
[Snyk] Upgrade bower from 1.8.0 to 1.8.8 #1

Open
wants to merge 1 commit into base: master

Conversation

@snyk-bot snyk-bot commented Dec 5, 2019

Snyk has created this PR to upgrade bower from 1.8.0 to 1.8.8.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
  • The recommended version is 6 versions ahead of your current version.
  • The recommended version was released 10 months ago, on 2019-01-23.

The recommended version fixes:

Issue: Arbitrary File Write via Archive Extraction (Zip Slip), SNYK-JS-BOWER-73627
Release notes
Package name: bower
  • 1.8.8 - 2019-01-23

    Fix security issue connected to extracting .tar.gz archives

    This bug allows writing an arbitrary file on the filesystem when Bower extracts a malicious package

    Needless to say, please upgrade

  • 1.8.7 - 2019-01-17

    Fixes side effect of fix from v1.8.6 that caused improper permissions for extracted folders

    #2532

  • 1.8.6 - 2019-01-17

    Fix Zip Slip Vulnerability of decompress-zip package: https://snyk.io/research/zip-slip-vulnerability

    Note: v1.8.5 has been unpublished because of missing files

  • 1.8.4 - 2018-03-28
    • Fixes release 1.8.3 by publishing with npm@3 instead of npm@5 (to include lib/node_modules)
  • 1.8.3 - 2018-03-28
    • 451c60e Do not store resolutions if --save is not used, fixes #2344 (#2508)
    • 50ee729 Allow to disable shorthand resolver (#2507)
    • bb17839 Allow shallow cloning when source is a ssh protocol (#2506)
    • 5a6ae54 Add support for Arrays in Environment Variable replacement (#2411)
    • 74af42c Only replace last @ after (if any) last / with # (#2395)
    • 💯Make tests work on Windows / Linux / OSX on node versions 0.10 / 0.12 / 4 / 6 / 8 / 9
    • 💅Format source code with prettier
  • 1.8.2 - 2017-09-13

    Migrate registry url from http://bower.herokuapp.com to https://registry.bower.io

    It is so we leverage CDN and offload Heroku instance reducing costs.

  • 1.8.0 - 2016-11-07
    • Download tar archives from GitHub when possible (#2263)
      • Change default shorthand resolver for github from git:// to https://
    • Fix ssl handling by not setting GIT_SSL_NO_VERIFY=false (#2361)
    • Allow for removing components with url instead of name (#2368)
    • Show in warning message location of malformed bower.json (#2357)
    • Improve handling of non-semver versions in git resolver (#2316)
    • Fix handling of cached releases pluginResolverFactory (#2356)
    • Allow to type the entire version when conflict occurred (#2243)
    • Allow owner/reponame shorthand for registering components (#2248)
    • Allow single-char repo names and package names (#2249)
    • Make bower version no longer honor version in bower.json (#2232)
    • Add postinstall hook (#2252)
    • Allow for @ instead of # for install and info commands (#2322)
    • Upgrade all bundled modules
from bower GitHub release notes

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs
