Skip to content

build(deps): bump the npm_and_yarn group across 1 directory with 7 updates #33

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

build(deps): bump the npm_and_yarn group across 1 directory with 7 updates #33

wants to merge 1 commit into from

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Nov 5, 2024

Bumps the npm_and_yarn group with 3 updates in the / directory: mocha, webpack and js-yaml.

Updates mocha from 7.2.0 to 10.8.2

Release notes

Sourced from mocha's releases.

v10.8.2

10.8.2 (2024-10-30)

🩹 Fixes

  • support errors with circular dependencies in object values with --parallel (#5212) (ba0fefe)
  • test link in html reporter (#5224) (f054acc)

📚 Documentation

  • indicate 'exports' interface does not work in browsers (#5181) (14e640e)

🧹 Chores

  • fix docs builds by re-adding eleventy and ignoring gitignore again (#5240) (881e3b0)

🤖 Automation

  • deps: bump the github-actions group with 1 update (#5132) (e536ab2)

v10.8.1

10.8.1 (2024-10-29)

🩹 Fixes

v10.8.0

10.8.0 (2024-10-29)

🌟 Features

🩹 Fixes

📚 Documentation

... (truncated)

Changelog

Sourced from mocha's changelog.

10.8.2 (2024-10-30)

🩹 Fixes

  • support errors with circular dependencies in object values with --parallel (#5212) (ba0fefe)
  • test link in html reporter (#5224) (f054acc)

📚 Documentation

  • indicate 'exports' interface does not work in browsers (#5181) (14e640e)

🧹 Chores

  • fix docs builds by re-adding eleventy and ignoring gitignore again (#5240) (881e3b0)

🤖 Automation

  • deps: bump the github-actions group with 1 update (#5132) (e536ab2)

10.8.1 (2024-10-29)

🩹 Fixes

10.8.0 (2024-10-29)

🌟 Features

🩹 Fixes

📚 Documentation

... (truncated)

Commits
  • 05097db chore(main): release 10.8.2 (#5239)
  • 14e640e docs: indicate 'exports' interface does not work in browsers (#5181)
  • 881e3b0 chore: fix docs builds by re-adding eleventy and ignoring gitignore again (#5...
  • f054acc fix: test link in html reporter (#5224)
  • e536ab2 build(deps): bump the github-actions group with 1 update (#5132)
  • ba0fefe fix: support errors with circular dependencies in object values with --parall...
  • f44f71b chore(main): release 10.8.1 (#5238)
  • f72bc17 fix: handle case of invalid package.json with no explicit config (#5198)
  • 68803b6 fix: use accurate test links in HTML reporter (#5228)
  • d8ca270 fix: Typos on mochajs.org (#5237)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by voxpelli, a new releaser for mocha since your current version.


Updates webpack from 3.12.0 to 5.96.1

Release notes

Sourced from webpack's releases.

v5.96.1

Bug Fixes

  • [Types] Add @types/eslint-scope to dependencieS
  • [Types] Fixed regression in validate

v5.96.0

Bug Fixes

  • Fixed Module Federation should track all referenced chunks
  • Handle Data URI without base64 word
  • HotUpdateChunk have correct runtime when modified with new runtime
  • Order of chunks ids in generated chunk code
  • No extra Javascript chunks when using asset module as an entrypoint
  • Use optimistically logic for output.environment.dynamicImport to determine chunk format when no browserslist or target
  • Collision with global variables for optimization.avoidEntryIife
  • Avoid through variables in inlined module
  • Allow chunk template strings in output.devtoolNamespace
  • No extra runtime for get javascript/css chunk filename
  • No extra runtime for prefetch and preload in JS runtime when it was unsed in CSS
  • Avoid cache invalidation using ProgressPlugin
  • Increase parallelism when using importModule on the execution stage
  • Correctly parsing string in export and import
  • Typescript types
  • [CSS] css/auto considers a module depending on its filename as css (pure CSS) or css/local, before it was css/global and css/local
  • [CSS] Always interpolate classes even if they are not involved in export
  • [CSS] No extra runtime in Javascript runtime chunks for asset modules used in CSS
  • [CSS] No extra runtime in Javascript runtime chunks for external asset modules used in CSS
  • [CSS] No extra runtime for the node target
  • [CSS] Fixed url()s and @import parsing
  • [CSS] Fixed - emit a warning on broken :local and :global

New Features

  • Export CSS and ESM runtime modules
  • Single Runtime Chunk and Federation eager module hoisting
  • [CSS] Support /* webpackIgnore: true */ for CSS files
  • [CSS] Support src() support
  • [CSS] CSS nesting in CSS modules

v5.95.0

Bug Fixes

  • Fixed hanging when attempting to read a symlink-like file that it can't read
  • Handle default for import context element dependency
  • Merge duplicate chunks call after split chunks
  • Generate correctly code for dynamically importing the same file twice and destructuring
  • Use content hash as [base] and [name] for extracted DataURI's
  • Distinguish module and import in module-import for externals import's

... (truncated)

Commits
  • d4ced73 chore(release): 5.96.1
  • 7d6dbea fix: types regression in validate
  • 5c556e3 fix: types regression in validate
  • 2420eae fix: add @types/eslint-scope to dependencies due types regression
  • ec45d2d fix: add @types/eslint-scope to dependencies
  • aff0c3e chore(release): 5.96.0
  • 6f11ec1 refactor: module source types code
  • b07142f refactor: module source types code
  • 7d98b3c fix: Module Federation should track all referenced chunks
  • 6d09769 chore: linting
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by evilebottnawi, a new releaser for webpack since your current version.


Updates json5 from 0.5.1 to 1.0.2

Release notes

Sourced from json5's releases.

v1.0.2

  • Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295). This has been backported to v1. (#298)

v1.0.1

This release includes a bug fix and minor change.

  • Fix: parse throws on unclosed objects and arrays.

  • New: package.json5 has been removed until an easier way to keep it in sync with package.json is found.

v1.0.0

This release includes major internal changes and public API enhancements.

  • Major JSON5 officially supports Node.js v4 and later. Support for Node.js v0.10 and v0.12 have been dropped.

  • New: Unicode property names and Unicode escapes in property names are supported. (#1)

  • New: stringify outputs trailing commas in objects and arrays when a space option is provided. (#66)

  • New: JSON5 allows line and paragraph separator characters (U+2028 and U+2029) in strings in order to be compatible with JSON. However, ES5 does not allow these characters in strings, so JSON5 gives a warning when they are parsed and escapes them when they are stringified. (#70)

  • New: stringify accepts an options object as its second argument. The supported options are replacer, space, and a new quote option that specifies the quote character used in strings. (#71)

  • New: The CLI supports STDIN and STDOUT and adds --out-file, --space, and --validate options. See json5 --help for more information. (#72, #84, and #108)

  • New: In addition to the white space characters space \t, \v, \f, \n, \r, and \xA0, the additional white space characters \u2028, \u2029, and all other characters in the Space Separator Unicode category are allowed.

  • New: In addition to the character escapes \', \", \\, \b, \f, \n, \r, and \t, the additional character escapes \v and \0, hexadecimal escapes like \x0F, and unnecessary escapes like \a are allowed in string values and string property names.

  • New: stringify outputs strings with single quotes by default but intelligently uses double quotes if there are more single quotes than double quotes inside the string. (i.e. stringify('Stay here.') outputs 'Stay here.' while stringify('Let\'s go.') outputs "Let's go.")

... (truncated)

Changelog

Sourced from json5's changelog.

Unreleased [code, diff]

v2.2.3 [code, diff]

  • Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

  • Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1 [code, diff]

v2.2.0 [code, diff]

  • New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

  • Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2 [code, diff]

... (truncated)

Commits

Updates js-yaml from 3.0.1 to 3.14.1

Changelog

Sourced from js-yaml's changelog.

[3.14.1] - 2020-12-07

Security

  • Fix possible code execution in (already unsafe) .load() (in &anchor).

[3.14.0] - 2020-05-22

Changed

  • Support safe/loadAll(input, options) variant of call.
  • CI: drop outdated nodejs versions.
  • Dev deps bump.

Fixed

  • Quote = in plain scalars #519.
  • Check the node type for !<?> tag in case user manually specifies it.
  • Verify that there are no null-bytes in input.
  • Fix wrong quote position when writing condensed flow, #526.

