This repository has been archived by the owner on Jan 29, 2023. It is now read-only.

Update dependency bower to v1.8.8 [SECURITY] #23

Open: wants to merge 1 commit into master from renovate/npm-bower-vulnerability

Conversation

renovate[bot] (Contributor) commented Sep 18, 2019

Mend Renovate

This PR contains the following updates:

Package: bower (source)
Change: 1.3.12 -> 1.8.8

GitHub Vulnerability Alerts

CVE-2019-5484

Versions of bower prior to 1.8.8 are affected by an arbitrary file write vulnerability. The vulnerability occurs because bower does not verify that extracted symbolic links do not resolve to targets outside of the extraction root directory.

Recommendation

Update to version 1.8.8 or later


Release Notes

bower/bower

v1.8.8

Fix security issue connected to extracting .tar.gz archives

This bug allows writing an arbitrary file to the filesystem when Bower extracts a malicious package.

Needless to say, please upgrade.

v1.8.7

Fixes side effect of fix from v1.8.6 that caused improper permissions for extracted folders

https://github.com/bower/bower/issues/2532

v1.8.6

Fix Zip Slip Vulnerability of decompress-zip package: https://snyk.io/research/zip-slip-vulnerability

Note: v1.8.5 has been unpublished because of missing files

v1.8.4

  • Fixes release 1.8.3 by publishing with npm@3 instead of npm@5 (to include lib/node_modules)

v1.8.3

  • 451c60e Do not store resolutions if --save is not used, fixes #​2344 (#​2508)
  • 50ee729 Allow to disable shorthand resolver (#​2507)
  • bb17839 Allow shallow cloning when source is a ssh protocol (#​2506)
  • 5a6ae54 Add support for Arrays in Environment Variable replacement (#​2411)
  • 74af42c Only replace last @ after (if any) last / with # (#​2395)
  • 💯Make tests work on Windows / Linux / OSX on node versions 0.10 / 0.12 / 4 / 6 / 8 / 9
  • 💅Format source code with prettier

v1.8.2

Migrate registry url from http://bower.herokuapp.com to https://registry.bower.io

It is so we leverage CDN and offload Heroku instance reducing costs.

v1.8.0

  • Download tar archives from GitHub when possible (#​2263)
    • Change default shorthand resolver for github from git:// to https://
  • Fix ssl handling by not setting GIT_SSL_NO_VERIFY=false (#​2361)
  • Allow for removing components with url instead of name (#​2368)
  • Show in warning message location of malformed bower.json (#​2357)
  • Improve handling of non-semver versions in git resolver (#​2316)
  • Fix handling of cached releases pluginResolverFactory (#​2356)
  • Allow to type the entire version when a conflict occurred (#2243)
  • Allow owner/reponame shorthand for registering components (#​2248)
  • Allow single-char repo names and package names (#​2249)
  • Make bower version no longer honor version in bower.json (#​2232)
  • Add postinstall hook (#​2252)
  • Allow for @ instead of # for install and info commands (#​2322)
  • Upgrade all bundled modules

v1.7.9

  • Show warnings for invalid bower.json fields
  • Update bower-json
    • Less strict validation on package name (allow spaces, slashes, and "@​")

v1.7.8

  • Don't ask for git credentials in non-interactive session, fixes #​956 #​1009
  • Prevent swallowing exceptions with programmatic api, fixes #​2187
  • Update graceful-fs to 4.x in all dependences, fixes nodejs/node#​5213
  • Resolve pluggable resolvers using cwd and fallback to global modules, fixes #​1919
  • Upgrade handlebars to 4.0.5, closes #​2195
  • Replace all % characters in defined scripts, instead of only the first one, fixes #2174
  • Update opn package to fix issues with "bower open" command on Windows
  • Update bower-config
  • Update bower-json
    • Validate package name more strictly and allow only latin letters, dots, dashes and underscores
  • Add support for "save" and "save-exact" in .bowerrc, #​2161

v1.7.7

Revert locations of all files while still packaging node_modules.

