Skip to content

Bump the npm_and_yarn group across 1 directory with 8 updates #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Bump the npm_and_yarn group across 1 directory with 8 updates #24

wants to merge 1 commit into from

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github May 2, 2024

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package From To
json5 0.5.1 removed
webpack 3.12.0 5.91.0
js-yaml 3.0.1 3.14.1
handlebars 4.0.11 4.7.8
nanoid 3.1.20 removed
mocha 8.4.0 10.4.0

Removes json5

Updates webpack from 3.12.0 to 5.91.0

Release notes

Sourced from webpack's releases.

v5.91.0

Bug Fixes

  • Deserializer for ignored modules doesn't crash
  • Allow the unsafeCache option to be a proxy object
  • Normalize the snapshot.unmanagedPaths option
  • Fixed fs types
  • Fixed resolve's plugins types
  • Fixed wrongly calculate postOrderIndex
  • Fixed watching types
  • Output import attrbiutes/import assertions for external JS imports
  • Throw an error when DllPlugin needs to generate multiple manifest files, but the path is the same
  • [CSS] Output layer/supports/media for external CSS imports

New Features

  • Allow to customize the stage of BannerPlugin
  • [CSS] Support CSS exports convention
  • [CSS] support CSS local ident name
  • [CSS] Support __webpack_nonce__ for CSS chunks
  • [CSS] Support fetchPriority for CSS chunks
  • [CSS] Allow to use LZW to compress css head meta (enabled in the production mode by default)
  • [CSS] Support prefetch/preload for CSS chunks

v5.90.3

Bug Fixes

  • don't mangle when destructuring a reexport
  • types for Stats.toJson() and Stats.toString()
  • many internal types
  • [CSS] clean up export css local vars

Perf

  • simplify and optimize chunk graph creation

v5.90.2

Bug Fixes

  • use Math.imul in fnv1a32 to avoid loss of precision, directly hash UTF16 values
  • the setStatus() of the HMR module should not return an array, which may cause infinite recursion
  • __webpack_exports_info__.xxx.canMangle shouldn't always same as default
  • mangle export with destructuring
  • use new runtime to reconsider skipped connections activeState
  • make dynamic import optional in try/catch
  • improve auto publicPath detection

Dependencies & Maintenance

  • improve CI setup and include Node.js@21

... (truncated)

Commits
  • 60daca5 chore(release): 5.91.0
  • 8dad9ce chore(deps-dev): bump @​babel/preset-react from 7.23.3 to 7.24.1
  • a3229f9 chore(deps-dev): bump @​babel/core from 7.24.0 to 7.24.1
  • 40c2e44 chore(deps-dev): bump @​types/node from 20.11.29 to 20.11.30
  • a04faba chore(deps-dev): bump memfs from 4.7.7 to 4.8.0
  • 8f22221 chore(deps): bump es-module-lexer from 1.4.1 to 1.4.2
  • 8df6912 chore(deps): bump es-module-lexer from 1.4.1 to 1.4.2
  • 711c618 chore(deps-dev): bump memfs from 4.7.7 to 4.8.0
  • c462bb3 chore(deps-dev): bump @​types/node from 20.11.29 to 20.11.30
  • f0d3e3e chore(deps-dev): bump @​babel/preset-react from 7.23.3 to 7.24.1
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by evilebottnawi, a new releaser for webpack since your current version.


Updates js-yaml from 3.0.1 to 3.14.1

Changelog

Sourced from js-yaml's changelog.

[3.14.1] - 2020-12-07

Security

  • Fix possible code execution in (already unsafe) .load() (in &anchor).

[3.14.0] - 2020-05-22

Changed

  • Support safe/loadAll(input, options) variant of call.
  • CI: drop outdated nodejs versions.
  • Dev deps bump.

Fixed

  • Quote = in plain scalars #519.
  • Check the node type for !<?> tag in case user manually specifies it.
  • Verify that there are no null-bytes in input.
  • Fix wrong quote position when writing condensed flow, #526.

[3.13.1] - 2019-04-05

Security

  • Fix possible code execution in (already unsafe) .load(), #480.

[3.13.0] - 2019-03-20

Security

  • Security fix: safeLoad() can hang when arrays with nested refs used as key. Now throws exception for nested arrays. #475.

