Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore(deps): [security] bump npm from 6.10.1 to 6.13.4 (#159)
Bumps [npm](https://github.com/npm/cli) from 6.10.1 to 6.13.4. **This update includes security fixes.** <details> <summary>Vulnerabilities fixed</summary> *Sourced from The GitHub Security Advisory Database.* > **Low severity vulnerability that affects npm** > ## Unauthorized File Access > > Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of the`node_modules` folder through the `bin` field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. > > This behavior is possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. > > Thank you Daniel Ruf for responsibly reporting the issue! > > Further information: [npm blog post](https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli) > > Affected versions: < 6.13.3 *Sourced from The GitHub Security Advisory Database.* > **Low severity vulnerability that affects npm** > ## Arbitrary File Write > > Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended `node_modules` folder through the `bin` field. A properly constructed entry in the package.json `bin` field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed. > > This behavior is possible through install scripts. This vulnerability bypasses a user using the `--ignore-scripts` install option. > > Thank you Daniel Ruf for reporting the issue! > > Further information: [npm blog post](https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli) > > Affected versions: < 6.13.3 *Sourced from The GitHub Security Advisory Database.* > **Low severity vulnerability that affects npm** > ## Arbitrary File Overwrite > > Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a `serve` binary, any subsequent installs of packages that also create a `serve` binary would overwrite the previous `serve` binary. > > This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. > > Thank you to Daniel Ruf for reporting the issue! > > Further information: [npm blog post](https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli) > > Affected versions: < 6.13.4 </details> <details> <summary>Release notes</summary> *Sourced from [npm's releases](https://github.com/npm/cli/releases).* > ## v6.13.4 > ## 6.13.4 (2019-12-11) > > ## BUGFIXES > > * [`320ac9aee`](npm/cli@320ac9a) [npm/bin-links#12](https://github-redirect.dependabot.com/npm/bin-links/pull/12) [npm/gentle-fs#7](https://github-redirect.dependabot.com/npm/gentle-fs/pull/7) Do not remove global bin/man links inappropriately ([@​isaacs](https://github.com/isaacs)) > > ## DEPENDENCIES > > * [`52fd21061`](npm/cli@52fd210) `gentle-fs@2.3.0` ([@​isaacs](https://github.com/isaacs)) > * [`d06f5c0b0`](npm/cli@d06f5c0) `bin-links@1.1.6` ([@​isaacs](https://github.com/isaacs)) > > ## v6.13.3 > ## 6.13.3 (2019-12-09) > > ### DEPENDENCIES > > * [`19ce061a2`](npm/cli@19ce061) `bin-links@1.1.5` Properly normalize, sanitize, and verify `bin` entries in `package.json`. > * [`59c836aae`](npm/cli@59c836a) `npm-packlist@1.4.7` > * [`fb4ecd7d2`](npm/cli@fb4ecd7) `pacote@9.5.11` > * [`5f33040`](npm/pacote@5f33040) [#476](https://github-redirect.dependabot.com/npm/cli/issues/476) [npm/pacote#22](https://github-redirect.dependabot.com/npm/pacote/issues/22) [npm/pacote#14](https://github-redirect.dependabot.com/npm/pacote/issues/14) fix: Do not drop perms in git when not root ([isaacs](https://github.com/isaacs), [@​darcyclarke](https://github.com/darcyclarke)) > * [`6f229f7`](https://github.com/npm/pacote/6f229f78d9911b4734f0a19c6afdc5454034c759) sanitize and normalize package bin field ([isaacs](https://github.com/isaacs)) > * [`1743cb339`](npm/cli@1743cb3) `read-package-json@2.1.1` > > ## v6.13.2 > ## 6.13.2 (2019-12-03) > > ### BUG FIXES > > * [`4429645b3`](npm/cli@4429645) [#546](https://github-redirect.dependabot.com/npm/cli/pull/546) fix docs target typo ([@​richardlau](https://github.com/richardlau)) > * [`867642942`](npm/cli@8676429) [#142](https://github-redirect.dependabot.com/npm/cli/pull/142) fix(packageRelativePath): fix 'where' for file deps ([@​larsgw](https://github.com/larsgw)) > * [`d480f2c17`](npm/cli@d480f2c) [#527](https://github-redirect.dependabot.com/npm/cli/pull/527) Revert "windows: Add preliminary WSL support for npm and npx" ([@​craigloewen-msft](https://github.com/craigloewen-msft)) > * [`e4b97962e`](npm/cli@e4b9796) [#504](https://github-redirect.dependabot.com/npm/cli/pull/504) remove unnecessary package.json read when reading shrinkwrap ([@​Lighting-Jack](https://github.com/Lighting-Jack)) > * [`1c65d26ac`](npm/cli@1c65d26) [#501](https://github-redirect.dependabot.com/npm/cli/pull/501) fix(fund): open url for string shorthand ([@​ruyadorno](https://github.com/ruyadorno)) > * [`ae7afe565`](npm/cli@ae7afe5) [#263](https://github-redirect.dependabot.com/npm/cli/pull/263) Don't log error message if git tagging is disabled ([@​woppa684](https://github.com/woppa684)) > * [`4c1b16f6a`](npm/cli@4c1b16f) [#182](https://github-redirect.dependabot.com/npm/cli/pull/182) Warn the user that it is uninstalling npm-install ([@​Hoidberg](https://github.com/Hoidberg)) > > ## v6.13.1 > ## 6.13.1 (2019-11-18) > > ### BUG FIXES > > * [`938d6124d`](npm/cli@938d612) [#472](https://github-redirect.dependabot.com/npm/cli/pull/472) fix(fund): support funding string shorthand ([@​ruyadorno](https://github.com/ruyadorno)) > * [`b49c5535b`](npm/cli@b49c553) [#471](https://github-redirect.dependabot.com/npm/cli/pull/471) should not publish tap-snapshot folder ([@​ruyadorno](https://github.com/ruyadorno)) > * [`3471d5200`](npm/cli@3471d52) [#253](https://github-redirect.dependabot.com/npm/cli/pull/253) Add preliminary WSL support for npm and npx ([@​infinnie](https://github.com/infinnie)) > * [`3ef295f23`](npm/cli@3ef295f) [#486](https://github-redirect.dependabot.com/npm/cli/pull/486) print quick audit report for human output ([@​isaacs](https://github.com/isaacs)) > > ### TESTING > > * [`dbbf977ac`](npm/cli@dbbf977) [#278](https://github-redirect.dependabot.com/npm/cli/pull/278) added workflow to trigger and run benchmarks ([@​mikemimik](https://github.com/mikemimik)) ></tr></table> ... (truncated) </details> <details> <summary>Changelog</summary> *Sourced from [npm's changelog](https://github.com/npm/cli/blob/latest/CHANGELOG.md).* > ## 6.13.4 (2019-12-11) > > ## BUGFIXES > > * [`320ac9aee`](npm/cli@320ac9a) > [npm/bin-links#12](https://github-redirect.dependabot.com/npm/bin-links/pull/12) > [npm/gentle-fs#7](https://github-redirect.dependabot.com/npm/gentle-fs/pull/7) > Do not remove global bin/man links inappropriately > ([@​isaacs](https://github.com/isaacs)) > > ## DEPENDENCIES > > * [`52fd21061`](npm/cli@52fd210) > `gentle-fs@2.3.0` > ([@​isaacs](https://github.com/isaacs)) > * [`d06f5c0b0`](npm/cli@d06f5c0) > `bin-links@1.1.6` > ([@​isaacs](https://github.com/isaacs)) > > ## 6.13.3 (2019-12-09) > > ### DEPENDENCIES > > * [`19ce061a2`](npm/cli@19ce061) > `bin-links@1.1.5` Properly normalize, sanitize, and verify `bin` entries > in `package.json`. > * [`59c836aae`](npm/cli@59c836a) > `npm-packlist@1.4.7` > * [`fb4ecd7d2`](npm/cli@fb4ecd7) > `pacote@9.5.11` > * [`5f33040`](npm/pacote@5f33040) > [#476](https://github-redirect.dependabot.com/npm/cli/issues/476) > [npm/pacote#22](https://github-redirect.dependabot.com/npm/pacote/issues/22) > [npm/pacote#14](https://github-redirect.dependabot.com/npm/pacote/issues/14) fix: Do not > drop perms in git when not root ([isaacs](https://github.com/isaacs), > [@​darcyclarke](https://github.com/darcyclarke)) > * [`6f229f7`](https://github.com/npm/pacote/6f229f78d9911b4734f0a19c6afdc5454034c759) > sanitize and normalize package bin field > ([isaacs](https://github.com/isaacs)) > * [`1743cb339`](npm/cli@1743cb3) > `read-package-json@2.1.1` > > > ## 6.13.2 (2019-12-03) > > ### BUG FIXES > > * [`4429645b3`](npm/cli@4429645) > [#546](https://github-redirect.dependabot.com/npm/cli/pull/546) > fix docs target typo ></tr></table> ... (truncated) </details> <details> <summary>Commits</summary> - [`fd29398`](npm/cli@fd29398) 6.13.4 - [`f2aca36`](npm/cli@f2aca36) docs: changelog for 6.13.4 - [`320ac9a`](npm/cli@320ac9a) Do not remove global bin/man links inappropriately - [`d06f5c0`](npm/cli@d06f5c0) bin-links@1.1.6 - [`52fd210`](npm/cli@52fd210) gentle-fs@2.3.0 - [`45482c2`](npm/cli@45482c2) 6.13.3 - [`118bc96`](npm/cli@118bc96) docs: changelog for 6.13.3 - [`1743cb3`](npm/cli@1743cb3) read-package-json@2.1.1 - [`fb4ecd7`](npm/cli@fb4ecd7) pacote@9.5.11 - [`59c836a`](npm/cli@59c836a) npm-packlist@1.4.7 - Additional commits viewable in [compare view](npm/cli@v6.10.1...v6.13.4) </details> <br /> [](https://dependabot.com/compatibility-score.html?dependency-name=npm&package-manager=npm_and_yarn&previous-version=6.10.1&new-version=6.13.4) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) </details>
- Loading branch information
1 parent
3639dbb
commit 8933fb1