chore(deps): update dependency npm to 8.11.0 [security] (!37) · Merge requests · Perun / Perun ProxyIdP / v1 / simplesamlphp-module-authswitcher

Project 'perun-proxy-aai/simplesamlphp/simplesamlphp-module-authswitcher' was moved to 'perun/perun-proxyidp/v1/simplesamlphp-module-authswitcher'. Please update any links and bookmarks that may still have the old path.

Merged Pavel Břoušek requested to merge renovate/npm-npm-vulnerability into main 3 years ago

Created by: renovate[bot]

This PR contains the following updates:

Package	Change
npm	`8.10.0` -> `8.11.0`

GitHub Vulnerability Alerts

CVE-2022-29244

Impact

npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish inside a workspace, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.

Patch

Upgrade to the latest, patched version of npm (v8.11.0), run: npm i -g npm@latest
Node.js versions v16.15.1, v17.19.1 & v18.3.0 include the patched v8.11.0 version of npm

Steps to take to see if you're impacted

Run npm publish --dry-run or npm pack with an npm version >=7.9.0 & <8.11.0 inside the project's root directory using a workspace flag like: --workspaces or --workspace=<name> (ex. npm pack --workspace=foo)
Check the output in your terminal which will list the package contents (note: tar -tvf <package-on-disk> also works)
If you find that there are files included you did not expect, you should: 3.1. Create & publish a new release excluding those files (ref. "Keeping files out of your Package") 3.2. Deprecate the old package (ex. npm deprecate <pkg>[@<version>] <message>) 3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed

References

Configuration

Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

Activity

Pavel Břoušek @433364 · 3 years ago

Author Contributor

Merged by: melanger at 2022-06-02 18:52:46 UTC
Pavel Břoušek @433364 · 2 years ago

Author Contributor

Created by: github-actions[bot]

This PR is included in version 10.5.1

The release is available on GitHub release

Your semantic-release bot :package::rocket:

Please register or sign in to reply

chore(deps): update dependency npm to 8.11.0 [security]

GitHub Vulnerability Alerts

CVE-2022-29244

Impact

Patch

Steps to take to see if you're impacted

References

Configuration

Merge request reports

Activity