This repository has been archived by the owner on Jan 29, 2023. It is now read-only.
Update dependency bower to v1.8.8 [SECURITY] #23
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.3.12
->1.8.8
GitHub Vulnerability Alerts
CVE-2019-5484
Versions of
bower
prior to 1.8.8 are affected by an arbitrary file write vulnerability. The vulnerability occurs becausebower
does not verify that extracted symbolic links do not resolve to targets outside of the extraction root directory.Recommendation
Update to version 1.8.8 or later
Release Notes
bower/bower
v1.8.8
Compare Source
Fix security issue connected to extracting .tar.gz archives
This bug allows to write arbitrary file on filesystem when Bower extracts malicious package
Needlessly to say, please upgrade
v1.8.7
Compare Source
Fixes side effect of fix from v1.8.6 that caused improper permissions for extracted folders
https://github.com/bower/bower/issues/2532
v1.8.6
Compare Source
Fix Zip Slip Vulnerability of decompress-zip package: https://snyk.io/research/zip-slip-vulnerability
Note: v1.8.5 has been unpublished because of missing files
v1.8.4
Compare Source
lib/node_modules
)v1.8.3
Compare Source
451c60e
Do not store resolutions if --save is not used, fixes #2344 (#2508)50ee729
Allow to disable shorthand resolver (#2507)bb17839
Allow shallow cloning when source is a ssh protocol (#2506)5a6ae54
Add support for Arrays in Environment Variable replacement (#2411)74af42c
Only replace last@
after (if any) last/
with#
(#2395)v1.8.2
Compare Source
Migrate registry url from http://bower.herokuapp.com to https://registry.bower.io
It is so we leverage CDN and offload Heroku instance reducing costs.
v1.8.0
git://
tohttps://
owner/reponame
shorthand for registering components (#2248)bower version
no longer honorversion
in bower.json (#2232)postinstall
hook (#2252)@
instead of#
forinstall
andinfo
commands (#2322)v1.7.9
Compare Source
v1.7.8
Compare Source
v1.7.7
Compare Source
Revert locations of all files while still packaging
node_modules
.It's because people are depending on internals of bower, like
bower/lib/renderers/StandardRenderer
. We want to preserve thisimplicit contract, but we discourage it. The only official way
to use bower programmatically is through
require('bower')
.v1.7.6
Compare Source
Note: Correctly, you should use an alias created in
npm bin --global
.v1.7.5
Compare Source
bower install --save
(#2145)bower login
command (#2133)v1.7.2
Compare Source
v1.7.1
Compare Source
bower update --save
functionality", it causes issues and needs more testingbower search --json
(#2066)bower info
output--save
andupdate --save-dev
(bower/bower@612aaa8)v1.7.0
Compare Source
bower update --save
functionality (#2035)bower search
shows help message when no package name is specified (#2066)v1.6.9
Compare Source
v1.6.8
Compare Source
default
setting for config.cav1.6.7
Compare Source
v1.6.6
Compare Source
v1.6.5
Compare Source
v1.6.4
Compare Source
v1.6.3
Compare Source
Fixes regression issues introduced with 1.6.2, specifically:
v1.6.2
Compare Source
Fix dependency issues of 1.6.1. First published release of 1.6.x.
v1.5.4
Compare Source
v1.5.3
Compare Source
bower init
to support private flag again (#1819)v1.5.2
Compare Source
v1.5.1
Compare Source
v1.5.0
Compare Source
v1.4.2
Compare Source
v1.4.1
Compare Source
v1.4.0
Compare Source
514eb8f
)962a565
,a464f5a
It also includes improved test coverage (~60% -> ~85%) and many refactors.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.