[3.13.1] - 2019-04-05

Security

  • Fix possible code execution in (already unsafe) .load(), #480.

[3.13.0] - 2019-03-20

Security

  • Security fix: safeLoad() can hang when arrays with nested refs used as key. Now throws exception for nested arrays. #475.

[3.12.2] - 2019-02-26

Fixed

  • Fix noArrayIndent option for root level, #468.

[3.12.1] - 2019-01-05

Added

  • Added noArrayIndent option, #432.

[3.12.0] - 2018-06-02

Changed

  • Support arrow functions without a block statement, #421.

[3.11.0] - 2018-03-05

Added

  • Add arrow functions suport for !!js/function.

Fixed

  • Fix dump in bin/octal/hex formats for negative integers, #399.

... (truncated)

Commits
  • 37caaad 3.14.1 released
  • 094c0f7 dist rebuild
  • 9586ebe Avoid calling hasOwnProperty of user-controlled objects
  • 34e5072 3.14.0 released
  • 7b25c83 Browser files rebuild
  • 6f73473 Dev deps bump
  • 0c29349 Travis-CI: drop old nodejs versions
  • 10be97e fix(loader): Add support for safe/loadAll(input, options)
  • d6983dd Fix issue #526: wrong quote position writing condensed flow (#527)
  • 93fbf7d fix issue 526 (wrong quote position writing condensed flow)
  • Additional commits viewable in compare view

Updates braces from 2.3.2 to 3.0.2

Changelog

Sourced from braces's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each versions is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

[3.0.0] - 2018-04-08

v3.0 is a complete refactor, resulting in a faster, smaller codebase, with fewer deps, and a more accurate parser and compiler.

Breaking Changes

  • The undocumented .makeRe method was removed

Non-breaking changes

  • Caching was removed
Commits

Updates flat from 4.1.1 to 5.0.2

Commits
  • e5ffd66 Release 5.0.2
  • fdb79d5 Update dependencies, refresh lockfile, format with standard.
  • e52185d Test against node 14 in CI.
  • 0189cb1 Avoid arrow function syntax.
  • f25d3a1 Release 5.0.1
  • 54cc7ad use standard formatting
  • 779816e drop dependencies
  • 2eea6d3 Bump lodash from 4.17.15 to 4.17.19
  • a61a554 Bump acorn from 7.1.0 to 7.4.0
  • 20ef0ef Fix prototype pollution on unflatten
  • Additional commits viewable in compare view

Updates yargs-parser from 7.0.0 to 20.2.9

Release notes

Sourced from yargs-parser's releases.

yargs-parser yargs-parser-v20.2.9

Bug Fixes

  • build: fixed automated release pipeline (1fe9135)

yargs-parser yargs-parser-v20.2.8

Bug Fixes

  • deno: force relese for Deno (6687c97)
  • locale: Turkish camelize and decamelize issues with toLocaleLowerCase/toLocaleUpperCase (2617303)
  • perf: address slow parse when using unknown-options-as-args (#394) (441f059)
  • string-utils: detect [0,1] ranged values as numbers (#388) (efcc32c)

yargs-parser yargs-parser-v15.0.3

Bug Fixes

  • build: should use releases_created when using manifest (49ea4ef)

yargs-parser yargs-parser-v15.0.2

Bug Fixes

  • perf: address slow parse when using unknown-options-as-args (#400) (bc387ec)
Changelog

Sourced from yargs-parser's changelog.

20.2.9 (2021-06-20)

Bug Fixes

  • build: fixed automated release pipeline (1fe9135)

20.2.8 (2021-06-20)

Bug Fixes

  • locale: Turkish camelize and decamelize issues with toLocaleLowerCase/toLocaleUpperCase (2617303)
  • perf: address slow parse when using unknown-options-as-args (#394) (441f059)
  • string-utils: detect [0,1] ranged values as numbers (#388) (efcc32c)

20.2.7 (2021-03-10)

Bug Fixes

  • deno: force release for Deno (6687c97)

20.2.6 (2021-02-22)

Bug Fixes

  • populate--: -- should always be array (#354) (585ae8f)

