Skip to content

build(deps): bump the npm_and_yarn group across 1 directory with 7 updates #32

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

build(deps): bump the npm_and_yarn group across 1 directory with 7 updates #32

wants to merge 1 commit into from

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Jun 13, 2024
edited
Loading

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package From To
json5 0.5.1 removed
webpack 3.12.0 5.92.0
js-yaml 3.0.1 3.13.1
flat 4.1.1 5.0.2
mocha 7.2.0 10.4.0

Removes json5

Updates webpack from 3.12.0 to 5.92.0

Release notes

Sourced from webpack's releases.

v5.92.0

Bug Fixes

  • Correct tidle range's comutation for module federation
  • Consider runtime for pure expression dependency update hash
  • Return value in the subtractRuntime function for runtime logic
  • Fixed failed to resolve promise when eager import a dynamic cjs
  • Avoid generation extra code for external modules when remapping is not required
  • The css/global type now handles the exports name
  • Avoid hashing for @keyframe and @property at-rules in css/global type
  • Fixed mangle with destructuring for JSON modules
  • The stats.hasWarnings() method now respects the ignoreWarnings option
  • Fixed ArrayQueue iterator
  • Correct behavior of __webpack_exports_info__.a.b.canMangle
  • Changed to the correct plugin name for the CommonJsChunkFormatPlugin plugin
  • Set the chunkLoading option to the import when environment is unknown and output is module
  • Fixed when runtimeChunk has no exports when module chunkFormat used
  • [CSS] Fixed parsing minimized CSS import
  • [CSS] URLs in CSS files now have correct public path
  • [CSS] The css module type should not allow parser to switch mode
  • [Types] Improved context module types

New Features

  • Added platform target properties to compiler
  • Improved multi compiler cache location and validating it
  • Support import attributes spec (with keyword)
  • Support node: prefix for Node.js core modules in runtime code
  • Support prefetch/preload for module chunk format
  • Support "..." in the importsFields option for resolver
  • Root module is less prone to be wrapped in IIFE
  • Export InitFragment class for plugins
  • Export compileBooleanMatcher util for plugins
  • Export InputFileSystem and OutputFileSystem types
  • [CSS] Support the esModule generator option for CSS modules
  • [CSS] Support CSS when chunk format is module

v5.91.0

Bug Fixes

  • Deserializer for ignored modules doesn't crash
  • Allow the unsafeCache option to be a proxy object
  • Normalize the snapshot.unmanagedPaths option
  • Fixed fs types
  • Fixed resolve's plugins types
  • Fixed wrongly calculate postOrderIndex
  • Fixed watching types
  • Output import attrbiutes/import assertions for external JS imports
  • Throw an error when DllPlugin needs to generate multiple manifest files, but the path is the same
  • [CSS] Output layer/supports/media for external CSS imports

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by evilebottnawi, a new releaser for webpack since your current version.


Updates js-yaml from 3.0.1 to 3.13.1

Changelog

Sourced from js-yaml's changelog.

[3.13.1] - 2019-04-05

Security

  • Fix possible code execution in (already unsafe) .load(), #480.

[3.13.0] - 2019-03-20

Security

  • Security fix: safeLoad() can hang when arrays with nested refs used as key. Now throws exception for nested arrays. #475.

[3.12.2] - 2019-02-26

Fixed

  • Fix noArrayIndent option for root level, #468.

[3.12.1] - 2019-01-05

Added

  • Added noArrayIndent option, #432.

[3.12.0] - 2018-06-02

Changed

  • Support arrow functions without a block statement, #421.

[3.11.0] - 2018-03-05

Added

  • Add arrow functions suport for !!js/function.

Fixed

  • Fix dump in bin/octal/hex formats for negative integers, #399.

[3.10.0] - 2017-09-10

Fixed

  • Fix condenseFlow output (quote keys for sure, instead of spaces), #371, #370.
  • Dump astrals as codepoints instead of surrogate pair, #368.

[3.9.1] - 2017-07-08

Fixed

  • Ensure stack is present for custom errors in node 7.+, #351.

[3.9.0] - 2017-07-08

Added

  • Add condenseFlow option (to create pretty URL query params), #346.

