[Snyk] Upgrade npm from 6.4.1 to 6.13.7

[snyk-bot]

Snyk has created this PR to upgrade npm from 6.4.1 to 6.13.7.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 41 versions ahead of your current version.
• The recommended version was released a month ago, on 2020-01-28.

The recommended version fixes:

Severity	Issue	Exploit Maturity
	Arbitrary File Write SNYK-JS-NPM-537606	Proof of Concept
	Arbitrary File Overwrite SNYK-JS-NPM-537603	Proof of Concept
	Arbitrary File Overwrite SNYK-JS-FSTREAM-174725	No Known Exploit
	Arbitrary File Write SNYK-JS-BINLINKS-537610	Proof of Concept
	Arbitrary File Overwrite SNYK-JS-BINLINKS-537608	Proof of Concept
	Denial of Service (DoS) npm:mem:20180117	No Known Exploit
	Man-in-the-Middle (MitM) SNYK-JS-HTTPSPROXYAGENT-469131	Proof of Concept
	Unauthorized File Access SNYK-JS-NPM-537604	Proof of Concept
	Unauthorized File Access SNYK-JS-BINLINKS-537609	Proof of Concept

Release notes

Package name: npm

• 6.13.7 - 2020-01-28
  

  6.13.7 (2020-01-28)

  BUG FIXES

  • 7dbb91438 #655 Update CI detection cases (@isaacs)

  DEPENDENCIES

  • 0fb1296c7 libnpx@10.2.2 (@mikemimik)
  • c9b69d569 node-gyp@5.0.7 (@mikemimik)
  • e8dbaf452 bin-links@1.1.7 (@mikemimik)
    • #613 Fixes bin entry for package
• 6.13.6 - 2020-01-09
  

  6.13.6 (2020-01-09)

  DEPENDENCIES

  • 6dba897a1 pacote@9.5.12:
    • d2f4176 fix(git): Do not drop uid/gid when executing in root-owned directory (@isaacs)
• 6.13.5 - 2020-01-09
  

  6.13.5 (2020-01-09)

  BUG FIXES

  • fd0a802ec #550 Fix cache location for npm ci (@zhenyavinogradov)
  • 4b30f3cca #648 fix(version): using 'allow-same-version', git commit --allow-empty and git tag -f (@rhengles)

  TESTING

  • e16f68d30 test(ci): add failing cache config test (@ruyadorno)
  • 3f009fbf2 #659 test: fix bin-overwriting test on Windows (@isaacs)
  • 43ae0791f #601 ci: Allow builds to run even if one fails (@XhmikosR)
  • 4a669bee4 #603 Remove the unused appveyor.yml (@XhmikosR)
  • 9295046ac #600 ci: switch to actions/checkout@v2 (@XhmikosR)

  DOCUMENTATION

  • f2d770ac7 #569 fix netlify publish path config (@claudiahdz)
  • 462cf0983 #627 update gatsby dependencies (@felixonmars)
  • 6fb5dbb72 #532 docs: clarify usage of global prefix (@jgehrcke)
• 6.13.4 - 2019-12-11
  

  6.13.4 (2019-12-11)

  BUGFIXES

  • 320ac9aee npm/bin-links#12 npm/gentle-fs#7 Do not remove global bin/man links inappropriately (@isaacs)

  DEPENDENCIES

  • 52fd21061 gentle-fs@2.3.0 (@isaacs)
  • d06f5c0b0 bin-links@1.1.6 (@isaacs)
• 6.13.3 - 2019-12-10
  

  6.13.3 (2019-12-09)

  DEPENDENCIES

  • 19ce061a2 bin-links@1.1.5 Properly normalize, sanitize, and verify bin entries in package.json.
  • 59c836aae npm-packlist@1.4.7
  • fb4ecd7d2 pacote@9.5.11
    • 5f33040 #476 npm/pacote#22 npm/pacote#14 fix: Do not drop perms in git when not root (isaacs, @darcyclarke)
    • 6f229f7 sanitize and normalize package bin field (isaacs)
  • 1743cb339 read-package-json@2.1.1
• 6.13.2 - 2019-12-03
  

