This repository has been archived by the owner on Feb 5, 2022. It is now read-only.

fix(deps): update dependency bower to v1.8.8 [security] #24

Merged
merged 1 commit into from Sep 22, 2021

Conversation

renovate[bot]

@renovate renovate bot commented Sep 17, 2019

WhiteSource Renovate

This PR contains the following updates:

Package: bower (source)
Change: 1.7.5 -> 1.8.8

GitHub Vulnerability Alerts

CVE-2019-5484

Versions of bower prior to 1.8.8 are affected by an arbitrary file write vulnerability. The vulnerability occurs because bower does not verify that extracted symbolic links do not resolve to targets outside of the extraction root directory.

Recommendation

Update to version 1.8.8 or later


Release Notes

bower/bower

v1.8.8


Fix security issue connected to extracting .tar.gz archives

This bug allows writing arbitrary files to the filesystem when Bower extracts a malicious package

Needless to say, please upgrade

v1.8.7


Fixes side effect of fix from v1.8.6 that caused improper permissions for extracted folders

https://github.com/bower/bower/issues/2532

v1.8.6


Fix Zip Slip Vulnerability of decompress-zip package: https://snyk.io/research/zip-slip-vulnerability

Note: v1.8.5 has been unpublished because of missing files

v1.8.4


  • Fixes release 1.8.3 by publishing with npm@3 instead of npm@5 (to include lib/node_modules)

v1.8.3


  • 451c60e Do not store resolutions if --save is not used, fixes #2344 (#2508)
  • 50ee729 Allow to disable shorthand resolver (#2507)
  • bb17839 Allow shallow cloning when source is a ssh protocol (#2506)
  • 5a6ae54 Add support for Arrays in Environment Variable replacement (#2411)
  • 74af42c Only replace last @ after (if any) last / with # (#2395)
  • 💯Make tests work on Windows / Linux / OSX on node versions 0.10 / 0.12 / 4 / 6 / 8 / 9
  • 💅Format source code with prettier

v1.8.2


Migrate registry url from http://bower.herokuapp.com to https://registry.bower.io

This is so we can leverage a CDN and offload the Heroku instance, reducing costs.

v1.8.0

  • Download tar archives from GitHub when possible (#2263)
    • Change default shorthand resolver for github from git:// to https://
  • Fix ssl handling by not setting GIT_SSL_NO_VERIFY=false (#2361)
  • Allow for removing components with url instead of name (#2368)
  • Show in warning message location of malformed bower.json (#2357)
  • Improve handling of non-semver versions in git resolver (#2316)
  • Fix handling of cached releases pluginResolverFactory (#2356)
  • Allow to type the entire version when conflict occurred (#2243)
  • Allow owner/reponame shorthand for registering components (#2248)
  • Allow single-char repo names and package names (#2249)
  • Make bower version no longer honor version in bower.json (#2232)
  • Add postinstall hook (#2252)
  • Allow for @ instead of # for install and info commands (#2322)
  • Upgrade all bundled modules

v1.7.9


  • Show warnings for invalid bower.json fields
  • Update bower-json
    • Less strict validation on package name (allow spaces, slashes, and "@")

v1.7.8


  • Don't ask for git credentials in non-interactive session, fixes #956 #1009
  • Prevent swallowing exceptions with programmatic api, fixes #2187
  • Update graceful-fs to 4.x in all dependencies, fixes nodejs/node#5213
  • Resolve pluggable resolvers using cwd and fallback to global modules, fixes #1919
  • Upgrade handlebars to 4.0.5, closes #2195
  • Replace all % characters in defined scripts, instead of only first one, fixes #2174
  • Update opn package to fix issues with "bower open" command on Windows
  • Update bower-config
  • Update bower-json
    • Validate package name more strictly and allow only latin letters, dots, dashes and underscores
  • Add support for "save" and "save-exact" in .bowerrc, #2161

v1.7.7


Revert locations of all files while still packaging node_modules.

It's because people are depending on internals of bower, like
bower/lib/renderers/StandardRenderer. We want to preserve this
implicit contract, but we discourage it. The only official way
to use bower programmatically is through require('bower').

v1.7.6


  • Revert location of "bin/bower" as developers are using it directly (#2157)
    Note: Correctly, you should use an alias created in npm bin --global.

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by WhiteSource Renovate. View repository job log here.

@pull-assistant

pull-assistant bot commented Sep 17, 2019

Score: 1.00

Best reviewed: commit by commit


Optimal code review plan

     Update dependency bower to v1.8.8 [SECURITY]

Powered by Pull Assistant. Last update 244f3ac ... 244f3ac. Read the comment docs.

@renovate renovate bot changed the title Update dependency bower to v1.8.8 [SECURITY] fix(deps): update dependency bower to v1.8.8 [security] Feb 17, 2021
@renovate renovate bot force-pushed the renovate/npm-bower-vulnerability branch from 244f3ac to 9301b81 February 17, 2021 18:05
@renovate renovate bot force-pushed the renovate/npm-bower-vulnerability branch 15 times, most recently from 1fc5f68 to bdde330 September 22, 2021 21:08
@renovate renovate bot force-pushed the renovate/npm-bower-vulnerability branch from bdde330 to c58e2c5 September 22, 2021 21:37
@renovate renovate bot merged commit 6668b3f into master Sep 22, 2021
@renovate renovate bot deleted the renovate/npm-bower-vulnerability branch September 22, 2021 21:39