brave / brave-ui

List of reusable React components to empower your brave UI
https://brave.github.io/brave-ui
Mozilla Public License 2.0

Bump http-cache-semantics and lerna #631

Open dependabot[bot] opened 1 year ago

dependabot[bot] commented 1 year ago

Bumps http-cache-semantics to 4.1.1 and updates ancestor dependency lerna. These dependencies need to be updated together.

Updates http-cache-semantics from 3.8.1 to 4.1.1

Commits


Updates lerna from 3.22.1 to 6.4.1

Release notes

Sourced from lerna's releases.

v6.4.1

6.4.1 (2023-01-12)

Bug Fixes

v6.4.0

6.4.0 (2023-01-05)

Bug Fixes

  • run: add explicit nx dependency (#3486) (7e39397)
  • version: recognize .prettierignore when formatting files (#3482) (4e2c7a9)

Features

  • create: support relative path from root as lerna create location (#3478) (82825ce)
  • watch: Add lerna watch command (#3466) (008b995)

v6.3.0

6.3.0 (2022-12-26)

Features

  • version: support custom command for git tag (#2760) (6eac92f)
  • version: use npmClientArgs in npm install after lerna version (#3434) (e019e3f)

v6.2.0

6.2.0 (2022-12-13)

Bug Fixes

  • core: more detailed error message when version cannot be found (#3424) (b729b0c)
  • schema: add the other format changelogPreset can assume (#3441) (d286973)
  • utils: check validity of bundledDependencies before iteration (#2960) (2517ffb)

Features

v6.1.0

6.1.0 (2022-11-29)

... (truncated)

Changelog

Sourced from lerna's changelog.

6.4.1 (2023-01-12)

Bug Fixes

6.4.0 (2023-01-05)

Features

6.3.0 (2022-12-26)

Features

  • version: use npmClientArgs in npm install after lerna version (#3434) (e019e3f)

6.2.0 (2022-12-13)

Bug Fixes

  • schema: add the other format changelogPreset can assume (#3441) (d286973)

Features

6.1.0 (2022-11-29)

Features

  • version: bump prerelease versions from conventional commits (#3362) (2288b3a)

6.0.3 (2022-11-07)

Note: Version bump only for package lerna

6.0.2 (2022-11-02)

Note: Version bump only for package lerna

6.0.1 (2022-10-14)

Bug Fixes

  • run: allow for loading of env files to be skipped (#3375) (5dbd904)

6.0.0 (2022-10-12)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by jameshenry, a new releaser for lerna since your current version.


You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
  • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
  • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
  • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/brave/brave-ui/network/alerts).

Note: Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

socket-security[bot] commented 1 year ago

Socket Security Pull Request Report

Dependency issues detected. If you merge this pull request, you will not be alerted to the instances of these issues again.

📜 Install scripts

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

| Package | Script field | Source |
| --- | --- | --- |
| nx@15.6.3 (added) | postinstall | package-lock.json via lerna@6.4.1, package/package.json via lerna@6.4.1 |
| @parcel/watcher@2.0.4 (added) | install | package-lock.json via lerna@6.4.1, package/package.json via lerna@6.4.1 |
😵‍💫 Bin script confusion

This package has multiple bin scripts with the same name. This can cause non-deterministic behavior when installing or could be a sign of a supply chain attack.

Consider removing one of the conflicting packages. Packages should only export bin scripts with their name.

| Package | Bin script | Source |
| --- | --- | --- |
| @zkochan/js-yaml@0.0.6 (added) | js-yaml | package-lock.json via lerna@6.4.1, package/package.json via lerna@6.4.1 |
| js-yaml@3.14.0 (added) | js-yaml | package-lock.json via @storybook/react@5.3.19, jest@26.6.3, lerna@6.4.1, storybook-addon-styled-component-theme@1.3.0, svgo@1.3.2, ts-jest@26.4.1, tslint@6.1.3, tslint-config-standard@9.0.0, tslint-react@5.0.0, package/package.json via @storybook/react@5.3.19, lerna@6.4.1, react-storybook-addon-chapters@3.1.7, storybook-addon-styled-component-theme@1.3.0, stylelint@9.10.1, stylelint-config-recommended@2.2.0, ts-jest@23.10.5, tslint@5.20.1, tslint-config-standard@7.1.0, tslint-react@3.6.0, tools/icon-component-generator/package.json via svgo@1.3.2 |
| js-yaml@4.1.0 (added) | js-yaml | package-lock.json via lerna@6.4.1, package/package.json via lerna@6.4.1 |
Pull request report summary
| Issue | Status |
| --- | --- |
| Install scripts | ⚠️ 2 issues |
| Native code | ✅ 0 issues |
| Bin script confusion | ⚠️ 3 issues |
| Bin script shell injection | ✅ 0 issues |
| Unresolved require | ✅ 0 issues |
| Invalid package.json | ✅ 0 issues |
| HTTP dependency | ✅ 0 issues |
| Git dependency | ✅ 0 issues |
| Potential typo squat | ✅ 0 issues |
| Known Malware | ✅ 0 issues |
| Telemetry | ✅ 0 issues |
| Protestware/Troll package | ✅ 0 issues |
Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@2.4.2

  • @SocketSecurity ignore nx@15.6.3
  • @SocketSecurity ignore @parcel/watcher@2.0.4
  • @SocketSecurity ignore @zkochan/js-yaml@0.0.6
  • @SocketSecurity ignore js-yaml@3.14.0
  • @SocketSecurity ignore js-yaml@4.1.0

Powered by socket.dev