Potentially breaking change: the publish method now always returns a promise. Previously, it did not return a promise in some error cases. This should not impact most users.
Updates to the development dependencies required a minimum Node version of 14 for the tests. The library should still work on Node 12, but tests are no longer run in CI for version 12. A future major version of the library may drop support for version 12 altogether.
#395 - Switch from filenamify-url to filenamify (@tw0517tw)
v3.0.0
Breaking changes:
None really. But tests are no longer run on Node < 10. Development dependencies were updated to address security warnings, and this meant tests could no longer be run on Node 6 or 8. If you still use these Node versions, you may still be able to use this library, but be warned that tests are no longer run on these versions.
Potentially breaking change: the publish method now always returns a promise. Previously, it did not return a promise in some error cases. This should not impact most users.
Updates to the development dependencies required a minimum Node version of 14 for the tests. The library should still work on Node 12, but tests are no longer run in CI for version 12. A future major version of the library may drop support for version 12 altogether.
Removed ondragexit from Window and friends, per a spec update.
Fixed the URL of about:blank iframes. Previously it was getting set to the parent's URL. (SimonMueller)
Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
Fixed the hidden="" attribute to cause display: none per the user-agent stylesheet. (ph-fritsche)
Fixed the new File() constructor to no longer convert / to :, per a pending spec update.
Fixed mutation observer callbacks to be called with the MutationObserver instance as their this value.
Fixed <input type=checkbox> and <input type=radio> to be mutable even when disabled, per a spec update.
Fixed XMLHttpRequest to not fire a redundant final progress event if a progress event was previously fired with the same loaded value. This would usually occur with small files.
Fixed XMLHttpRequest to expose the Content-Length header on cross-origin responses.
Fixed xhr.response to return null for failures that occur during the middle of the download.
Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)
Fixed edge cases around the properties of proxy-like objects such as localStorage or dataset. (ExE-Boss)
Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi)
Version 16.4.0
Added a not-implemented warning if you try to use the second pseudo-element argument to getComputedStyle(), unless you pass a ::part or ::slotted pseudo-element, in which case we throw an error per the spec. (ExE-Boss)
Improved the performance of repeated access to el.tagName, which also indirectly improves performance of selector matching and style computation. (eps1lon)
Fixed form.elements to respect the form="" attribute, so that it can contain non-descendant form controls. (ccwebdesign)
Fixed el.focus() to do nothing on disconnected elements. (eps1lon)
Fixed el.focus() to work on SVG elements. (zjffun)
Fixed removing the currently-focused element to move focus to the <body> element. (eps1lon)
Fixed imgEl.complete to return true for <img> elements with empty or unset src="" attributes. (strager)
Fixed imgEl.complete to return true if an error occurs loading the <img>, when canvas is enabled. (strager)
Fixed imgEl.complete to return false if the <img> element's src="" attribute is reset. (strager)
Fixed the valueMissing validation check for <input type="radio">. (zjffun)
Fixed translate="" and draggable="" attribute processing to use ASCII case-insensitivity, instead of Unicode case-insensitivity. (zjffun)
Version 16.3.0
Added firing of focusin and focusout when using el.focus() and el.blur(). (trueadm)
Fixed elements with the contenteditable="" attribute to be considered as focusable. (jamieliu386)
Fixed window.NodeFilter to be per-Window, instead of shared across all Windows. (ExE-Boss)
Fixed edge-case behavior involving use of objects with handleEvent properties as event listeners. (ExE-Boss)
Fixed a second failing image load sometimes firing a load event instead of an error event, when the canvas package is installed. (strager)
Fixed drawing an empty canvas into another canvas. (zjffun)
Version 16.2.2
Updated StyleSheetList for better spec compliance; notably it no longer inherits from Array.prototype. (ExE-Boss)
Fixed requestAnimationFrame() from preventing process exit. This likely regressed in v16.1.0.
