Closed renovate[bot] closed 6 months ago
renovate[bot]
commented
1 year ago This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.
changelogg[bot]
commented
1 year ago Hey! Changelogs info seems to be missing or might be in incorrect format. Please use the below template in PR description to ensure Changelogg can detect your changes:
- (tag) changelog_textor
```
- tag: changelog_text
```
**OR**
You can add tag in PR header or while doing a commit too
```
(tag) PR header
```
or
```
tag: PR header
```
Valid tags: **added** / **feat**, **changed**, **deprecated**, **fixed** / **fix**, **removed**, **security**, **build**, **ci**, **chore**, **docs**, **perf**, **refactor**, **revert**, **style**, **test**
Thanks!
For more info, check out [changelogg docs](https://docs.changelogg.io/)
viezly[bot]
commented
1 year ago Pull request by bot. No need to analyze
github-actions[bot]
commented
1 year ago Thanks for opening an issue! Make sure you've followed CONTRIBUTING.md.
github-actions[bot]
commented
1 year ago Is your PR ready for review and processing? Mark the PR ready by including #pr-ready in a comment.
If you still have work to do, even after marking this ready. Put the PR on hold by including #pr-onhold in a comment.
github-actions[bot]
commented
1 year ago Thanks for the PR!
This section of the codebase is owner by https://github.com/AlexRogalskiy/ - if they write a comment saying "LGTM" then it will be merged.
socket-security[bot]
commented
1 year ago New dependency changes detected. Learn more about Socket for GitHub ↗︎
👍 No new dependency issues detected in pull request
To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all
| Issue | Status |
|---|---|
| Install scripts | ✅ 0 issues |
| Native code | ✅ 0 issues |
| Bin script shell injection | ✅ 0 issues |
| Unresolved require | ✅ 0 issues |
| Invalid package.json | ✅ 0 issues |
| HTTP dependency | ✅ 0 issues |
| Git dependency | ✅ 0 issues |
| Potential typo squat | ✅ 0 issues |
| Known Malware | ✅ 0 issues |
| Telemetry | ✅ 0 issues |
| Protestware/Troll package | ✅ 0 issues |
📊 Modified Dependency Overview:
| ➕ Added Package | Capability Access | +/- Transitive Count |
Publisher |
|---|---|---|---|
| @xmldom/xmldom@0.7.9 | None | +0 |
karfau |
🚮 Removed packages: xmldom@0.6.0
This PR contains the following updates:
^0.6.0->^0.7.5GitHub Vulnerability Alerts
CVE-2021-32796
Impact
xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications.
Patches
Update to one of the fixed versions of
@xmldom/xmldom(>=0.7.0)See issue #271 for the status of publishing
xmldomto npm or join #270 for Q&A/discussion until it's resolved.Workarounds
Downstream applications can validate the input and reject the maliciously crafted documents.
References
Similar to this one reported on the Go standard library:
For more information
If you have any questions or comments about this advisory:
xmldom/xmldomnpm owner ls @​xmldom/xmldomThis is a special PR that replaces
xmldomwith the community suggested minimal stable replacement version.Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Moscow, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.