20.2.5 (2021-02-13)

Bug Fixes

20.2.4 (2020-11-09)

Bug Fixes

20.2.3 (2020-10-16)

Bug Fixes

  • exports: node 13.0 and 13.1 require the dotted object form with a string fallback (#336) (3ae7242)

... (truncated)

Commits
  • 3859e74 chore: release main (#404)
  • 1fe9135 fix(build): fixed automated release pipeline
  • 9eb9c2f chore: release main (#398)
  • 4b9e134 build: should be releases_created
  • 441f059 fix(perf): address slow parse when using unknown-options-as-args (#394)
  • fb22816 build: switch from master to main
  • a0a0814 build: switch to manifest based releases (#396)
  • 088481c docs: fix typos in README.md (#379)
  • 6877a2d test: add test for optimized output (#373)
  • 2cfab05 refactor: quote properties used for meta-programming
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by oss-bot, a new releaser for yargs-parser since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps): bump the npm_and_yarn group across 1 directory with 7 up…
de9bd6e 
…dates

Bumps the npm_and_yarn group with 3 updates in the / directory: [mocha](https://github.com/mochajs/mocha), [webpack](https://github.com/webpack/webpack) and [js-yaml](https://github.com/nodeca/js-yaml).


Updates `mocha` from 7.2.0 to 10.8.2
- [Release notes](https://github.com/mochajs/mocha/releases)
- [Changelog](https://github.com/mochajs/mocha/blob/main/CHANGELOG.md)
- [Commits](mochajs/mocha@v7.2.0...v10.8.2)

Updates `webpack` from 3.12.0 to 5.96.1
- [Release notes](https://github.com/webpack/webpack/releases)
- [Commits](webpack/webpack@v3.12.0...v5.96.1)

Updates `json5` from 0.5.1 to 1.0.2
- [Release notes](https://github.com/json5/json5/releases)
- [Changelog](https://github.com/json5/json5/blob/main/CHANGELOG.md)
- [Commits](json5/json5@v0.5.1...v1.0.2)

Updates `js-yaml` from 3.0.1 to 3.14.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.0.1...3.14.1)

Updates `braces` from 2.3.2 to 3.0.2
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/braces/commits/3.0.2)

Updates `flat` from 4.1.1 to 5.0.2
- [Release notes](https://github.com/hughsk/flat/releases)
- [Commits](hughsk/flat@4.1.1...5.0.2)

Updates `yargs-parser` from 7.0.0 to 20.2.9
- [Release notes](https://github.com/yargs/yargs-parser/releases)
- [Changelog](https://github.com/yargs/yargs-parser/blob/main/CHANGELOG.md)
- [Commits](yargs/yargs-parser@v7.0.0...yargs-parser-v20.2.9)

---
updated-dependencies:
- dependency-name: mocha
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: webpack
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: json5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flat
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: yargs-parser
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Nov 5, 2024
@dependabot dependabot bot mentioned this pull request Nov 5, 2024
Closed
@socket-security
Copy link

