antongolub / yarn-audit-fix

The missing `yarn audit fix`
MIT License
179 stars 8 forks

chore(deps): update dependency npm to v8.11.0 [security] #252

Closed renovate[bot] closed 2 years ago

renovate[bot] commented 2 years ago

Mend Renovate

This PR contains the following updates:

| Package | Change |
| --- | --- |
| npm (source) | `8.9.0` -> `8.11.0` |

GitHub Vulnerability Alerts

CVE-2022-29244

Impact

npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish inside a workspace, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.

Patch

Steps to take to see if you're impacted

  1. Run npm publish --dry-run or npm pack with an npm version >=7.9.0 & <8.11.0 inside the project's root directory using a workspace flag like: --workspaces or --workspace=<name> (ex. npm pack --workspace=foo)
  2. Check the output in your terminal which will list the package contents (note: tar -tvf <package-on-disk> also works)
  3. If you find that there are files included you did not expect, you should:
     3.1. Create & publish a new release excluding those files (ref. "Keeping files out of your Package")
     3.2. Deprecate the old package (ex. npm deprecate <pkg>[@<version>] <message>)
     3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed

References


Release Notes

npm/cli

### [`v8.11.0`](https://togithub.com/npm/cli/blob/HEAD/CHANGELOG.md#v8110-2022-05-25)

[Compare Source](https://togithub.com/npm/cli/compare/v8.10.0...v8.11.0)

##### Features

- [`8898710`](https://togithub.com/npm/cli/commit/8898710220a3d84b0a9ea2a6d9cf880e50b94c9e) [#4879](https://togithub.com/npm/cli/pull/4879) feat: deprecated set-script, birthday, --global, and --local ([@fritzy](https://togithub.com/fritzy))
- [`7307c8d`](https://togithub.com/npm/cli/commit/7307c8de388cd14c96c42d70b7e567ec343ad084) [#4940](https://togithub.com/npm/cli/pull/4940) feat(libnpmpack): bump pacote for better workspace awareness ([@nlf](https://togithub.com/nlf))

##### Bug Fixes

- [`400c80f`](https://togithub.com/npm/cli/commit/400c80f570228a2c0ffe09d6564cc88dc2f356c3) [#4913](https://togithub.com/npm/cli/pull/4913) fix(ci): remove node_modules post-validation ([@wraithgar](https://togithub.com/wraithgar))
- [`124df81`](https://togithub.com/npm/cli/commit/124df81391ea5810b29d2af9500ed597f076d597) [#4910](https://togithub.com/npm/cli/pull/4910) fix: clean up npm cache tests ([@wraithgar](https://togithub.com/wraithgar))
- [`ee3308a`](https://togithub.com/npm/cli/commit/ee3308a7a08799ec7e86237165ebaf278d9a4f9f) fix: remove dead code from get-identity ([@wraithgar](https://togithub.com/wraithgar))
- [`357b0af`](https://togithub.com/npm/cli/commit/357b0af2af2b07a58d2d837043d1d77c9495d8b5) [#4917](https://togithub.com/npm/cli/pull/4917) fix: pass prefix and workspaces to libnpmpack ([@nlf](https://togithub.com/nlf))
- [`0f89e07`](https://togithub.com/npm/cli/commit/0f89e0750f2ac9b5b4794b5718d047b5286283c8) [#4935](https://togithub.com/npm/cli/pull/4935) fix: add global getter to npm class ([@nlf](https://togithub.com/nlf))

##### Documentation

- [`83ed8d0`](https://togithub.com/npm/cli/commit/83ed8d0d4fb51716fa58608fa3c1ee8eb0a93571) [#4922](https://togithub.com/npm/cli/pull/4922) docs: update roadmap link in readme ([@OmriBarZik](https://togithub.com/OmriBarZik))
- [`ed054d4`](https://togithub.com/npm/cli/commit/ed054d477093be3da96968d217c244cf2efd3ef1) [#4933](https://togithub.com/npm/cli/pull/4933) docs: fix broken link in changelog ([@yonran](https://togithub.com/yonran))

##### Dependencies

- [`632ce87`](https://togithub.com/npm/cli/commit/632ce87bbd23707cba2c49b95d5db755b3d68638) [#4915](https://togithub.com/npm/cli/pull/4915) deps: `cacache@16.1.0`
- [`7b2b77a`](https://togithub.com/npm/cli/commit/7b2b77adca730e516c1b187092374a01de7f0f56) [#4915](https://togithub.com/npm/cli/pull/4915) deps: `make-fetch-happen@10.1.5`
- [`f3b0a24`](https://togithub.com/npm/cli/commit/f3b0a2407c7e213b1660ef7024c861dcb0eacb50) [#4915](https://togithub.com/npm/cli/pull/4915) deps: `pacote@13.4.1`
- [`0df3011`](https://togithub.com/npm/cli/commit/0df3011ec59ba76c12fb8fbfb29ff4d601cc4bdb) [#4915](https://togithub.com/npm/cli/pull/4915) deps: `ssri@9.0.1`
- [`dc38ab9`](https://togithub.com/npm/cli/commit/dc38ab96fca99069449e6c5e492062b94a1264b6) [#4919](https://togithub.com/npm/cli/pull/4919) deps: `npm-packlist@5.0.4`
- [`353e2f9`](https://togithub.com/npm/cli/commit/353e2f9dc60a5d319d4105822a9e0b2ddbf82bc0) [#4940](https://togithub.com/npm/cli/pull/4940) deps: `pacote@13.5.0 npm-packlist@5.1.0`
- [`f4d4126`](https://togithub.com/npm/cli/commit/f4d41265931c3c2eee433e27f4535c7a209e69fa) [#4941](https://togithub.com/npm/cli/pull/4941) deps: `libnpmpack@4.1.0`

### [`v8.10.0`](https://togithub.com/npm/cli/blob/HEAD/CHANGELOG.md#v8100-2022-05-11)

[Compare Source](https://togithub.com/npm/cli/compare/v8.9.0...v8.10.0)

##### Features

- [`911f55d`](https://togithub.com/npm/cli/commit/911f55dc6ac3672f48740d0675f67c934c01aaf4) [#4864](https://togithub.com/npm/cli/pull/4864) feat: add --iwr alias for --include-workspace-root ([@fritzy](https://togithub.com/fritzy))
- [`bfb8bcc`](https://togithub.com/npm/cli/commit/bfb8bccbe83753e527b43c8a3889696087dbe8f1) [#4874](https://togithub.com/npm/cli/pull/4874) feat: add flag --omit-lockfile-registry-resolved ([@fritzy](https://togithub.com/fritzy)) ([Caleb ツ Everett](mailto:calebev@amazon.com))

##### Bug Fixes

- [`48d2db6`](https://togithub.com/npm/cli/commit/48d2db6037487fd782f67bbcd2cf12e009ece17b) [#4862](https://togithub.com/npm/cli/pull/4862) fix: remove test coverage map ([@wraithgar](https://togithub.com/wraithgar))
- [`38cf29a`](https://togithub.com/npm/cli/commit/38cf29a0054544c575b6bce953f1d433dbb6a3b5) [#4868](https://togithub.com/npm/cli/pull/4868) fix: cleanup star/unstar ([@wraithgar](https://togithub.com/wraithgar))
- [`5baa4a7`](https://togithub.com/npm/cli/commit/5baa4a7c64319485604982f9060702a7cee8a85c) [#4857](https://togithub.com/npm/cli/pull/4857) fix: consolidate bugs, docs, repo command logic ([@wraithgar](https://togithub.com/wraithgar))
- [`5a50762`](https://togithub.com/npm/cli/commit/5a50762faa37ae5964ae6f12595b20b367056c0a) [#4875](https://togithub.com/npm/cli/pull/4875) fix(arborist): link deps lifecycle scripts ([@ruyadorno](https://togithub.com/ruyadorno))

##### Dependencies

- [`d58bf40`](https://togithub.com/npm/cli/commit/d58bf40abf7c3ff8ae400f50e5e5a19c33138707) [#4856](https://togithub.com/npm/cli/pull/4856) deps: `npm-packlist@5.0.3`
- [`86f443e`](https://togithub.com/npm/cli/commit/86f443e97aa58c1a06b8eb6f523656274234bb71) [#4872](https://togithub.com/npm/cli/pull/4872) deps: `make-fetch-happen@10.1.3`
- [`f9984e6`](https://togithub.com/npm/cli/commit/f9984e64e714937fa69f14850a1d3ed7ccfc934c) [#4880](https://togithub.com/npm/cli/pull/4880) deps: `@npmcli/arborist@5.2.0`
- [`ba59915`](https://togithub.com/npm/cli/commit/ba599154dc8ea9f424410fb7dc382d5829215920) [#4881](https://togithub.com/npm/cli/pull/4881) deps: `socks-proxy-agent@6.2.0`
- [`c0806ba`](https://togithub.com/npm/cli/commit/c0806ba2b325456199069b245446c8a86e7feae2) [#4881](https://togithub.com/npm/cli/pull/4881) deps: `http-proxy-agent@5.0.1`
- [`cc7be6b`](https://togithub.com/npm/cli/commit/cc7be6b8b63a7314066e8763589a57e5a6e77d30) [#4881](https://togithub.com/npm/cli/pull/4881) deps: `is-core-module@2.9.0`
- [`0432c7d`](https://togithub.com/npm/cli/commit/0432c7d8a22ddbfdf238c2b22dd3c7bd263e2d6c) [#4881](https://togithub.com/npm/cli/pull/4881) deps: `lru-cache@7.9.0`
- [`5778820`](https://togithub.com/npm/cli/commit/57788204646a6aa5a384630a5640bf00efa25ce0) [#4881](https://togithub.com/npm/cli/pull/4881) deps: `just-diff@5.0.2`
- [`893dd00`](https://togithub.com/npm/cli/commit/893dd0066e2315f0d9937fe05879957e1446b755) [#4881](https://togithub.com/npm/cli/pull/4881) deps: `ip@1.1.8`
- [`6ab85bd`](https://togithub.com/npm/cli/commit/6ab85bd5df88ade023f7e4895d07a39228d23a33) [#4881](https://togithub.com/npm/cli/pull/4881) deps: `builtins@5.0.1`

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
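Step 2 of the advisory quoted in the PR body above lists the tarball and leaves the reader to eyeball it for files that should not be there. As an added example that is not part of this PR, of yarn-audit-fix or of npm, the POSIX shell script below automates that review: it lists a `.tgz` the way `tar -tvf` does in step 2 and greps the member paths against a denylist of secret-bearing names (`.env`, `.npmrc`, private keys, `.git/`). The denylist, the script name `audit-pack.sh` and the constructed sample package with a leaked `.env` and `.npmrc` are assumptions for illustration, not anything taken from the advisory or the project.

```shell
#!/bin/sh
# Added example (not part of yarn-audit-fix, npm, or this PR): audit a tarball
# produced by `npm pack` for files that should never be published. The
# denylist and the sample file names below are assumptions for illustration.
set -eu

# Paths inside an npm tarball are prefixed with "package/", so every pattern
# is anchored at a path separator or at the end of the name (POSIX ERE).
SENSITIVE_PATTERNS='(^|/)\.env(\.|$)|(^|/)\.npmrc$|(^|/)\.git/|\.pem$|\.key$|(^|/)id_(rsa|ed25519)$|(^|/)\.aws/|\.p12$|\.pfx$'

# One path per line: the same listing step 2 of the advisory gets from
# `tar -tvf`, minus the size/date columns so it is easy to grep.
list_tarball() {
  tar -tzf "$1"
}

# Print every member that matches the denylist. Exit status 0 means the
# tarball looks clean; 1 means something matched, so a CI job can gate on it.
audit_tarball() {
  hits=$(list_tarball "$1" | grep -E "$SENSITIVE_PATTERNS" || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# Constructed sample: a fake "package/" tree laid out like an npm tarball,
# with a leaked .env and .npmrc next to legitimate files. Prints the tgz path.
make_sample_tarball() {
  dir=$(mktemp -d)
  mkdir -p "$dir/package/lib"
  printf '{"name":"sample","version":"1.0.0"}\n' > "$dir/package/package.json"
  printf 'module.exports = 1;\n' > "$dir/package/lib/index.js"
  printf 'DB_PASSWORD=example-only\n' > "$dir/package/.env"
  printf '//registry.npmjs.org/:_authToken=example-only\n' > "$dir/package/.npmrc"
  (cd "$dir" && tar -czf sample-1.0.0.tgz package)
  printf '%s\n' "$dir/sample-1.0.0.tgz"
}

# Usage: sh audit-pack.sh path/to/pkg-1.0.0.tgz
# With no argument, audit the constructed sample (expected: package/.env and
# package/.npmrc are reported and the audit fails).
if [ -n "${1:-}" ]; then
  audit_tarball "$1"
else
  audit_tarball "$(make_sample_tarball)" || echo "unexpected files found (see above)"
fi
```

To run it against a real package, produce the tarball with the affected invocation first (for example `npm pack --workspace=foo` from the repository root) and pass the resulting `.tgz`; a non-zero exit means step 3 of the advisory applies. The denylist is a starting point to tune per project; the point of checking the artifact rather than the ignore files is that, on the affected npm versions, a root-level `.npmignore` is not honoured in workspace mode, so only the packed tarball tells you what would actually be published.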

sonarcloud[bot] commented 2 years ago

Kudos, SonarCloud Quality Gate passed!

- Bugs: 0 (A)
- Vulnerabilities: 0 (A)
- Security Hotspots: 0 (A)
- Code Smells: 0 (A)

- No Coverage information
- No Duplication information

antongolub commented 2 years ago

:tada: This PR is included in version 9.3.2 :tada:

The release is available on:

Your semantic-release bot :package::rocket: