3id-connect icon indicating copy to clipboard operation
3id-connect copied to clipboard
verified publisher icon 3box

build(deps): [security] bump url-parse from 1.4.7 to 1.5.0

Open dependabot-preview[bot] opened this issue 4 years ago • 0 comments

Bumps url-parse from 1.4.7 to 1.5.0. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Path reaversal in url-parse url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

Affected versions: < 1.5.0

Commits
  • 267a0c6 [dist] 1.5.0
  • d1e7e88 [security] More backslash fixes (#197)
  • d99bf4c [ignore] Remove npm-debug.log from .gitignore
  • 422c8b5 [pkg] Replace nyc with c8
  • 933809d [pkg] Move coveralls to dev dependencies
  • 190b216 [pkg] Add .npmrc
  • ce3783f [test] Do not test on all available versions of Edge and Safari
  • 77c1184 [pkg] Update mocha to version 8.0.1
  • 673c3a7 [travis] Test on node 14
  • 08fd2cc [pkg] Update mocha to version 7.0.1 (#189)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in the .dependabot/config.yml file in this repo:

  • Update frequency
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

dependabot-preview[bot] avatar Jul 26 '21 08:07 dependabot-preview[bot]