[Security] Bump codecov from 3.6.5 to 3.7.1

[dependabot-preview]

Bumps codecov from 3.6.5 to 3.7.1. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Command injection in codecov (npm package)

Impact

The upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

A similar CVE was issued: CVE-2020-7597, but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer.

We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the codecov-node project here.

Patches

3.7.1

Workarounds

None, however, the attack surface is low in this case. Particularly in the standard use of codecov, where the module is used directly in a build pipeline, not built against as a library in another application that may supply malicious input and perform command injection.

References

• CVE-2020-7597

For more information

Affected versions: < 3.7.1

Commits

• 29dd5b6 3.7.1
• c0711c6 Switch from execSync to execFileSync (#180)
• 5f6cc62 Bump lodash from 4.17.15 to 4.17.19 (#183)
• 0c4d7f3 Merge pull request #182 from codecov/update-readme-badges
• cc5e121 Update depstat image and urls
• b44b44e Update readme with 400 error info (#181)
• bb79335 V3.7.0 (#179)
• 0d7b9b0 Remove 'x-amz-acl': 'public-read' header (#178)
• eeff4e1 Bump acorn from 5.7.3 to 5.7.4 (#174)
• eb8a527 Merge pull request #172 from RoboCafaz/bugfix/codebuild-pr-parser
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[codeclimate]

Code Climate has analyzed commit 0822f28 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 23.4% (0.0% change).

View more on Code Climate.

[codecov-commenter]

Codecov Report

Merging #213 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #213   +/-   ##
=======================================
  Coverage   23.44%   23.44%           
=======================================
  Files         395      395           
  Lines        6218     6218           
=======================================
  Hits         1458     1458           
  Misses       4760     4760           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 34732c6...0822f28. Read the comment docs.