chore(deps): update dependency npm to 8.11.0 [security] - autoclosed

[renovate[bot]]

This PR contains the following updates:

Package	Change
npm	7.24.2 -> 8.11.0

GitHub Vulnerability Alerts

CVE-2022-29244

Impact

npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.

Patch

• Upgrade to the latest, patched version of npm (v8.11.0 or greater), run: npm i -g npm@latest
• Node.js versions v16.15.1, v17.19.1 & v18.3.0 include the patched v8.11.0 version of npm

Steps to take to see if you're impacted

1. Run npm publish --dry-run or npm pack with an npm version >=7.9.0 & <8.11.0 inside the project's root directory using a workspace flag like: --workspaces or --workspace=<name> (ex. npm pack --workspace=foo)
2. Check the output in your terminal which will list the package contents (note: tar -tvf <package-on-disk> also works)
3. If you find that there are files included you did not expect, you should: 3.1. Create & publish a new release excluding those files (ref. "Keeping files out of your Package") 3.2. Deprecate the old package (ex. npm deprecate <pkg>[@&#8203;<version>] <message>) 3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed

References

• CVE-2022-29244
• npm-packlist
• libnpmpack
• libnpmpublish

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate[bot]]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

real    0m17.506s
user    0m15.070s
sys 0m2.132s
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: @sonia-corporation/rpg-character@1.0.0
npm WARN Found: semantic-release@17.4.7
npm WARN node_modules/semantic-release
npm WARN   dev semantic-release@"19.0.0" from the root project
npm WARN   6 more (@semantic-release/changelog, ...)
npm WARN 
npm WARN Could not resolve dependency:
npm WARN peer semantic-release@">=15.8.0 <18.0.0" from @semantic-release/changelog@5.0.1
npm WARN node_modules/@semantic-release/changelog
npm WARN   dev @semantic-release/changelog@"5.0.1" from the root project
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: @sonia-corporation/rpg-character@1.0.0
npm WARN Found: semantic-release@17.4.7
npm WARN node_modules/semantic-release
npm WARN   dev semantic-release@"19.0.0" from the root project
npm WARN   6 more (@semantic-release/changelog, ...)
npm WARN 
npm WARN Could not resolve dependency:
npm WARN peer semantic-release@">=16.0.0 <18.0.0" from @semantic-release/git@9.0.1
npm WARN node_modules/@semantic-release/git
npm WARN   dev @semantic-release/git@"9.0.1" from the root project
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: @sonia-corporation/rpg-character@1.0.0
npm WARN Found: semantic-release@17.4.7
npm WARN node_modules/semantic-release
npm WARN   dev semantic-release@"19.0.0" from the root project
npm WARN   6 more (@semantic-release/changelog, ...)
npm WARN 
npm WARN Could not resolve dependency:
npm WARN peer semantic-release@">=16.0.0 <18.0.0" from @semantic-release/github@7.2.3
npm WARN node_modules/@semantic-release/github
npm WARN   dev @semantic-release/github@"7.2.3" from the root project
npm WARN   1 more (semantic-release)
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR! 
npm ERR! While resolving: @sonia-corporation/rpg-character@1.0.0
npm ERR! Found: semantic-release@19.0.0
npm ERR! node_modules/semantic-release
npm ERR!   dev semantic-release@"19.0.0" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer semantic-release@">=16.0.0 <18.0.0" from @semantic-release/github@7.2.3
npm ERR! node_modules/@semantic-release/github
npm ERR!   dev @semantic-release/github@"7.2.3" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /tmp/renovate-cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate-cache/others/npm/_logs/2022-06-18T14_17_50_644Z-debug.log