  6.13.2 (2019-12-03)

  BUG FIXES

  • 4429645b3 #546 fix docs target typo (@richardlau)
  • 867642942 #142 fix(packageRelativePath): fix 'where' for file deps (@larsgw)
  • d480f2c17 #527 Revert "windows: Add preliminary WSL support for npm and npx" (@craigloewen-msft)
  • e4b97962e #504 remove unnecessary package.json read when reading shrinkwrap (@Lighting-Jack)
  • 1c65d26ac #501 fix(fund): open url for string shorthand (@ruyadorno)
  • ae7afe565 #263 Don't log error message if git tagging is disabled (@woppa684)
  • 4c1b16f6a #182 Warn the user that it is uninstalling npm-install (@Hoidberg)
• 6.13.1 - 2019-11-18
  

  6.13.1 (2019-11-18)

  BUG FIXES

  • 938d6124d #472 fix(fund): support funding string shorthand (@ruyadorno)
  • b49c5535b #471 should not publish tap-snapshot folder (@ruyadorno)
  • 3471d5200 #253 Add preliminary WSL support for npm and npx (@infinnie)
  • 3ef295f23 #486 print quick audit report for human output (@isaacs)

  TESTING

  • dbbf977ac #278 added workflow to trigger and run benchmarks (@mikemimik)
  • b4f5e3825 #457 feat(docs): adding tests and updating docs to reflect changes in registry teams API. (@nomadtechie)
  • 454c7dd60 #456 fix git configs for git 2.23 and above (@isaacs)

  DOCUMENTATION

  • b8c1576a4 30b013ae8 26c1b2ef6 9f943a765 c0346b158 8e09d5ad6 4a2f551ee 87d67258c 5c3b32722 b150eaeff 7555a743c b89423e2f #463 #285 #268 #232 #485 #453 docs cleanup: typos, styling and content (@claudiahdz) (@XhmikosR) (@mugli) (@brettz9) (@mkotsollaris)

  DEPENDENCIES

  • 661d86cd2 make-fetch-happen@5.0.2 (@claudiahdz)
• 6.13.0 - 2019-11-05
  

  6.13.0 (2019-11-05)

  NEW FEATURES

  • 4414b06d9 #273 add fund command (@ruyadorno)

  DOCUMENTATION

  • ae4c74d04 #274 migrate existing docs to gatsby (@claudiahdz)
  • 4ff1bb180 #277 updated documentation copy (@oletizi)

  BUG FIXES

  • e4455409f #281 delete ps1 files on package removal (@NoDocCat)
  • cd14d4701 #279 update supported node list to remove v6.0, v6.1, v9.0 - v9.2 (@ljharb)

  DEPENDENCIES

  • a37296b20 pacote@9.5.9
  • d3cb3abe8 read-cmd-shim@1.0.5

  TESTING

  • 688cd97be #272 use github actions for CI (@JasonEtco)
  • 9a2d8af84 #240 Clean up some flakiness and inconsistency (@isaacs)
• 6.12.1 - 2019-10-29
  

  6.12.1 (2019-10-29)

  BUG FIXES

  • 6508e833d #269 add node v13 as a supported version (@ljharb)
  • b6588a8f7 #265 Fix regression in lockfile repair for sub-deps (@feelepxyz)
  • d5dfe57a1 #266 resolve circular dependency in pack.js (@addaleax)

  DEPENDENCIES

  • 73678bb59 chownr@1.1.3
  • 4b76926e2 graceful-fs@4.2.3
  • c691f36a9 libcipm@4.0.7
  • 5e1a14975 npm-packlist@1.4.6
  • c194482d6 npm-registry-fetch@4.0.2
  • bc6a8e0ec tar@4.4.1
  • 4dcca3cbb uuid@3.3.3
• 6.12.0 - 2019-10-08
  

  6.12.0 (2019-10-08):

  Now npm ci runs prepare scripts for git dependencies, and respects the --no-optional argument. Warnings for engine mismatches are printed again. Various other fixes and cleanups.

