mattermost / desktop

Mattermost Desktop application for Windows, Mac and Linux
Apache License 2.0

[Snyk] Security upgrade @electron/rebuild from 3.6.0 to 3.7.0 #3163

Closed mm-prodsec-bot closed 1 month ago

mm-prodsec-bot commented 1 month ago

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| medium severity | 631/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 6.2) | Missing Release of Resource after Effective Lifetime (SNYK-JS-INFLIGHT-6095116) | No | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: @electron/rebuild The new version differs by 26 commits.
  • 96b462a feat: Change node-gyp to @electron/node-gyp (#1157)
  • a235385 chore: bump continuousauth/npm to 2.1.1 (main) (#1156)
  • 683129a fix: allow using forks for prebuilt modules (#1155)
  • 9ebf9bd build: ensure setuptools is available on windows
  • cc184c3 build: use supported circle windows image
  • dd2321c chore: fix lint
  • 0bd2100 fix: cross-platform prebuild downloads (#1153)
  • b1fb8d6 chore: enforce semicolons via eslint (#1154)
  • cb372cd build: fix repository.url in package.json (#1150)
  • 14ddd55 chore(deps): bump micromatch from 4.0.4 to 4.0.8 (#1149)
  • f5872bb chore(deps): bump amannn/action-semantic-pull-request from 5.5.2 to 5.5.3 (#1147)
  • d1fbc59 docs: update option documentation (#1141)
  • b8ac6db chore(deps): bump bcrypt from 3.0.6 to 5.0.0 in /test/fixture/native-app1 (#1146)
  • 670c3ea test: add yarn.lock for native-app1 fixture (#1145)
  • bfd050c chore(deps): bump braces from 3.0.2 to 3.0.3 (#1144)
  • 29c0e2d chore: bump electronjs/node to 2.3.0 (main) (#1142)
  • a93581c chore: bump electronjs/node to 2.2.3 (main) (#1137)
  • 867e178 chore: bump electronjs/node to 2.2.2 (main) (#1135)
  • de9dd15 chore(deps): bump amannn/action-semantic-pull-request from 5.4.0 to 5.5.2 (#1134)
  • 2beab69 build: update yarn.lock to fix audit output (#1133)
  • 13a1c29 chore(deps): bump dsanders11/project-actions from 1.2.0 to 1.3.0 (#1132)
  • 86cbe44 chore(deps): bump dsanders11/project-actions from 1.1.0 to 1.2.0 (#1131)
  • b7d41e3 chore(deps): bump amannn/action-semantic-pull-request from 5.2.0 to 5.4.0 (#1130)
  • c7ee1a9 chore: use Dependabot to update GitHub Actions deps (#1129)
See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.


mm-cloud-bot commented 1 month ago

@mm-prodsec-bot: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

I understand the commands that are listed [here](https://chewbacca.core.cloud.mattermost.com/command-help.html)
github-actions[bot] commented 1 month ago

Here are the test results below:

Test Summary for Linux on commit bd533d0b1745124643234df49b179c7a06c935fb

New failed tests found on Linux:

Test Summary for macOS on commit bd533d0b1745124643234df49b179c7a06c935fb

All stable tests passed on macOS.