dapps icon indicating copy to clipboard operation
dapps copied to clipboard

Published 20 hours ago verified publisher icon MetaMask

Bump express from 4.16.4 to 4.18.2

Open dependabot[bot] opened this issue 2 years ago • 2 comments

Bumps express from 4.16.4 to 4.18.2.

Release notes

Sourced from express's releases.

4.18.2

4.18.1

  • Fix hanging on large stack of sync routes

4.18.0

... (truncated)

Changelog

Sourced from express's changelog.

4.18.2 / 2022-10-08

4.18.1 / 2022-04-29

  • Fix hanging on large stack of sync routes

4.18.0 / 2022-04-25

... (truncated)

Commits

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the Security Alerts page.
> **Note** > Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

dependabot[bot] avatar Dec 10 '22 01:12 dependabot[bot]

@dependabot recreate

legobeat avatar May 01 '23 01:05 legobeat

New dependency changes detected. Learn more about Socket for GitHub ↗︎

🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

⚠️ Network access

This module accesses the network.

Packages should remove all network access that isn't functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Package Module Location Source
[email protected] (upgraded) http-errors lib/response.js package.json via [email protected]
⚠️ Debug access

Uses debug, reflection and dynamic code execution features.

Removing the use of debug will reduce the risk of any reflection and dynamic code execution.

Package Module Location Source
[email protected] (upgraded) async_hooks index.js package.json via [email protected]
[email protected] (upgraded) async_hooks index.js package.json via [email protected]
⚠️ Uses eval

Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Avoid packages that use eval, since this could potentially execute any code.

Package Eval Type Location Source
[email protected] (added) Function index.js package.json via [email protected]
[email protected] (added) Function test/bigint.js package.json via [email protected]
[email protected] (added) Function test/bigint.js package.json via [email protected]
[email protected] (added) Function test/bigint.js package.json via [email protected]
[email protected] (added) eval index.js package.json via [email protected]
⚠️ Chronological version anomaly

Semantic versions published out of chronological order.

This could either indicate dependency confusion or a patched vulnerability.

Package Previous Chronological Previous Semver Source
[email protected] (upgraded) [email protected] (2/5/2022, 4:57:40 AM) [email protected] (12/12/2021, 1:18:25 AM) package.json via [email protected]
[email protected] (upgraded) [email protected] (2/5/2022, 6:49:55 PM) [email protected] (12/16/2021, 4:54:39 AM) package.json via [email protected]
⚠️ Unmaintained

Package has not been updated in more than a year and may be unmaintained. Problems with the package may go unaddressed.

Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance.

Package Last Publish Date Source
[email protected] (added) 1/11/2021, 10:36:43 PM package.json via [email protected]
[email protected] (added) 12/29/2020, 7:58:12 PM package.json via [email protected]
[email protected] (added) 11/14/2021, 10:19:09 PM package.json via [email protected]
⚠️ Major refactor

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Consider waiting before upgrading to see if any issues are discovered, or be prepared to scrutinize any bugs or subtle changes the major refactor may bring. Publishers my consider publishing beta versions of major refactors to limit disruption to parties interested in the new changes.

Package Change Percentage Current Line Count Previous Line Count Lines Changed Source
[email protected] (upgraded) 70.38 307 277 411 package.json via [email protected]
Pull request alert summary
Issue Status
Critical CVE ✅ 0 issues
CVE ✅ 0 issues
Mild CVE ✅ 0 issues
Install scripts ✅ 0 issues
Native code ✅ 0 issues
Bin script confusion ✅ 0 issues
Bin script shell injection ✅ 0 issues
Filesystem access ✅ 0 issues
Network access ⚠️ 1 issue
Shell access ✅ 0 issues
Debug access ⚠️ 2 issues
Long strings ✅ 0 issues
High entropy strings ✅ 0 issues
URL strings ✅ 0 issues
Uses eval ⚠️ 5 issues
Dynamic require ✅ 0 issues
Environment variable access ✅ 0 issues
Missing dependency ✅ 0 issues
Unused dependency ✅ 0 issues
Peer dependency ✅ 0 issues
Uncaught optional dependency ✅ 0 issues
Unresolved require ✅ 0 issues
Extraneous dependency ✅ 0 issues
Obfuscated require ✅ 0 issues
Obfuscated code ✅ 0 issues
Minified code ✅ 0 issues
Bidirectional unicode control characters ✅ 0 issues
Zero width unicode chars ✅ 0 issues
Bad text encoding ✅ 0 issues
Unicode homoglyphs ✅ 0 issues
Invisible chars ✅ 0 issues
Suspicious strings ✅ 0 issues
Invalid package.json ✅ 0 issues
HTTP dependency ✅ 0 issues
Git dependency ✅ 0 issues
GitHub dependency ✅ 0 issues
File dependency ✅ 0 issues
No tests ✅ 0 issues
No repository ✅ 0 issues
Bad semver ✅ 0 issues
Bad dependency semver ✅ 0 issues
No v1 ✅ 0 issues
No website ✅ 0 issues
No bug tracker ✅ 0 issues
No contributors or author data ✅ 0 issues
CommonJS depending on ESModule ✅ 0 issues
Empty package ✅ 0 issues
Trivial Package ✅ 0 issues
No README ✅ 0 issues
Deprecated ✅ 0 issues
Chronological version anomaly ⚠️ 2 issues
Semver anomaly ✅ 0 issues
New author ✅ 0 issues
Unstable ownership ✅ 0 issues
Non-existent author ✅ 0 issues
Unmaintained ⚠️ 3 issues
Unpublished package ✅ 0 issues
Major refactor ⚠️ 1 issue
Missing package tarball ✅ 0 issues
Unsafe copyright ✅ 0 issues
License change ✅ 0 issues
Non OSI license ✅ 0 issues
Deprecated license ✅ 0 issues
Missing license ✅ 0 issues
Non SPDX license ✅ 0 issues
Unclear license ✅ 0 issues
Mixed license ✅ 0 issues
Legal notice ✅ 0 issues
Modified license ✅ 0 issues
Modified license exception ✅ 0 issues
License exception ✅ 0 issues
Deprecated SPDX exception ✅ 0 issues
Potential typo squat ✅ 0 issues
Known Malware ✅ 0 issues
Telemetry ✅ 0 issues
Protestware/Troll package ✅ 0 issues
AI detected security risk ✅ 0 issues
AI warning ✅ 0 issues

socket-security[bot] avatar May 01 '23 01:05 socket-security[bot]

Superseded by #216.

dependabot[bot] avatar Aug 24 '24 07:08 dependabot[bot]