[3.12.2] - 2019-02-26

Fixed

  • Fix noArrayIndent option for root level, #468.

[3.12.1] - 2019-01-05

Added

  • Added noArrayIndent option, #432.

[3.12.0] - 2018-06-02

Changed

  • Support arrow functions without a block statement, #421.

[3.11.0] - 2018-03-05

Added

  • Add arrow functions suport for !!js/function.

Fixed

  • Fix dump in bin/octal/hex formats for negative integers, #399.

... (truncated)

Commits
  • 37caaad 3.14.1 released
  • 094c0f7 dist rebuild
  • 9586ebe Avoid calling hasOwnProperty of user-controlled objects
  • 34e5072 3.14.0 released
  • 7b25c83 Browser files rebuild
  • 6f73473 Dev deps bump
  • 0c29349 Travis-CI: drop old nodejs versions
  • 10be97e fix(loader): Add support for safe/loadAll(input, options)
  • d6983dd Fix issue #526: wrong quote position writing condensed flow (#527)
  • 93fbf7d fix issue 526 (wrong quote position writing condensed flow)
  • Additional commits viewable in compare view

Updates handlebars from 4.0.11 to 4.7.8

Release notes

Sourced from handlebars's releases.

v4.7.8

  • Make library compatible with workers (#1894) - 3d3796c
  • Don't rely on Node.js global object (#1776) - 2954e7e
  • Fix compiling of each block params in strict mode (#1855) - 30dbf04
  • Fix rollup warning when importing Handlebars as ESM - 03d387b
  • Fix bundler issue with webpack 5 (#1862) - c6c6bbb
  • Use https instead of git for mustache submodule - 88ac068

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.8 - July 27th, 2023

  • Make library compatible with workers (#1894) - 3d3796c
  • Don't rely on Node.js global object (#1776) - 2954e7e
  • Fix compiling of each block params in strict mode (#1855) - 30dbf04
  • Fix rollup warning when importing Handlebars as ESM - 03d387b
  • Fix bundler issue with webpack 5 (#1862) - c6c6bbb
  • Use https instead of git for mustache submodule - 88ac068

Commits

v4.7.7 - February 15th, 2021

  • fix weird error in integration tests - eb860c0
  • fix: check prototype property access in strict-mode (#1736) - b6d3de7
  • fix: escape property names in compat mode (#1736) - f058970
  • refactor: In spec tests, use expectTemplate over equals and shouldThrow (#1683) - 77825f8
  • chore: start testing on Node.js 12 and 13 - 3789a30

(POSSIBLY) BREAKING CHANGES:

  • the changes from version 4.6.0 now also apply in when using the compile-option "strict: true". Access to prototype properties is forbidden completely by default, specific properties or methods can be allowed via runtime-options. See #1633 for details. If you are using Handlebars as documented, you should not be accessing prototype properties from your template anyway, so the changes should not be a problem for you. Only the use of undocumented features can break your build.

That is why we only bump the patch version despite mentioning breaking changes.

Commits

v4.7.6 - April 3rd, 2020

Chore/Housekeeping:

Compatibility notes:

  • Restored Node.js compatibility

Commits

v4.7.5 - April 2nd, 2020

Chore/Housekeeping:

  • Node.js version support has been changed to v6+ Reverted in 4.7.6

Compatibility notes:

... (truncated)

Commits
  • 8dc3d25 v4.7.8
  • 668c4fb Fix browser tests in CI pipeline
  • c65c6cc Test on Node 18
  • 3d3796c Make library compatible with workers
  • 075b354 Fix sync issue with npm lock-file
  • 30dbf04 Fix compiling of each block params in strict mode
  • e3a5448 Fix bundler issue with webpack 5
  • 8e23642 Fix integration-tests issue with npm >= 7
  • 88ac068 use https instead of git for mustache submodule
  • c68bc08 Fix typo
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by jaylinski, a new releaser for handlebars since your current version.


