Closed dependabot[bot] closed 3 years ago
@dependabot merge
2021年9月2日(木) 10:19 dependabot[bot] @.***>:
This automated pull request fixes a security vulnerability https://github.com/JXA-userland/JXA/security/dependabot/yarn.lock/tar/open (high severity).
Learn more about Dependabot security updates https://docs.github.com/github/managing-security-vulnerabilities/configuring-dependabot-security-updates.
Bumps tar https://github.com/npm/node-tar from 4.4.15 to 4.4.19. Commits
- 9a6faa0 https://github.com/npm/node-tar/commit/9a6faa017ca90538840f3ae2ccdb4550ac3f4dcf 4.4.19
- 70ef812 https://github.com/npm/node-tar/commit/70ef812593184cc54ea1bc74c5dae2d22995002d drop dirCache for symlink on all platforms
- 3e35515 https://github.com/npm/node-tar/commit/3e35515c09da615ac268254bed85fe43ee71e2f0 4.4.18
- 52b09e3 https://github.com/npm/node-tar/commit/52b09e309bcae0c741a7eb79a17ef36e7828b946 fix: prevent path escape using drive-relative paths
- bb93ba2 https://github.com/npm/node-tar/commit/bb93ba243746f705092905da1955ac3b0509ba1e fix: reserve paths properly for unicode, windows
- 2f1bca0 https://github.com/npm/node-tar/commit/2f1bca027286c23e110b8dfc7efc10756fa3db5a fix: prune dirCache properly for unicode, windows
- 9bf70a8 https://github.com/npm/node-tar/commit/9bf70a8cf725c3af5fe2270f1e5d2e06d1559b93 4.4.17
- 6aafff0 https://github.com/npm/node-tar/commit/6aafff0a8621ba9509b63654bde28762be373d58 fix: skip extract if linkpath is stripped entirely
- 5c5059a https://github.com/npm/node-tar/commit/5c5059a69c2aaaedfe4e9766e102ae9fb79e8255 fix: reserve paths case-insensitively
- fd6accb https://github.com/npm/node-tar/commit/fd6accba697070560f301604b8f5f7e2995a2a8b 4.4.16
- Additional commits viewable in compare view https://github.com/npm/node-tar/compare/v4.4.15...v4.4.19
[image: Dependabot compatibility score] https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page https://github.com/JXA-userland/JXA/network/alerts.
You can view, comment on, or merge this pull request online at:
https://github.com/JXA-userland/JXA/pull/43 Commit Summary
- chore(deps): bump tar from 4.4.15 to 4.4.19
File Changes
- M yarn.lock https://github.com/JXA-userland/JXA/pull/43/files#diff-51e4f558fae534656963876761c95b83b6ef5da5103c4adef6768219ed76c2de (34)
Patch Links:
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/JXA-userland/JXA/pull/43, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAAE2ARR2RCCKRQP5RIZVKLT73GKPANCNFSM5DHZDPSA .
Bumps tar from 4.4.15 to 4.4.19.
Commits
9a6faa0
4.4.1970ef812
drop dirCache for symlink on all platforms3e35515
4.4.1852b09e3
fix: prevent path escape using drive-relative pathsbb93ba2
fix: reserve paths properly for unicode, windows2f1bca0
fix: prune dirCache properly for unicode, windows9bf70a8
4.4.176aafff0
fix: skip extract if linkpath is stripped entirely5c5059a
fix: reserve paths case-insensitivelyfd6accb
4.4.16Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot will merge this PR once CI passes on it, as requested by @azu.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/JXA-userland/JXA/network/alerts).