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@jridgewell/source-map@0.3.6 None +3 446 kB jridgewell
npm/@types/eslint-scope@3.7.7 None 0 6.27 kB types
npm/@types/eslint@9.6.1 None 0 196 kB types
npm/@types/estree@1.0.6 None 0 25.8 kB types
npm/@types/node@22.9.0 None 0 2.27 MB types
npm/@webassemblyjs/ast@1.12.1 None 0 207 kB xtuc
npm/@webassemblyjs/floating-point-hex-parser@1.11.6 None 0 5.14 kB xtuc
npm/@webassemblyjs/helper-api-error@1.11.6 None 0 5.4 kB xtuc
npm/@webassemblyjs/helper-buffer@1.12.1 None 0 10.8 kB xtuc
npm/@webassemblyjs/helper-numbers@1.11.6 None 0 6.68 kB xtuc
npm/@webassemblyjs/helper-wasm-bytecode@1.11.6 None 0 16 kB xtuc
npm/@webassemblyjs/helper-wasm-section@1.12.1 None 0 19.7 kB xtuc
npm/@webassemblyjs/ieee754@1.11.6 None 0 3.18 kB xtuc
npm/@webassemblyjs/leb128@1.11.6 None 0 30.7 kB xtuc
npm/@webassemblyjs/utf8@1.11.6 None 0 7.31 kB xtuc
npm/@webassemblyjs/wasm-edit@1.12.1 None 0 34.6 kB xtuc
npm/@webassemblyjs/wasm-gen@1.12.1 None 0 28.1 kB xtuc
npm/@webassemblyjs/wasm-opt@1.12.1 None 0 14.4 kB xtuc
npm/@webassemblyjs/wasm-parser@1.12.1 None 0 129 kB xtuc
npm/@webassemblyjs/wast-printer@1.12.1 None 0 39.6 kB xtuc
npm/@xtuc/ieee754@1.2.0 None 0 8.57 kB xtuc
npm/@xtuc/long@4.2.2 None 0 190 kB xtuc
npm/camelcase@6.3.0 None 0 11.7 kB sindresorhus
npm/chrome-trace-event@1.0.4 None 0 9.81 kB samccone
npm/cliui@7.0.4 None +2 46.9 kB oss-bot
npm/diff@5.2.0 None 0 429 kB explodingcabbage
npm/enhanced-resolve@5.17.1 unsafe Transitive: environment, filesystem +1 244 kB evilebottnawi
npm/es-module-lexer@1.5.4 None 0 90.9 kB guybedford
npm/flat@5.0.2 None 0 26.6 kB timoxley
npm/glob-to-regexp@0.4.1 None 0 18.1 kB nickfitzgerald
npm/is-plain-obj@2.1.0 None 0 3.69 kB sindresorhus
npm/is-unicode-supported@0.1.0 None 0 3.54 kB sindresorhus
npm/jest-worker@27.5.1 environment, shell +2 94.8 kB simenb
npm/json-parse-even-better-errors@2.3.1 None 0 10.4 kB isaacs
npm/loader-runner@4.3.0 eval, filesystem 0 18.4 kB sokra
npm/log-symbols@4.1.0 None +3 63.6 kB sindresorhus
npm/merge-stream@2.0.0 None 0 4.31 kB stevemao
npm/mime-db@1.52.0 None 0 206 kB dougwilson
npm/mime-types@2.1.35 None 0 18.3 kB dougwilson
npm/mocha@10.8.2 environment, eval, filesystem +11 2.89 MB joshuakgoldberg, uzlopak, voxpelli
npm/serialize-javascript@6.0.2 None 0 16.9 kB redonkulus
npm/tapable@2.2.1 None 0 46.9 kB sokra
npm/terser-webpack-plugin@5.3.10 Transitive: environment +1 173 kB evilebottnawi
npm/terser@5.36.0 Transitive: filesystem, shell +1 2.27 MB fabiosantoscode
npm/undici-types@6.19.8 None 0 84.2 kB matteo.collina
npm/watchpack@2.4.2 environment, filesystem 0 56.4 kB evilebottnawi
npm/webpack-sources@3.2.3 None 0 91.3 kB sokra
npm/webpack@5.96.1 environment, filesystem, network, unsafe Transitive: shell +8 8.14 MB evilebottnawi, jhnns, sokra, ...1 more
npm/workerpool@6.5.1 eval 0 374 kB josdejong
npm/yargs-parser@20.2.9 environment, filesystem 0 124 kB oss-bot
npm/yargs-unparser@2.0.0 None +1 17.9 kB oss-bot
npm/yargs@16.2.0 environment, filesystem +4 325 kB oss-bot
npm/yocto-queue@0.1.0 None 0 6.03 kB sindresorhus