Updates minimist from 0.0.8 to 1.2.8

Changelog

Sourced from minimist's changelog.

v1.2.8 - 2023-02-09

Merged

Fixed

Commits

  • Merge tag 'v0.2.3' a026794
  • [eslint] fix indentation and whitespace 5368ca4
  • [eslint] fix indentation and whitespace e5f5067
  • [eslint] more cleanup 62fde7d
  • [eslint] more cleanup 36ac5d0
  • [meta] add auto-changelog 73923d2
  • [actions] add reusable workflows d80727d
  • [eslint] add eslint; rules to enable later are warnings 48bc06a
  • [eslint] fix indentation 34b0f1c
  • [readme] rename and add badges 5df0fe4
  • [Dev Deps] switch from covert to nyc a48b128
  • [Dev Deps] update covert, tape; remove unnecessary tap f0fb958
  • [meta] create FUNDING.yml; add funding in package.json 3639e0c
  • [meta] use npmignore to autogenerate an npmignore file be2e038
  • Only apps should have lockfiles 282b570
  • isConstructorOrProto adapted from PR ef9153f
  • [Dev Deps] update @ljharb/eslint-config, aud 098873c
  • [Dev Deps] update @ljharb/eslint-config, aud 3124ed3
  • [meta] add safe-publish-latest 4b927de
  • [Tests] add aud in posttest b32d9bd
  • [meta] update repo URLs f9fdfc0
  • [actions] Avoid 0.6 tests due to build failures ba92fe6
  • [Dev Deps] update tape 950eaa7
  • [Dev Deps] add missing npmignore dev dep 3226afa
  • Merge tag 'v0.2.2' 980d7ac

v1.2.7 - 2022-10-10

Commits

... (truncated)

Commits
  • 6901ee2 v1.2.8
  • a026794 Merge tag 'v0.2.3'
  • c0b2661 v0.2.3
  • 63b8fee [Fix] Fix long option followed by single dash (#17)
  • 72239e6 [Tests] Remove duplicate test (#12)
  • 34b0f1c [eslint] fix indentation
  • 3226afa [Dev Deps] add missing npmignore dev dep
  • 098873c [Dev Deps] update @ljharb/eslint-config, aud
  • 9ec4d27 [Fix] Fix long option followed by single dash
  • ba92fe6 [actions] Avoid 0.6 tests due to build failures
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for minimist since your current version.


Updates yargs-parser from 7.0.0 to 20.2.4

Release notes

Sourced from yargs-parser's releases.

yargs-parser yargs-parser-v15.0.3

Bug Fixes

  • build: should use releases_created when using manifest (49ea4ef)

yargs-parser yargs-parser-v15.0.2

Bug Fixes

  • perf: address slow parse when using unknown-options-as-args (#400) (bc387ec)
Changelog

Sourced from yargs-parser's changelog.

20.2.4 (2020-11-09)

Bug Fixes

20.2.3 (2020-10-16)

Bug Fixes

  • exports: node 13.0 and 13.1 require the dotted object form with a string fallback (#336) (3ae7242)

20.2.2 (2020-10-14)

Bug Fixes

  • exports: node 13.0-13.6 require a string fallback (#333) (291aeda)

20.2.1 (2020-10-01)

Bug Fixes

20.2.0 (2020-09-21)

Features

  • string-utils: export looksLikeNumber helper (#324) (c8580a2)

Bug Fixes

  • unknown-options-as-args: convert positionals that look like numbers (#326) (f85ebb4)

20.1.0 (2020-09-20)

Features

  • adds parse-positional-numbers configuration (#321) (9cec00a)

Bug Fixes

... (truncated)

Commits
  • 637690d chore: release 20.2.4 (#340)
  • 2c6b905 chore(deps): update @​typescript-eslint/standardx (#341)
  • 3b54e5e fix(deno): address import issues in Deno (#339)
  • b6974c9 chore: release 20.2.3 (#337)
  • 3ae7242 fix(exports): node 13.0 and 13.1 require the dotted object form with a stri...
  • 3fe41fe chore: release 20.2.2 (#335)
  • b4a447f build: run latest and greatest relese please
  • 291aeda fix(exports): node 13.0-13.6 require a string fallback (#333)
  • 94220bf chore(deps): update dependency gts to v3 (#332)
  • 251951b chore: release 20.2.1 (#331)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by oss-bot, a new releaser for yargs-parser since your current version.


