This repository has been archived by the owner on Nov 23, 2021. It is now read-only.

fix(deps): update dependency bower to v1.8.8 [security] #26

Merged
merged 1 commit into master from renovate/npm-bower-vulnerability on Sep 23, 2021

Conversation

renovate[bot]
@renovate renovate bot commented Sep 17, 2019

WhiteSource Renovate

This PR contains the following updates:

Package         Change
bower (source)  1.7.10 -> 1.8.8

GitHub Vulnerability Alerts

CVE-2019-5484

Versions of bower prior to 1.8.8 are affected by an arbitrary file write vulnerability. The vulnerability occurs because bower does not verify that extracted symbolic links do not resolve to targets outside of the extraction root directory.

Recommendation

Update to version 1.8.8 or later


Release Notes

bower/bower

v1.8.8

Fix security issue connected to extracting .tar.gz archives

This bug allows writing arbitrary files on the filesystem when Bower extracts a malicious package

Needless to say, please upgrade

v1.8.7

Fixes a side effect of the fix from v1.8.6 that caused improper permissions for extracted folders

https://github.com/bower/bower/issues/2532

v1.8.6

Fix Zip Slip Vulnerability of decompress-zip package: https://snyk.io/research/zip-slip-vulnerability

Note: v1.8.5 has been unpublished because of missing files

v1.8.4

  • Fixes release 1.8.3 by publishing with npm@3 instead of npm@5 (to include lib/node_modules)

v1.8.3

  • 451c60e Do not store resolutions if --save is not used, fixes #2344 (#2508)
  • 50ee729 Allow disabling the shorthand resolver (#2507)
  • bb17839 Allow shallow cloning when the source is an ssh protocol (#2506)
  • 5a6ae54 Add support for Arrays in Environment Variable replacement (#2411)
  • 74af42c Only replace the last @ after (if any) the last / with # (#2395)
  • 💯Make tests work on Windows / Linux / OSX on node versions 0.10 / 0.12 / 4 / 6 / 8 / 9
  • 💅Format source code with prettier

v1.8.2

Migrate the registry URL from http://bower.herokuapp.com to https://registry.bower.io

This lets us leverage a CDN and offload the Heroku instance, reducing costs.

v1.8.0

  • Download tar archives from GitHub when possible (#2263)
    • Change the default shorthand resolver for GitHub from git:// to https://
  • Fix SSL handling by not setting GIT_SSL_NO_VERIFY=false (#2361)
  • Allow removing components by URL instead of name (#2368)
  • Show the location of a malformed bower.json in the warning message (#2357)
  • Improve handling of non-semver versions in the git resolver (#2316)
  • Fix handling of cached releases in pluginResolverFactory (#2356)
  • Allow typing the entire version when a conflict occurred (#2243)
  • Allow the owner/reponame shorthand for registering components (#2248)
  • Allow single-char repo names and package names (#2249)
  • Make bower version no longer honor the version in bower.json (#2232)
  • Add postinstall hook (#2252)
  • Allow @ instead of # for the install and info commands (#2322)
  • Upgrade all bundled modules

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by WhiteSource Renovate. View repository job log here.

@pull-assistant
pull-assistant bot commented Sep 17, 2019

Score: 1.00

Best reviewed: commit by commit


Optimal code review plan

     fix(deps): update dependency bower to v1.8.8 [security]

Powered by Pull Assistant. Last update c8d7d73 ... c8d7d73. Read the comment docs.

@renovate renovate bot force-pushed the renovate/npm-bower-vulnerability branch 29 times, most recently from 3b5779e to 9deea53 on September 23, 2021 11:53
@renovate renovate bot force-pushed the renovate/npm-bower-vulnerability branch 2 times, most recently from 90662ad to 6f7e407 on September 23, 2021 12:49
@renovate renovate bot force-pushed the renovate/npm-bower-vulnerability branch from 6f7e407 to d3599dc on September 23, 2021 12:52
@renovate renovate bot merged commit d5846ea into master Sep 23, 2021
@renovate renovate bot deleted the renovate/npm-bower-vulnerability branch September 23, 2021 13:34