It's because people are depending on internals of bower, like
bower/lib/renderers/StandardRenderer. We want to preserve this
implicit contract, but we discourage it. The only official way
to use bower programmatically is through require('bower').

v1.7.6

  • Revert location of "bin/bower" as developers are using it directly (#​2157)
    Note: the correct way is to use the alias created in npm bin --global.

v1.7.5

  • Remove analytics from Bower, fixes (#​2150)
  • Default to ^ operator on bower install --save (#​2145)
  • Support absolute path in .bowerrc directory option (#​2130)
  • Display user's name upon bower login command (#​2133)
  • Decompress gzip files (#​2092)
  • Prevent name clashes in package extraction (#​2102)
  • When strictSsl is false, set GIT_SSL_NO_VERIFY=true (#​2129)
  • Distribute bower with npm@3 for better Windows support (#​2146)
  • Update request to 2.67.0 and fs-write-stream-atomic to 1.0.8
  • Documentation improvements

v1.7.2

  • Lock "fs-write-stream-atomic" to 1.0.5

v1.7.1

  • Rollback "Add bower update --save functionality", it causes issues and needs more testing
  • Fix backward-compatibility of bower search --json (#​2066)
  • Ignore prerelease versions from bower info output
  • Update update-notifier to 0.6.0
  • Better formatting of help messages (bower/bower@de3e108)
  • Add help menu for update --save and update --save-dev (bower/bower@612aaa8)

v1.7.0

  • Add bower update --save functionality (#​2035)
  • bower search shows help message when no package name is specified (#​2066)
  • Update only those packages that are explicitly requested by the user. Related Issues
  • Allow for @​ in username for SVN on windows (#​1650)
  • Update bower config
    • Loads the .bowerrc file from the cwd specified on the command line
    • Allow the use of environment variables in .bowerrc (#​41)
    • Allow for array notation in ENV variables (#​44)

v1.6.9

  • Change git version of fs-write-stream-atomic back to npm version (#​2079)

v1.6.8

  • Use fs-write-stream-atomic for downloads
  • Improved downloader that properly cleans after itself
  • Fix shallow host detection (#​2040)
  • Upgrade to (bower-config#​1.2.3)
    • Properly restore env variables if they are undefined at the beginning
    • Properly handle default setting for config.ca
    • Display proper error if .bowerrc is a directory instead of file

v1.6.7

  • Bundles all the dependencies again

v1.6.6

  • Fixes regression with the published npm version

v1.6.5

  • Updates to tests and documentation
  • Fixes passing options when requesting downloads

v1.6.4

  • Fix ignoring dependencies on multiple install run (#​1970)
  • Use --non-interactive when running svn client (#​1969)
  • Fix downloading of URLs ending with slash (#​1956)
  • Add user-agent field for downloads by Bower (#​1960)

v1.6.3

Fixes regression issues introduced with 1.6.2, specifically:

  • Allow for bower_components to be a symlink
  • Allow setting custom registry in .bowerrc

v1.6.2

Fix dependency issues of 1.6.1. First published release of 1.6.x.

v1.5.4

  • [fix] Lock lru-cache dependency to 2.7.0

v1.5.3

  • Revert auto sorting of bower dependencies, fixes (#​1897)
  • Fix --save-exact feature for github endpoints, fixes (#​1925)
  • Fix bower init to support private flag again (#​1819)
  • Bump insight dependency to support prompt timeout (#​1102)

v1.5.2

  • Revert update semver version from 2.x to 5.x, fixes (#​1896)
  • Make bower commands work from subdirectories, fixes (#​1893)
  • Put auto shallow cloning for git behind a flag, fixes (#​1764)

v1.5.1

  • If cwd provided explicitly, force using it, fixes #​1866

v1.5.0

v1.4.2

  • [fix] Lock lru-cache dependency to 2.7.0

v1.4.1

  • [fix] Reading .bowerrc upwards directory tree (#​1763)
  • [fix] Update bower-registry-client so it uses the same bower-config as bower

v1.4.0

It also includes improved test coverage (~60% -> ~85%) and many refactors.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.

pull-assistant bot commented Sep 18, 2019

Score: 1.00

Best reviewed: commit by commit


Optimal code review plan

     Update dependency bower to v1.8.8 [SECURITY]

Powered by Pull Assistant. Last update 721a96d ... 721a96d.

@renovate renovate bot force-pushed the renovate/npm-bower-vulnerability branch from 721a96d to 7434f5a on November 20, 2022 14:34