Removes nanoid

Updates mocha from 8.4.0 to 10.4.0

Release notes

Sourced from mocha's releases.

v10.4.0

10.4.0 / 2024-03-26

🎉 Enhancements

🐛 Fixes

🔩 Other

v10.3.0

This is a stable release equivalent to v10.3.0-preminor.0.

What's Changed

... (truncated)

Changelog

Sourced from mocha's changelog.

10.4.0 / 2024-03-26

🎉 Enhancements

🐛 Fixes

🔩 Other

10.3.0 / 2024-02-08

This is a stable release equivalent to 10.30.0-prerelease.

10.3.0-prerelease / 2024-01-18

This is a prerelease version to test our ability to release. Other than removing or updating dependencies, it contains no intended user-facing changes.

🔩 Other

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by voxpelli, a new releaser for mocha since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the npm_and_yarn group across 1 directory with 8 updates
1073b2e 
Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [json5](https://github.com/json5/json5) | `0.5.1` | `removed` |
| [webpack](https://github.com/webpack/webpack) | `3.12.0` | `5.91.0` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `3.0.1` | `3.14.1` |
| [handlebars](https://github.com/handlebars-lang/handlebars.js) | `4.0.11` | `4.7.8` |
| [nanoid](https://github.com/ai/nanoid) | `3.1.20` | `removed` |
| [mocha](https://github.com/mochajs/mocha) | `8.4.0` | `10.4.0` |



Removes `json5`

Updates `webpack` from 3.12.0 to 5.91.0
- [Release notes](https://github.com/webpack/webpack/releases)
- [Commits](webpack/webpack@v3.12.0...v5.91.0)

Updates `js-yaml` from 3.0.1 to 3.14.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.0.1...3.14.1)

Updates `handlebars` from 4.0.11 to 4.7.8
- [Release notes](https://github.com/handlebars-lang/handlebars.js/releases)
- [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.8/release-notes.md)
- [Commits](handlebars-lang/handlebars.js@v4.0.11...v4.7.8)

Updates `minimist` from 0.0.8 to 1.2.8
- [Changelog](https://github.com/minimistjs/minimist/blob/main/CHANGELOG.md)
- [Commits](minimistjs/minimist@v0.0.8...v1.2.8)

Updates `yargs-parser` from 7.0.0 to 20.2.4
- [Release notes](https://github.com/yargs/yargs-parser/releases)
- [Changelog](https://github.com/yargs/yargs-parser/blob/main/CHANGELOG.md)
- [Commits](yargs/yargs-parser@v7.0.0...v20.2.4)

Removes `nanoid`

Updates `mocha` from 8.4.0 to 10.4.0
- [Release notes](https://github.com/mochajs/mocha/releases)
- [Changelog](https://github.com/mochajs/mocha/blob/master/CHANGELOG.md)
- [Commits](mochajs/mocha@v8.4.0...v10.4.0)

---
updated-dependencies:
- dependency-name: json5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: webpack
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: handlebars
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimist
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: yargs-parser
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: nanoid
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: mocha
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label May 2, 2024
@socket-security
Copy link

