Skip to content

build(deps): bump the npm_and_yarn group across 1 directory with 8 updates #26

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

build(deps): bump the npm_and_yarn group across 1 directory with 8 updates #26

wants to merge 1 commit into from

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Jan 13, 2025

Warning

Dependabot will stop supporting npm v6!

Please upgrade to one of the following versions: v7, v8, v9, or v10.

Bumps the npm_and_yarn group with 4 updates in the / directory: mocha, webpack, js-yaml and handlebars.

Updates mocha from 8.4.0 to 11.0.1

Release notes

Sourced from mocha's releases.

v11.0.1

11.0.1 (2024-12-02)

🌟 Features

📚 Documentation

  • fix examples for linkPartialObjects methods (#5255) (34e0e52)

v11.0.0 Prerelease

11.0.0 (2024-11-11)

⚠ BREAKING CHANGES

  • adapt new engine range for Mocha 11 (#5216)

🌟 Features

🩹 Fixes

📚 Documentation

v10.8.2

10.8.2 (2024-10-30)

🩹 Fixes

  • support errors with circular dependencies in object values with --parallel (#5212) (ba0fefe)
  • test link in html reporter (#5224) (f054acc)

📚 Documentation

  • indicate 'exports' interface does not work in browsers (#5181) (14e640e)

... (truncated)

Changelog

Sourced from mocha's changelog.

11.0.1 (2024-12-02)

🌟 Features

📚 Documentation

  • fix examples for linkPartialObjects methods (#5255) (34e0e52)

11.0.0 (2024-11-11)

⚠ BREAKING CHANGES

  • adapt new engine range for Mocha 11 (#5216)

🌟 Features

🩹 Fixes

📚 Documentation

10.8.2 (2024-10-30)

🩹 Fixes

  • support errors with circular dependencies in object values with --parallel (#5212) (ba0fefe)
  • test link in html reporter (#5224) (f054acc)

📚 Documentation

  • indicate 'exports' interface does not work in browsers (#5181) (14e640e)

🧹 Chores

  • fix docs builds by re-adding eleventy and ignoring gitignore again (#5240) (881e3b0)

🤖 Automation

  • deps: bump the github-actions group with 1 update (#5132) (e536ab2)

10.8.1 (2024-10-29)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by voxpelli, a new releaser for mocha since your current version.


Updates webpack from 3.12.0 to 5.97.1

Release notes

Sourced from webpack's releases.

v5.97.1

Bug Fixes

  • Performance regression
  • Sub define key should't be renamed when it's a defined variable

v5.97.0

Bug Fixes

  • Don't crash with filesystem cache and unknown scheme
  • Generate a valid code when output.iife is true and output.library.type is umd
  • Fixed conflict variable name with concatenate modules and runtime code
  • Merge duplicate chunks before
  • Collisions in ESM library
  • Use recursive search for versions of shared dependencies
  • [WASM] Don't crash WebAssembly with Reference Types (sync and async)
  • [WASM] Fixed wasm loading for sync and async webassembly
  • [CSS] Don't add [uniqueName] to localIdentName when it is empty
  • [CSS] Parsing strings on Windows
  • [CSS] Fixed CSS local escaping

New Features

  • Added support for injecting debug IDs
  • Export the MergeDuplicateChunks plugin
  • Added universal loading for JS chunks and JS worker chunks (only ES modules)
  • [WASM] Added universal loading for WebAssembly chunks (only for async WebAssembly)
  • [CSS] Allow initial CSS chunks to be placed anywhere - the output.cssHeadDataCompression option was deleted
  • [CSS] Added universal loading for CSS chunks
  • [CSS] Parse ICSS @value at-rules in CSS modules
  • [CSS] Parse ICSS :import rules in CSS modules
  • [CSS] Added the url and import options for CSS
  • [CSS] Allow to import custom properties in CSS modules

Performance

  • Faster Queue implementation, also fixed queue iterator state in dequeue method to ensure correct behavior after item removal

v5.96.1

Bug Fixes

  • [Types] Add @types/eslint-scope to dependencieS
  • [Types] Fixed regression in validate

v5.96.0

Bug Fixes

  • Fixed Module Federation should track all referenced chunks
  • Handle Data URI without base64 word
  • HotUpdateChunk have correct runtime when modified with new runtime

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by evilebottnawi, a new releaser for webpack since your current version.


