[Snyk] Fix for 3 vulnerabilities

[aliscco]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • deps/npm/node_modules/pacote/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @npmcli/run-script

The new version differs by 116 commits.

• fcebe38 chore: release 7.0.2
• 30623cf deps: bump node-gyp from 9.4.1 to 10.0.0
• 54e5bd0 chore: postinstall for dependabot template-oss PR
• 7d95e9f chore: bump @ npmcli/template-oss from 4.18.1 to 4.19.0
• 90bcf54 chore: postinstall for dependabot template-oss PR
• ba0ab48 chore: bump @ npmcli/template-oss from 4.18.0 to 4.18.1
• 43ccfc7 chore: release 7.0.1
• f61fd84 deps: bump @ npmcli/promise-spawn from 6.0.2 to 7.0.0
• 87b740b chore: release 7.0.0
• e1b1a3c fix: drop node14 support
• a8045a9 deps: bump which from 3.0.1 to 4.0.0
• c4f4fb4 chore: postinstall for dependabot template-oss PR
• dacd67e chore: bump @ npmcli/template-oss from 4.17.0 to 4.18.0
• 9d2d807 chore: postinstall for dependabot template-oss PR
• 8b21725 chore: bump @ npmcli/template-oss from 4.15.1 to 4.17.0
• d9a0cc0 chore: release 6.0.2
• 545f3be fix: handle signals more correctly ([Snyk] Security upgrade tap from 14.11.0 to 15.0.0 #142)
• 1cbd286 chore: bump @ npmcli/template-oss from 4.14.1 to 4.15.1 ([Snyk] Security upgrade xo from 0.37.1 to 0.42.0 #151)
• 581be58 docs: fix syntax in example ([Snyk] Fix for 4 vulnerabilities #141)
• 24f12b2 chore: release 6.0.1
• 728b270 chore: enable auto-publish ([Snyk] Security upgrade mocha from 6.2.3 to 10.1.0 #150)
• 6c1cb21 chore: bump @ npmcli/template-oss from 4.12.1 to 4.14.1 ([Snyk] Fix for 4 vulnerabilities #148)
• 3a8f085 fix: remove unused dependency on minipass ([Snyk] Fix for 4 vulnerabilities #147)
• 72c3e2f chore: bump @ npmcli/template-oss from 4.12.0 to 4.12.1 ([Snyk] Fix for 11 vulnerabilities #144)

See the full diff

Package name: npm-packlist

The new version differs by 58 commits.

• 6a805d1 chore: release 6.0.0 ([Snyk] Fix for 4 vulnerabilities #124)
• c37371b feat: change interactions between `files` array and ignore files to be more consistent (build(deps): bump minimatch from 3.0.4 to 3.1.2 in /tools/clang-format #88)
• a2c96ef feat!: postinstall for dependabot template-oss PR
• 925c5b8 chore: bump @ npmcli/template-oss from 3.6.0 to 4.3.2
• 01c4799 chore(main): release 5.1.3 ([Snyk] Security upgrade mocha from 6.2.3 to 10.1.0 #114)
• de5e96b deps: bump npm-bundled from 1.1.2 to 2.0.0 ([Snyk] Fix for 3 vulnerabilities #113)
• 50d06c4 chore(main): release 5.1.2 ([Snyk] Fix for 13 vulnerabilities #112)
• c97d1a8 deps: bump npm-normalize-package-bin from 1.0.1 to 2.0.0 ([Snyk] Fix for 6 vulnerabilities #110)
• 8356e02 chore: postinstall for dependabot template-oss PR
• 8b5ba6f chore: bump @ npmcli/template-oss from 3.5.0 to 3.6.0
• 7e8be74 chore(main): release 5.1.1 ([Snyk] Fix for 19 vulnerabilities #109)
• da1ba4a fix: correctly ignore .gitignore when a .npmignore is present ([Snyk] Security upgrade tap from 1.4.1 to 12.6.2 #108)
• 9393e2e chore(main): release 5.1.0 ([Snyk] Fix for 3 vulnerabilities #105)
• d74bdd1 feat: correctly handle workspace roots ([Snyk] Security upgrade mocha from 6.2.3 to 10.1.0 #104)
• 1461039 chore(main): release 5.0.4 ([Snyk] Security upgrade tap from 14.11.0 to 15.0.0 #103)
• 34f416f chore: bump @ npmcli/template-oss from 3.4.3 to 3.5.0 ([Snyk] Fix for 4 vulnerabilities #100)
• 0f31f71 fix: do not pack workspaces by default
• 839e6e8 fix: respect gitignore and npmignore files in workspace roots
• 7e1fc71 chore: bump @ npmcli/template-oss from 3.4.2 to 3.4.3 ([Snyk] Security upgrade tap from 14.11.0 to 15.0.0 #99)
• 084fa24 chore(main): release 5.0.3 ([Snyk] Security upgrade tap from 14.11.0 to 15.0.0 #98)
• ceea51d chore: bump @ npmcli/template-oss from 3.4.2 to 3.4.3 ([Snyk] Security upgrade tap from 14.11.0 to 15.0.0 #96)
• 9f519b7 fix: strip leading ./ from files array entries ([Snyk] Security upgrade eslint from 4.19.1 to 5.0.0 #97)
• ce176f7 chore: postinstall for dependabot template-oss PR
• 70ba466 chore: bump @ npmcli/template-oss from 3.4.1 to 3.4.2

See the full diff

Package name: npm-registry-fetch

The new version differs by 76 commits.

