City-of-Helsinki / servicemap

UI components for the Service Map of the Helsinki Metropolitan Area
GNU Affero General Public License v3.0

[Snyk] Upgrade bower from 1.8.4 to 1.8.12 #633

Open snyk-bot opened 3 years ago

snyk-bot commented 3 years ago

Snyk has created this PR to upgrade bower from 1.8.4 to 1.8.12.

:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


The recommended version fixes:

Severity | Issue | Priority Score (*) | Exploit Maturity
 | Arbitrary File Write via Archive Extraction (Zip Slip), SNYK-JS-BOWER-73627 | 614/1000 (Why? Has a fix available, CVSS 8) | No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: bower
  • 1.8.12 - 2021-01-18
    • Properly bundle all dependencies of Bower within package
  • 1.8.11 - 2021-01-18

    Bump to 1.8.11

  • 1.8.10 - 2021-01-14
    • Security fixes for tar-fs dependency #2576
    • Security fixes for handlebars dependency #2586
    • Security fixes for ini dependency #2589
  • 1.8.9 - 2021-01-14
  • 1.8.8 - 2019-01-23

    Fix security issue connected to extracting .tar.gz archives

    This bug allows writing an arbitrary file on the filesystem when Bower extracts a malicious package

    Needless to say, please upgrade

  • 1.8.7 - 2019-01-17

    Fixes side effect of fix from v1.8.6 that caused improper permissions for extracted folders

    #2532

  • 1.8.6 - 2019-01-17

    Fix Zip Slip Vulnerability of decompress-zip package: https://snyk.io/research/zip-slip-vulnerability

    Note: v1.8.5 has been unpublished because of missing files

  • 1.8.4 - 2018-03-28
    • Fixes release 1.8.3 by publishing with npm@3 instead of npm@5 (to include lib/node_modules)
from bower GitHub release notes

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs