[Security] Bump command-exists from 1.2.2 to 1.2.8 #3

dependabot-preview · 2019-07-08T03:31:27Z

Bumps command-exists from 1.2.2 to 1.2.8. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Node Security Working Group.

Command Injection - Generic
command-exists concatenates unsanitized input into exec()/execSync() commands

Affected versions: <=1.2.3

Commits

5e33ffd 1.2.8
ae8e78e Merge pull request #21 from mandel59/fix-path-for-windows
4af96dc check if there is a forbidden character in commandName
db45a2f add a test
b4c1657 fix to work with pathnames for windows
826c8a9 Update README.md
0b7fafe 1.2.7
c50c096 Merge pull request #19 from IliaSky/remove-windows-log
a4a0e2b Prevent logs in commandExistsWindowsSync. fix #18
6ef128c 1.2.6
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by mathisonian, a new releaser for command-exists since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it). To ignore the version in this PR you can just close it
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
@dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

Update frequency (including time of day and day of week)
Pull request limits (per update run and/or open at any time)
Out-of-range updates (receive only lockfile updates, if desired)
Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

Bumps [command-exists](https://github.com/mathisonian/command-exists) from 1.2.2 to 1.2.8. **This update includes security fixes.** - [Release notes](https://github.com/mathisonian/command-exists/releases) - [Commits](mathisonian/command-exists@v1.2.2...v1.2.8) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Jul 8, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] Bump command-exists from 1.2.2 to 1.2.8 #3

[Security] Bump command-exists from 1.2.2 to 1.2.8 #3

dependabot-preview bot commented Jul 8, 2019

[Security] Bump command-exists from 1.2.2 to 1.2.8 #3

Are you sure you want to change the base?

[Security] Bump command-exists from 1.2.2 to 1.2.8 #3

Conversation

dependabot-preview bot commented Jul 8, 2019