Updates json5 from 0.5.1 to 1.0.2

Release notes

Sourced from json5's releases.

v1.0.2

  • Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295). This has been backported to v1. (#298)

v1.0.1

This release includes a bug fix and minor change.

  • Fix: parse throws on unclosed objects and arrays.

  • New: package.json5 has been removed until an easier way to keep it in sync with package.json is found.

v1.0.0

This release includes major internal changes and public API enhancements.

  • Major JSON5 officially supports Node.js v4 and later. Support for Node.js v0.10 and v0.12 have been dropped.

  • New: Unicode property names and Unicode escapes in property names are supported. (#1)

  • New: stringify outputs trailing commas in objects and arrays when a space option is provided. (#66)

  • New: JSON5 allows line and paragraph separator characters (U+2028 and U+2029) in strings in order to be compatible with JSON. However, ES5 does not allow these characters in strings, so JSON5 gives a warning when they are parsed and escapes them when they are stringified. (#70)

  • New: stringify accepts an options object as its second argument. The supported options are replacer, space, and a new quote option that specifies the quote character used in strings. (#71)

  • New: The CLI supports STDIN and STDOUT and adds --out-file, --space, and --validate options. See json5 --help for more information. (#72, #84, and #108)

  • New: In addition to the white space characters space \t, \v, \f, \n, \r, and \xA0, the additional white space characters \u2028, \u2029, and all other characters in the Space Separator Unicode category are allowed.

  • New: In addition to the character escapes \', \", \\, \b, \f, \n, \r, and \t, the additional character escapes \v and \0, hexadecimal escapes like \x0F, and unnecessary escapes like \a are allowed in string values and string property names.

  • New: stringify outputs strings with single quotes by default but intelligently uses double quotes if there are more single quotes than double quotes inside the string. (i.e. stringify('Stay here.') outputs 'Stay here.' while stringify('Let\'s go.') outputs "Let's go.")

... (truncated)

Changelog

Sourced from json5's changelog.

Unreleased [code, diff]

v2.2.3 [code, diff]

  • Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

  • Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1 [code, diff]

v2.2.0 [code, diff]

  • New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

  • Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2 [code, diff]

... (truncated)

Commits

Updates js-yaml from 3.0.1 to 3.14.1

Changelog

Sourced from js-yaml's changelog.

[3.14.1] - 2020-12-07

Security

  • Fix possible code execution in (already unsafe) .load() (in &anchor).

[3.14.0] - 2020-05-22

Changed

  • Support safe/loadAll(input, options) variant of call.
  • CI: drop outdated nodejs versions.
  • Dev deps bump.

Fixed

  • Quote = in plain scalars #519.
  • Check the node type for !<?> tag in case user manually specifies it.
  • Verify that there are no null-bytes in input.
  • Fix wrong quote position when writing condensed flow, #526.

[3.13.1] - 2019-04-05

Security

  • Fix possible code execution in (already unsafe) .load(), #480.

[3.13.0] - 2019-03-20

Security

  • Security fix: safeLoad() can hang when arrays with nested refs used as key. Now throws exception for nested arrays. #475.

[3.12.2] - 2019-02-26

Fixed

  • Fix noArrayIndent option for root level, #468.

[3.12.1] - 2019-01-05

Added

  • Added noArrayIndent option, #432.

[3.12.0] - 2018-06-02

Changed

  • Support arrow functions without a block statement, #421.

[3.11.0] - 2018-03-05

Added

  • Add arrow functions suport for !!js/function.

Fixed

  • Fix dump in bin/octal/hex formats for negative integers, #399.

... (truncated)

Commits
  • 37caaad 3.14.1 released
  • 094c0f7 dist rebuild
  • 9586ebe Avoid calling hasOwnProperty of user-controlled objects
  • 34e5072 3.14.0 released
  • 7b25c83 Browser files rebuild
  • 6f73473 Dev deps bump
  • 0c29349 Travis-CI: drop old nodejs versions
  • 10be97e fix(loader): Add support for safe/loadAll(input, options)
  • d6983dd Fix issue #526: wrong quote position writing condensed flow (#527)
  • 93fbf7d fix issue 526 (wrong quote position writing condensed flow)
  • Additional commits viewable in compare view

Updates braces from 2.3.2 to 3.0.2

Changelog

Sourced from braces's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each versions is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

[3.0.0] - 2018-04-08

v3.0 is a complete refactor, resulting in a faster, smaller codebase, with fewer deps, and a more accurate parser and compiler.