Fixed setTimeout() to no longer leak the closures passed in to it. This likely regressed in v16.1.0. (AviVahl)
Fixed infinite recursion that could occur when calling click() on a <label> element, or one of its descendants.
Fixed getComputedStyle() to consider inline style="" attributes. (eps1lon)
Fixed several issues with <input type="number">'s stepUp() and stepDown() functions to be properly decimal-based, instead of floating point-based.
Fixed various issues where updating selectEl.value would not invalidate properties such as selectEl.selectedOptions. (ExE-Boss)
Fixed <input>'s src property, and <ins>/<del>'s cite property, to properly reflect as URLs.
Fixed window.addEventLister, window.removeEventListener, and window.dispatchEvent to properly be inherited from EventTarget, instead of being distinct functions. (ExE-Boss)
Fixed errors that would occur if attempting to use a DOM object, such as a custom element, as an argument to addEventListener.
Removed ondragexit from Window and friends, per a spec update.
Fixed the URL of about:blank iframes. Previously it was getting set to the parent's URL. (SimonMueller)
Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
Fixed the hidden="" attribute to cause display: none per the user-agent stylesheet. (ph-fritsche)
Fixed the new File() constructor to no longer convert / to :, per a pending spec update.
Fixed mutation observer callbacks to be called with the MutationObserver instance as their this value.
Fixed <input type=checkbox> and <input type=radio> to be mutable even when disabled, per a spec update.
Fixed XMLHttpRequest to not fire a redundant final progress event if a progress event was previously fired with the same loaded value. This would usually occur with small files.
Fixed XMLHttpRequest to expose the Content-Length header on cross-origin responses.
Fixed xhr.response to return null for failures that occur during the middle of the download.
Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)
Fixed edge cases around the properties of proxy-like objects such as localStorage or dataset. (ExE-Boss)
Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi)
16.4.0
Added a not-implemented warning if you try to use the second pseudo-element argument to getComputedStyle(), unless you pass a ::part or ::slotted pseudo-element, in which case we throw an error per the spec. (ExE-Boss)
Improved the performance of repeated access to el.tagName, which also indirectly improves performance of selector matching and style computation. (eps1lon)
Fixed form.elements to respect the form="" attribute, so that it can contain non-descendant form controls. (ccwebdesign)
Fixed el.focus() to do nothing on disconnected elements. (eps1lon)
Fixed el.focus() to work on SVG elements. (zjffun)
Fixed removing the currently-focused element to move focus to the <body> element. (eps1lon)
Fixed imgEl.complete to return true for <img> elements with empty or unset src="" attributes. (strager)
Fixed imgEl.complete to return true if an error occurs loading the <img>, when canvas is enabled. (strager)
Fixed imgEl.complete to return false if the <img> element's src="" attribute is reset. (strager)
Fixed the valueMissing validation check for <input type="radio">. (zjffun)
Fixed translate="" and draggable="" attribute processing to use ASCII case-insensitivity, instead of Unicode case-insensitivity. (zjffun)
16.3.0
Added firing of focusin and focusout when using el.focus() and el.blur(). (trueadm)
Fixed elements with the contenteditable="" attribute to be considered as focusable. (jamieliu386)
Fixed window.NodeFilter to be per-Window, instead of shared across all Windows. (ExE-Boss)
Fixed edge-case behavior involving use of objects with handleEvent properties as event listeners. (ExE-Boss)
Fixed a second failing image load sometimes firing a load event instead of an error event, when the canvas package is installed. (strager)
Fixed drawing an empty canvas into another canvas. (zjffun)
16.2.2
Updated StyleSheetList for better spec compliance; notably it no longer inherits from Array.prototype. (ExE-Boss)
Fixed requestAnimationFrame() from preventing process exit. This likely regressed in v16.1.0.
Fixed setTimeout() to no longer leak the closures passed in to it. This likely regressed in v16.1.0. (AviVahl)
Fixed infinite recursion that could occur when calling click() on a <label> element, or one of its descendants.