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@jridgewell/source-map@0.3.6 None +3 446 kB jridgewell
npm/@types/eslint-scope@3.7.7 None 0 6.27 kB types
npm/@types/eslint@8.56.10 None 0 192 kB types
npm/@types/estree@1.0.5 None 0 25.7 kB types
npm/@types/node@20.12.8 None 0 2.06 MB types
npm/@webassemblyjs/ast@1.12.1 None 0 207 kB xtuc
npm/@webassemblyjs/floating-point-hex-parser@1.11.6 None 0 5.14 kB xtuc
npm/@webassemblyjs/helper-api-error@1.11.6 None 0 5.4 kB xtuc
npm/@webassemblyjs/helper-buffer@1.12.1 None 0 10.8 kB xtuc
npm/@webassemblyjs/helper-numbers@1.11.6 None 0 6.68 kB xtuc
npm/@webassemblyjs/helper-wasm-bytecode@1.11.6 None 0 16 kB xtuc
npm/@webassemblyjs/helper-wasm-section@1.12.1 None 0 19.7 kB xtuc
npm/@webassemblyjs/ieee754@1.11.6 None 0 3.18 kB xtuc
npm/@webassemblyjs/leb128@1.11.6 None 0 30.7 kB xtuc
npm/@webassemblyjs/utf8@1.11.6 None 0 7.31 kB xtuc
npm/@webassemblyjs/wasm-edit@1.12.1 None 0 34.6 kB xtuc
npm/@webassemblyjs/wasm-gen@1.12.1 None 0 28.1 kB xtuc
npm/@webassemblyjs/wasm-opt@1.12.1 None 0 14.4 kB xtuc
npm/@webassemblyjs/wasm-parser@1.12.1 None 0 129 kB xtuc
npm/@webassemblyjs/wast-printer@1.12.1 None 0 39.6 kB xtuc
npm/@xtuc/ieee754@1.2.0 None 0 8.57 kB xtuc
npm/@xtuc/long@4.2.2 None 0 190 kB xtuc
npm/acorn-import-assertions@1.9.0 None 0 25.7 kB xtuc
npm/acorn@8.11.3 None 0 531 kB marijn
npm/chrome-trace-event@1.0.3 None 0 14.2 kB samccone
npm/enhanced-resolve@5.16.0 unsafe Transitive: environment, filesystem +1 243 kB evilebottnawi
npm/es-module-lexer@1.5.2 None 0 90.6 kB guybedford
npm/glob-to-regexp@0.4.1 None 0 18.1 kB nickfitzgerald
npm/handlebars@4.7.8 filesystem Transitive: environment, eval +1 4.06 MB jaylinski
npm/is-unicode-supported@0.1.0 None 0 3.54 kB sindresorhus
npm/jest-worker@27.5.1 environment, shell 0 81.9 kB simenb
npm/json-parse-even-better-errors@2.3.1 None 0 10.4 kB isaacs
npm/loader-runner@4.3.0 eval, filesystem 0 18.4 kB sokra
npm/log-symbols@4.1.0 None +6 102 kB sindresorhus
npm/merge-stream@2.0.0 None 0 4.31 kB stevemao
npm/mime-db@1.52.0 None 0 206 kB dougwilson
npm/mime-types@2.1.35 None 0 18.3 kB dougwilson
npm/mocha@10.4.0 environment, eval, filesystem +5 2.61 MB voxpelli
npm/serialize-javascript@6.0.0 None 0 16.8 kB okuryu
npm/tapable@2.2.1 None 0 46.9 kB sokra
npm/terser-webpack-plugin@5.3.10 Transitive: environment +2 190 kB evilebottnawi
npm/terser@5.31.0 environment, eval Transitive: filesystem, shell +1 2.25 MB fabiosantoscode
npm/undici-types@5.26.5 None 0 73.1 kB ethan_arrowood
npm/watchpack@2.4.1 environment, filesystem 0 56.2 kB evilebottnawi
npm/webpack-sources@3.2.3 None 0 91.3 kB sokra
npm/webpack@5.91.0 environment, filesystem, network, unsafe 0 4.93 MB evilebottnawi
npm/workerpool@6.2.1 None 0 330 kB josdejong

