boilerplate-typescript-rest-docker
boilerplate-typescript-rest-docker copied to clipboard
stefanwalther
fix(deps): update dependency npm to v6 [security]
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| npm (source) | ^3.10.9 -> ^6.14.6 |
GitHub Vulnerability Alerts
CVE-2019-16776
Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of node_modules. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. Only files accessible by the user running the npm install are affected.
This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Recommendation
Upgrade to version 6.13.3 or later.
CVE-2019-16775
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to create files on a user's system when the package is installed. It is only possible to affect files that the user running npm install has access to and it is not possible to over write files that already exist on disk.
This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Recommendation
Upgrade to version 6.13.3 or later.
CVE-2019-16777
Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations.
For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This will not overwrite system binaries but only binaries put into the global node_modules directory.
This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Recommendation
Upgrade to version 6.13.4 or later.
CVE-2020-15095
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like <protocol>://[<user>[:<password>]@​]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files.
CVE-2018-7408
An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue.
Release Notes
npm/cli (npm)
v6.14.6
6.14.6 (2020-07-07)
BUG FIXES
a9857b8f6chore: remove auth info from logs (@claudiahdz)b7ad77598#1416 fix: wrongnpm doctorcommand result (@vanishcode)
DEPENDENCIES
v6.14.5
6.14.5 (2020-05-04)
BUG FIXES
33ec41f18#758 fix: relativize file links when inflating shrinkwrap (@jsnajdr)94ed456df#1162 fix: npm init help output (@mum-never-proud)
DEPENDENCIES
5587ac01f[email protected]fc5d94c39fix: removed default timeout
07a4d8884[email protected]8228d1f2e[email protected]e6d208317[email protected]
v6.14.4
6.14.4 (2020-03-25)
DEPENDENCIES
136832dca[email protected]- Bump
[email protected]transitive dep to resolve security issue9c554fd8c[email protected]- bump
[email protected] - bump
[email protected] - bump
[email protected] - bump
[email protected] - bump
[email protected] - bump
[email protected]
8bf99b2b5#1053 deps: updates term-size to use signed binary
v6.14.3
6.14.3 (2020-03-19)
DOCUMENTATION
4ad221487#1020 docs(teams): updated team docs to reflect MFA workflow (@blkdm0n)4a31a4ba2#1034 docs: cleanup (@ruyadorno)0eac801cd#1013 docs: fix links to cli commands (@alenros)7d8e5b99c#755 docs: correction tonpm update -gbehaviour (@johnkennedy9147)
DEPENDENCIES
e11167646[email protected]c50d679c6[email protected]a2de99ff9[email protected]217debeb9[email protected]
v6.14.2
6.14.2 (2020-03-03)
DOCUMENTATION
f9248c0be#730 chore(docs): update unpublish docs & policy reference (@nomadtechie, @mikemimik)
DEPENDENCIES
909cc3918[email protected](@darcyclarke)5038b1891fix: regression in old node versions w/ respect to url.URL implmentation
9204ffa58[email protected](@isaacs)6bcf0860afix: treat non-http/https login urls as invalid
0365d39bd[email protected](@isaacs)dab030536[email protected](@rvagg)
v6.14.1
6.14.1 (2020-02-26)
303e5c11e[email protected]Fixes a regression where scp-style git urls are passed to the WhatWG URL parser, which does not handle them properly. (@isaacs)
v6.14.0
6.14.0 (2020-02-25)
FEATURES
30f170877#731 add support for multiple funding sources (@ljharb & @ruyadorno)
BUG FIXES
55916b130#508 fix: checknpm.configbefore accessing its members (@kaiyoma)7d0cd65b2#733 fix: access grant with unscoped packages (@netanelgilad)28c3d40d6,0769c5b20#945, #697 fix: allow new major versions of node to be automatically considered "supported" (@isaacs, @ljharb)
DEPENDENCIES
6f39e93[email protected](@darcyclarke)- fix: passwords & usernames are escaped properly in git deps (@stevenhilder)
f14b594ee[email protected](@isaacs)77044150b[email protected](@isaacs)1d112461a[email protected](@isaacs)ba8b4fefix: always bypass cache when ?write=true
a47fed760[email protected]
DOCUMENTATION