🚮 Removed packages: npm/acorn-dynamic-import@2.0.2, npm/align-text@0.1.4, npm/ansi-colors@3.2.3, npm/ansi-regex@2.1.1, npm/argparse@0.1.16, npm/arr-diff@4.0.0, npm/arr-flatten@1.1.0, npm/arr-union@3.1.0, npm/array-unique@0.3.2, npm/array.prototype.reduce@1.0.6, npm/asn1.js@5.4.1, npm/assert@1.5.1, npm/assign-symbols@1.0.0, npm/async-each@1.0.1, npm/atob@2.1.2, npm/base@0.11.2, npm/binary-extensions@1.11.0, npm/browserify-aes@1.2.0, npm/browserify-cipher@1.0.1, npm/browserify-des@1.0.2, npm/browserify-rsa@4.1.0, npm/browserify-sign@4.2.2, npm/browserify-zlib@0.2.0, npm/buffer-xor@1.0.3, npm/buffer@4.9.2, npm/builtin-status-codes@3.0.0, npm/cache-base@1.0.1, npm/camelcase@5.3.1, npm/center-align@0.1.3, npm/cipher-base@1.0.4, npm/class-utils@0.3.6, npm/cliui@5.0.0, npm/code-point-at@1.1.0, npm/collection-visit@1.0.0, npm/component-emitter@1.3.1, npm/console-browserify@1.2.0, npm/constants-browserify@1.0.0, npm/copy-descriptor@0.1.1, npm/create-ecdh@4.0.4, npm/create-hash@1.2.0, npm/create-hmac@1.1.7, npm/crypto-browserify@3.12.0, npm/d@1.0.0, npm/debug@2.6.9, npm/decamelize@1.2.0, npm/decode-uri-component@0.2.2, npm/define-property@2.0.2, npm/des.js@1.1.0, npm/diff@3.5.0, npm/diffie-hellman@5.0.3, npm/domain-browser@1.2.0, npm/emoji-regex@7.0.3, npm/enhanced-resolve@3.4.1, npm/errno@0.1.8, npm/error-ex@1.3.2, npm/es5-ext@0.10.64, npm/es6-iterator@2.0.3, npm/es6-map@0.1.5, npm/es6-set@0.1.5, npm/es6-symbol@3.1.1, npm/es6-weak-map@2.0.2, npm/escope@3.6.0, npm/esniff@2.0.1, npm/esrecurse@4.2.1, npm/event-emitter@0.3.5, npm/evp_bytestokey@1.0.3, npm/execa@0.7.0, npm/expand-brackets@2.1.4, npm/ext@1.7.0, npm/extend-shallow@3.0.2, npm/extglob@2.0.4, npm/flat@4.1.1, npm/for-in@1.0.2, npm/fragment-cache@0.2.1, npm/get-caller-file@1.0.3, npm/get-stream@3.0.0, npm/get-value@2.0.6, npm/growl@1.10.5, npm/has-value@1.0.0, npm/has-values@1.0.0, npm/hash-base@3.0.4, npm/hosted-git-info@2.8.9, npm/https-browserify@1.0.0, npm/interpret@1.1.0, npm/invert-kv@1.0.0, npm/is-accessor-descriptor@1.0.1, npm/is-arrayish@0.2.1, npm/is-binary-path@1.0.1, npm/is-buffer@1.1.6, npm/is-data-descriptor@1.0.1, npm/is-descriptor@0.1.7, npm/is-extendable@0.1.1, npm/is-fullwidth-code-point@1.0.0, npm/is-number@3.0.0, npm/is-stream@1.1.0, npm/is-windows@1.0.2, npm/js-yaml@3.0.1, npm/json5@0.5.1, npm/kind-of@3.2.2, npm/lazy-cache@1.0.4, npm/lcid@1.0.0, npm/load-json-file@2.0.0, npm/loader-runner@2.4.0, npm/log-symbols@3.0.0, npm/longest@1.0.1, npm/map-cache@0.2.2, npm/map-visit@1.0.0, npm/md5.js@1.3.4, npm/mem@1.1.0, npm/memory-fs@0.4.1, npm/micromatch@3.1.10, npm/miller-rabin@4.0.1, npm/mimic-fn@1.2.0, npm/mixin-deep@1.3.2, npm/mocha@7.2.0, npm/ms@2.0.0, npm/nanomatch@1.2.13, npm/next-tick@1.1.0, npm/node-environment-flags@1.0.6, npm/node-libs-browser@2.2.1, npm/normalize-package-data@2.5.0, npm/npm-run-path@2.0.2, npm/number-is-nan@1.0.1, npm/object-copy@0.1.0, npm/object-visit@1.0.1, npm/object.assign@4.1.0, npm/object.getownpropertydescriptors@2.1.7, npm/object.pick@1.3.0, npm/os-browserify@0.3.0, npm/os-locale@2.1.0, npm/p-finally@1.0.0, npm/pako@1.0.11, npm/parse-asn1@5.1.6, npm/parse-json@2.2.0, npm/pascalcase@0.1.1, npm/path-browserify@0.0.1, npm/path-dirname@1.0.2, npm/path-type@2.0.0, npm/pbkdf2@3.1.2, npm/pify@2.3.0, npm/posix-character-classes@0.1.1, npm/process@0.11.10, npm/prr@1.0.1, npm/public-encrypt@4.0.3, npm/qs@6.11.2, npm/querystring-es3@0.2.1, npm/randomfill@1.0.4, npm/read-pkg-up@2.0.0, npm/read-pkg@2.0.0, npm/regex-not@1.0.2, npm/remove-trailing-separator@1.1.0, npm/repeat-element@1.1.2, npm/repeat-string@1.6.1, npm/require-main-filename@1.0.1, npm/resolve-url@0.2.1, npm/ret@0.1.15, npm/right-align@0.1.3, npm/ripemd160@2.0.2, npm/safe-regex@1.1.0, npm/safer-buffer@2.1.2, npm/set-blocking@2.0.0, npm/set-value@2.0.1, npm/setimmediate@1.0.5, npm/sha.js@2.4.11, npm/signal-exit@3.0.3, npm/snapdragon-node@2.1.1, npm/snapdragon-util@3.0.1, npm/snapdragon@0.8.2, npm/source-list-map@2.0.1, npm/source-map-resolve@0.5.3, npm/source-map-url@0.4.1, npm/source-map@0.5.7, npm/spdx-correct@3.2.0, npm/spdx-exceptions@2.3.0, npm/spdx-expression-parse@3.0.1, npm/spdx-license-ids@3.0.16, npm/split-string@3.1.0, npm/static-extend@0.1.2, npm/stream-browserify@2.0.2, npm/stream-http@2.8.3, npm/string-width@1.0.2, npm/strip-ansi@3.0.1, npm/strip-eof@1.0.0, npm/strip-json-comments@2.0.1, npm/tapable@0.2.9, npm/timers-browserify@2.0.12, npm/to-arraybuffer@1.0.1, npm/to-object-path@0.3.0, npm/to-regex@3.0.2, npm/tty-browserify@0.0.0, npm/type@2.7.2, npm/uglify-js@2.8.29, npm/uglify-to-browserify@1.0.2, npm/uglifyjs-webpack-plugin@0.4.6, npm/underscore.string@2.4.0, npm/underscore@1.7.0, npm/union-value@1.0.1, npm/unset-value@1.0.0, npm/upath@1.2.0, npm/urix@0.1.0, npm/url@0.11.3, npm/use@3.1.1, npm/util@0.11.1, npm/validate-npm-package-license@3.0.4, npm/vm-browserify@1.1.2, npm/watchpack-chokidar2@2.0.1, npm/watchpack@1.7.5, npm/webpack-sources@1.4.3, npm/webpack@3.12.0, npm/which-module@2.0.1, npm/wide-align@1.1.3, npm/window-size@0.1.0, npm/wrap-ansi@2.1.0, npm/xtend@4.0.1, npm/y18n@3.2.2, npm/yargs-parser@13.1.2, npm/yargs-unparser@1.6.0, npm/yargs@13.3.2

View full report↗︎

@socket-security
Copy link

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert Package NoteSourceCI
New author npm/merge-stream@2.0.0 🚫
Shell access npm/jest-worker@27.5.1 🚫
New author npm/diff@5.2.0 🚫
Network access npm/webpack@5.96.1 🚫
Network access npm/webpack@5.96.1 🚫
Network access npm/webpack@5.96.1 🚫

View full report↗︎

Next steps

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

What is shell access?

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

What is network access?

This module accesses the network.

Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm/merge-stream@2.0.0
  • @SocketSecurity ignore npm/jest-worker@27.5.1
  • @SocketSecurity ignore npm/diff@5.2.0
  • @SocketSecurity ignore npm/webpack@5.96.1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant