This repository has been archived by the owner on Nov 23, 2021. It is now read-only.
fix(deps): update dependency bower to v1.8.8 [security] #26
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.7.10
->1.8.8
GitHub Vulnerability Alerts
CVE-2019-5484
Versions of
bower
prior to 1.8.8 are affected by an arbitrary file write vulnerability. The vulnerability occurs becausebower
does not verify that extracted symbolic links do not resolve to targets outside of the extraction root directory.Recommendation
Update to version 1.8.8 or later
Release Notes
bower/bower
v1.8.8
Compare Source
Fix security issue connected to extracting .tar.gz archives
This bug allows to write arbitrary file on filesystem when Bower extracts malicious package
Needlessly to say, please upgrade
v1.8.7
Compare Source
Fixes side effect of fix from v1.8.6 that caused improper permissions for extracted folders
https://github.com/bower/bower/issues/2532
v1.8.6
Compare Source
Fix Zip Slip Vulnerability of decompress-zip package: https://snyk.io/research/zip-slip-vulnerability
Note: v1.8.5 has been unpublished because of missing files
v1.8.4
Compare Source
lib/node_modules
)v1.8.3
Compare Source
451c60e
Do not store resolutions if --save is not used, fixes #2344 (#2508)50ee729
Allow to disable shorthand resolver (#2507)bb17839
Allow shallow cloning when source is a ssh protocol (#2506)5a6ae54
Add support for Arrays in Environment Variable replacement (#2411)74af42c
Only replace last@
after (if any) last/
with#
(#2395)v1.8.2
Compare Source
Migrate registry url from http://bower.herokuapp.com to https://registry.bower.io
It is so we leverage CDN and offload Heroku instance reducing costs.
v1.8.0
git://
tohttps://
owner/reponame
shorthand for registering components (#2248)bower version
no longer honorversion
in bower.json (#2232)postinstall
hook (#2252)@
instead of#
forinstall
andinfo
commands (#2322)Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.