284c1c055,fbb5f0e50#729 update lifecycle hooks docs (@seanhealy, @mikemimik)1c272832d#787 fix: trademarks typo (@dnicolson)f6ff41776#936 fix: postinstall example (@ajaymathur)373224b16#939 fix: bad links in publish docs (@vit100)
MISCELLANEOUS
85c79636d#736 add script to update dist-tags (@mikemimik)
v6.13.7
6.13.7 (2020-01-28)
BUG FIXES
DEPENDENCIES
0fb1296c7[email protected](@mikemimik)c9b69d569[email protected](@mikemimik)e8dbaf452[email protected](@mikemimik)- #613 Fixes bin entry for package
v6.13.6
6.13.6 (2020-01-09)
DEPENDENCIES
v6.13.5
6.13.5 (2020-01-09)
BUG FIXES
fd0a802ec#550 Fix cache location fornpm ci(@zhenyavinogradov)4b30f3cca#648 fix(version): using 'allow-same-version', git commit --allow-empty and git tag -f (@rhengles)
TESTING
e16f68d30test(ci): add failing cache config test (@ruyadorno)3f009fbf2#659 test: fix bin-overwriting test on Windows (@isaacs)43ae0791f#601 ci: Allow builds to run even if one fails (@XhmikosR)4a669bee4#603 Remove the unused appveyor.yml (@XhmikosR)9295046ac#600 ci: switch toactions/checkout@v2(@XhmikosR)
DOCUMENTATION
f2d770ac7#569 fix netlify publish path config (@claudiahdz)462cf0983#627 update gatsby dependencies (@felixonmars)6fb5dbb72#532 docs: clarify usage of global prefix (@jgehrcke)
v6.13.4
6.13.4 (2019-12-11)
BUGFIXES
320ac9aeenpm/bin-links#12 npm/gentle-fs#7 Do not remove global bin/man links inappropriately (@isaacs)
DEPENDENCIES
v6.13.3
6.13.3 (2019-12-09)
DEPENDENCIES
19ce061a2[email protected]Properly normalize, sanitize, and verifybinentries inpackage.json.59c836aae[email protected]fb4ecd7d2[email protected]5f33040#476 npm/pacote#22 npm/pacote#14 fix: Do not drop perms in git when not root (isaacs, @darcyclarke)6f229f7sanitize and normalize package bin field (isaacs)
1743cb339[email protected]
v6.13.2
6.13.2 (2019-12-03)
BUG FIXES
4429645b3#546 fix docs target typo (@richardlau)867642942#142 fix(packageRelativePath): fix 'where' for file deps (@larsgw)d480f2c17#527 Revert "windows: Add preliminary WSL support for npm and npx" (@craigloewen-msft)e4b97962e#504 remove unnecessary package.json read when reading shrinkwrap (@Lighting-Jack)1c65d26ac#501 fix(fund): open url for string shorthand (@ruyadorno)ae7afe565#263 Don't log error message if git tagging is disabled (@woppa684)4c1b16f6a#182 Warn the user that it is uninstalling npm-install (@Hoidberg)
v6.13.1
6.13.1 (2019-11-18)
BUG FIXES
938d6124d#472 fix(fund): support funding string shorthand (@ruyadorno)b49c5535b#471 should not publish tap-snapshot folder (@ruyadorno)3471d5200#253 Add preliminary WSL support for npm and npx (@infinnie)3ef295f23#486 print quick audit report for human output (@isaacs)
TESTING
dbbf977ac#278 added workflow to trigger and run benchmarks (@mikemimik)b4f5e3825#457 feat(docs): adding tests and updating docs to reflect changes in registry teams API. (@nomadtechie)454c7dd60#456 fix git configs for git 2.23 and above (@isaacs)
DOCUMENTATION
b8c1576a430b013ae826c1b2ef69f943a765c0346b1588e09d5ad64a2f551ee87d67258c5c3b32722b150eaeff7555a743cb89423e2f#463 #285 #268 #232 #485 #453 docs cleanup: typos, styling and content (@claudiahdz) (@XhmikosR) (@mugli) (@brettz9) (@mkotsollaris)
DEPENDENCIES
v6.13.0
6.13.0 (2019-11-05)
NEW FEATURES
4414b06d9#273 add fund command (@ruyadorno)
DOCUMENTATION
ae4c74d04#274 migrate existing docs to gatsby (@claudiahdz)4ff1bb180#277 updated documentation copy (@oletizi)
BUG FIXES
e4455409f#281 delete ps1 files on package removal (@NoDocCat)cd14d4701#279 update supported node list to remove v6.0, v6.1, v9.0 - v9.2 (@ljharb)
DEPENDENCIES
TESTING
688cd97be#272 use github actions for CI (@JasonEtco)9a2d8af84#240 Clean up some flakiness and inconsistency (@isaacs)
v6.12.1
6.12.1 (2019-10-29)
BUG FIXES
6508e833d#269 add node v13 as a supported version (@ljharb)b6588a8f7#265 Fix regression in lockfile repair for sub-deps (@feelepxyz)d5dfe57a1#266 resolve circular dependency in pack.js (@addaleax)
DEPENDENCIES
73678bb59[email protected]4b76926e2[email protected]c691f36a9[email protected]5e1a14975[email protected]c194482d6[email protected]bc6a8e0ec[email protected]4dcca3cbb[email protected]
v6.12.0
6.12.0 (2019-10-08):
Now npm ci runs prepare scripts for git dependencies, and respects the --no-optional argument. Warnings for engine mismatches are printed again. Various other fixes and cleanups.