Fixed getComputedStyle() to consider inline style="" attributes. (eps1lon)
Fixed several issues with <input type="number">'s stepUp() and stepDown() functions to be properly decimal-based, instead of floating point-based.
To trigger a single review, invoke the @coderabbitai review command.
You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?
Share
- [X](https://twitter.com/intent/tweet?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A&url=https%3A//coderabbit.ai)
- [Mastodon](https://mastodon.social/share?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A%20https%3A%2F%2Fcoderabbit.ai)
- [Reddit](https://www.reddit.com/submit?title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&text=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code.%20Check%20it%20out%3A%20https%3A//coderabbit.ai)
- [LinkedIn](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fcoderabbit.ai&mini=true&title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&summary=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code)
Tips
### Chat
There are 3 ways to chat with [CodeRabbit](https://coderabbit.ai):
- Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- `I pushed a fix in commit .`
- `Generate unit testing code for this file.`
- `Open a follow-up GitHub issue for this discussion.`
- Files and specific lines of code (under the "Files changed" tab): Tag `@coderabbitai` in a new review comment at the desired location with your query. Examples:
- `@coderabbitai generate unit testing code for this file.`
- `@coderabbitai modularize this function.`
- PR comments: Tag `@coderabbitai` in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- `@coderabbitai generate interesting stats about this repository and render them as a table.`
- `@coderabbitai show all the console.log statements in this repository.`
- `@coderabbitai read src/utils.ts and generate unit testing code.`
- `@coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.`
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.
### CodeRabbit Commands (invoked as PR comments)
- `@coderabbitai pause` to pause the reviews on a PR.
- `@coderabbitai resume` to resume the paused reviews.
- `@coderabbitai review` to trigger a review. This is useful when automatic reviews are disabled for the repository.
- `@coderabbitai resolve` resolve all the CodeRabbit review comments.
- `@coderabbitai help` to get help.
Additionally, you can add `@coderabbitai ignore` anywhere in the PR description to prevent this PR from being reviewed.
### CodeRabbit Configration File (`.coderabbit.yaml`)
- You can programmatically configure CodeRabbit by adding a `.coderabbit.yaml` file to the root of your repository.
- Please see the [configuration documentation](https://docs.coderabbit.ai/guides/configure-coderabbit) for more information.
- If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: `# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json`
### Documentation and Community
- Visit our [Documentation](https://coderabbit.ai/docs) for detailed information on how to use CodeRabbit.
- Join our [Discord Community](https://discord.com/invite/GsXnASn26c) to get help, request features, and share feedback.
- Follow us on [X/Twitter](https://twitter.com/coderabbitai) for updates and announcements.
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.
Take a deeper look at the dependency
Take a moment to review the security alert above. Review the linked
package source code to understand the potential risk. Ensure the package
is not malicious before proceeding. If you're unsure how to proceed, reach
out to your security team or ask the Socket team for help at support [AT]
socket [DOT] dev.
Remove the package
If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.
Mark a package as acceptable risk
To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all
Bumps the npm_and_yarn group with 51 updates in the / directory:
0.7.200.7.330.12.05.0.09.12.016.5.04.12.07.0.07.1.67.24.16.10.26.12.63.8.35.4.60.0.7removed3.8.03.11.32.6.32.6.46.24.1removed23.6.029.7.023.6.029.7.04.0.44.2.34.7.04.23.06.1.112.0.11.5.31.9.12.1.02.1.30.2.00.2.21.3.11.3.40.10.150.10.643.1.3removed2.13.33.1.12.4.22.8.91.1.51.1.92.16.02.20.63.0.0removed4.0.24.0.30.2.30.4.01.4.11.4.22.1.02.2.31.0.12.2.31.1.01.4.24.17.154.17.213.0.43.0.82.1.02.2.31.2.01.2.80.5.10.5.61.0.21.0.31.0.12.1.11.0.0-rc.31.0.0-rc.122.0.32.0.75.0.36.0.11.0.51.0.77.0.188.4.381.0.17.1.10.2.30.4.37.0.07.0.36.0.16.0.24.6.012.0.24.3.04.8.10.1.27removed2.3.22.5.2Updates
ua-parser-jsfrom 0.7.20 to 0.7.33Changelog
Sourced from ua-parser-js's changelog.