Fixed

... (truncated)

Commits

Updates braces from 2.3.2 to 3.0.2

Changelog

Sourced from braces's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each versions is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

[3.0.0] - 2018-04-08

v3.0 is a complete refactor, resulting in a faster, smaller codebase, with fewer deps, and a more accurate parser and compiler.

Breaking Changes

  • The undocumented .makeRe method was removed

Non-breaking changes

  • Caching was removed
Commits

Updates flat from 4.1.1 to 5.0.2

Commits
  • e5ffd66 Release 5.0.2
  • fdb79d5 Update dependencies, refresh lockfile, format with standard.
  • e52185d Test against node 14 in CI.
  • 0189cb1 Avoid arrow function syntax.
  • f25d3a1 Release 5.0.1
  • 54cc7ad use standard formatting
  • 779816e drop dependencies
  • 2eea6d3 Bump lodash from 4.17.15 to 4.17.19
  • a61a554 Bump acorn from 7.1.0 to 7.4.0
  • 20ef0ef Fix prototype pollution on unflatten
  • Additional commits viewable in compare view

Updates mocha from 7.2.0 to 10.4.0

Release notes

Sourced from mocha's releases.

v10.4.0

10.4.0 / 2024-03-26

🎉 Enhancements

🐛 Fixes

🔩 Other

v10.3.0

This is a stable release equivalent to v10.3.0-preminor.0.

What's Changed

... (truncated)

Changelog

Sourced from mocha's changelog.

10.4.0 / 2024-03-26

🎉 Enhancements

🐛 Fixes

🔩 Other

10.3.0 / 2024-02-08

This is a stable release equivalent to 10.30.0-prerelease.

10.3.0-prerelease / 2024-01-18

This is a prerelease version to test our ability to release. Other than removing or updating dependencies, it contains no intended user-facing changes.

🔩 Other

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by voxpelli, a new releaser for mocha since your current version.


Updates yargs-parser from 7.0.0 to 20.2.4

Release notes

Sourced from yargs-parser's releases.

yargs-parser yargs-parser-v15.0.3

Bug Fixes

  • build: should use releases_created when using manifest (49ea4ef)

yargs-parser yargs-parser-v15.0.2

Bug Fixes

  • perf: address slow parse when using unknown-options-as-args (#400) (bc387ec)
Changelog

Sourced from yargs-parser's changelog.

20.2.4 (2020-11-09)

Bug Fixes

20.2.3 (2020-10-16)

Bug Fixes

  • exports: node 13.0 and 13.1 require the dotted object form with a string fallback (#336) (3ae7242)

20.2.2 (2020-10-14)

Bug Fixes

  • exports: node 13.0-13.6 require a string fallback (#333) (291aeda)

20.2.1 (2020-10-01)

Bug Fixes

20.2.0 (2020-09-21)

Features

  • string-utils: export looksLikeNumber helper (#324) (c8580a2)

Bug Fixes

  • unknown-options-as-args: convert positionals that look like numbers (#326) (f85ebb4)

20.1.0 (2020-09-20)

Features

  • adds parse-positional-numbers configuration (#321) (9cec00a)

Bug Fixes

... (truncated)

Commits
  • 637690d chore: release 20.2.4 (#340)
  • 2c6b905 chore(deps): update @​typescript-eslint/standardx (#341)
  • 3b54e5e fix(deno): address import issues in Deno (#339)
  • b6974c9 chore: release 20.2.3 (#337)
  • 3ae7242 fix(exports): node 13.0 and 13.1 require the dotted object form with a stri...
  • 3fe41fe chore: release 20.2.2 (#335)
  • b4a447f build: run latest and greatest relese please
  • 291aeda fix(exports): node 13.0-13.6 require a string fallback (#333)
  • 94220bf chore(deps): update dependency gts to v3 (#332)
  • 251951b chore: release 20.2.1 (#331)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by oss-bot, a new releaser for yargs-parser since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps): bump the npm_and_yarn group across 1 directory with 7 up…
22d1b87 
…dates

Bumps the npm_and_yarn group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [json5](https://github.com/json5/json5) | `0.5.1` | `removed` |
| [webpack](https://github.com/webpack/webpack) | `3.12.0` | `5.92.0` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `3.0.1` | `3.13.1` |
| [flat](https://github.com/hughsk/flat) | `4.1.1` | `5.0.2` |
| [mocha](https://github.com/mochajs/mocha) | `7.2.0` | `10.4.0` |



Removes `json5`

Updates `webpack` from 3.12.0 to 5.92.0
- [Release notes](https://github.com/webpack/webpack/releases)
- [Commits](webpack/webpack@v3.12.0...v5.92.0)

Updates `js-yaml` from 3.0.1 to 3.13.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.0.1...3.13.1)

Updates `braces` from 2.3.2 to 3.0.2
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/braces/commits/3.0.2)

Updates `flat` from 4.1.1 to 5.0.2
- [Release notes](https://github.com/hughsk/flat/releases)
- [Commits](hughsk/flat@4.1.1...5.0.2)

Updates `mocha` from 7.2.0 to 10.4.0
- [Release notes](https://github.com/mochajs/mocha/releases)
- [Changelog](https://github.com/mochajs/mocha/blob/master/CHANGELOG.md)
- [Commits](mochajs/mocha@v7.2.0...v10.4.0)

Updates `yargs-parser` from 7.0.0 to 20.2.4
- [Release notes](https://github.com/yargs/yargs-parser/releases)
- [Changelog](https://github.com/yargs/yargs-parser/blob/main/CHANGELOG.md)
- [Commits](yargs/yargs-parser@v7.0.0...v20.2.4)

---
updated-dependencies:
- dependency-name: json5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: webpack
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flat
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: mocha
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: yargs-parser
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Jun 13, 2024
@socket-security
Copy link

