Chore: fixes some npm audit vulnerabilities #62

Merged
merged 1 commit into from
Jan 27, 2022

lalaps[bot]
Contributor

@lalaps lalaps bot commented Jan 24, 2022

This PR fixes some of the found vulnerabilities.

Fixed 3 of 10 npm vulnerabilities.
7 issues left.
Success Rate: 30.0%

Vulnerabilities:

Inefficient Regular Expression Complexity in chalk/ansi-regex
Library: ansi-regex
Affected versions: >2.1.1 <5.0.1
Severity: moderate
Fix: ❌ true
Root Libraries:

  • ✔️ mocha 6.1.0 - 8.2.1. Fixed in true

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Library: node-fetch
Affected versions: <2.6.7
Severity: high
Fix: ❌ 10.4.0
Root Libraries:

  • danger 0.0.2 - 3.4.6 || >=10.4.1. Fixed in 10.4.0

You can wait for the next updates with a full fix or merge immediately.
In case of closing this PR, it will be recreated. If that's undesired, modify config.


@lalaps lalaps bot requested a review from pustovitDmytro as a code owner January 24, 2022 01:07
@lalaps lalaps bot added the dependencies label Jan 24, 2022
@lalaps lalaps bot added the security label Jan 24, 2022
@lalaps lalaps bot mentioned this pull request Jan 24, 2022
@pustovitDmytro
Owner

pustovitDmytro commented Jan 24, 2022

Warnings
⚠️

Only owner can change system files [package-lock.json], please provide issue instead

Messages
📖

lalaps[bot] login already contributed 3 times

📖 Changed Files in this PR:
  • package-lock.json

Generated by 🚫 dangerJS against a8828ae

@sonarcloud

sonarcloud bot commented Jan 25, 2022

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information
No Duplication information

@pustovitDmytro pustovitDmytro merged commit 4eac9fe into master Jan 27, 2022
pustovitDmytro pushed a commit that referenced this pull request Jan 28, 2022
# [1.3.0](v1.2.0...v1.3.0) (2022-01-28)

### Chore

* fixes some npm audit vulnerabilities (#62) ([4eac9fe](4eac9fe)), closes [#62](#62)
* increase coverage ([a4824b1](a4824b1))
* Update devDependencies (non-major) (#48) ([50cadfe](50cadfe)), closes [#48](#48)
* Update devDependencies (non-major) (#49) ([0d58df2](0d58df2)), closes [#49](#49)

### New

* specify legacy modules versions ([ca92495](ca92495))

### Upgrade

* Update dependency @babel/core to v7.16.12 (#52) ([0d1eabd](0d1eabd)), closes [#52](#52)
* Update dependency rollup to v2.66.1 (#69) ([7009ace](7009ace)), closes [#69](#69)
@pustovitDmytro
Owner

🎉 This PR is included in version 1.3.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@pustovitDmytro pustovitDmytro deleted the lalaps/npm-partial-fix branch January 28, 2022 12:54