Breaking Changes

  • The undocumented .makeRe method was removed
  • Require Node.js >= 8.3

Non-breaking changes

  • Caching was removed
Commits

Updates yargs-parser from 7.0.0 to 13.1.2

Changelog

Sourced from yargs-parser's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

21.1.1 (2022-08-04)

Bug Fixes

  • typescript: ignore .cts files during publish (#454) (d69f9c3), closes #452

21.1.0 (2022-08-03)

Features

  • allow the browser build to be imported (#443) (a89259f)

Bug Fixes

  • halt-at-non-option: prevent known args from being parsed when "unknown-options-as-args" is enabled (#438) (c474bc1)
  • node version check now uses process.versions.node (#450) (d07bcdb)
  • parse options ending with 3+ hyphens (#434) (4f1060b)

21.0.1 (2022-02-27)

Bug Fixes

21.0.0 (2021-11-15)

⚠ BREAKING CHANGES

  • drops support for 10 (#421)

Bug Fixes

Code Refactoring

20.2.9 (2021-06-20)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by oss-bot, a new releaser for yargs-parser since your current version.


Updates handlebars from 4.0.11 to 4.7.8

Release notes

Sourced from handlebars's releases.

v4.7.8

  • Make library compatible with workers (#1894) - 3d3796c
  • Don't rely on Node.js global object (#1776) - 2954e7e
  • Fix compiling of each block params in strict mode (#1855) - 30dbf04
  • Fix rollup warning when importing Handlebars as ESM - 03d387b
  • Fix bundler issue with webpack 5 (#1862) - c6c6bbb
  • Use https instead of git for mustache submodule - 88ac068

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.8 - July 27th, 2023

  • Make library compatible with workers (#1894) - 3d3796c
  • Don't rely on Node.js global object (#1776) - 2954e7e
  • Fix compiling of each block params in strict mode (#1855) - 30dbf04
  • Fix rollup warning when importing Handlebars as ESM - 03d387b
  • Fix bundler issue with webpack 5 (#1862) - c6c6bbb
  • Use https instead of git for mustache submodule - 88ac068

Commits

v4.7.7 - February 15th, 2021

  • fix weird error in integration tests - eb860c0
  • fix: check prototype property access in strict-mode (#1736) - b6d3de7
  • fix: escape property names in compat mode (#1736) - f058970
  • refactor: In spec tests, use expectTemplate over equals and shouldThrow (#1683) - 77825f8
  • chore: start testing on Node.js 12 and 13 - 3789a30

(POSSIBLY) BREAKING CHANGES:

  • the changes from version 4.6.0 now also apply in when using the compile-option "strict: true". Access to prototype properties is forbidden completely by default, specific properties or methods can be allowed via runtime-options. See #1633 for details. If you are using Handlebars as documented, you should not be accessing prototype properties from your template anyway, so the changes should not be a problem for you. Only the use of undocumented features can break your build.

That is why we only bump the patch version despite mentioning breaking changes.

Commits

v4.7.6 - April 3rd, 2020

Chore/Housekeeping:

Compatibility notes:

  • Restored Node.js compatibility

Commits

v4.7.5 - April 2nd, 2020

Chore/Housekeeping:

  • Node.js version support has been changed to v6+ Reverted in 4.7.6

Compatibility notes:

... (truncated)

Commits
  • 8dc3d25 v4.7.8
  • 668c4fb Fix browser tests in CI pipeline
  • c65c6cc Test on Node 18
  • 3d3796c Make library compatible with workers
  • 075b354 Fix sync issue with npm lock-file
  • 30dbf04 Fix compiling of each block params in strict mode
  • e3a5448 Fix bundler issue with webpack 5
  • 8e23642 Fix integration-tests issue with npm >= 7
  • 88ac068 use https instead of git for mustache submodule
  • c68bc08 Fix typo
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by jaylinski, a new releaser for handlebars since your current version.