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@jridgewell/source-map@0.3.6 None +3 446 kB jridgewell
npm/@types/eslint-scope@3.7.7 None 0 6.27 kB types
npm/@types/eslint@8.56.10 None 0 192 kB types
npm/@types/estree@1.0.5 None 0 25.7 kB types
npm/@types/node@20.14.2 None 0 2.09 MB types
npm/@webassemblyjs/ast@1.12.1 None 0 207 kB xtuc
npm/@webassemblyjs/floating-point-hex-parser@1.11.6 None 0 5.14 kB xtuc
npm/@webassemblyjs/helper-api-error@1.11.6 None 0 5.4 kB xtuc
npm/@webassemblyjs/helper-buffer@1.12.1 None 0 10.8 kB xtuc
npm/@webassemblyjs/helper-numbers@1.11.6 None 0 6.68 kB xtuc
npm/@webassemblyjs/helper-wasm-bytecode@1.11.6 None 0 16 kB xtuc
npm/@webassemblyjs/helper-wasm-section@1.12.1 None 0 19.7 kB xtuc
npm/@webassemblyjs/ieee754@1.11.6 None 0 3.18 kB xtuc
npm/@webassemblyjs/leb128@1.11.6 None 0 30.7 kB xtuc
npm/@webassemblyjs/utf8@1.11.6 None 0 7.31 kB xtuc
npm/@webassemblyjs/wasm-edit@1.12.1 None 0 34.6 kB xtuc
npm/@webassemblyjs/wasm-gen@1.12.1 None 0 28.1 kB xtuc
npm/@webassemblyjs/wasm-opt@1.12.1 None 0 14.4 kB xtuc
npm/@webassemblyjs/wasm-parser@1.12.1 None 0 129 kB xtuc
npm/@webassemblyjs/wast-printer@1.12.1 None 0 39.6 kB xtuc
npm/@xtuc/ieee754@1.2.0 None 0 8.57 kB xtuc
npm/@xtuc/long@4.2.2 None 0 190 kB xtuc
npm/acorn-import-attributes@1.9.5 None 0 32 kB xtuc
npm/ansi-colors@4.1.1 environment 0 24.4 kB jonschlinkert
npm/argparse@2.0.1 environment, filesystem 0 172 kB vitaly
npm/camelcase@6.3.0 None 0 11.7 kB sindresorhus
npm/chrome-trace-event@1.0.4 None 0 9.81 kB samccone
npm/cliui@7.0.4 None 0 30.6 kB oss-bot
npm/decamelize@4.0.0 None 0 4 kB sindresorhus
npm/diff@5.0.0 None 0 369 kB kpdecker
npm/enhanced-resolve@5.17.0 unsafe Transitive: environment, filesystem +1 243 kB evilebottnawi
npm/es-module-lexer@1.5.3 None 0 90.9 kB guybedford
npm/flat@5.0.2 None 0 26.6 kB timoxley
npm/glob-to-regexp@0.4.1 None 0 18.1 kB nickfitzgerald
npm/is-plain-obj@2.1.0 None 0 3.69 kB sindresorhus
npm/is-unicode-supported@0.1.0 None 0 3.54 kB sindresorhus
npm/jest-worker@27.5.1 environment, shell +2 94.8 kB simenb
npm/json-parse-even-better-errors@2.3.1 None 0 10.4 kB isaacs
npm/loader-runner@4.3.0 eval, filesystem 0 18.4 kB sokra
npm/log-symbols@4.1.0 None +2 46.7 kB sindresorhus
npm/merge-stream@2.0.0 None 0 4.31 kB stevemao
npm/mime-db@1.52.0 None 0 206 kB dougwilson
npm/mime-types@2.1.35 None 0 18.3 kB dougwilson
npm/mocha@10.4.0 environment, eval, filesystem +10 2.66 MB voxpelli
npm/serialize-javascript@6.0.2 None 0 16.9 kB redonkulus
npm/tapable@2.2.1 None 0 46.9 kB sokra
npm/terser-webpack-plugin@5.3.10 Transitive: environment +1 173 kB evilebottnawi
npm/terser@5.31.1 environment, eval Transitive: filesystem, shell +2 2.79 MB fabiosantoscode
npm/undici-types@5.26.5 None 0 73.1 kB ethan_arrowood
npm/watchpack@2.4.1 environment, filesystem 0 56.2 kB evilebottnawi
npm/webpack-sources@3.2.3 None 0 91.3 kB sokra
npm/webpack@5.92.0 environment, filesystem, network, unsafe 0 4.97 MB evilebottnawi
npm/workerpool@6.2.1 None 0 330 kB josdejong
npm/wrap-ansi@7.0.0 None +3 61.5 kB sindresorhus
npm/y18n@5.0.8 filesystem 0 23.4 kB oss-bot
npm/yargs-parser@20.2.4 environment, filesystem 0 120 kB oss-bot
npm/yargs-unparser@2.0.0 None 0 13.9 kB oss-bot
npm/yargs@16.2.0 environment, filesystem 0 286 kB oss-bot
npm/yocto-queue@0.1.0 None 0 6.03 kB sindresorhus

