apache / cordova-cli

Apache Cordova CLI
Apache License 2.0

chore(deps): bump systeminformation from 5.17.12 to 5.21.7 #627

Closed dependabot[bot] closed 11 months ago

dependabot[bot] commented 1 year ago

Bumps systeminformation from 5.17.12 to 5.21.7.

Changelog

Sourced from systeminformation's changelog.

Changelog

Major Changes - Version 5

New Functions

  • audio() detailed audio information
  • bluetoothDevices() detailed information detected bluetooth devices
  • dockerImages() detailed information docker images
  • dockerVolumes() detailed information docker volumes
  • printers() detailed printer information
  • usb() detailed USB information
  • wifiInterfaces() detected Wi-Fi interfaces
  • wifiConnections() active Wi-Fi connections

Breaking Changes

Be aware that the new version 5.x is NOT fully backward compatible with version 4.x ...

We had to make several interface changes to keep systeminformation as consistent as possible. We highly recommend going through the complete list and adapting your own code so that it is compatible with the new version 5 again.

| Function | Old | New (V5) | Comments |
| --- | --- | --- | --- |
| unsupported values | -1 | null | values which are unknown or unsupported on platform |
| battery() | hasbattery, cyclecount, ischarging, designedcapacity, maxcapacity, acconnected, timeremaining | hasBattery, cycleCount, isCharging, designedCapacity, maxCapacity, acConnected, timeRemaining | pascalCase conformity |
| blockDevices() | fstype | fsType | pascalCase conformity |
| cpu() | speedmin, speedmax | speedMin, speedMax | pascalCase conformity |
| cpu().speed, cpu().speedMin, cpu().speedMax | string values | now returning numerical values | better value handling |
| cpuCurrentspeed() | | cpuCurrentSpeed() | function name changed, pascalCase conformity |
| currentLoad() | avgload, currentload, currentload_user, currentload_system, currentload_nice, currentload_idle, currentload_irq, raw_currentload | avgLoad, currentLoad, currentLoadUser, currentLoadSystem, currentLoadNice, currentLoadIdle, currentLoadIrq, rawCurrentLoad | pascalCase conformity |
| dockerContainerStats() | mem_usage, mem_limit, mem_percent, cpu_percent, cpu_stats, precpu_stats, memory_stats | memUsage, memLimit, memPercent, cpuPercent, cpuStats, precpuStats, memoryStats | pascalCase conformity |
| dockerContainerProcesses() | pid_host | pidHost | pascalCase conformity |
| graphics().display | pixeldepth, resolutionx, resolutiony, sizex, sizey | pixelDepth, resolutionX, resolutionY, sizeX, sizeY | pascalCase conformity |
| networkConnections() | localaddress, localport, peeraddress, peerport | localAddress, localPort, peerAddress, peerPort | pascalCase conformity |
| networkInterfaces() | carrier_changes | carrierChanges | pascalCase conformity |
| processes() | mem_vsz, mem_rss, pcpu, pcpuu, pcpus, pmem | memVsz, memRss, cpu, cpuu, cpus, mem | pascalCase conformity, renamed attributes |
| processLoad() | result as object | result as array of objects | function now allows to provide more than one process (as a comma separated list) |
| services() | pcpu, pmem | cpu, mem | renamed attributes |
| vbox() | HPET, PAE, APIC, X2APIC, ACPI, IOAPIC, biosAPICmode, TRC | hpet, pae, apic, x2Apic, acpi, ioApic, biosApicMode, rtc | pascalCase conformity |

Other Improvements and Changes

  • baseboard(): added memMax, memSlots
  • bios(): added language and features (linux)
  • blockDevices() added raid group member (linux)
  • cpu(): extended AMD processor list
  • cpu(): extended socket list (win)
  • cpu(): added virtualization if cpu supports virtualization
  • cpu(): now flags are part of this function
  • cpuTemperature() added socket and chipset temp (linux)

... (truncated)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/cordova-cli/network/alerts).

codecov-commenter commented 1 year ago

Codecov Report

Merging #627 (9fd10ec) into master (bff99d3) will not change coverage. The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #627   +/-   ##
=======================================
  Coverage   70.68%   70.68%           
=======================================
  Files           4        4           
  Lines         307      307           
=======================================
  Hits          217      217           
  Misses         90       90           


shajz commented 11 months ago

Hi @erisu, could you merge this PR? It fixes a critical vulnerability.

npm audit output on an app running cordova@12.0.0:

systeminformation  5.0.0 - 5.21.6
Severity: critical
systeminformation SSID Command Injection Vulnerability - https://github.com/advisories/GHSA-gx6r-qc2v-3p3v
fix available via `npm audit fix`
node_modules/systeminformation

breautek commented 11 months ago

> Hi @erisu, could you merge this PR? It fixes a critical vulnerability.
>
> npm audit output on an app running cordova@12.0.0:
>
> systeminformation  5.0.0 - 5.21.6
> Severity: critical
> systeminformation SSID Command Injection Vulnerability - https://github.com/advisories/GHSA-gx6r-qc2v-3p3v
> fix available via `npm audit fix`
> node_modules/systeminformation

This PR won't correct end-user apps; it will just correct local development environments when developing the CLI.

Apps/libraries consuming cordova need to update their own package-lock.json files.

If you have cordova globally installed, then npm install -g cordova@12.0.1 should automatically do this.

If you have cordova locally installed, then you'll need to issue npm upgrade which will upgrade your entire dependency tree to the latest satisfactory packages possible.

shajz commented 11 months ago

Whoops, well spotted @breautek, I was quick to assume that this PR also bumped this repo's package.json (and the published one). Maybe we could amend this PR to reflect these changes in the package.json file to make them available to everyone in a future version?

> If you have cordova globally installed, then npm install -g cordova@12.0.1 should automatically do this.

I'm not seeing the 12.0.1 release you mention, neither here nor on npm 🤔

breautek commented 11 months ago

> I'm not seeing the 12.0.1 release you mention, neither here nor on npm

Oops, my bad, that's still in dev; the current latest is 12.0.0.

> Whoops, well spotted @breautek, I was quick to assume that this PR also bumped this repo's package.json (and the published one). Maybe we could amend this PR to reflect these changes in the package.json file to make them available to everyone in a future version?

I made a PR to address the package.json for this + several other NPM audits that are outstanding in the current package-lock.json state. There are still audit issues from the insight package that need to be addressed, and that's not as simple as a version bump. So that will remain currently. To reiterate, you don't need this or my PR to address the systeminformation concern; you just need to npm upgrade (if you have cordova locally installed in your project) or npm install -g cordova@latest, and NPM will reinstall cordova globally with the latest dependency tree information. This works because cordova has the version pin to allow for any version in the 5.x range for systeminformation.
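The point made above (a lock-file bump in the CLI repo fixes nothing for consumers; what matters is whether each consumer's own lock file resolves a vulnerable version, and whether the range declared in package.json already permits the patched release so that `npm upgrade` or a reinstall picks it up) can be checked mechanically. The following Node script is an added example and is not code from this thread or from the cordova-cli project. It takes a declared range, a locked version, the affected range as npm audit prints it (`5.0.0 - 5.21.6`) and the first fixed release, and reports whether the lock file is exposed and whether a plain lock-file refresh is enough. The semver handling is a small hand-written subset (exact pins, `^`, `~` and hyphen ranges), not the `semver` package; the `^5.17.12` declared range in the sample is a constructed value, not cordova's actual package.json entry.

```javascript
// Added example, not from the cordova-cli thread or project. Decides whether a
// consumer's lock file is exposed to an advisory and whether the package.json
// range lets a lock-file refresh install the fix. Plain Node, no dependencies.

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"); pre-release tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Reduce a range to an inclusive lower bound and an upper bound. Supported
// forms: "a.b.c - x.y.z" (npm audit style, inclusive), "^a.b.c", "~a.b.c",
// and an exact pin. This is a deliberate subset of real semver syntax.
function rangeBounds(range) {
  const r = range.trim();
  const hyphen = /^(\S+)\s+-\s+(\S+)$/.exec(r);
  if (hyphen) return { lo: hyphen[1], hi: hyphen[2], hiInclusive: true };
  if (r.startsWith('^')) {
    const [maj, min] = parseVersion(r.slice(1));
    // ^1.2.3 := >=1.2.3 <2.0.0 ; ^0.2.3 := >=0.2.3 <0.3.0 (0.0.x not modelled)
    const hi = maj > 0 ? `${maj + 1}.0.0` : `0.${min + 1}.0`;
    return { lo: r.slice(1), hi, hiInclusive: false };
  }
  if (r.startsWith('~')) {
    const [maj, min] = parseVersion(r.slice(1));
    return { lo: r.slice(1), hi: `${maj}.${min + 1}.0`, hiInclusive: false };
  }
  return { lo: r, hi: r, hiInclusive: true }; // exact pin
}

// True when `version` falls inside `range`.
function satisfies(version, range) {
  const { lo, hi, hiInclusive } = rangeBounds(range);
  const aboveLo = compareVersions(version, lo) >= 0;
  const belowHi = hiInclusive
    ? compareVersions(version, hi) <= 0
    : compareVersions(version, hi) < 0;
  return aboveLo && belowHi;
}

// Assess one dependency. `declared` is the package.json range, `locked` the
// version resolved in package-lock.json, `vulnerable` the affected range from
// the advisory, `fixed` the first patched release.
function assessDependency({ name, declared, locked, vulnerable, fixed }) {
  const lockedVulnerable = satisfies(locked, vulnerable);
  const rangeAllowsFix = satisfies(fixed, declared);
  let action;
  if (!lockedVulnerable) action = 'nothing to do';
  else if (rangeAllowsFix) action = 'refresh the lock file (npm upgrade / reinstall)';
  else action = 'package.json range must be widened before the fix can install';
  return { name, lockedVulnerable, rangeAllowsFix, action };
}

// Constructed sample mirroring the thread: a consumer's lock file still resolves
// 5.17.12, the advisory covers 5.0.0 - 5.21.6, and the declared range is a
// hypothetical caret range that already admits 5.21.7.
const SAMPLE = {
  name: 'systeminformation',
  declared: '^5.17.12',     // hypothetical, not cordova's real entry
  locked: '5.17.12',
  vulnerable: '5.0.0 - 5.21.6',
  fixed: '5.21.7',
};

function runSample() {
  return assessDependency(SAMPLE);
}

console.log(runSample());
```

Running it prints an object with `lockedVulnerable: true` and `rangeAllowsFix: true`, i.e. the case breautek describes: the consumer is exposed, but because the declared range covers 5.21.7, refreshing the lock file is sufficient. If the declared range had been an exact pin such as `5.17.12`, `rangeAllowsFix` would be `false` and a package.json change in the consuming project (or in cordova, for transitive consumers) would be required first.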

shajz commented 11 months ago

Yes, I've just seen your PR, thanks for the effort! Much appreciated <3 It will actually fix this vulnerability without forcing users to meddle with their package-lock file.

breautek commented 11 months ago

@dependabot rebase

dependabot[bot] commented 11 months ago

Looks like systeminformation is up-to-date now, so this is no longer needed.