Updates minimist from 0.0.8 to 1.2.8

Changelog

Sourced from minimist's changelog.

v1.2.8 - 2023-02-09

Merged

Fixed

Commits

  • Merge tag 'v0.2.3' a026794
  • [eslint] fix indentation and whitespace 5368ca4
  • [eslint] fix indentation and whitespace e5f5067
  • [eslint] more cleanup 62fde7d
  • [eslint] more cleanup 36ac5d0
  • [meta] add auto-changelog 73923d2
  • [actions] add reusable workflows d80727d
  • [eslint] add eslint; rules to enable later are warnings 48bc06a
  • [eslint] fix indentation 34b0f1c
  • [readme] rename and add badges 5df0fe4
  • [Dev Deps] switch from covert to nyc a48b128
  • [Dev Deps] update covert, tape; remove unnecessary tap f0fb958
  • [meta] create FUNDING.yml; add funding in package.json 3639e0c
  • [meta] use npmignore to autogenerate an npmignore file be2e038
  • Only apps should have lockfiles 282b570
  • isConstructorOrProto adapted from PR ef9153f
  • [Dev Deps] update @ljharb/eslint-config, aud 098873c
  • [Dev Deps] update @ljharb/eslint-config, aud 3124ed3
  • [meta] add safe-publish-latest 4b927de
  • [Tests] add aud in posttest b32d9bd
  • [meta] update repo URLs f9fdfc0
  • [actions] Avoid 0.6 tests due to build failures ba92fe6
  • [Dev Deps] update tape 950eaa7
  • [Dev Deps] add missing npmignore dev dep 3226afa
  • Merge tag 'v0.2.2' 980d7ac

v1.2.7 - 2022-10-10

Commits

... (truncated)

Commits
  • 6901ee2 v1.2.8
  • a026794 Merge tag 'v0.2.3'
  • c0b2661 v0.2.3
  • 63b8fee [Fix] Fix long option followed by single dash (#17)
  • 72239e6 [Tests] Remove duplicate test (#12)
  • 34b0f1c [eslint] fix indentation
  • 3226afa [Dev Deps] add missing npmignore dev dep
  • 098873c [Dev Deps] update @ljharb/eslint-config, aud
  • 9ec4d27 [Fix] Fix long option followed by single dash
  • ba92fe6 [actions] Avoid 0.6 tests due to build failures
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for minimist since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps): bump the npm_and_yarn group across 1 directory with 8 up…
82bcf52 
…dates

Bumps the npm_and_yarn group with 4 updates in the / directory: [mocha](https://github.com/mochajs/mocha), [webpack](https://github.com/webpack/webpack), [js-yaml](https://github.com/nodeca/js-yaml) and [handlebars](https://github.com/handlebars-lang/handlebars.js).


Updates `mocha` from 8.4.0 to 11.0.1
- [Release notes](https://github.com/mochajs/mocha/releases)
- [Changelog](https://github.com/mochajs/mocha/blob/main/CHANGELOG.md)
- [Commits](mochajs/mocha@v8.4.0...v11.0.1)

Updates `webpack` from 3.12.0 to 5.97.1
- [Release notes](https://github.com/webpack/webpack/releases)
- [Commits](webpack/webpack@v3.12.0...v5.97.1)

Updates `json5` from 0.5.1 to 1.0.2
- [Release notes](https://github.com/json5/json5/releases)
- [Changelog](https://github.com/json5/json5/blob/main/CHANGELOG.md)
- [Commits](json5/json5@v0.5.1...v1.0.2)

Updates `js-yaml` from 3.0.1 to 3.14.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.0.1...3.14.1)

Updates `braces` from 2.3.2 to 3.0.2
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/braces/commits/3.0.2)

Updates `yargs-parser` from 7.0.0 to 13.1.2
- [Release notes](https://github.com/yargs/yargs-parser/releases)
- [Changelog](https://github.com/yargs/yargs-parser/blob/main/CHANGELOG.md)
- [Commits](https://github.com/yargs/yargs-parser/commits)

Updates `handlebars` from 4.0.11 to 4.7.8
- [Release notes](https://github.com/handlebars-lang/handlebars.js/releases)
- [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.8/release-notes.md)
- [Commits](handlebars-lang/handlebars.js@v4.0.11...v4.7.8)

Updates `minimist` from 0.0.8 to 1.2.8
- [Changelog](https://github.com/minimistjs/minimist/blob/main/CHANGELOG.md)
- [Commits](minimistjs/minimist@v0.0.8...v1.2.8)

---
updated-dependencies:
- dependency-name: mocha
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: webpack
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: json5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: yargs-parser
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: handlebars
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimist
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Jan 13, 2025
@socket-security
Copy link

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@isaacs/cliui@8.0.2 None +8 72.6 kB isaacs
npm/@jridgewell/source-map@0.3.6 None +2 277 kB jridgewell
npm/@pkgjs/parseargs@0.11.0 None 0 74.2 kB oss-bot
npm/@types/eslint-scope@3.7.7 None 0 6.27 kB types
npm/@types/eslint@9.6.1 None 0 196 kB types
npm/@types/estree@1.0.6 None 0 25.8 kB types
npm/@webassemblyjs/ast@1.14.1 None 0 207 kB xtuc
npm/@webassemblyjs/floating-point-hex-parser@1.13.2 None 0 6.37 kB xtuc
npm/@webassemblyjs/helper-api-error@1.13.2 None 0 11.3 kB xtuc
npm/@webassemblyjs/helper-buffer@1.14.1 None 0 10.8 kB xtuc
npm/@webassemblyjs/helper-numbers@1.13.2 None 0 10.5 kB xtuc
npm/@webassemblyjs/helper-wasm-bytecode@1.13.2 None 0 34.2 kB xtuc
npm/@webassemblyjs/helper-wasm-section@1.14.1 None 0 19.7 kB xtuc
npm/@webassemblyjs/ieee754@1.13.2 None 0 5.34 kB xtuc
npm/@webassemblyjs/leb128@1.13.2 None 0 48.5 kB xtuc
npm/@webassemblyjs/utf8@1.13.2 None 0 12.3 kB xtuc
npm/@webassemblyjs/wasm-edit@1.14.1 None 0 34.6 kB xtuc
npm/@webassemblyjs/wasm-gen@1.14.1 None 0 28.1 kB xtuc
npm/@webassemblyjs/wasm-opt@1.14.1 None 0 14.4 kB xtuc
npm/@webassemblyjs/wasm-parser@1.14.1 None 0 137 kB xtuc
npm/@webassemblyjs/wast-printer@1.14.1 None 0 39.6 kB xtuc
npm/@xtuc/ieee754@1.2.0 None 0 8.57 kB xtuc
npm/@xtuc/long@4.2.2 None 0 190 kB xtuc
npm/acorn@8.14.0 🔁 npm/acorn@4.0.13, npm/acorn@5.7.4 None 0 547 kB marijn
npm/ajv-formats@2.1.1 Transitive: eval +2 1.11 MB esp
npm/chrome-trace-event@1.0.4 None 0 9.81 kB samccone
npm/diff@5.2.0 🔁 npm/diff@5.0.0 None 0 429 kB explodingcabbage
npm/eastasianwidth@0.2.0 None 0 13.6 kB komagata
npm/enhanced-resolve@5.18.0 🔁 npm/enhanced-resolve@3.4.1 Transitive: environment, filesystem +1 245 kB evilebottnawi, jhnns, sokra, ...1 more
npm/es-module-lexer@1.6.0 None 0 91.3 kB guybedford
npm/fast-uri@3.0.5 None 0 109 kB climba03003, delvedor, eomm, ...7 more
npm/foreground-child@3.3.0 shell Transitive: environment, filesystem +2 162 kB isaacs
npm/glob-to-regexp@0.4.1 None 0 18.1 kB nickfitzgerald
npm/handlebars@4.7.8 🔁 npm/handlebars@4.0.11 Transitive: environment, eval +2 4.14 MB jaylinski
npm/is-unicode-supported@0.1.0 None 0 3.54 kB sindresorhus
npm/jackspeak@3.4.3 environment 0 297 kB isaacs
npm/jest-worker@27.5.1 environment, shell +2 94.8 kB simenb
npm/json-parse-even-better-errors@2.3.1 None 0 10.4 kB isaacs
npm/loader-runner@4.3.0 🔁 npm/loader-runner@2.4.0 eval 0 18.4 kB sokra
npm/log-symbols@4.1.0 🔁 npm/log-symbols@4.0.0 None +2 46.7 kB sindresorhus
npm/merge-stream@2.0.0 None 0 4.31 kB stevemao
npm/mime-db@1.52.0 None 0 206 kB dougwilson
npm/mime-types@2.1.35 None 0 18.3 kB dougwilson
npm/minipass@7.1.2 None 0 286 kB isaacs
npm/mocha@11.0.1 🔁 npm/mocha@8.4.0 None +17 4.24 MB voxpelli
npm/package-json-from-dist@1.0.1 None 0 36.5 kB isaacs
npm/path-scurry@1.11.1 filesystem +1 1.34 MB isaacs
npm/serialize-javascript@6.0.2 🔁 npm/serialize-javascript@5.0.1 None 0 16.9 kB redonkulus
npm/tapable@2.2.1 🔁 npm/tapable@0.2.9 None 0 46.9 kB sokra
npm/terser-webpack-plugin@5.3.11 Transitive: environment +3 466 kB evilebottnawi, jhnns, sokra
npm/terser@5.37.0 environment, eval Transitive: filesystem, shell +1 2.28 MB fabiosantoscode
npm/watchpack@2.4.2 🔁 npm/watchpack@1.7.5 environment, filesystem 0 56.4 kB evilebottnawi
npm/webpack-sources@3.2.3 🔁 npm/webpack-sources@1.4.3 None 0 91.3 kB sokra
npm/webpack@5.97.1 🔁 npm/webpack@3.12.0 network +8 7.73 MB evilebottnawi
npm/workerpool@6.5.1 🔁 npm/workerpool@6.1.0 eval 0 374 kB josdejong

🚮 Removed packages: npm/@ungap/promise-all-settled@1.1.2, npm/acorn-dynamic-import@2.0.2, npm/align-text@0.1.4, npm/argparse@0.1.16, npm/arr-diff@4.0.0, npm/arr-flatten@1.1.0, npm/arr-union@3.1.0, npm/array-unique@0.3.2, npm/asn1.js@5.4.1, npm/assert@1.5.1, npm/assign-symbols@1.0.0, npm/async-each@1.0.1, npm/atob@2.1.2, npm/base64-js@1.5.1, npm/base@0.11.2, npm/binary-extensions@1.11.0, npm/browserify-cipher@1.0.1, npm/browserify-des@1.0.2, npm/browserify-rsa@4.1.0, npm/browserify-sign@4.2.2, npm/browserify-zlib@0.2.0, npm/buffer@4.9.2, npm/builtin-status-codes@3.0.0, npm/cache-base@1.0.1, npm/camelcase@1.2.1, npm/center-align@0.1.3, npm/class-utils@0.3.6, npm/cliui@2.1.0, npm/code-point-at@1.1.0, npm/collection-visit@1.0.0, npm/component-emitter@1.3.1, npm/console-browserify@1.2.0, npm/constants-browserify@1.0.0, npm/copy-descriptor@0.1.1, npm/create-ecdh@4.0.4, npm/crypto-browserify@3.12.0, npm/d@1.0.0, npm/decode-uri-component@0.2.2, npm/define-property@2.0.2, npm/des.js@1.1.0, npm/diffie-hellman@5.0.3, npm/domain-browser@1.2.0, npm/errno@0.1.8, npm/error-ex@1.3.2, npm/es5-ext@0.10.42, npm/es6-iterator@2.0.3, npm/es6-map@0.1.5, npm/es6-set@0.1.5, npm/es6-symbol@3.1.1, npm/es6-weak-map@2.0.2, npm/escope@3.6.0, npm/esrecurse@4.2.1, npm/event-emitter@0.3.5, npm/expand-brackets@2.1.4, npm/extend-shallow@3.0.2, npm/extglob@2.0.4, npm/for-in@1.0.2, npm/fragment-cache@0.2.1, npm/get-caller-file@1.0.3, npm/get-value@2.0.6, npm/growl@1.10.5, npm/has-value@1.0.0, npm/has-values@1.0.0, npm/hosted-git-info@2.8.9, npm/https-browserify@1.0.0, npm/ieee754@1.2.1, npm/interpret@1.1.0, npm/invert-kv@1.0.0, npm/is-accessor-descriptor@1.0.1, npm/is-arrayish@0.2.1, npm/is-binary-path@1.0.1, npm/is-buffer@1.1.6, npm/is-data-descriptor@1.0.1, npm/is-descriptor@0.1.7, npm/is-extendable@0.1.1, npm/is-fullwidth-code-point@1.0.0, npm/is-number@3.0.0, npm/is-windows@1.0.2, npm/json5@0.5.1, npm/kind-of@3.2.2, npm/lazy-cache@1.0.4, npm/lcid@1.0.0, npm/load-json-file@2.0.0, npm/longest@1.0.1, npm/map-cache@0.2.2, npm/map-visit@1.0.0, npm/memory-fs@0.4.1, npm/micromatch@3.1.10, npm/miller-rabin@4.0.1, npm/minimist@0.0.8, npm/mixin-deep@1.3.2, npm/ms@2.0.0, npm/nanoid@3.1.20, npm/nanomatch@1.2.13, npm/next-tick@1.0.0, npm/node-libs-browser@2.2.1, npm/normalize-package-data@2.5.0, npm/number-is-nan@1.0.1, npm/object-copy@0.1.0, npm/object-visit@1.0.1, npm/object.pick@1.3.0, npm/optimist@0.6.1, npm/os-browserify@0.3.0, npm/os-locale@2.1.0, npm/pako@1.0.11, npm/parse-asn1@5.1.6, npm/parse-json@2.2.0, npm/pascalcase@0.1.