🚮 Removed packages: npm/acorn-dynamic-import@2.0.2, npm/align-text@0.1.4, npm/ansi-colors@3.2.3, npm/ansi-regex@2.1.1, npm/argparse@0.1.16, npm/arr-diff@4.0.0, npm/arr-flatten@1.1.0, npm/arr-union@3.1.0, npm/array-unique@0.3.2, npm/array.prototype.reduce@1.0.6, npm/asn1.js@5.4.1, npm/assert@1.5.1, npm/assign-symbols@1.0.0, npm/async-each@1.0.1, npm/atob@2.1.2, npm/base@0.11.2, npm/binary-extensions@1.11.0, npm/browserify-aes@1.2.0, npm/browserify-cipher@1.0.1, npm/browserify-des@1.0.2, npm/browserify-rsa@4.1.0, npm/browserify-sign@4.2.2, npm/browserify-zlib@0.2.0, npm/buffer-xor@1.0.3, npm/buffer@4.9.2, npm/builtin-status-codes@3.0.0, npm/cache-base@1.0.1, npm/camelcase@5.3.1, npm/center-align@0.1.3, npm/cipher-base@1.0.4, npm/class-utils@0.3.6, npm/cliui@5.0.0, npm/code-point-at@1.1.0, npm/collection-visit@1.0.0, npm/component-emitter@1.3.1, npm/console-browserify@1.2.0, npm/constants-browserify@1.0.0, npm/copy-descriptor@0.1.1, npm/create-ecdh@4.0.4, npm/create-hash@1.2.0, npm/create-hmac@1.1.7, npm/crypto-browserify@3.12.0, npm/d@1.0.0, npm/debug@2.6.9, npm/decamelize@1.2.0, npm/decode-uri-component@0.2.2, npm/define-property@2.0.2, npm/des.js@1.1.0, npm/diff@3.5.0, npm/diffie-hellman@5.0.3, npm/domain-browser@1.2.0, npm/emoji-regex@7.0.3, npm/enhanced-resolve@3.4.1, npm/errno@0.1.8, npm/error-ex@1.3.2, npm/es5-ext@0.10.64, npm/es6-iterator@2.0.3, npm/es6-map@0.1.5, npm/es6-set@0.1.5, npm/es6-symbol@3.1.1, npm/es6-weak-map@2.0.2, npm/escope@3.6.0, npm/esniff@2.0.1, npm/esrecurse@4.2.1, npm/event-emitter@0.3.5, npm/evp_bytestokey@1.0.3, npm/execa@0.7.0, npm/expand-brackets@2.1.4, npm/ext@1.7.0, npm/extend-shallow@3.0.2, npm/extglob@2.0.4, npm/flat@4.1.1, npm/for-in@1.0.2, npm/fragment-cache@0.2.1, npm/get-caller-file@1.0.3, npm/get-stream@3.0.0, npm/get-value@2.0.6, npm/growl@1.10.5, npm/has-value@1.0.0, npm/has-values@1.0.0, npm/hash-base@3.0.4, npm/hosted-git-info@2.8.9, npm/https-browserify@1.0.0, npm/interpret@1.1.0, npm/invert-kv@1.0.0, npm/is-accessor-descriptor@1.0.1, npm/is-arrayish@0.2.1, npm/is-binary-path@1.0.1, npm/is-buffer@1.1.6, npm/is-data-descriptor@1.0.1, npm/is-descriptor@0.1.7, npm/is-extendable@0.1.1, npm/is-fullwidth-code-point@1.0.0, npm/is-number@3.0.0, npm/is-stream@1.1.0, npm/is-windows@1.0.2, npm/js-yaml@3.0.1, npm/json5@0.5.1, npm/kind-of@3.2.2, npm/lazy-cache@1.0.4, npm/lcid@1.0.0, npm/load-json-file@2.0.0, npm/loader-runner@2.4.0, npm/log-symbols@3.0.0, npm/longest@1.0.1, npm/map-cache@0.2.2, npm/map-visit@1.0.0, npm/md5.js@1.3.4, npm/mem@1.1.0, npm/memory-fs@0.4.1, npm/micromatch@3.1.10, npm/miller-rabin@4.0.1, npm/mimic-fn@1.2.0, npm/mixin-deep@1.3.2, npm/mocha@7.2.0, npm/ms@2.0.0, npm/nanomatch@1.2.13, npm/next-tick@1.1.0, npm/node-environment-flags@1.0.6, npm/node-libs-browser@2.2.1, npm/normalize-package-data@2.5.0, npm/npm-run-path@2.0.2, npm/number-is-nan@1.0.1, npm/object-copy@0.1.0, npm/object-visit@1.0.1, npm/object.assign@4.1.0, npm/object.getownpropertydescriptors@2.1.7, npm/object.pick@1.3.0, npm/os-browserify@0.3.0, npm/os-locale@2.1.0, npm/p-finally@1.0.0, npm/pako@1.0.11, npm/parse-asn1@5.1.6, npm/parse-json@2.2.0, npm/pascalcase@0.1.1, npm/path-browserify@0.0.1, npm/path-dirname@1.0.2, npm/path-type@2.0.0, npm/pbkdf2@3.1.2, npm/pify@2.3.0, npm/posix-character-classes@0.1.1, npm/process@0.11.10, npm/prr@1.0.1, npm/public-encrypt@4.0.3, npm/qs@6.11.2, npm/querystring-es3@0.2.1, npm/randomfill@1.0.4, npm/read-pkg-up@2.0.0, npm/read-pkg@2.0.0, npm/regex-not@1.0.2, npm/remove-trailing-separator@1.1.0, npm/repeat-element@1.1.2, npm/repeat-string@1.6.1, npm/require-main-filename@1.0.1, npm/resolve-url@0.2.1, npm/ret@0.1.15, npm/right-align@0.1.3, npm/ripemd160@2.0.2, npm/safe-regex@1.1.0, npm/safer-buffer@2.1.2, npm/set-blocking@2.0.0, npm/set-value@2.0.1, npm/setimmediate@1.0.5, npm/sha.js@2.4.11, npm/signal-exit@3.0.3, npm/snapdragon-node@2.1.1, npm/snapdragon-util@3.0.1, npm/snapdragon@0.8.2, npm/source-list-map@2.0.1, npm/source-map-resolve@0.5.3, npm/source-map-url@0.4.1, npm/source-map@0.5.7, npm/spdx-correct@3.2.0, npm/spdx-exceptions@2.3.0, npm/spdx-expression-parse@3.0.1, npm/spdx-license-ids@3.0.16, npm/split-string@3.1.0, npm/static-extend@0.1.2, npm/stream-browserify@2.0.2, npm/stream-http@2.8.3, npm/string-width@1.0.2, npm/strip-ansi@3.0.1, npm/strip-eof@1.0.0, npm/strip-json-comments@2.0.1, npm/tapable@0.2.9, npm/timers-browserify@2.0.12, npm/to-arraybuffer@1.0.1, npm/to-object-path@0.3.0, npm/to-regex@3.0.2, npm/tty-browserify@0.0.0, npm/type@2.7.2, npm/uglify-js@2.8.29, npm/uglify-to-browserify@1.0.2, npm/uglifyjs-webpack-plugin@0.4.6, npm/underscore.string@2.4.0, npm/underscore@1.7.0, npm/union-value@1.0.1, npm/unset-value@1.0.0, npm/upath@1.2.0, npm/urix@0.1.0, npm/url@0.11.3, npm/use@3.1.1, npm/util@0.11.1, npm/validate-npm-package-license@3.0.4, npm/vm-browserify@1.1.2, npm/watchpack-chokidar2@2.0.1, npm/watchpack@1.7.5, npm/webpack-sources@1.4.3, npm/webpack@3.12.0, npm/which-module@2.0.1, npm/wide-align@1.1.3, npm/window-size@0.1.0, npm/wrap-ansi@2.1.0, npm/xtend@4.0.1, npm/y18n@3.2.2, npm/yargs-parser@13.1.2, npm/yargs-unparser@1.6.0, npm/yargs@13.3.2