• 8f61d95 chore: release 14.0.0 ([Snyk] Security upgrade mocha from 6.2.3 to 10.1.0 #139)
• c1a2c5a chore: bump cacache from 16.1.3 to 17.0.0 ([Snyk] Fix for 4 vulnerabilities #147)
• b5aeed0 deps: bump make-fetch-happen from 10.2.1 to 11.0.0 ([Snyk] Fix for 2 vulnerabilities #146)
• c1c203e chore: postinstall for dependabot template-oss PR
• dcff56f chore: bump @ npmcli/template-oss from 4.4.4 to 4.5.1
• 8762c37 chore: postinstall for dependabot template-oss PR
• 428d241 chore: bump @ npmcli/template-oss from 4.3.2 to 4.4.4
• 104a51f feat!: postinstall for dependabot template-oss PR
• 36f576a chore: bump @ npmcli/template-oss from 3.6.0 to 4.3.2
• ed6304c chore: postinstall for dependabot template-oss PR
• 4a08dd4 chore: bump @ npmcli/template-oss from 3.5.0 to 3.6.0
• de64201 chore(main): release 13.3.1 ([Snyk] Fix for 19 vulnerabilities #128)
• c9a8727 fix: linting
• a72fb7c chore: rimraf@3.0.2
• 79bddb9 chore: mkdirp@1.0.4
• 8d40cbb chore(main): release 13.3.0 ([Snyk] Fix for 16 vulnerabilities #126)
• 42d605c feat: respect registry-scoped certfile and keyfile options ([Snyk] Security upgrade mocha from 7.2.0 to 10.1.0 #125)
• 43c91f5 chore(main): release 13.2.0 ([Snyk] Fix for 4 vulnerabilities #124)
• 893ea1c chore: bump @ npmcli/template-oss from 3.4.2 to 3.4.3 ([Snyk] Security upgrade tap from 7.1.2 to 15.0.0 #121)
• ff4ed65 feat: set 'npm-auth-type' header depending on config option ([Snyk] Security upgrade tap from 14.11.0 to 15.0.0 #123)
• 0db6cf8 chore: postinstall for dependabot template-oss PR
• 0c1795e chore: bump @ npmcli/template-oss from 3.4.1 to 3.4.2
• 5f9f823 chore: bump @ npmcli/template-oss from 3.3.2 to 3.4.1 ([Snyk] Security upgrade mocha from 5.2.0 to 10.1.0 #119)
• b9848ba chore(main): release 13.1.1 ([Snyk] Fix for 6 vulnerabilities #110)

See the full diff

Package name: rimraf

The new version differs by 40 commits.

• 3b6b098 4.0.0
• e0cffea ci: reduce workload even more
• 0e6646d ci: remove unnecessary lint filter
• 546e017 update action versions
• 6d88a65 tone down benchmark intensity
• 842a8d2 fix benchmark workflow yaml
• 1b91697 chore: add copyright year to license
• 08bbb06 rewrite in TS, export hybrid, update changelog, docs
• 1b3f46e drop support for node versions below 14
• 2e1f003 gh actions workflow for benchmarks
• 52f9370 tests for retry-busy behavior
• 188e3ed don't test on very old node versions
• d1d5495 test for fix-eperm
• e7501cd prettier formatting
• 40f64ec windows: only fall back to move-remove when absolutely necessary
• b6f7819 update tap
• 99496cd test: run posix test on windows, why not?
• 51d43c1 benchmarks
• 6b8aa29 doc: correct os.tmp default
• 4b228c9 do not ever actually try to rmdir /
• 2442655 consolidate all the spellings of 'opt' into one
• d4eec2e add cli script
• 0c82d74 accept strings, arrays of strings, and no other types
• ad4f2db Do not rimraf /, override with preserveRoot:false

See the full diff

Package name: tap

The new version differs by 250 commits.

• 793c1c0 update versions
• 47a2289 add missing @ tapjs/mock service key polyfill
• 6622dca snapshot: update snapshot
• 556e520 mock: actually be resilient against multiple instances
• 2c135b0 Add `t.mockAll` method
• d7e7e4f clean process.cwd() out of snapshots by default
• 4c0dc72 use the released version of tshy
• c858f37 need to check in .tshy configs for typedoc to work
• 82f48cd update versions
• 0f27f73 TypeScript 5.2, use tshy for hybrid builds
• de09096 remove my home directory from parser snapshots
• 46e2bbb repl: mkdirp the .tap dir if missing
• acfae01 link typedocs to main website
• 2ece1da core spawn test even less flaky
• a7a12d2 update typedoc to latest, ts-node to temporary fork
• a5c0e0c some changelog updates
• caf8d81 document repl
• a5dc854 Store t.testdir() fixtures in .tap/fixtures
• 6914d23 remove docs from source control
• 1dcc6a7 exclude test files themselves from coverage
• aff25fc update versions
• c5972e7 core: make spawn timeout test less flaky
• 1c11b37 stack: properly parse ErrnoException errors
• 1280a55 parser: remove node v12 skip check

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Server-side Request Forgery (SSRF)
🦉 Prototype Pollution