config-standard@11.0.0, npm/eslint-import-resolver-node@0.3.2, npm/eslint-module-utils@2.4.0, npm/eslint-plugin-import@2.8.0, npm/eslint-plugin-node@6.0.1, npm/eslint-plugin-promise@3.6.0, npm/eslint-plugin-react@7.6.1, npm/eslint-plugin-standard@3.0.1, 
npm/eslint-visitor-keys@1.0.0, npm/eslint@4.18.2, npm/esquery@1.0.1, npm/esrecurse@4.2.1, npm/estraverse@4.2.0, npm/esutils@2.0.2, npm/event-target-shim@5.0.1, npm/extend@3.0.2, npm/fast-json-parse@1.0.3, npm/fast-json-stable-stringify@2.0.0, npm/fast-redact@1.2.0, npm/fast-safe-stringify@2.0.6, npm/fast-text-encoding@1.0.0, npm/file-uri-to-path@1.0.0, npm/find-root@1.1.0, npm/find-up@2.1.0, npm/findit2@2.2.3, npm/flatstr@1.0.8, npm/fs-minipass@1.2.6, npm/function-bind@1.1.1, npm/gauge@2.7.4, npm/gaxios@2.0.1, npm/gcp-metadata@2.0.1, npm/get-stdin@6.0.0, npm/glob@7.1.4, npm/google-auth-library@4.2.5, npm/google-p12-pem@2.0.1, npm/graceful-fs@4.2.0, npm/grpc@1.22.2, npm/gtoken@3.0.2, npm/has-symbols@1.0.0, npm/has-unicode@2.0.1, npm/has@1.0.3, npm/hex2dec@1.1.2, npm/hosted-git-info@2.7.1, npm/https-proxy-agent@2.2.2, npm/ignore-walk@3.0.1, npm/ini@1.3.5

View full report↗︎

socket-security[bot] commented 2 months ago

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert | Package | Note / Source
Install scripts | npm/core-js@2.6.12
  • Install script: postinstall
  • Source: node -e "try{require('./postinstall')}catch(e){}"
Install scripts | npm/core-js@3.25.0
  • Install script: postinstall
  • Source: node -e "try{require('./postinstall')}catch(e){}"

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm/core-js@2.6.12
  • @SocketSecurity ignore npm/core-js@3.25.0
codesyncapp[bot] commented 2 months ago

Check out the playback for this Pull Request here.