  BUG FIXES

  • 890b245dc #252 ci: add dirPacker to options (@claudiahdz)
  • f3299acd0 #257 npm.community#4792 warn message on engine mismatch (@ruyadorno)
  • bbc92fb8f #259 npm.community#10288 Fix figgyPudding error in npm token (@benblank)
  • 70f54dcb5 #241 doctor: Make OK more consistent (@gemal)

  FEATURES

  • ed993a29c #249 Add CI environment variables to user-agent (@isaacs)
  • f6b0459a4 #248 Add option to save package-lock without formatting Adds a new config --format-package-lock, which defaults to true. (@bl00mber)

  DEPENDENCIES

  • 0ca063c5d npm-lifecycle@3.1.4:
    • fix: filter functions and undefined out of makeEnv (@isaacs)
  • 5df6b0ea2 libcipm@4.0.4:
    • fix: pack git directories properly (@claudiahdz)
    • respect no-optional argument (@cruzdanilo)
  • 7e04f728c tar@4.4.12
  • 5c380e5a3 stringify-package@1.0.1 (@isaacs)
  • 62f2ca692 node-gyp@5.0.5 (@isaacs)
  • 0ff0ea47a npm-install-checks@3.0.2 (@isaacs)
  • f46edae94 hosted-git-info@2.8.5 (@isaacs)

  TESTING

  • 44a2b036b #262 fix root-ownership race conditions in meta-test (@isaacs)
• 6.12.0-next.0 - 2019-09-26
• 6.11.3 - 2019-09-03
• 6.11.2 - 2019-08-22
• 6.11.1 - 2019-08-21
• 6.11.0 - 2019-08-20
• 6.10.3 - 2019-08-06
• 6.10.2 - 2019-07-23
• 6.10.2-next.3 - 2019-07-22
• 6.10.2-next.2 - 2019-07-21
• 6.10.2-next.1 - 2019-07-17
• 6.10.2-next.0 - 2019-07-16
• 6.10.1 - 2019-07-11
• 6.10.1-next.2 - 2019-07-10
• 6.10.1-next.1 - 2019-07-03
• 6.10.1-next.0 - 2019-07-03
• 6.10.0 - 2019-07-03
• 6.10.0-next.0 - 2019-07-01
• 6.9.2 - 2019-06-27
• 6.9.1-next.0 - 2019-03-20
• 6.9.0 - 2019-03-06
• 6.9.0-next.0 - 2019-02-21
• 6.8.0 - 2019-02-13
• 6.8.0-next.2 - 2019-02-07
• 6.8.0-next.1 - 2019-02-06
• 6.8.0-next.0 - 2019-01-31
• 6.7.0 - 2019-01-23
• 6.6.0 - 2019-01-17
• 6.6.0-next.1 - 2019-01-10
• 6.6.0-next.0 - 2018-12-12
• 6.5.0 - 2018-12-10
• 6.5.0-next.0 - 2018-11-28
• 6.4.1 - 2018-08-29

from npm GitHub release notes

Commit messages

Package name: npm

• f533d61 6.13.7
• 5897df4 update AUTHORS
• dcafdd9 updated changelog for npm@6.13.7
• 0fb1296 libnpx@10.2.2
• 1a5d209 chore: removed reference to package.community as a source for npm team support
• 68fc88e docs: updated the CONTRIBUTING file; added references to benchmarking
• 1ce0344 feat: updated workflow for pull-ruquest benchmark dispatch requests
• 5967fa4 feat: added workflow file for commenting on a pull-request to dispatch trigger benchmark suite
• 3590e40 fix: removed authorization header from benchmark dispatch request
• c9b69d5 node-gyp@5.0.7
• e8dbaf4 bin-links@1.1.7
• 7230e13 docs: fix header parsing that was breaking misc config manpage
• 7dbb914 Update CI detection cases
• 7852c0c Use the npm lint script on CI.
• b1aeeb6 docs: mention --no-optional in package-json
• 88cfb88 chore: fixes nodejs tests
• ac3739f 6.13.6
• c56c847 docs: changelog for 6.13.6
• 6dba897 pacote@9.5.12
• 787bb66 6.13.5
• e099866 update AUTHORS
• 4812866 docs: changelog for 6.13.5
• 6fb5dbb npm-link: clarify usage of global prefix
• 4b30f3c feat(version): using 'allow-same-version', git commit --allow-empty and git tag -f

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[//]: # (snyk:metadata:{"dependencies":[{"name":"npm","from":"6.4.1","to":"6.13.7"}],"packageManager":"npm","type":"auto","projectUrl":"https://app.snyk.io/org/ali8668/project/36e5b4c4-41bd-433c-9e45-f93745c533ff?utm_source=github&utm_medium=upgrade-pr","projectPublicId":"36e5b4c4-41bd-433c-9e45-f93745c533ff","env":"prod","prType":"upgrade","vulns":["SNYK-JS-NPM-537606","SNYK-JS-NPM-537603","SNYK-JS-FSTREAM-174725","SNYK-JS-BINLINKS-537610","SNYK-JS-BINLINKS-537608","npm:mem:20180117","SNYK-JS-HTTPSPROXYAGENT-469131","SNYK-JS-NPM-537604","SNYK-JS-BINLINKS-537609"],"issuesToFix":[{"issueId":"SNYK-JS-NPM-537606","severity":"high","title":"Arbitrary File Write","exploitMaturity":"proof-of-concept"},{"issueId":"SNYK-JS-NPM-537603","severity":"high","title":"Arbitrary File Overwrite","exploitMaturity":"proof-of-concept"},{"issueId":"SNYK-JS-FSTREAM-174725","severity":"high","title":"Arbitrary File Overwrite","exploitMaturity":"no-known-exploit"},{"issueId":"SNYK-JS-BINLINKS-537610","severity":"high","title":"Arbitrary File Write","exploitMaturity":"proof-of-concept"},{"issueId":"SNYK-JS-BINLINKS-537608","severity":"high","title":"Arbitrary File Overwrite","exploitMaturity":"proof-of-concept"},{"issueId":"npm:mem:20180117","severity":"medium","title":"Denial of Service (DoS)","exploitMaturity":"no-known-exploit"},{"issueId":"SNYK-JS-HTTPSPROXYAGENT-469131","severity":"medium","title":"Man-in-the-Middle (MitM)","exploitMaturity":"proof-of-concept"},{"issueId":"SNYK-JS-NPM-537604","severity":"low","title":"Unauthorized File Access","exploitMaturity":"proof-of-concept"},{"issueId":"SNYK-JS-BINLINKS-537609","severity":"low","title":"Unauthorized File Access","exploitMaturity":"proof-of-concept"}],"upgrade":["SNYK-JS-NPM-537606","SNYK-JS-NPM-537603","SNYK-JS-FSTREAM-174725","SNYK-JS-BINLINKS-537610","SNYK-JS-BINLINKS-537608","npm:mem:20180117","SNYK-JS-HTTPSPROXYAGENT-469131","SNYK-JS-NPM-537604","SNYK-JS-BINLINKS-537609"],"upgradeInfo":{"versionsDiff":41,"publishedDate":"2020-01-28T19:09:13.959Z"},"templateVariants":[],"hasFixes":true,"isMajorUpgrade":false,"isBreakingChange":false})

[ghost]

Congratulations 🍻. DeepCode analyzed your code in 0.102 seconds and we found no issues. Enjoy a moment of no bugs ☀️.

💬 This comment has been generated by the DeepCode bot, installed by the owner of the repository. The DeepCode bot protects your repository by detecting and commenting on security vulnerabilities or other critical issues.

---

☺️ If you want to provide feedback on our bot, here is how to contact us.