Bump tmp and eslint#93
Conversation
Removes [tmp](https://github.com/raszi/node-tmp). It's no longer used after updating ancestor dependency eslint. These dependencies need to be updated together. Removes `tmp` Updates `eslint` from 4.18.2 to 10.4.0 --- updated-dependencies: - dependency-name: tmp dependency-version: dependency-type: indirect - dependency-name: eslint dependency-version: 10.4.0 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
![semgrepcode-auth0[bot]](https://avatars.githubusercontent.com/in/977730?s=60&v=4){kind=small}
| }, | ||
| "jsonwebtoken": { | ||
| "node_modules/jsonwebtoken": { |
There was a problem hiding this comment.
Medium severity vulnerability may affect your project—review required:
Line 3681 lists a dependency (jsonwebtoken) with a known Medium severity vulnerability.
ℹ️ Why this matters
Affected versions of jsonwebtoken are vulnerable to Improper Authentication. Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC.
To resolve this comment:
Check if you are using a poorly implemented key retrieval function and your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function..
- If you're affected, upgrade this dependency to at least version 9.0.0 at package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| "version": "1.0.0", | ||
| "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", | ||
| "integrity": "sha1-FQStJSMVjKpA20onh8sBQRmU6k8=", | ||
| "dev": true | ||
| }, | ||
| "fsevents": { | ||
| "node_modules/fsevents": { |
There was a problem hiding this comment.
👿 Malicious dependency detected—remove immediately
The version 1.1.3 of fsevents contains malicious code and is a critical security risk. Upgrade
to 1.2.11 to resolve this issue.
ℹ️ Why this matters
This specific version of fsevents contains malicious code. Upgrade to the safe version immediately.
References: https://osv.dev/vulnerability/MAL-2023-462
To resolve this comment:
Upgrade this dependency to at least version 1.2.11 at package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| } | ||
| }, | ||
| "tree-kill": { | ||
| "node_modules/tree-kill": { |
There was a problem hiding this comment.
High severity vulnerability may affect your project—review required:
Line 5033 lists a dependency (tree-kill) with a known High severity vulnerability.
ℹ️ Why this matters
Affected versions of tree-kill are vulnerable to Improper Control of Generation of Code ('Code Injection'). The tree-kill package is vulnerable to command injection on Windows. An attacker can control the unsanitized input passed to the kill function, potentially leading to arbitrary command execution on the host system.
To resolve this comment:
Check if you are using tree-kill Command Line Interface in Windows System.
- If you're affected, upgrade this dependency to at least version 1.2.2 at package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| }, | ||
| "jsonwebtoken": { | ||
| "node_modules/jsonwebtoken": { |
There was a problem hiding this comment.
High severity vulnerability may affect your project—review required:
Line 3681 lists a dependency (jsonwebtoken) with a known High severity vulnerability.
ℹ️ Why this matters
Affected versions of jsonwebtoken are vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.
To resolve this comment:
Check if you are using a legacy, insecure key type with a supported algorithm; for example, DSA keys could be used with the RS256 algorithm.
- If you're affected, upgrade this dependency to at least version 9.0.0 at package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| "ms": "2.0.0" | ||
| } | ||
| }, | ||
| "node_modules/fsevents/node_modules/deep-extend": { |
There was a problem hiding this comment.
Critical severity vulnerability introduced by a package you're using:
Line 2207 lists a dependency (deep-extend) with a known Critical severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
Affected version of deep-extend is vulnerable to Prototype Pollution. Malicious input passed to deep-extend allows an attacker to overwrite the prototype of Object, polluting all JavaScript objects with arbitrary properties. This can lead to Denial of Service or even Remote Code Execution.
To resolve this comment:
Upgrade this dependency to at least version 0.5.1 at package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
Removes tmp. It's no longer used after updating ancestor dependency eslint. These dependencies need to be updated together.
Removes
tmpUpdates
eslintfrom 4.18.2 to 10.4.0Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.