github-actions[bot]
commented
1 week ago Dependency Review
✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
OpenSSF Scorecard
| Package | Version | Score | Details |
|---|
Scanned Manifest Files
package-lock.json
- tar@6.2.0
- @npmcli/agent@2.2.2
- @npmcli/arborist@7.5.3
- @npmcli/config@8.3.3
- @npmcli/fs@3.1.1
- @npmcli/git@5.0.7
- @npmcli/installed-package-contents@2.1.0
- @npmcli/map-workspaces@3.0.6
- @npmcli/metavuln-calculator@7.1.1
- @npmcli/package-json@5.1.1
- @npmcli/promise-spawn@7.0.2
- @npmcli/redact@2.0.0
- @npmcli/run-script@8.1.0
- @sigstore/bundle@2.3.2
- @sigstore/core@1.1.0
- @sigstore/protobuf-specs@0.3.2
- @sigstore/sign@2.3.2
- @sigstore/tuf@2.3.4
- @sigstore/verify@1.2.1
- @tufjs/models@2.0.1
- agent-base@7.1.1
- bin-links@4.0.4
- binary-extensions@2.3.0
- cacache@18.0.3
- cidr-regex@4.1.1
- cmd-shim@6.0.3
- glob@10.4.1
- hosted-git-info@7.0.2
- ignore-walk@6.0.5
- ini@4.1.3
- init-package-json@6.0.3
- is-cidr@5.1.0
- jackspeak@3.1.2
- json-parse-even-better-errors@3.0.2
- libnpmaccess@8.0.6
- libnpmdiff@6.1.3
- libnpmexec@8.1.2
- libnpmfund@5.0.11
- libnpmhook@10.0.5
- libnpmorg@6.0.6
- libnpmpack@7.0.3
- libnpmpublish@9.0.9
- libnpmsearch@7.0.6
- libnpmteam@6.0.5
- libnpmversion@6.0.3
- lru-cache@10.2.2
- make-fetch-happen@13.0.1
- minipass@7.1.2
- minipass-fetch@3.0.5
- node-gyp@10.1.0
- nopt@7.2.1
- normalize-package-data@6.0.1
- npm@10.8.1
- npm-bundled@3.0.1
- npm-package-arg@11.0.2
- npm-pick-manifest@9.0.1
- npm-profile@10.0.0
- npm-registry-fetch@17.0.1
- npm-user-validate@2.0.1
- pacote@18.0.6
- path-scurry@1.11.1
- postcss-selector-parser@6.1.0
- proc-log@4.2.0
- proggy@2.0.0
- promzard@1.0.2
- read@3.0.1
- semver@7.6.2
- sigstore@2.3.1
- socks@2.8.3
- socks-proxy-agent@8.0.3
- spdx-expression-parse@4.0.0
- spdx-license-ids@3.0.18
- ssri@10.0.6
- tar@6.2.1
- tuf-js@2.2.1
- validate-npm-package-name@5.0.1
- @npmcli/agent@2.2.1
- @npmcli/arborist@7.4.0
- @npmcli/config@8.2.0
- @npmcli/disparity-colors@3.0.0
- @npmcli/fs@3.1.0
- @npmcli/git@5.0.4
- @npmcli/installed-package-contents@2.0.2
- @npmcli/map-workspaces@3.0.4
- @npmcli/metavuln-calculator@7.0.0
- @npmcli/package-json@5.0.0
- @npmcli/promise-spawn@7.0.1
- @npmcli/run-script@7.0.4
- @sigstore/bundle@2.2.0
- @sigstore/core@1.0.0
- @sigstore/protobuf-specs@0.3.0
- @sigstore/sign@2.2.3
- @sigstore/tuf@2.3.1
- @sigstore/verify@1.1.0
- @tufjs/models@2.0.0
- are-we-there-yet@4.0.2
- bin-links@4.0.3
- binary-extensions@2.2.0
- builtins@5.0.1
- cacache@18.0.2
- cidr-regex@4.0.3
- clone@1.0.4
- cmd-shim@6.0.2
- color-support@1.1.3
- columnify@1.6.0
- console-control-strings@1.1.0
- defaults@1.0.4
- gauge@5.0.1
- has-unicode@2.0.1
- hasown@2.0.1
- ignore-walk@6.0.4
- ini@4.1.1
- init-package-json@6.0.0
- is-cidr@5.0.3
- json-parse-even-better-errors@3.0.1
- libnpmaccess@8.0.2
- libnpmdiff@6.0.7
- libnpmexec@7.0.8
- libnpmfund@5.0.5
- libnpmhook@10.0.1
- libnpmorg@6.0.2
- libnpmpack@6.0.7
- libnpmpublish@9.0.4
- libnpmsearch@7.0.1
- libnpmteam@6.0.1
- libnpmversion@5.0.2
- make-fetch-happen@13.0.0
- minipass-fetch@3.0.4
- node-gyp@10.0.1
- nopt@7.2.0
- npm@10.5.0
- npm-bundled@3.0.0
- npm-package-arg@11.0.1
- npm-pick-manifest@9.0.0
- npm-profile@9.0.0
- npm-registry-fetch@16.1.0
- npm-user-validate@2.0.0
- npmlog@7.0.1
- pacote@17.0.6
- promzard@1.0.0
- read@2.1.0
- read-package-json@7.0.0
- set-blocking@2.0.0
- sigstore@2.2.2
- socks@2.8.0
- socks-proxy-agent@8.0.2
- ssri@10.0.5
- tuf-js@2.2.0
- validate-npm-package-name@5.0.0
- wcwidth@1.0.1
- wide-align@1.1.5
Removes tar. It's no longer used after updating ancestor dependency npm. These dependencies need to be updated together.
Removes
tarUpdates
npmfrom 10.5.0 to 10.8.1Changelog
Sourced from npm's changelog.
... (truncated)
Commits
6109960chore: release 10.8.16b55646fix(exec): look in workspace and root for bin entries (#7569)4a36d78chore: fix linting in arborist debugger2d84091chore: fix snapshots for updated@npmcli/package-jsone3f0fd4deps:@npmcli/package-json@5.1.14b57b95chore: fix linting in mock registry6574dc9chore: dev dependency updates447a8d7deps: spdx-license-ids@3.0.1883fed2edeps: sigstore@2.3.141291badeps:@sigstore/tuf@2.3.4Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show