[Snyk] Security upgrade npm from 5.6.0 to 7.0.0 #76
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
Vulnerabilities that will be fixed
With an upgrade:
SNYK-JS-ANSIREGEX-1583908. Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00299, Social Trends: No, Days since published: 806, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.65, Score Version: V5
SNYK-JS-GOT-2932019. Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00063, Social Trends: No, Days since published: 526, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 1.45, Score Version: V5
SNYK-JS-LODASH-1018905. Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00231, Social Trends: No, Days since published: 1015, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.65, Score Version: V5
SNYK-JS-LODASH-1040724. Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): High, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00606, Social Trends: No, Days since published: 1015, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 9.79, Likelihood: 2.43, Score Version: V5
SNYK-JS-LODASH-450202. Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01362, Social Trends: No, Days since published: 1609, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.67, Score Version: V5
SNYK-JS-LODASH-608086. Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1193, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.67, Score Version: V5
SNYK-JS-LODASH-73638. Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00117, Social Trends: No, Days since published: 1760, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.64, Score Version: V5
SNYK-JS-LODASH-73639. Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): High, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00317, Social Trends: No, Days since published: 1697, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.2, Score Version: V5
SNYK-JS-REQUEST-3361831. Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00063, Social Trends: No, Days since published: 255, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 2.81, Score Version: V5
SNYK-JS-TOUGHCOOKIE-5672873. Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00173, Social Trends: No, Days since published: 150, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 2.81, Score Version: V5
npm:lodash:20180130. Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00121, Social Trends: No, Days since published: 2112, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.48, Score Version: V5
(*) Note that the real score may have changed since the PR was raised.
Release notes
Package name: npm
v7.0.0 (2020-10-12)
BUG FIXES
7bcdb3636 #1949 fix: ensure `publishConfig` is passed through (@nlf)
97978462e fix: patch `config.js` to remove duplicate vals (@darcyclarke)
DOCUMENTATION
60769d757 #1911 docs: v7 npm-install refresh (@ruyadorno)
08de49042 #1938 docs: v7 using npm config updates (@ruyadorno)
DEPENDENCIES
15366a1cf [email protected]
f04a74140 [email protected]
1de21dce0 fix: support dot-separated aliases defined in a `.npmrc` ini files for `init-*` configs (@ruyadorno)
a67275cd9 [email protected]
6fb83b78d [email protected]
1ca30cc9b [email protected]
28a2d2ba4 @npmcli/[email protected]
  `peerDependencies` in transitive dependencies, so that `--force` will always accept a best effort override, and `--strict-peer-deps` will fail faster on conflicts.
9306c6833 [email protected]
fafb348ef [email protected]
365f2e756 [email protected]
v7.0.0-rc.4 (2020-10-09)
09b456f2d @npmcli/[email protected]
  `npm_config_user_agent` env variable (@nlf)
e859fba9e #1936 fix npx for non-interactive shells (@nlf)
9320b8e4f #1906 restore old npx behavior of running existing bins first (@nlf)
7bd47ca2c @npmcli/[email protected]
02737453b [email protected]
v7.0.0-rc.3 (2020-10-06)
d816c2efa
c8f0d5457
d48086d0d
f34595f2e #1902 tests for several commands (@nlf)
6d49207db #1903 Revert "Remove unused npx binary" (@MylesBorins)
138dfc202 set executable permissions on bins that node installer uses
b06d68078 @npmcli/[email protected]
  `node_modules` folders from Workspaces when `loadActual` races with `buildIdealTree` (@ruyadorno)
2509e3a1b [email protected]
v7.0.0-rc.2 (2020-10-02)
6de81a013 @npmcli/[email protected]
v7.0.0-rc.1 (2020-10-02)
281a7f39a @npmcli/[email protected]
  `npm update` to update bundled root dependencies
  `binding.gyp`
384f5ec47 update minipass-fetch to fix many 'cb() never called' errors
7b1e75906 @npmcli/[email protected]
  `binding.gyp`
c20e2f0c7 #1892 Support `--omit` options in npm outdated
v7.0.0-rc.0 (2020-10-01)
3b417055c #1859 fix `proxy` and `https-proxy` config support (@badeggg)
dd7d7a284 @npmcli/[email protected]
40c17e12c [email protected]
47a8ca1d7 [email protected]
81073f99a [email protected]
67793abd4 [email protected]
a27e8d006 [email protected]
893fed45e [email protected]
bc20e0c8a [email protected]
a2b8fd3c1 [email protected]
ee4c85b87 [email protected]
4bdad5fdf [email protected]
c394937ec @npmcli/[email protected]
558e9781a deep-equal
2aa9a1f8a request
d77594e52 npm-registry-couchapp
8ec84d9f6 tacks
a07b421f7 lincesee
41126e165 npm-cache-filename
130da51b5 npm-registry-mock
b355af486 sprintf-js
721c0a873 uid-number
9c920e5f5 umask
aae1c38bb config-chain
450845eac find-npm-prefix
963d542d3 has-unicode
cad9cbc70 infer-owner
3ae02914d lockfile
7bc474d7c once
5c5e0099a retry
cfaddd334 sha
3a978ffc7 slide
v7.0.0-beta.13 (2020-09-29)
405e051f7 Fix EBADPLATFORM error message (#1876)
e4d911d21 @npmcli/[email protected]
90550b2e0 #1853 test coverage and refactor for token command (@nlf)
2715220c9 #1858 #1813 do not include omitted optional dependencies in install output (@ruyadorno)
e225ddcf8 #1862 #1861 respect depth when running `npm ls <pkg>` (@ruyadorno)
2469ae515 #1870 #1780 Add 'fetch-timeout' config (@isaacs)
52114b75e #1871 fix `npm ls` for linked dependencies (@ruyadorno)
9981211c0 #1857 #1703 fix `npm outdated` parsing invalid specs (@ruyadorno)
v7.0.0-beta.12 (2020-09-22)
24f3a5448 #1811 npm ci should never save package.json or lockfile (@isaacs)
5e780a5f0 remove unused spec parameter, assign error code (@nlf)
f019a248a Remove unused npx binary (@isaacs)
db157b3ce @npmcli/[email protected]
  `strictPeerDeps` option, defaulting to `false`
b3a50d275 #1846 @npmcli/[email protected]
a1d375f6b #1819 Add `--strict-peer-deps` option (@isaacs)
5837a4843 #1699 Use allow/deny list in docs (@luciomartinez)
v7.0.0-beta.11 (2020-09-16)
63005f4a9 #1639 npm view should not output extra newline (@MylesBorins)
3743a42c8 #1750 add outdated tests (@claudiahdz)
2019abdf1 #1786 add lib/link.js tests (@ruyadorno)
2f8d11968 @npmcli/[email protected]
49b2bf5a7 @npmcli/[email protected]
f9aac351d [email protected]
v7.0.0-beta.10 (2020-09-08)
7418970f0 Improve output of dependency node explanations
5e49bdaa3 #1776 Add 'npm explain' command
Commit messages
Package name: npm
The new version differs by 250 commits. See the full diff
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.