Commits
f2d0db0Bump version 0.7.33a6140a1Remove unsafe regex in trim() functiona886604Fix #605 - Identify Macintosh as Apple deviceb814bcdMerge pull request #606 from rileyjshaw/patch-17f71024Fix documentationc239ac5Merge pull request #604 from obecerra3/master8d3c2d3Add new browser: Cobaltd11fc47Bump version 0.7.32b490110Merge branch 'develop' of github.com:faisalman/ua-parser-jscb5da5eMerge pull request #600 from moekm/developUpdates
gh-pagesfrom 0.12.0 to 5.0.0Release notes
Sourced from gh-pages's releases.
... (truncated)
Changelog
Sourced from gh-pages's changelog.
... (truncated)
Commits
f729b975.0.051534c7Log changesace063bMerge pull request #438 from Vicropht/patch-158e54beMerge pull request #459 from tschaub/dependabot/npm_and_yarn/async-3.2.42189df3Bump async from 2.6.4 to 3.2.4051846eMerge pull request #454 from tschaub/dependabot/npm_and_yarn/email-addresses-...5c91c67Merge pull request #455 from tschaub/dependabot/github_actions/actions/setup-...fe0ad83Merge pull request #453 from tschaub/dependabot/github_actions/actions/checko...b89287dMerge pull request #445 from Nezteb/patch-1e890bd1Bump email-addresses from 3.0.1 to 5.0.0Updates
jsdomfrom 9.12.0 to 16.5.0Release notes
Sourced from jsdom's releases.
... (truncated)
Changelog
Sourced from jsdom's changelog.
... (truncated)
Commits
2d82763Version 16.5.09741311Fix loading of subresources with Unicode filenames5e46553Use domenic's ESLint config as the base19b35daFix the URL of about:blank iframes017568eSupport inputType on InputEvent29f4fdfUpgrade dependenciese2f7639Refactor create‑event‑accessor.js to remove code duplicationff69a75Convert JSDOM to use callback functions19df6bcUpdate links in contributing guidelines1e34ff5Test triageUpdates
node-sassfrom 4.12.0 to 7.0.0Release notes
Sourced from node-sass's releases.
... (truncated)
Changelog
Sourced from node-sass's changelog.
Commits
918dcb3Lint fix0a21792Set rejectUnauthorized to true by default (#3149)e80d4afchore: Drop EOL Node 15 (#3122)d753397feat: Add Node 17 support (#3195)dcf2e75build(deps-dev): bump eslint from 7.32.0 to 8.0.0bfa1a3cbuild(deps): bump actions/setup-node from 2.4.0 to 2.4.180d6c00chore: Windows x86 on GitHub Actions (#3041)566dc27build(deps-dev): bump fs-extra from 0.30.0 to 10.0.0 (#3102)7bb5157build(deps): bump npmlog from 4.1.2 to 5.0.0 (#3156)2efb38fbuild(deps): bump chalk from 1.1.3 to 4.1.2 (#3161)Updates
@babel/traversefrom 7.1.6 to 7.24.1Release notes
Sourced from
@babel/traverse's releases.... (truncated)
Changelog
Sourced from
@babel/traverse's changelog.... (truncated)
Commits
Unable to locate .performanceTestingBot config file
Seems you are using me but didn't get OPENAI_API_KEY seted in Variables/Secrets for this repo. you could follow readme for more information
Check out the playback for this Pull Request here.
Thanks @dependabot[bot] for opening this PR!
For COLLABORATOR only :
To add labels, comment on the issue
/label add label1,label2,label3To remove labels, comment on the issue
/label remove label1,label2,label3Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?