BUG FIXES
890b245dc#252 ci: add dirPacker to options (@claudiahdz)f3299acd0#257 npm.community#4792 warn message on engine mismatch (@ruyadorno)bbc92fb8f#259 npm.community#10288 Fix figgyPudding error innpm token(@benblank)70f54dcb5#241 doctor: Make OK more consistent (@gemal)
FEATURES
ed993a29c#249 Add CI environment variables to user-agent (@isaacs)f6b0459a4#248 Add option to save package-lock without formatting Adds a new config--format-package-lock, which defaults to true. (@bl00mber)
DEPENDENCIES
0ca063c5d[email protected]:- fix: filter functions and undefined out of makeEnv (@isaacs)
5df6b0ea2[email protected]:- fix: pack git directories properly (@claudiahdz)
- respect no-optional argument (@cruzdanilo)
7e04f728c[email protected]5c380e5a3[email protected](@isaacs)62f2ca692[email protected](@isaacs)0ff0ea47a[email protected](@isaacs)f46edae94[email protected](@isaacs)
TESTING
v6.11.3
6.11.3 (2019-09-03):
Fix npm ci regressions and npm outdated depth.
BUG FIXES
235ed1d28#239 Don't override user specified depth in outdated. Restores ability to update packages using--depthas suggested bynpm audit. (@G-Rath)1fafb5151#242 npm.community#9586 Revert "install: do not descend into directory deps' child modules" (@isaacs)cebf542e6#243 npm.community#9720 ci: pass appropriate configs for file/dir modes (@isaacs)
DEPENDENCIES
v6.11.2
6.11.2 (2019-08-22):
Fix a recent Windows regression, and two long-standing Windows bugs. Also, get CI running on Windows, so these things are less likely in the future.
DEPENDENCIES
9778a1b87[email protected]: Fix regression where shims fail to preserve exit code (@isaacs)bf93e91d8[email protected]: Properly handle git+file: urls on Windows when a drive letter is included. (@isaacs)
BUGFIXES
6cc4cc66fescape args properly on Windows Bash Despite being bash, Node.js running on windows git mingw bash still executes child processes using cmd.exe. As a result, arguments in this environment need to be escaped in the style of cmd.exe, not bash. (@isaacs)
TESTS
291aba7b8make tests pass on Windows (@isaacs)fea3a023atravis: run tests on Windows as well (@isaacs)
v6.11.1
6.11.1 (2019-08-20):
Fix a regression for windows command shim syntax.
v6.11.0
v6.11.0 (2019-08-20):
A few meaty bugfixes, and introducing peerDependenciesMeta.