View full report↗︎

@socket-security
Copy link

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert Package NoteSource
New author npm/merge-stream@2.0.0
Shell access npm/jest-worker@27.5.1
New author npm/watchpack@2.4.1
New author npm/mocha@10.4.0
Network access npm/webpack@5.92.0
Network access npm/webpack@5.92.0
Network access npm/webpack@5.92.0

View full report↗︎

Next steps

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

What is shell access?

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

What is network access?

This module accesses the network.

Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm/merge-stream@2.0.0
  • @SocketSecurity ignore npm/jest-worker@27.5.1
  • @SocketSecurity ignore npm/watchpack@2.4.1
  • @SocketSecurity ignore npm/mocha@10.4.0
  • @SocketSecurity ignore npm/webpack@5.92.0

@mikesposito mikesposito mentioned this pull request Oct 24, 2024
Open
@kanthesha
Copy link

@dependabot rebase

@dependabot @github
Copy link
Author

dependabot bot commented on behalf of github Nov 5, 2024

Looks like this PR is already up-to-date with main! If you'd still like to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

@kanthesha
Copy link

@dependabot recreate

@dependabot @github
Copy link
Author

dependabot bot commented on behalf of github Nov 5, 2024

Superseded by #33.

@dependabot dependabot bot closed this Nov 5, 2024
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/npm_and_yarn-08bf2de3ff branch November 5, 2024 12:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kanthesha