This repository has been archived by the owner on Mar 20, 2021. It is now read-only.

[Snyk] Upgrade bower from 1.1.2 to 1.8.8 #6

Closed


snyk-bot

Snyk has created this PR to upgrade bower from 1.1.2 to 1.8.8.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
  • The recommended version is 54 versions ahead of your current version.
  • The recommended version was released a year ago, on 2019-01-23.

The recommended version fixes:

| Severity | Issue | Snyk ID | Exploit Maturity |
|---|---|---|---|
| | Improper minification of non-boolean comparisons | npm:uglify-js:20150824 | No Known Exploit |
| | Prototype Override Protection Bypass | npm:qs:20170213 | No Known Exploit |
| | Denial of Service (DoS) | npm:qs:20140806 | No Known Exploit |
| | Regular Expression Denial of Service (ReDoS) | npm:minimatch:20160620 | No Known Exploit |
| | Prototype Pollution | npm:deep-extend:20180409 | No Known Exploit |
| | Symlink File Overwrite | npm:tar:20151103 | No Known Exploit |
| | Arbitrary File Overwrite | SNYK-JS-TAR-174125 | No Known Exploit |
| | Arbitrary Command Injection | npm:open:20180512 | Mature |
| | Arbitrary Code Injection | SNYK-JS-OPEN-174041 | No Known Exploit |
| | Prototype Pollution | SNYK-JS-LODASH-73638 | No Known Exploit |
| | Prototype Pollution | SNYK-JS-LODASH-450202 | Proof of Concept |
| | Prototype Pollution | SNYK-JS-HANDLEBARS-534988 | No Known Exploit |
| | Arbitrary Code Execution | SNYK-JS-HANDLEBARS-534478 | No Known Exploit |
| | Prototype Pollution | SNYK-JS-HANDLEBARS-469063 | No Known Exploit |
| | Prototype Pollution | SNYK-JS-HANDLEBARS-173692 | No Known Exploit |
| | Arbitrary File Overwrite | SNYK-JS-FSTREAM-174725 | No Known Exploit |
| | Arbitrary File Write via Archive Extraction (Zip Slip) | SNYK-JS-BOWER-73627 | No Known Exploit |
| | Regular Expression Denial of Service (ReDoS) | npm:uglify-js:20151024 | No Known Exploit |
| | Uninitialized Memory Exposure | npm:tunnel-agent:20170305 | Proof of Concept |
| | Regular Expression Denial of Service (ReDoS) | npm:semver:20150403 | No Known Exploit |
| | Regular Expression Denial of Service (ReDoS) | npm:semver:20150403 | No Known Exploit |
| | Remote Memory Exposure | npm:request:20160119 | No Known Exploit |
| | Remote Memory Exposure | npm:request:20160119 | No Known Exploit |
| | Denial of Service (DoS) | npm:qs:20140806-1 | No Known Exploit |
| | Timing Attack | npm:http-signature:20150122 | No Known Exploit |
| | Prototype Pollution | npm:hoek:20180212 | No Known Exploit |
| | Prototype Pollution | SNYK-JS-MINIMIST-559764 | Proof of Concept |
| | Prototype Pollution | npm:lodash:20180130 | No Known Exploit |
| | Regular Expression Denial of Service (ReDoS) | SNYK-JS-LODASH-73639 | No Known Exploit |
| | Cross-site Scripting (XSS) | npm:handlebars:20151207 | No Known Exploit |
| | Regular Expression Denial of Service (ReDoS) | npm:mime:20170907 | No Known Exploit |
| | Regular Expression Denial of Service (ReDoS) | npm:hawk:20160119 | No Known Exploit |
Release notes
Package name: bower
  • 1.8.8 - 2019-01-23

    Fix security issue connected to extracting .tar.gz archives

    This bug allows writing an arbitrary file on the filesystem when Bower extracts a malicious package

    Needless to say, please upgrade

  • 1.8.7 - 2019-01-17

    Fixes side effect of fix from v1.8.6 that caused improper permissions for extracted folders

    #2532

  • 1.8.6 - 2019-01-17

    Fix Zip Slip Vulnerability of decompress-zip package: https://snyk.io/research/zip-slip-vulnerability

    Note: v1.8.5 has been unpublished because of missing files

  • 1.8.4 - 2018-03-28
    • Fixes release 1.8.3 by publishing with npm@3 instead of npm@5 (to include lib/node_modules)
  • 1.8.3 - 2018-03-28
    • 451c60e Do not store resolutions if --save is not used, fixes #2344 (#2508)
    • 50ee729 Allow to disable shorthand resolver (#2507)
    • bb17839 Allow shallow cloning when source is a ssh protocol (#2506)
    • 5a6ae54 Add support for Arrays in Environment Variable replacement (#2411)
    • 74af42c Only replace last @ after (if any) last / with # (#2395)
    • 💯Make tests work on Windows / Linux / OSX on node versions 0.10 / 0.12 / 4 / 6 / 8 / 9
    • 💅Format source code with prettier
  • 1.8.2 - 2017-09-13

    Migrate registry url from http://bower.herokuapp.com to https://registry.bower.io

    This is so we can leverage a CDN and offload the Heroku instance, reducing costs.

  • 1.8.0 - 2016-11-07
    • Download tar archives from GitHub when possible (#2263)
      • Change default shorthand resolver for github from git:// to https://
    • Fix ssl handling by not setting GIT_SSL_NO_VERIFY=false (#2361)
    • Allow for removing components with url instead of name (#2368)
    • Show in warning message location of malformed bower.json (#2357)
    • Improve handling of non-semver versions in git resolver (#2316)
    • Fix handling of cached releases pluginResolverFactory (#2356)
    • Allow to type the entire version when conflict occurred (#2243)
    • Allow owner/reponame shorthand for registering components (#2248)
    • Allow single-char repo names and package names (#2249)
    • Make bower version no longer honor version in bower.json (#2232)
    • Add postinstall hook (#2252)
    • Allow for @ instead of # for install and info commands (#2322)
    • Upgrade all bundled modules
  • 1.7.10 - 2017-09-13
  • 1.7.9 - 2016-04-05
    • Show warnings for invalid bower.json fields
    • Update bower-json
      • Less strict validation on package name (allow spaces, slashes, and "@")
  • 1.7.8 - 2016-04-04
  • 1.7.7 - 2016-01-27
  • 1.7.6 - 2016-01-27
  • 1.7.5 - 2016-01-26
  • 1.7.2 - 2015-12-31
  • 1.7.1 - 2015-12-11
  • 1.7.0 - 2015-12-07
  • 1.6.9 - 2015-12-04
  • 1.6.8 - 2015-11-27
  • 1.6.7 - 2015-11-26
  • 1.6.6 - 2015-11-25
  • 1.6.5 - 2015-10-24
  • 1.6.4 - 2015-10-24
  • 1.6.3 - 2015-10-16
  • 1.6.2 - 2015-10-15
  • 1.5.4 - 2015-11-24
  • 1.5.3 - 2015-09-24
  • 1.5.2 - 2015-08-25
  • 1.5.1 - 2015-08-23
  • 1.5.0 - 2015-08-23
  • 1.4.2 - 2015-11-24
  • 1.4.1 - 2015-04-01
  • 1.4.0 - 2015-03-30
  • 1.3.12 - 2014-09-28
  • 1.3.11 - 2014-09-18
  • 1.3.10 - 2014-09-13
  • 1.3.9 - 2014-08-06
  • 1.3.8 - 2014-07-11
  • 1.3.7 - 2014-07-04
  • 1.3.6 - 2014-07-02
  • 1.3.5 - 2014-06-08
  • 1.3.4 - 2014-06-02
  • 1.3.3 - 2014-04-24
  • 1.3.2 - 2014-04-07
  • 1.3.1 - 2014-03-11
  • 1.3.0 - 2014-03-11
  • 1.2.8 - 2013-12-02
  • 1.2.7 - 2013-09-29
  • 1.2.6 - 2013-09-04
  • 1.2.5 - 2013-08-28
  • 1.2.4 - 2013-08-23
  • 1.2.3 - 2013-08-22
  • 1.2.2 - 2013-08-20
  • 1.2.1 - 2013-08-19
  • 1.2.0 - 2013-08-19
  • 1.1.2 - 2013-08-10
from bower GitHub release notes

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@cwstege cwstege closed this Jan 7, 2021
Development

Successfully merging this pull request may close these issues.

install with force-latest should not update bower.json
3 participants