Audit NPM, Yarn, PNPM, and Bun dependencies in continuous integration environments, preventing integration if vulnerabilities are found at or above a configurable threshold while ignoring allowlisted advisories
Apache License 2.0
265
stars
43
forks
source link
chore(deps): bump follow-redirects, axios and github-build in /test/npm-allowlisted-path #329
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/IBM/audit-ci/network/alerts).
Bumps follow-redirects to 1.15.6 and updates ancestor dependencies follow-redirects, axios and github-build. These dependencies need to be updated together.
Updates
follow-redirects
from 1.0.0 to 1.15.6Release notes
Sourced from follow-redirects's releases.
... (truncated)
Commits
35a517c
Release version 1.15.6 of the npm package.c4f847f
Drop Proxy-Authorization across hosts.8526b4a
Use GitHub for disclosure.b1677ce
Release version 1.15.5 of the npm package.d8914f7
Preserve fragment in responseUrl.6585820
Release version 1.15.4 of the npm package.7a6567e
Disallow bracketed hostnames.05629af
Prefer native URL instead of deprecated url.parse.1cba8e8
Prefer native URL instead of legacy url.resolve.72bc2a4
Simplify _processResponse error handling.Updates
axios
from 0.15.3 to 1.6.7Release notes
Sourced from axios's releases.
... (truncated)
Changelog
Sourced from axios's changelog.
... (truncated)
Commits
a52e4d9
chore(release): v1.6.7 (#6204)2b69888
chore: remove unnecessary check (#6186)1a08f90
fix: capture async stack only for rejections with native error objects; (#6203)104aa3f
chore(release): v1.6.6 (#6199)a1938ff
fix: fixed missed dispatchBeforeRedirect argument (#5778)123f354
fix: wrap errors to improve async stack trace (#5987)6d4c421
chore(release): v1.6.5 (#6177)0736f95
fix(ci): refactor notify action as a job of publish action; (#6176)f4f2b03
fix(dns): fixed lookup error handling; (#6175)1f73dcb
docs: update sponsor linksMaintainer changes
This version was pushed to npm by jasonsaayman, a new releaser for axios since your current version.
Updates
github-build
from 1.2.0 to 1.2.4Release notes
Sourced from github-build's releases.
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show