[Snyk] Security upgrade npm from 5.6.0 to 7.21.0 #86
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
Vulnerabilities that will be fixed
With an upgrade:
Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00318, Social Trends: No, Days since published: 1404, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 9.79, Likelihood: 1.68, Score Version: V5
SNYK-JS-AJV-584908
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00348, Social Trends: No, Days since published: 981, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.65, Score Version: V5
SNYK-JS-ANSIREGEX-1583908
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Changed, Exploit Maturity: No data, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00083, Social Trends: No, Days since published: 745, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 6.65, Likelihood: 1.45, Score Version: V5
SNYK-JS-HAWK-2808852
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00324, Social Trends: No, Days since published: 1154, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.65, Score Version: V5
SNYK-JS-HOSTEDGITINFO-1088355
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00384, Social Trends: No, Days since published: 918, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 7.84, Likelihood: 1.9, Score Version: V5
SNYK-JS-JSONSCHEMA-1920922
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00146, Social Trends: No, Days since published: 580, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 1.89, Score Version: V5
SNYK-JS-MINIMATCH-3050818
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00877, Social Trends: No, Days since published: 533, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.66, Score Version: V5
SNYK-JS-QS-3153490
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00091, Social Trends: No, Days since published: 335, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.81, Score Version: V5
SNYK-JS-SEMVER-3247795
Why? Confidentiality impact: Low, Integrity impact: None, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00205, Social Trends: No, Days since published: 2132, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 1.9, Score Version: V5
npm:cryptiles:20180710
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.0039, Social Trends: No, Days since published: 2128, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.62, Likelihood: 1.9, Score Version: V5
npm:extend:20180424
Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01021, Social Trends: No, Days since published: 2287, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.62, Likelihood: 2.5, Score Version: V5
npm:hoek:20180212
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.0017, Social Trends: No, Days since published: 2233, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.64, Score Version: V5
npm:sshpk:20180409
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00115, Social Trends: No, Days since published: 2286, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 1.89, Score Version: V5
npm:ssri:20180214
Why? Confidentiality impact: Low, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Functional, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Physical, EPSS: 0.00211, Social Trends: No, Days since published: 2199, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 7.03, Likelihood: 2.87, Score Version: V5
npm:stringstream:20180511
(*) Note that the real score may have changed since the PR was raised.
Release notes
Package name: npm
v7.21.0 (2021-08-19)
FEATURES
ff34d6cd6
#3592 feat(cache): initial implementation of ls and rm (@ fritzy)BUG FIXES
32e88c943
#3640 fix(did-you-mean): switch levenshtein libraries (@ wraithgar)487731cd5
#3658 fix(logging): sanitize logged argv (@ wraithgar)68a19bb02
#3661 fix(error-message): look for er.path not er.file (@ wraithgar)DEPENDENCIES
df57f0d53
@ npmcli/run-script@1.8.6
8183976cf
normalize-package-data@3.0.3
:f07772401
init-package-json@2.0.4
991a3bd39
read-package-json@4.0.0
e9e5ee560
@ npmcli/arborist@2.8.2
:b6f40b5f8
tar@6.1.10
:218cacadc
is-core-module@2.6.0
7ac621cd1
smart-buffer@4.2.0
94f92de13
make-fetch-happen@9.0.5
71cdfd898
spdx-license-ids@3.0.10
:v7.20.6 (2021-08-12)
DEPENDENCIES
5bebf280f
tar@6.1.8
5d89de44d
tar@6.1.7
:a1bdbea97
#3569 remove byte-size (@ wraithgar)61782fa85
@ npmcli/map-workspaces@1.0.4
:b88f770fa
@ npmcli/arborist@2.8.1
:DOCUMENTATION
001f2c1b7
#3621 fix(docs): do not include certain files (@ AkiJoey)d1812f1a6
#3630 fix(docs): update npm-publish access flag info (@ austincho)d5a099c7b
#3615 fix(readme): add nvm-windows to installers links (@ Yash-Singh1)v7.20.5 (2021-08-05)
DEPENDENCIES
44377738e
graceful-fs@4.2.8
v7.20.4 (2021-08-05)
BUG FIXES
6a8086e25
#3463 fix(tests): move more tests to use real npm (@ wraithgar)DEPENDENCIES
15fae4941
tar@6.1.6
:745326de0
libnpmexec@2.0.1
:e82bcd4e8
graceful-fs@4.2.7
:v7.20.3 (2021-07-29)
BUG FIXES
66dc5f94d
#3588 update eresolve explanations for new arborist data provided99575acab
#3591 fix(node_modules): remove duplicated file (@ wraithgar)DEPENDENCIES
97cb5ec31
@ npmcli/arborist@2.8.0
:peerDependencies use cases.
7db1a0a26
chore(deps):mime-types@1.49.0
mime-db@1.49.0
v7.20.2 (2021-07-27)
DEPENDENCIES
f5aab1f88
tar@6.1.1
ce8fb0f69
tar@6.1.2
ced85087a
gauge@3.0.1
BUG FIXES
009ad1e68
#3561 fix(exit-handler): always warn if not called (@ wraithgar)eb67054c8
#3563 fix(config): consolidate use of npm.color (@ wraithgar)DOCUMENTATION
a014f3d28
#3562 fix(docs): typo innpm cmd
docs (@ wraithgar)1fe1c9b74
#3523 fix(docs): updated policy urls (@ DemiraDimitrova)DEPENDENCIES
d7f29e8c9
read-package-json-fast@2.0.3
:b1fefa73d
npmlog@5.0.0
b6e09971a
remove ignored files from node_modules ([@ Ruy Adorno](https://github.com/Ruy Adorno))cf737c505
debug@4.3.2
v7.20.0 (2021-07-15)
FEATURES
f17aca5cd
#3487 feat: addnpm pkg
command (@ ruyadorno)98905ae37
#3471 feat(config): introducelocation
parameter (@ nlf)BUG FIXES
4755b0728
#3498 friendlier errors forERR_SOCKET_TIMEOUT
(@ nlf)3ecf19cdc
#3508 fix(config): fix noproxy (@ wraithgar)c3bd10e46
#3499 fix(update-notifier): don't force black background (@ wraithgar)89483e888
#3497 fix(usage): better audit/boolean flag usage output (@ wraithgar)feeb8e42a
#3495 fix(publish): obey --ignore-scripts flag (@ wraithgar)103c8c3ef
#3479 chore(exit): log any un-ended timings (@ wraithgar)efc4313c2
#3482 chore(refactor): refactor exit handler and tests (@ wraithgar)d8eb49b70
#3540 fix(bundle-and-ignore): case sensitivity cleanup (@ wraithgar)DOCUMENTATION
339145f64
#3491 fix(docs): clarify what install type gets.bin
(@ wraithgar)74c99755e
#3494 fix(docs): add npm update example (@ wraithgar)801a52330
#3542 fix(docs): correct Node.js JavaScript stylings (@ relrelb)791416713
#3546 fix(docs): how to see background script output (@ cinderblock)DEPENDENCIES
691816f3d
@ npmcli/arborist@2.7.1
b9597e944
make-fetch-happen@9.0.4
f573e7c56
minipass-fetch@1.3.4
2d5797ea0
pacote@11.3.5
6.14.14 (2021-07-27)
DEPENDENCIES
4627c0670
tar@4.4.15
Commit messages
Package name: npm
The new version differs by 250 commits.See the full diff
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Insecure Randomness