1, npm/path-browserify@0.0.1, npm/path-dirname@1.0.2, npm/path-type@2.0.0, npm/pify@2.3.0, npm/posix-character-classes@0.1.1, npm/process@0.11.10, npm/prr@1.0.1, npm/public-encrypt@4.0.3, npm/qs@6.11.2, npm/querystring-es3@0.2.1, npm/randomfill@1.0.4, npm/read-pkg-up@2.0.0, npm/read-pkg@2.0.0, npm/regex-not@1.0.2, npm/remove-trailing-separator@1.1.0, npm/repeat-element@1.1.2, npm/repeat-string@1.6.1, npm/require-main-filename@1.0.1, npm/resolve-url@0.2.1, npm/ret@0.1.15, npm/right-align@0.1.3, npm/safe-regex@1.1.0, npm/safer-buffer@2.1.2, npm/set-value@2.0.1, npm/snapdragon-node@2.1.1, npm/snapdragon-util@3.0.1, npm/snapdragon@0.8.2, npm/source-list-map@2.0.1, npm/source-map-resolve@0.5.3, npm/source-map-url@0.4.1, npm/source-map@0.5.7, npm/spdx-correct@3.2.0, npm/spdx-exceptions@2.3.0, npm/spdx-expression-parse@3.0.1, npm/spdx-license-ids@3.0.16, npm/split-string@3.1.0, npm/static-extend@0.1.2, npm/stream-browserify@2.0.2, npm/stream-http@2.8.3, npm/timers-browserify@2.0.12, npm/to-arraybuffer@1.0.1, npm/to-object-path@0.3.0, npm/to-regex@3.0.2, npm/tty-browserify@0.0.0, npm/uglify-to-browserify@1.0.2, npm/uglifyjs-webpack-plugin@0.4.6, npm/underscore.string@2.4.0, npm/underscore@1.7.0, npm/union-value@1.0.1, npm/unset-value@1.0.0, npm/upath@1.2.0, npm/urix@0.1.0, npm/url@0.11.3, npm/use@3.1.1, npm/util@0.11.1, npm/validate-npm-package-license@3.0.4, npm/vm-browserify@1.1.2, npm/watchpack-chokidar2@2.0.1, npm/wide-align@1.1.3, npm/window-size@0.1.0, npm/xtend@4.0.1, npm/y18n@3.2.2, npm/yargs@3.10.0

View full report↗︎

@socket-security
Copy link

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert Package NoteSourceCI
New author npm/merge-stream@2.0.0 🚫
Shell access npm/jest-worker@27.5.1 🚫
Shell access npm/foreground-child@3.3.0 🚫
New author npm/handlebars@4.7.8 🚫
New author npm/diff@5.2.0 🚫
Network access npm/webpack@5.97.1 🚫
Network access npm/webpack@5.97.1 🚫
Network access npm/webpack@5.97.1 🚫

View full report↗︎

Next steps

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

What is shell access?

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

What is network access?

This module accesses the network.

Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm/merge-stream@2.0.0
  • @SocketSecurity ignore npm/jest-worker@27.5.1
  • @SocketSecurity ignore npm/foreground-child@3.3.0
  • @SocketSecurity ignore npm/handlebars@4.7.8
  • @SocketSecurity ignore npm/diff@5.2.0
  • @SocketSecurity ignore npm/webpack@5.97.1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant