atom
[Security] Bump underscore from 1.9.1 to 1.13.1
Bumps underscore from 1.9.1 to 1.13.1. This update includes a security fix.
Vulnerabilities fixed
Sourced from The GitHub Security Advisory Database.
Arbitrary Code Execution in underscore The package
underscorefrom 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.Affected versions: >= 1.3.2 < 1.12.1
Commits
943977eMerge branch 'umd-alias', tag 1.13.1 release5630f88Add version 1.13.1 to the change log5aa5b52Update the bundle sizes76c8d8aBump the version to 1.13.19cda0b0Add some build clarifications to the documentation (#2923)8b5928cRevert .gitignore underscore.js from 57a4a0e (fix #2923)7054a54Update generated sources and tag 1.13.0 release37dc52aMerge pull request #2921 from jgonggrijp/prepare-1.13.05511d12Add version 1.13.0 to the change logefe5fbfBump the version to 1.13.0- Additional commits viewable in compare view
Maintainer changes
This version was pushed to npm by jgonggrijp, a new releaser for underscore since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)@dependabot badge mewill comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in the .dependabot/config.yml file in this repo:
- Update frequency
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
![dependabot-preview[bot] avatar](https://avatars.githubusercontent.com/in/2141?v=4 "Published by a pub.dev verified publisher"){kind=small}
Codecov Report
Merging #2672 (61f9348) into master (853ea19) will decrease coverage by
0.00%. The diff coverage isn/a.
@@ Coverage Diff @@
## master #2672 +/- ##
==========================================
- Coverage 93.46% 93.46% -0.01%
==========================================
Files 237 237
Lines 13213 13213
Branches 1900 1900
==========================================
- Hits 12350 12349 -1
- Misses 863 864 +1
| Impacted Files | Coverage Δ | |
|---|---|---|
| lib/atom/gutter.js | 90.47% <0.00%> (-2.39%) |
:arrow_down: |
Continue to review full report at Codecov.
Legend - Click here to learn more
Δ = absolute <relative> (impact),ø = not affected,? = missing dataPowered by Codecov. Last update 853ea19...61f9348. Read the comment docs.
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}