Share
- [X](https://twitter.com/intent/tweet?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A&url=https%3A//coderabbit.ai) - [Mastodon](https://mastodon.social/share?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A%20https%3A%2F%2Fcoderabbit.ai) - [Reddit](https://www.reddit.com/submit?title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&text=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code.%20Check%20it%20out%3A%20https%3A//coderabbit.ai) - [LinkedIn](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fcoderabbit.ai&mini=true&title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&summary=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code)Tips
### Chat There are 3 ways to chat with [CodeRabbit](https://coderabbit.ai): - Review comments: Directly reply to a review comment made by CodeRabbit. Example: - `I pushed a fix in commitNew and removed dependencies detected. Learn more about Socket for GitHub ↗︎
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000🚮 Removed packages: npm/@babel/traverse@7.6.0, npm/@mrmlnc/readdir-enhanced@2.2.1, npm/@nodelib/fs.stat@1.1.3, npm/@types/events@3.0.0, npm/@types/glob@7.1.1, npm/@types/minimatch@3.0.3, npm/@types/q@1.5.2, npm/abab@2.0.1, npm/accepts@1.3.7, npm/acorn-globals@4.3.3, npm/acorn-walk@6.2.0, npm/ajv@6.10.2, npm/alphanum-sort@1.0.2, npm/ansi-html@0.0.7, npm/append-transform@0.4.0, npm/are-we-there-yet@1.1.5, npm/arr-diff@2.0.0, npm/array-equal@1.0.0, npm/array-find-index@1.0.2, npm/array-map@0.0.0, npm/array-reduce@0.0.0, npm/array-unique@0.2.1, npm/assert-plus@0.2.0, npm/async@2.6.3, npm/aws-sign2@0.6.0, npm/babel-code-frame@6.26.0, npm/babel-generator@6.26.1, npm/babel-helpers@6.24.1, npm/babel-jest@23.6.0, npm/babel-messages@6.23.0, npm/babel-plugin-istanbul@4.1.6, npm/babel-plugin-jest-hoist@23.2.0, npm/babel-plugin-syntax-object-rest-spread@6.13.0, npm/babel-preset-jest@23.2.0, npm/babel-register@6.26.0, npm/babel-runtime@6.26.0, npm/babel-template@6.26.0, npm/babel-traverse@6.26.0, npm/babel-types@6.26.0, npm/babylon@6.18.0, npm/block-stream@0.0.9, npm/body-parser@1.19.0, npm/boom@2.10.1, npm/braces@1.8.5, npm/browser-process-hrtime@0.1.3, npm/browser-resolve@1.11.3, npm/browserify-sign@4.0.4, npm/browserslist@4.7.0, npm/bser@2.1.0, npm/cacache@10.0.4, npm/call-me-maybe@1.0.1, npm/caller-callsite@2.0.0, npm/caller-path@2.0.0, npm/camelcase-keys@2.1.0, npm/camelcase@4.1.0, npm/caniuse-lite@1.0.30000989, npm/capture-exit@1.2.0, npm/caseless@0.11.0, npm/cheerio@1.0.0-rc.3, npm/ci-info@1.6.0, npm/cliui@4.1.0, npm/coa@2.0.2, npm/collections@0.2.2, npm/color-string@1.5.3, npm/color@3.1.2, npm/compressible@2.0.17, npm/content-disposition@0.5.3, npm/content-type-parser@1.0.2, npm/content-type@1.0.4, npm/cookie@0.4.0, npm/copy-webpack-plugin@4.6.0, npm/core-js@2.6.9, npm/coveralls@2.13.3, npm/cryptiles@2.0.5, npm/css-color-names@0.0.4, npm/css-declaration-sorter@4.0.1, npm/css-loader@1.0.1, npm/css-select-base-adapter@0.1.1, npm/css-select@1.2.0, npm/css-selector-tokenizer@0.7.1, npm/css-tree@1.0.0-alpha.33, npm/css-unit-converter@1.1.1, npm/css-what@2.1.3, npm/cssesc@0.1.0, npm/cssnano-preset-default@4.0.7, npm/cssnano-util-get-arguments@4.0.0, npm/cssnano-util-get-match@4.0.0, npm/cssnano-util-raw-cache@4.0.1, npm/cssnano-util-same-parent@4.0.1, npm/cssnano@4.1.10, npm/csso@3.5.1, npm/cssom@0.3.8, npm/cssstyle@1.4.0, npm/currently-unhandled@0.4.1, npm/d@1.0.1, npm/data-urls@1.1.0, npm/decode-uri-component@0.2.0, npm/deep-equal@1.1.0, npm/default-require-extensions@1.0.0, npm/detect-indent@4.0.0, npm/detect-newline@2.1.0, npm/detect-node@2.0.4, npm/diff@3.5.0, npm/dir-glob@2.2.2, npm/dns-packet@1.3.1, npm/dom-serializer@0.1.1, npm/domelementtype@1.3.1, npm/domexception@1.0.1, npm/domhandler@2.4.2, npm/domutils@1.5.1, npm/dot-prop@4.2.0, npm/electron-to-chromium@1.3.253, npm/emojis-list@2.1.0, npm/entities@1.1.2, npm/es5-ext@0.10.51, npm/es6-set@0.1.5, npm/es6-symbol@3.1.2, npm/escodegen@1.12.0, npm/eventemitter3@3.1.2, npm/eventsource@0.1.6, npm/exec-sh@0.2.2, npm/expand-brackets@0.1.5, npm/expand-range@1.8.2, npm/expand-tilde@2.0.2, npm/expect@23.6.0, npm/express@4.17.1, npm/extglob@0.3.2, npm/fast-deep-equal@2.0.1, npm/fast-glob@2.2.7, npm/fastparse@1.1.2, npm/fb-watchman@2.0.0, npm/filename-regex@2.0.1, npm/fileset@2.0.3, npm/fill-range@2.2.4, npm/finalhandler@1.1.2, npm/follow-redirects@1.9.0, npm/for-own@0.1.5, npm/form-data@2.1.4, npm/forwarded@0.1.2, npm/fstream@1.0.12, npm/gauge@2.7.4, npm/get-caller-file@1.0.3, npm/gh-pages@0.12.0, npm/glob-base@0.3.0, npm/glob-parent@2.0.0, npm/glob-to-regexp@0.3.0, npm/global-modules@1.0.0, npm/global-prefix@1.0.2, npm/globby@7.1.1, npm/graceful-readlink@1.0.1, npm/growly@1.3.0, npm/handle-thing@2.0.0, npm/handlebars@4.2.0, npm/har-validator@2.0.6, npm/hawk@3.1.3, npm/hex-color-regex@1.1.0, npm/hoek@2.16.3, npm/home-or-tmp@2.0.0, npm/homedir-polyfill@1.0.3, npm/hosted-git-info@2.8.4, npm/hsl-regex@1.0.0, npm/hsla-regex@1.0.0, npm/html-comment-regex@1.1.2, npm/html-encoding-sniffer@1.0.2, npm/html-entities@1.2.1, npm/htmlparser2@3.10.1, npm/http-proxy@1.17.0, npm/http-signature@1.1.1, npm/icss-replace-symbols@1.1.0, npm/icss-utils@2.1.0, npm/immer@1.7.2, npm/import-local@1.0.0, npm/in-publish@2.0.0, npm/indexes-of@1.0.1, npm/ini@1.3.5, npm/invert-kv@1.0.0, npm/ip@1.1.5, npm/ipaddr.js@1.9.0, npm/is-absolute-url@2.1.0, npm/is-arguments@1.0.4, npm/is-ci@1.2.1, npm/is-color-stop@1.1.0, npm/is-directory@0.3.1, npm/is-dotfile@1.0.3, npm/is-equal-shallow