commitizen / cz-cli

The commitizen command line utility. #BlackLivesMatter
http://commitizen.github.io/cz-cli/
MIT License
16.9k stars 552 forks source link

chore(deps): update dependency npm to 8.11.0 [security] - autoclosed #941

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 2 years ago

Mend Renovate

This PR contains the following updates:

Package Change
npm 7.20.1 -> 8.11.0

GitHub Vulnerability Alerts

CVE-2022-29244

Impact

npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.

Patch

Steps to take to see if you're impacted

  1. Run npm publish --dry-run or npm pack with an npm version >=7.9.0 & <8.11.0 inside the project's root directory using a workspace flag like: --workspaces or --workspace=<name> (ex. npm pack --workspace=foo)
  2. Check the output in your terminal which will list the package contents (note: tar -tvf <package-on-disk> also works)
  3. If you find that there are files included you did not expect, you should: 3.1. Create & publish a new release excluding those files (ref. "Keeping files out of your Package") 3.2. Deprecate the old package (ex. npm deprecate <pkg>[@&#8203;<version>] <message>) 3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed

References


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.