AztecProtocol
[security] build(deps): bump react-dev-utils from 8.0.0 to 11.0.4
Bumps react-dev-utils from 8.0.0 to 11.0.4.
Changelog
Sourced from react-dev-utils's changelog.
2.0.3 and Newer Versions
Please refer to CHANGELOG-2.x.md for the 2.x range, and https://github.com/facebook/create-react-app/blob/master/CHANGELOG.md for the newer versions.
1.1.5 (August 24, 2018)
react-scripts
- Update the
webpack-dev-serverdependency
react-dev-utilsCommitters: 1
- Andrew Clark (acdlite)
Migrating from 1.1.4 to 1.1.5
Inside any created project that has not been ejected, run:
npm install --save --save-exact [email protected]or
yarn add --exact [email protected]1.1.4 (April 3, 2018)
:bug: Bug Fix
Committers: 1
- Joe Haddad (Timer)
Migrating from 1.1.3 to 1.1.4
Inside any created project that has not been ejected, run:
</tr></table>
... (truncated)
Commits
- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)@dependabot use these labelswill set the current labels as the default for future PRs for this repo and language@dependabot use these reviewerswill set the current reviewers as the default for future PRs for this repo and language@dependabot use these assigneeswill set the current assignees as the default for future PRs for this repo and language@dependabot use this milestonewill set the current milestone as the default for future PRs for this repo and language@dependabot badge mewill comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot dashboard:
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
![dependabot-preview[bot] avatar](https://avatars.githubusercontent.com/in/2141?v=4 "Published by a pub.dev verified publisher"){kind=small}
We've just been alerted that this update fixes a security vulnerability:
Sourced from The GitHub Security Advisory Database.
Improper Neutralization of Special Elements used in an OS Command.
react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.
Affected versions: [">= 0.4.0 < 11.0.4"]