🚮 Removed packages: npm/@ungap/promise-all-settled@1.1.2, npm/acorn-dynamic-import@2.0.2, npm/acorn@5.7.4, npm/align-text@0.1.4, npm/ansi-regex@2.1.1, npm/argparse@0.1.16, npm/arr-diff@4.0.0, npm/arr-flatten@1.1.0, npm/arr-union@3.1.0, npm/array-unique@0.3.2, npm/asn1.js@5.4.1, npm/assert@1.5.1, npm/assign-symbols@1.0.0, npm/async-each@1.0.1, npm/async@2.6.4, npm/atob@2.1.2, npm/base64-js@1.5.1, npm/base@0.11.2, npm/binary-extensions@1.11.0, npm/bindings@1.5.0, npm/brorand@1.1.0, npm/browserify-aes@1.2.0, npm/browserify-cipher@1.0.1, npm/browserify-des@1.0.2, npm/browserify-rsa@4.1.0, npm/browserify-sign@4.2.2, npm/browserify-zlib@0.2.0, npm/buffer-xor@1.0.3, npm/buffer@4.9.2, npm/builtin-status-codes@3.0.0, npm/cache-base@1.0.1, npm/camelcase@4.1.0, npm/center-align@0.1.3, npm/cipher-base@1.0.4, npm/class-utils@0.3.6, npm/cliui@3.2.0, npm/code-point-at@1.1.0, npm/collection-visit@1.0.0, npm/component-emitter@1.3.0, npm/console-browserify@1.2.0, npm/constants-browserify@1.0.0, npm/copy-descriptor@0.1.1, npm/create-ecdh@4.0.4, npm/create-hash@1.2.0, npm/create-hmac@1.1.7, npm/crypto-browserify@3.12.0, npm/d@1.0.0, npm/debug@2.6.9, npm/decamelize@1.2.0, npm/decode-uri-component@0.2.2, npm/define-property@2.0.2, npm/des.js@1.1.0, npm/diffie-hellman@5.0.3, npm/domain-browser@1.2.0, npm/elliptic@6.5.4, npm/enhanced-resolve@3.4.1, npm/errno@0.1.8, npm/error-ex@1.3.2, npm/es5-ext@0.10.42, npm/es6-iterator@2.0.3, npm/es6-map@0.1.5, npm/es6-set@0.1.5, npm/es6-symbol@3.1.1, npm/es6-weak-map@2.0.2, npm/escope@3.6.0, npm/esrecurse@4.2.1, npm/event-emitter@0.3.5, npm/evp_bytestokey@1.0.3, npm/execa@0.7.0, npm/expand-brackets@2.1.4, npm/extend-shallow@3.0.2, npm/extglob@2.0.4, npm/file-uri-to-path@1.0.0, npm/for-in@1.0.2, npm/fragment-cache@0.2.1, npm/fsevents@1.2.13, npm/get-caller-file@1.0.3, npm/get-stream@3.0.0, npm/get-value@2.0.6, npm/growl@1.10.5, npm/handlebars@4.0.11, npm/has-value@1.0.0, npm/has-values@1.0.0, npm/hash-base@3.1.0, npm/hash.js@1.1.7, npm/hmac-drbg@1.0.1, npm/hosted-git-info@2.8.9, npm/https-browserify@1.0.0, npm/ieee754@1.2.1, npm/interpret@1.1.0, npm/invert-kv@1.0.0, npm/is-accessor-descriptor@1.0.1, npm/is-arrayish@0.2.1, npm/is-binary-path@1.0.1, npm/is-buffer@1.1.6, npm/is-data-descriptor@1.0.1, npm/is-descriptor@0.1.7, npm/is-extendable@0.1.1, npm/is-fullwidth-code-point@1.0.0, npm/is-number@3.0.0, npm/is-stream@1.1.0, npm/is-windows@1.0.2, npm/js-yaml@3.0.1, npm/json5@0.5.1, npm/kind-of@3.2.2, npm/lazy-cache@1.0.4, npm/lcid@1.0.0, npm/load-json-file@2.0.0, npm/loader-runner@2.4.0, npm/locate-path@2.0.0, npm/log-symbols@4.0.0, npm/longest@1.0.1, npm/map-cache@0.2.2, npm/map-visit@1.0.0, npm/md5.js@1.3.5, npm/mem@1.1.0, npm/memory-fs@0.4.1, npm/micromatch@3.1.10, npm/miller-rabin@4.0.1, npm/mimic-fn@1.2.0, npm/minimalistic-assert@1.0.1, npm/minimalistic-crypto-utils@1.0.1, npm/minimist@0.0.8, npm/mixin-deep@1.3.2, npm/mocha@8.4.0, npm/ms@2.0.0, npm/nan@2.18.0, npm/nanoid@3.1.20, npm/nanomatch@1.2.13, npm/next-tick@1.0.0, npm/node-libs-browser@2.2.1, npm/normalize-package-data@2.5.0, npm/npm-run-path@2.0.2, npm/number-is-nan@1.0.1, npm/object-copy@0.1.0, npm/object-visit@1.0.1, npm/object.pick@1.3.0, npm/optimist@0.6.1, npm/os-browserify@0.3.0, npm/os-locale@2.1.0, npm/p-finally@1.0.0, npm/p-limit@1.3.0, npm/p-locate@2.0.0, npm/p-try@1.0.0, npm/pako@1.0.11, npm/parse-asn1@5.1.6, npm/parse-json@2.2.0, npm/pascalcase@0.1.1, npm/path-browserify@0.0.1, npm/path-dirname@1.0.2, npm/path-type@2.0.0, npm/pbkdf2@3.1.2, npm/pify@2.3.0, npm/posix-character-classes@0.1.1, npm/process@0.11.10, npm/prr@1.0.1, npm/public-encrypt@4.0.3, npm/qs@6.11.2, npm/querystring-es3@0.2.1, npm/randomfill@1.0.4, npm/read-pkg-up@2.0.0, npm/read-pkg@2.0.0, npm/regex-not@1.0.2, npm/remove-trailing-separator@1.1.0, npm/repeat-element@1.1.2, npm/repeat-string@1.6.1, npm/require-main-filename@1.0.1, npm/resolve-url@0.2.1, npm/ret@0.1.15, npm/right-align@0.1.3, npm/ripemd160@2.0.2, npm/safe-regex@1.1.0, npm/safer-buffer@2.1.2, npm/serialize-javascript@5.0.1, npm/set-blocking@2.0.0, npm/set-value@2.0.1, npm/setimmediate@1.0.5, npm/sha.js@2.4.11, npm/signal-exit@3.0.7, npm/snapdragon-node@2.1.1, npm/snapdragon-util@3.0.1, npm/snapdragon@0.8.2, npm/source-list-map@2.0.1, npm/source-map-resolve@0.5.3, npm/source-map-url@0.4.1, npm/source-map@0.5.7, npm/spdx-correct@3.2.0, npm/spdx-exceptions@2.3.0, npm/spdx-expression-parse@3.0.1, npm/spdx-license-ids@3.0.16, npm/split-string@3.1.0, npm/static-extend@0.1.2, npm/stream-browserify@2.0.2, npm/stream-http@2.8.3, npm/string-width@1.0.2, npm/strip-ansi@3.0.1, npm/strip-eof@1.0.0, npm/tapable@0.2.9, npm/timers-browserify@2.0.12, npm/to-arraybuffer@1.0.1, npm/to-object-path@0.3.0, npm/to-regex@3.0.2, npm/tty-browserify@0.0.0, npm/uglify-js@2.8.29, npm/uglify-to-browserify@1.0.2, npm/uglifyjs-webpack-plugin@0.4.6, npm/underscore.string@2.4.0, npm/underscore@1.7.0, npm/union-value@1.0.1, npm/unset-value@1.0.0, npm/upath@1.2.0, npm/urix@0.1.0, npm/url@0.11.3, npm/use@3.1.1, npm/util@0.11.1, npm/validate-npm-package-license@3.0.4, npm/vm-browserify@1.1.2, npm/watchpack-chokidar2@2.0.1, npm/watchpack@1.7.5, npm/webpack-sources@1.4.3, npm/webpack@3.12.0, npm/which-module@2.0.1, npm/wide-align@1.1.3, npm/window-size@0.1.0, npm/workerpool@6.1.0, npm/wrap-ansi@2.1.0, npm/xtend@4.0.1, npm/y18n@3.2.2, npm/yargs-parser@7.0.0, npm/yargs@8.0.2

View full report↗︎

@socket-security
Copy link

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert Package NoteSource
New author npm/merge-stream@2.0.0
Shell access npm/jest-worker@27.5.1
New author npm/handlebars@4.7.8
New author npm/watchpack@2.4.1
Network access npm/webpack@5.91.0
Network access npm/webpack@5.91.0
Network access npm/webpack@5.91.0
New author npm/mocha@10.4.0

View full report↗︎

Next steps

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

What is shell access?

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

What is network access?

This module accesses the network.

Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm/merge-stream@2.0.0
  • @SocketSecurity ignore npm/jest-worker@27.5.1
  • @SocketSecurity ignore npm/handlebars@4.7.8
  • @SocketSecurity ignore npm/watchpack@2.4.1
  • @SocketSecurity ignore npm/webpack@5.91.0
  • @SocketSecurity ignore npm/mocha@10.4.0

@dependabot @github
Copy link
Author

dependabot bot commented on behalf of github Jun 16, 2024

Superseded by #25.

@dependabot dependabot bot closed this Jun 16, 2024
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/npm_and_yarn-542ba259fd branch June 16, 2024 06:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant