render[bot]
commented
3 weeks ago Your Render PR Server URL is https://turborepo-remote-cache-pr-385.onrender.com.
Follow its progress at https://dashboard.render.com/web/srv-cpk0ek6ct0pc73bqfmr0.
Closed dependabot[bot] closed 3 weeks ago
render[bot]
commented
3 weeks ago Your Render PR Server URL is https://turborepo-remote-cache-pr-385.onrender.com.
Follow its progress at https://dashboard.render.com/web/srv-cpk0ek6ct0pc73bqfmr0.
socket-security[bot]
commented
3 weeks ago 🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎
To accept the risk, merge this PR and you will not be notified again.
Package has not been updated in more than 5 years and may be unmaintained. Problems with the package may go unaddressed.
Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance.
Package accesses environment variables, which may be a sign of credential stuffing or data theft.
Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.
Accesses the file system, and could potentially read sensitive data.
If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.
Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.
Avoid packages that use eval, since this could potentially execute any code.
A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.
The maintainer of the package marked it as deprecated. This could indicate that a single version should not be used, or that the package is no longer maintained and any new vulnerabilities will not be fixed.
Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.
Packages less than 10 lines of code are easily copied into your own project and may not warrant the additional supply chain risk of an external dependency.
Removing this package as a dependency and implementing its logic will reduce supply chain risk.
This module accesses the network.
Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.
Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.
If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.
To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all
@SocketSecurity ignore npm/rc@1.2.8@SocketSecurity ignore npm/is-unicode-supported@1.3.0@SocketSecurity ignore npm/registry-auth-token@5.0.2@SocketSecurity ignore npm/bottleneck@2.19.5@SocketSecurity ignore npm/get-stream@8.0.1@SocketSecurity ignore npm/conventional-changelog-writer@7.0.1@SocketSecurity ignore npm/read-pkg-up@11.0.0@SocketSecurity ignore npm/object-keys@1.1.1@SocketSecurity ignore npm/isarray@2.0.5@SocketSecurity ignore npm/get-caller-file@2.0.5@SocketSecurity ignore npm/require-directory@2.1.1@SocketSecurity ignore npm/y18n@5.0.8@SocketSecurity ignore npm/media-typer@0.3.0@SocketSecurity ignore npm/for-each@0.3.3@SocketSecurity ignore npm/min-indent@1.0.1@SocketSecurity ignore npm/config-chain@1.1.13@SocketSecurity ignore npm/proto-list@1.2.4
Bumps braces from 3.0.2 to 3.0.3.
Commits
74b2db23.0.388f1429update eslint. lint, fix unit tests.415d660Snyk js braces 6838727 (#40)190510ffix tests, skip 1 test in test/braces.expand716eb9freadme bumpa5851e5Merge pull request #37 from coderaiser/fix/vulnerability2092bd1feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...9f5b4cffix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)98414f9remove funding file665ab5dupdate keepEscaping doc (#27)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show