@0.1.3, npm/is-extglob@1.0.0, npm/is-generator-fn@1.0.0, npm/is-glob@2.0.1, npm/is-my-ip-valid@1.0.0, npm/is-my-json-valid@2.20.0, npm/is-number@2.1.0, npm/is-obj@1.0.1, npm/is-posix-bracket@0.1.1, npm/is-primitive@2.0.0, npm/is-root@2.0.0, npm/is-svg@3.0.0, npm/is-utf8@0.2.1, npm/isobject@2.1.0, npm/istanbul-api@1.3.7, npm/istanbul-lib-coverage@1.2.1, npm/istanbul-lib-hook@1.2.2, npm/istanbul-lib-instrument@1.10.2, npm/istanbul-lib-report@1.1.5, npm/istanbul-lib-source-maps@1.2.6, npm/istanbul-reports@1.5.1, npm/jasmine-reporters@2.3.2, npm/jest-changed-files@23.4.2, npm/jest-config@23.6.0, npm/jest-diff@23.6.0, npm/jest-docblock@23.2.0, npm/jest-each@23.6.0, npm/jest-environment-jsdom@23.4.0, npm/jest-environment-node@23.4.0, npm/jest-get-type@22.4.3, npm/jest-haste-map@23.6.0, npm/jest-jasmine2@23.6.0, npm/jest-leak-detector@23.6.0, npm/jest-matcher-utils@23.6.0, npm/jest-message-util@23.4.0, npm/jest-mock@23.2.0, npm/jest-regex-util@23.3.0, npm/jest-resolve-dependencies@23.6.0, npm/jest-resolve@23.6.0, npm/jest-runner@23.6.0, npm/jest-runtime@23.6.0, npm/jest-serializer@23.0.1, npm/jest-snapshot@23.6.0, npm/jest-util@23.4.0, npm/jest-validate@23.6.0, npm/jest-watcher@23.4.0, npm/jest-worker@23.2.0, npm/jest@23.6.0, npm/js-base64@2.5.1, npm/jsdom@9.12.0, npm/json-schema@0.2.3, npm/json-stable-stringify@1.0.1, npm/json3@3.3.3, npm/json5@2.1.0, npm/jsonify@0.0.0, npm/jsonpointer@4.0.1, npm/jsprim@1.4.1, npm/kleur@2.0.2, npm/lcid@1.0.0, npm/lcov-parse@0.0.10, npm/left-pad@1.3.0, npm/leven@2.1.0, npm/load-json-file@1.1.0, npm/loader-fs-cache@1.0.2, npm/loader-utils@1.2.3, npm/lodash.sortby@4.7.0, npm/lodash@4.17.15, npm/log-driver@1.2.5, npm/loglevel@1.6.4, npm/loud-rejection@1.6.0, npm/makeerror@1.0.11, npm/map-age-cleaner@0.1.3, npm/map-obj@1.0.1, npm/math-random@1.0.4, npm/mdn-data@2.0.4, npm/mem@1.1.0, npm/meow@3.7.0, npm/merge-stream@1.0.1, npm/merge2@1.2.4, npm/micromatch@2.3.11, npm/mimeparse@0.1.4, npm/minimatch@3.0.4, npm/minimist@1.2.0, npm/mississippi@2.0.0, npm/mkdirp@0.5.1, npm/negotiator@0.6.2, npm/next-tick@1.0.0, npm/node-forge@0.8.2, npm/node-gyp@3.8.0, npm/node-notifier@5.4.3, npm/node-releases@1.1.29, npm/node-sass@4.12.0, npm/nopt@3.0.6, npm/normalize-url@3.3.0, npm/npmlog@4.1.2, npm/nth-check@1.0.2, npm/nwmatcher@1.4.4, npm/nwsapi@2.1.4, npm/oauth-sign@0.8.2, npm/object.omit@2.0.1, npm/opn@5.4.0, npm/optimist@0.6.1, npm/optimize-css-assets-webpack-plugin@5.0.3, npm/original@1.0.2, npm/os-locale@2.1.0, npm/osenv@0.1.5, npm/p-defer@1.0.0, npm/p-is-promise@2.1.0, npm/parse-glob@3.0.4, npm/parse-passwd@1.0.0, npm/parse5@3.0.3, npm/path-parse@1.0.6, npm/path-type@1.1.0, npm/pkg-up@2.0.0, npm/pn@1.1.0, npm/portfinder@1.0.24, npm/postcss-calc@7.0.1, npm/postcss-colormin@4.0.3