[Snyk] Security upgrade node-sass from 4.14.1 to 5.0.0 - Githubissues

ever-co / ever-demand

Ever® Demand™ - Open Commerce Platform - https://everdemand.co

https://everdemand.co

GNU Affero General Public License v3.0

1.72k stars 460 forks source link

[Snyk] Security upgrade node-sass from 4.14.1 to 5.0.0 #1389

Closed snyk-bot closed 2 years ago

snyk-bot commented 3 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

merge advice

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- packages/merchant-tablet-ionic/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Recently disclosed, Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	Yes	No Known Exploit
	696/1000 Why? Recently disclosed, Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: node-sass

The new version differs by 43 commits.

7105b0a 5.0.0 (#3015)
0648b5a chore: Add Node 15 support (#2983)
e2391c2 Add a deprecation message to the readme (#3011)
6a33e53 chore: Don't upload artifacts on PRs
d763506 chore: Only run coverage on main repo
d4ebe72 build(deps): update actions/setup-node requirement to v2.1.2
2bebe05 build(deps-dev): bump rimraf from 2.7.1 to 3.0.2
f877689 chore: Don't double build DependaBot PRs
b48fac4 chore: Add weekly DependaBot updates
91c40a0 Remove deprecated process.sass API
1f6df86 Replace lodash/assign in favor of the native Object.assign
522828a Remove workarounds for old Node.js versions
40e0f00 chore: Remove second NPM badge
ab91bf6 chore: Remove Slack badge
6853a80 chore: Cleanup status badges
fb1109c chore: Bump minimum engine version to v10
d185440 chore: Add basic Node version support policy
db25736 chore: Bump node-gyp to 7.1.0
2c5b110 chore: Bump cross-spawn to v7.0.3
38b9633 chore: Update Istanbul to NYC
d63b5bf chore: Bump mocha to v8.1.3
d0d8865 chore: Skip constructor tests on v14.6+
ee3984d chore: Hoist test ESLint config
feee448 chore: Remove disabled and recommended rules

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

CLAassistant commented 3 years ago

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}