FEATURES
a12341088#224 Implements peerDependenciesMeta (@arcanis)2f3b79bba#234 add new forbidden 403 error code (@claudiahdz)
BUGFIXES
24acc9fc8and45772af0d#217 npm.community#8863 npm.community#9327 do not descend into directory deps' child modules, fix shrinkwrap files that inappropriately list child nodes of symlink packages (@isaacs and @salomvary)50cfe113d#229 fixed typo in semver doc (@gall0ws)e8fb2a1bd#231 Fix spelling mistakes in CHANGELOG-3.md (@XhmikosR)769d2e057npm/uid-number#7 Better error on invalid--user/--groupconfigs. This addresses the issue when people fail to install binary packages on Docker and other environments where there is no 'nobody' user. (@isaacs)8b43c9624nodejs/node#28987 npm.community#6032 npm.community#6658 npm.community#6069 npm.community#9323 Fix the regression where random config values in a .npmrc file are not passed to lifecycle scripts, breaking build processes which rely on them. (@isaacs)8b85eaa47save files with inferred ownership rather than relying onSUDO_UIDandSUDO_GID. (@isaacs)b7f6e5f02Infer ownership of shrinkwrap files (@isaacs)54b095d77#235 Add spec to dist-tag remove function (@theberbie)
DEPENDENCIES
dc8f9e52f[email protected]: Infer the ownership of all unpacked files innode_modules, so that we never have user-owned files in root-owned folders, or root-owned files in user-owned folders. (@isaacs)bb33940c3[email protected]:9c93ac3#2 npm#3380 Handle environment variables properly (@basbossink)2d277f8#25 #36 #35 Fix 'no shebang' case by always providing$basedirin shell script (@igorklopov)adaf20b#26 Fix$*causing an error when arguments contain parentheses (@satazor)49f0c13#30 Fix paths for MSYS/MINGW bash (@dscho)51a8af3#34 Add proper support for PowerShell (@ExE-Boss)4c37e04#10 Work around quoted batch file names (@isaacs)
a4e279544[email protected](@isaacs):- fail properly if
uid-numberraises an error
- fail properly if
7086a1809[email protected](@isaacs)8845141f9[email protected](@isaacs)51c028215[email protected](@isaacs)534a5548c[email protected](@isaacs)3038f2fd5[email protected](@isaacs)a609a1648[email protected](@isaacs)f0346f754[email protected](@isaacs)ca9c615c8[email protected](@isaacs)b417affbf[email protected](@isaacs)
TESTS
b6df0913c#228 Proper handing of /usr/bin/node lifecycle-path test (@olivr70)aaf98e88c[email protected](@isaacs)
v6.10.3
v6.10.3 (2019-08-06):
BUGFIXES
27cccfbda#223 vulns → vulnerabilities in npm audit output (@sapegin)d5e865eb7#222 #226 install, doctor: don't crash if registry unset (@dmitrydvorkin, @isaacs)5b3890226#227 npm.community#9167 Handle unhandledRejections, tell user what to do when encountering anEACCESerror in the cache. (@isaacs)
DEPENDENCIES
77516df6e[email protected](@isaacs)ceb993590[email protected](@isaacs)4050b9189[email protected]- #46 #43 #47 #44 Add support for GitLab subgroups (@mterrel, @isaacs, @ybiquitous)
3b1d629#48 fix http protocol using sshurl by default (@fengmk2)5d4a8d7ignore noCommittish on tarball url generation (@isaacs)1692435use gist tarball url that works for anonymous gists (@isaacs)d5cf830Do not allow invalid gist urls (@isaacs)e518222Use LRU cache to prevent unbounded memory consumption (@iarna)
v6.10.2
v6.10.2 (2019-07-23):
tl;dr - Fixes several issues with the cache when npm is run as sudo on Unix systems.
TESTING
2a78b96f8check test cache for root-owned files (@isaacs)108646ebcrun sudo tests on Travis-CI (@isaacs)cf984e946set --no-esm tap flag (@isaacs)8e0a3100dadd script to run tests and leave fixtures for inspection and debugging (@isaacs)
BUGFIXES
25f4f73f6add a util for writing arbitrary files to cache This prevents metrics timing and debug logs from becoming root-owned. (@isaacs)2c61ce65dinfer cache owner from parent dir incorrect-mkdirutil (@isaacs)235e5d6dfensure correct owner on cached all-packages metadata (@isaacs)e2d377bb6npm.community#8540 audit: report server error on failure (@isaacs)52576a39e#216 npm.community#5385 npm.community#6076 Fixnpm ciwithfile:dependencies. Partially reverts #40/#86, recording dependencies of linked deps in order fornpm cito work. (@jfirebaugh)
DEPENDENCIES
0fefdee13[email protected](@isaacs)e1d87a392[email protected](@isaacs)- git: ensure stream failures are reported (7f07b5d) #1 (@lddubeau)
3f035bf09[email protected](@isaacs)ba3283112[email protected](@isaacs)ee90c334d[email protected](@isaacs)1e480c384[email protected]([@isa
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}