gipplab / MathMLben

A quality benchmark for MathML
https://mathmlben.wmflabs.org/

[Snyk] Security upgrade npm-check-updates from 2.15.0 to 3.0.0 #97

Open snyk-bot opened 4 years ago

snyk-bot commented 4 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

Severity  Issue                               Snyk ID               Breaking Change  Exploit Maturity
high      Arbitrary File Overwrite            SNYK-JS-NPM-537603    Yes              Proof of Concept
low       Unauthorized File Access            SNYK-JS-NPM-537604    Yes              Proof of Concept
high      Arbitrary File Write                SNYK-JS-NPM-537606    Yes              Proof of Concept
medium    Time of Check Time of Use (TOCTOU)  npm:chownr:20180731   Yes              No Known Exploit
medium    Access Restriction Bypass           npm:npm:20180222      Yes              No Known Exploit
Commit messages
Package name: npm-check-updates
The new version differs by 64 commits.
  • 4dc843f 3.0.0
  • 1121fbc README
  • 3a91c87 Upgrade packages
  • c301680 Match E404 error messages.
  • 564a277 Add tests for detecting -alpha, -beta, -rc. Closes #368.
  • d319202 Replace --prod/dev/etc with --dep. -m = --minimal. -p = --packageManager.
  • 07ec417 README
  • 6133184 Fix spacing in ncu -g output (minor).
  • 74bc003 Add linting and vulnerability testing to "npm test".
  • 6804d56 Upgrade non-major dependencies.
  • 54bca4d Make -u output clearer.
  • bc056c6 Upgrade dependency: eslint
  • 3a03e87 Lint
  • f8a7bcc Upgrade dependency: mocha
  • 4396ede Upgrade dependency: should
  • 3bb2daf Upgrade dependency: tmp
  • 6a7ae3b Upgrade dependency: get-stdin
  • 2c7f8d2 Merge unit tests from #382
  • c4658e6 Upgrade dependency: chalk
  • 802af36 Default arguments (minor)
  • 8b261f5 Remove npm and npmi from dependencies. Use requireg instead of npmi in bower.
  • 2ea7cb0 Upgrade dependency: find-up
  • d7fee5c Minor update of tabs to spaces and a few lingering vars.
  • a1444b7 Skip test. TODO: filter org deps by regex.
See the full diff

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic