nelsonmaligro / e-Dokyumento

Document Management System with Machine Learning and Document Workflow and Routing

Bump mongoose from 5.13.1 to 5.13.15 #76

Open dependabot[bot] opened 1 year ago

dependabot[bot] commented 1 year ago

Bumps mongoose from 5.13.1 to 5.13.15.

Changelog

Sourced from mongoose's changelog.

Commits
  • ca7996b chore: release 5.13.15
  • e75732a Merge pull request #12307 from Automattic/vkarpov15/fix-5x-build
  • a1144dc test: run node 7 tests with upgraded npm re: #12297
  • dfc4ad7 test: try upgrading npm for node v4 tests re: #12297
  • b9e985c test: more strict @types/node version
  • 4d813fa test: fix @types/node version in tests re: #12297
  • 99b4189 Merge pull request #12297 from shubanker/issue/prototype-pollution-5.x-patch
  • 5eb11dd made function non async
  • 6a19731 fix(schema): disallow setting proto when creating schema with dotted prop...
  • a2ec28d Merge pull request #11366 from laissonsilveira/5.x
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
  • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
  • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
  • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/nelsonmaligro/e-Dokyumento/network/alerts).

socket-security[bot] commented 1 year ago

Socket Security Pull Request Report

Dependency issues detected. If you merge this pull request, you will not be alerted to the instances of these issues again.

📜 Install scripts

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

| Package | Script field | Source |
|---|---|---|
| nodemon@2.0.7 (added) | postinstall | |
| core-js@2.6.11 (upgraded) | postinstall | |
| bcrypt@5.0.1 (upgraded) | install | package-lock.json, package.json |
| ejs@3.0.1 (upgraded) | postinstall | package-lock.json, package.json |

😵‍💫 Bin script confusion

This package has multiple bin scripts with the same name. This can cause non-deterministic behavior when installing or could be a sign of a supply chain attack.

Consider removing one of the conflicting packages. Packages should only export bin scripts with their name.

| Package | Bin script | Source |
|---|---|---|
| fsevents@1.2.4 (upgraded) | nopt | package-lock.json via chokidar@2.0.4, mocha@7.1.2, nodemon@1.17.5, public/vendors/animate.css/package-lock.json via gulp@3.9.1, public/vendors/bootstrap/package-lock.json via @babel/cli@7.0.0-beta.52, karma@2.0.4, karma-qunit@2.1.0, karma-sinon@1.0.5, nodemon@1.17.5, postcss-cli@5.0.1, qunit@2.6.1 |
| nopt@3.0.6 (added) | nopt | package-lock.json via bcrypt@5.0.1, public/vendors/bootstrap/package-lock.json via broken-link-checker@0.7.8, node-sass@4.9.1, public/vendors/chart.js/package.json via karma-coverage@1.1.2, public/vendors/jquery-validation/package.json via grunt@1.0.1, grunt-contrib-concat@1.0.1, grunt-contrib-jshint@1.0.0, grunt-sri@0.2.0, public/vendors/jqvmap/package.json via grunt-contrib-concat@2.1.0, public/vendors/jszip/package.json via grunt-cli@1.1.0, public/vendors/popper.js/package.json via karma-coverage@1.1.1, prettier-eslint-cli@4.4.0, public/vendors/popper.js/packages/popper/package.json via @popperjs/test@1.0.1, public/vendors/popper.js/packages/test/package.json via karma-coverage@1.1.1, public/vendors/popper.js/packages/tooltip/package.json via @popperjs/test@1.0.1 |
| npm@2.15.12 (added) | nopt | public/vendors/chart.js/package.json via gitbook-cli@2.3.2 |
| npm@5.1.0 (added) | nopt | public/vendors/chart.js/package.json via gitbook-cli@2.3.2 |
| npm@5.1.0 (added) | nopt | public/vendors/chart.js/package.json via gitbook-cli@2.3.2 |
| fsevents@1.2.4 (upgraded) | semver | package-lock.json via chokidar@2.0.4, mocha@7.1.2, nodemon@1.17.5, public/vendors/animate.css/package-lock.json via gulp@3.9.1, public/vendors/bootstrap/package-lock.json via @babel/cli@7.0.0-beta.52, karma@2.0.4, karma-qunit@2.1.0, karma-sinon@1.0.5, nodemon@1.17.5, postcss-cli@5.0.1, qunit@2.6.1 |
| npm@2.15.12 (added) | semver | public/vendors/chart.js/package.json via gitbook-cli@2.3.2 |
| npm@2.15.12 (added) | semver | public/vendors/chart.js/package.json via gitbook-cli@2.3.2 |
| npm@5.1.0 (added) | semver | public/vendors/chart.js/package.json via gitbook-cli@2.3.2 |
| semver@4.3.6 (upgraded) | semver | |
| semver@5.0.3 (upgraded) | semver | public/vendors/popper.js/package.json via karma-sauce-launcher@1.2.0, public/vendors/popper.js/packages/popper/package.json via @popperjs/test@1.0.1, public/vendors/popper.js/packages/test/package.json via karma-sauce-launcher@1.2.0, public/vendors/popper.js/packages/tooltip/package.json via @popperjs/test@1.0.1 |
| semver@5.3.0 (upgraded) | semver | public/vendors/bootstrap/package-lock.json via node-sass@4.9.1, public/vendors/chart.js/package.json via eslint@4.19.1, gitbook-cli@2.3.2, gulp-eslint@4.0.2 |
| semver@5.4.1 (upgraded) | semver | public/vendors/popper.js/package.json via babel-plugin-istanbul@4.1.5, bundlesize@0.15.3, eslint@4.10.0, karma-coverage@1.1.1, lerna@2.5.1, nuget-publish@1.0.3, prettier-eslint-cli@4.4.0, yargs@8.0.2, public/vendors/popper.js/packages/babel-config/package.json via babel-preset-env@1.6.0, public/vendors/popper.js/packages/bundle/package.json via @popperjs/babel-config@1.0.0, public/vendors/popper.js/packages/popper/package.json via @popperjs/bundle@1.0.2, @popperjs/test@1.0.1, eslint@4.10.0, nuget-publish@1.0.3, public/vendors/popper.js/packages/test/package.json via babel-plugin-istanbul@4.1.5, eslint@4.10.0, karma-coverage@1.1.1, yargs@8.0.2, public/vendors/popper.js/packages/tooltip/package.json via @popperjs/bundle@1.0.2, @popperjs/test@1.0.1, eslint@4.4.1 |
| semver@5.5.0 (upgraded) | semver | public/vendors/bootstrap/package.json via eslint@5.0.1, nodemon@1.17.5 |
| fsevents@1.2.4 (upgraded) | mkdirp | package-lock.json via chokidar@2.0.4, mocha@7.1.2, nodemon@1.17.5, public/vendors/animate.css/package-lock.json via gulp@3.9.1, public/vendors/bootstrap/package-lock.json via @babel/cli@7.0.0-beta.52, karma@2.0.4, karma-qunit@2.1.0, karma-sinon@1.0.5, nodemon@1.17.5, postcss-cli@5.0.1, qunit@2.6.1 |
| mkdirp@0.5.1 (upgraded) | mkdirp | package-lock.json via bcrypt@5.0.1, forever@3.0.4, make@0.8.1, mocha@7.1.2, multer@1.4.2, pdfreader@1.0.6, public/vendors/animate.css/package-lock.json via cssnano@4.0.3, eslint@5.0.1, gulp@3.9.1, public/vendors/bootstrap/package-lock.json via @babel/cli@7.0.0-beta.52, eslint@5.0.1, eslint-plugin-compat@2.4.0, http-server@0.11.1, karma@2.0.4, karma-coverage-istanbul-reporter@2.0.1, karma-sinon@1.0.5, node-sass@4.9.1, stylelint@9.3.0, stylelint-config-recommended-scss@3.2.0, stylelint-config-standard@18.2.0, stylelint-order@0.8.1, stylelint-scss@3.1.3, public/vendors/chart.js/package.json via eslint@4.19.1, gulp@3.9.1, gulp-eslint@4.0.2, karma-coverage@1.1.2, public/vendors/gmaps/package.json via grunt-contrib-jasmine@1.0.0, public/vendors/jquery-validation/package.json via grunt-contrib-qunit@1.2.0, grunt-jscs@2.8.0, public/vendors/jquery-validation-unobtrusive/package-lock.json via gulp@3.9.1, public/vendors/peity/package.json via mocha@3.2.0, public/vendors/popper.js/package.json via babel-core@6.26.0, eslint@4.10.0, jsdoc-to-markdown@3.0.0, karma-coverage@1.1.1, karma-sauce-launcher@1.2.0, lcov-result-merger@1.2.0, lerna@2.5.1, nuget-publish@1.0.3, prettier-eslint-cli@4.4.0, rollup-plugin-babel@2.7.1, rollup-plugin-babel-minify@3.1.2, public/vendors/popper.js/packages/bundle/package.json via rollup-plugin-babel@2.7.1, rollup-plugin-babel-minify@3.1.2, public/vendors/popper.js/packages/popper/package.json via @popperjs/bundle@1.0.2, @popperjs/test@1.0.1, eslint@4.10.0, nuget-publish@1.0.3, public/vendors/popper.js/packages/test/package.json via babel-core@6.26.0, eslint@4.10.0, karma-coverage@1.1.1, karma-sauce-launcher@1.2.0, rollup-plugin-babel@2.7.1, public/vendors/popper.js/packages/tooltip/package.json via @popperjs/bundle@1.0.2, @popperjs/test@1.0.1, eslint@4.4.1 |

Pull request report summary

| Issue | Status |
|---|---|
| Install scripts | ⚠️ 4 issues |
| Native code | ✅ 0 issues |
| Bin script confusion | ⚠️ 16 issues |
| Bin script shell injection | ✅ 0 issues |
| Unresolved require | ✅ 0 issues |
| Invalid package.json | ✅ 0 issues |
| HTTP dependency | ✅ 0 issues |
| Git dependency | ✅ 0 issues |
| Potential typo squat | ✅ 0 issues |
| Known Malware | ✅ 0 issues |
| Telemetry | ✅ 0 issues |
| Protestware/Troll package | ✅ 0 issues |

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@2.4.2

  • @SocketSecurity ignore nodemon@2.0.7
  • @SocketSecurity ignore core-js@2.6.11
  • @SocketSecurity ignore bcrypt@5.0.1
  • @SocketSecurity ignore ejs@3.0.1
  • @SocketSecurity ignore fsevents@1.2.4


Powered by socket.dev