, npm/postcss-convert-values@4.0.1, npm/postcss-discard-comments@4.0.2, npm/postcss-discard-duplicates@4.0.2, npm/postcss-discard-empty@4.0.1, npm/postcss-discard-overridden@4.0.1, npm/postcss-merge-longhand@4.0.11, npm/postcss-merge-rules@4.0.3, npm/postcss-minify-font-values@4.0.2, npm/postcss-minify-gradients@4.0.2, npm/postcss-minify-params@4.0.2, npm/postcss-minify-selectors@4.0.2, npm/postcss-modules-extract-imports@1.2.1, npm/postcss-modules-local-by-default@1.2.0, npm/postcss-modules-scope@1.1.0, npm/postcss-modules-values@1.3.0, npm/postcss-normalize-charset@4.0.1, npm/postcss-normalize-display-values@4.0.2, npm/postcss-normalize-positions@4.0.2, npm/postcss-normalize-repeat-style@4.0.2, npm/postcss-normalize-string@4.0.2, npm/postcss-normalize-timing-functions@4.0.2, npm/postcss-normalize-unicode@4.0.1, npm/postcss-normalize-url@4.0.1, npm/postcss-normalize-whitespace@4.0.2, npm/postcss-ordered-values@4.1.2, npm/postcss-reduce-initial@4.0.3, npm/postcss-reduce-transforms@4.0.2, npm/postcss-selector-parser@5.0.0, npm/postcss-svgo@4.0.2, npm/postcss-unique-selectors@4.0.1, npm/postcss-value-parser@3.3.1, npm/postcss@6.0.23, npm/preserve@0.2.0, npm/pretty-format@23.6.0, npm/prompts@0.1.14, npm/proxy-addr@2.0.5, npm/q-io@1.13.2, npm/q@1.4.1, npm/qs@6.3.2, npm/randomatic@3.1.1, npm/raw-body@2.4.0, npm/react-dev-utils@6.1.1, npm/react-error-overlay@5.1.6, npm/read-pkg-up@1.0.1, npm/read-pkg@1.1.0, npm/realpath-native@1.1.0, npm/recursive-readdir@2.1.0, npm/redent@1.0.0, npm/regenerator-runtime@0.11.1, npm/regex-cache@0.4.4, npm/regexp.prototype.flags@1.2.0, npm/renderkid@2.0.3, npm/request-promise-core@1.1.2, npm/request-promise-native@1.0.7, npm/request@2.79.0, npm/require-main-filename@1.0.1, npm/resolve-dir@1.0.1, npm/rgb-regex@1.0.1, npm/rgba-regex@1.0.0, npm/rsvp@3.6.2, npm/sane@2.5.2, npm/sass-graph@2.2.4, npm/sax@1.2.4, npm/scss-tokenizer@0.2.3, npm/selfsigned@1.10.6
View full report↗︎
🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎
To accept the risk, merge this PR and you will not be notified again.
node -e "try{require('./_postinstall')}catch(e){}" || exit 0package-lock.jsonView full report↗︎
Next steps
What is an install script?
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.
Take a deeper look at the dependency
Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.
Remove the package
If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.
Mark a package as acceptable risk
To ignore an alert, reply with a comment starting with
@SocketSecurity ignorefollowed by a space separated list ofecosystem/package-name@versionspecifiers. e.g.@SocketSecurity ignore npm/foo@1.0.0or ignore all packages with@SocketSecurity ignore-all@SocketSecurity ignore npm/es5-ext@0.10.64