astro-shield icon indicating copy to clipboard operation
astro-shield copied to clipboard

Published 20 hours ago verified publisher icon kindspells

chore(deps): bump astro from 4.16.8 to 4.16.18 in the prod-deps-security group across 1 directory

Open dependabot[bot] opened this issue 11 months ago • 2 comments

Bumps the prod-deps-security group with 1 update in the / directory: astro.

Updates astro from 4.16.8 to 4.16.18

Release notes

Sourced from astro's releases.

[email protected]

Patch Changes

[email protected]

Patch Changes

  • #12632 e7d14c3 Thanks @​ematipico! - Fixes an issue where the checkOrigin feature wasn't correctly checking the content-type header

[email protected]

Patch Changes

[email protected]

Patch Changes

[email protected]

Patch Changes

[email protected]

Patch Changes

  • #12436 453ec6b Thanks @​martrapp! - Fixes a potential null access in the clientside router

  • #12392 0462219 Thanks @​apatel369! - Fixes an issue where scripts were not correctly injected during the build. The issue was triggered when there were injected routes with the same entrypoint and different pattern

[email protected]

Patch Changes

  • #12420 acac0af Thanks @​ematipico! - Fixes an issue where the dev server returns a 404 status code when a user middleware returns a valid Response.

... (truncated)

Changelog

Sourced from astro's changelog.

4.16.18

Patch Changes

4.16.17

Patch Changes

  • #12632 e7d14c3 Thanks @​ematipico! - Fixes an issue where the checkOrigin feature wasn't correctly checking the content-type header

4.16.16

Patch Changes

4.16.15

Patch Changes

4.16.14

Patch Changes

4.16.13

Patch Changes

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the Security Alerts page.

dependabot[bot] avatar Dec 23 '24 07:12 dependabot[bot]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/[email protected] Transitive: environment, eval, filesystem, network, shell, unsafe +309 62.2 MB fredkschott

🚮 Removed packages: npm/[email protected]

View full report↗︎

socket-security[bot] avatar Dec 23 '24 07:12 socket-security[bot]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert Package NoteSourceCI
Possible typosquat attack npm/[email protected] ⚠︎

View full report↗︎

Next steps

What is a typosquat?

Package name is similar to other popular packages and may not be the package you want.

Use care when consuming similarly named packages and ensure that you did not intend to consume a different package. Malicious packages often publish using similar names as existing popular packages.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

socket-security[bot] avatar Dec 23 '24 07:12 socket-security[bot]