Bump @nx/storybook from 19.5.7 to 20.1.3 #4655
base: master
Conversation
@dependabot merge
Sorry, only users with push access can use that command.
Bumps [@nx/storybook](https://github.com/nrwl/nx/tree/HEAD/packages/storybook) from 19.5.7 to 20.1.3.
- [Release notes](https://github.com/nrwl/nx/releases)
- [Commits](https://github.com/nrwl/nx/commits/20.1.3/packages/storybook)

---
updated-dependencies:
- dependency-name: "@nx/storybook"
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
77b8cea to fde074a
@dependabot merge
@@ -36079,6 +42000,12 @@ | |||
"url": "https://github.com/sindresorhus/invert-kv?sponsor=1" | |||
} | |||
}, | |||
"node_modules/ip": { |
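Review bot: this `"node_modules/ip": {` entry is flagged twice on the PR with different versions (1.1.5 in the comment below, 1.1.8 in the later one), so check what the lockfile actually resolves before choosing a pin: `npm ls ip` prints the installed version and the package that pulls it in. Changing only the `"version"` field by hand, as the suggestion below proposes, leaves `"resolved"` and `"integrity"` describing the old tarball and `npm ci` will refuse the lockfile; add an `overrides` entry for `ip` in package.json and let `npm install` regenerate the entry instead.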
ℹ️ Codacy found a minor Security issue: Insecure dependency [email protected] (CVE-2023-42282: nodejs-ip: arbitrary code execution via the isPublic() function) (update to 1.1.9)
The issue identified by the Trivy linter is a security vulnerability in the `ip` package version 1.1.5. Specifically, this vulnerability (CVE-2023-42282) allows for arbitrary code execution through the `isPublic()` function. To mitigate this security risk, it is recommended to update the `ip` package to a secure version, specifically version 1.1.9 or later.

To fix this issue, you can update the version of the `ip` package in your `package.json` or directly in the lock file if you are using one. Here's a single line change to update the version of the `ip` package:

Suggested change:
```diff
- "node_modules/ip": {
+ "node_modules/ip": { "version": "1.1.9", ... }
```

Make sure to run `npm install` afterwards to update the package in your project.
This comment was generated by an experimental AI tool.
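The comment above, and most of the later ones on this PR, stop at "edit the version in the lock file and run `npm install`". The script below is an added example (not code from this project, Dependabot, Codacy or Trivy) of the step that actually needs doing first: it reads a lockfileVersion 2/3 `package-lock.json` `packages` map, finds every copy of a flagged package, works out which dependents resolve to each copy using Node's node_modules lookup order, and emits a package.json `overrides` block scoped to the dependent that pulls the vulnerable copy in, so the pin lives in `package.json` and `npm install` regenerates `resolved` and `integrity` itself. `SAMPLE_LOCK` is a constructed lockfile fragment whose paths, ranges and versions are assumptions for the example; the fixed versions in `FIXED` are the ones quoted in the Codacy headers on this PR.

```javascript
// Constructed lockfile fragment in the shape of npm's lockfileVersion 2/3
// "packages" map; the paths, ranges and versions are illustrative assumptions.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { ip: "^1.1.5", "package-json-validator": "^0.6.0",
                          "npm-run-all": "^4.1.5", "@teambit/legacy": "^1.0.0" } },
    "node_modules/ip": { version: "1.1.5" },
    "node_modules/package-json-validator": { version: "0.6.3", dependencies: { minimist: "~0.0.10" } },
    "node_modules/package-json-validator/node_modules/minimist": { version: "0.0.10" },
    "node_modules/npm-run-all": { version: "4.1.5", dependencies: { "cross-spawn": "^6.0.5" } },
    "node_modules/npm-run-all/node_modules/cross-spawn": { version: "6.0.5" },
    "node_modules/semver": { version: "7.5.4" },
    "node_modules/@teambit/legacy": { version: "1.0.0", dependencies: { semver: "^7.3.4" } },
    "node_modules/@teambit/legacy/node_modules/semver": { version: "7.3.4" },
  },
};

// Fixed releases per package, as listed in the advisory headers on this PR.
const FIXED = {
  ip: ["1.1.9", "2.0.1"],
  minimist: ["0.2.1", "1.2.3"],
  "cross-spawn": ["7.0.5"],
  semver: ["5.7.2", "6.3.1", "7.5.2"],
};

const parseVersion = (v) => v.split(".").map(Number);
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Fixed release in the same major line as `version`, or null when the advisory
// only offers a fix in a later major (an API-breaking bump for the dependent).
function sameMajorFix(version, fixedList) {
  const major = parseVersion(version)[0];
  return fixedList.find((f) => parseVersion(f)[0] === major) || null;
}
const isFixed = (version, fixedList) => {
  const fix = sameMajorFix(version, fixedList);
  return fix !== null && compareVersions(version, fix) >= 0;
};

// Package name from a lockfile path (scoped names included).
const nameOf = (path) => path.slice(path.lastIndexOf("node_modules/") + 13);

// Node's lookup order: the requirer's own node_modules, then each ancestor's
// node_modules up to the project root. Returns the lockfile path that wins.
function resolveFrom(lock, requirerPath, name) {
  let base = requirerPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// One finding per vulnerable copy, with every dependent that resolves to it.
function audit(lock, fixed) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (!path) continue;
    const name = nameOf(path);
    if (!(name in fixed) || isFixed(entry.version, fixed[name])) continue;
    const requiredBy = [];
    for (const [reqPath, reqEntry] of Object.entries(lock.packages)) {
      const range = (reqEntry.dependencies || {})[name];
      if (range && resolveFrom(lock, reqPath, name) === path) {
        requiredBy.push({ requirer: reqPath ? nameOf(reqPath) : "(root)", range });
      }
    }
    findings.push({ name, path, version: entry.version, requiredBy });
  }
  return findings;
}

// package.json "overrides": flat for copies the root itself depends on, nested
// under the dependent otherwise. Cross-major bumps are returned separately
// because the dependent's compatibility with the new major needs a human check.
function buildOverrides(findings, fixed) {
  const overrides = {};
  const majorBumps = [];
  for (const f of findings) {
    let target = sameMajorFix(f.version, fixed[f.name]);
    if (target === null) {
      target = [...fixed[f.name]].sort(compareVersions)[0];
      majorBumps.push({ name: f.name, from: f.version, to: target });
    }
    for (const { requirer } of f.requiredBy) {
      if (requirer === "(root)") overrides[f.name] = target;
      else overrides[requirer] = { ...(overrides[requirer] || {}), [f.name]: target };
    }
  }
  return { overrides, majorBumps };
}

console.log(JSON.stringify(buildOverrides(audit(SAMPLE_LOCK, FIXED), FIXED), null, 2));
```

Against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the `majorBumps` list is the set of overrides that cross a major version (here `cross-spawn` 6.0.5 to 7.0.5 under `npm-run-all`) and should not be merged until the dependent has been exercised against the new major. The `overrides` object is pasted into package.json, after which `npm install` rewrites the lock entries with correct `resolved` and `integrity` fields.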
"node_modules/sprintf-js": { | ||
"version": "1.0.3", | ||
"resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", | ||
"integrity": "sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==", | ||
"license": "BSD-3-Clause" | ||
}, | ||
"node_modules/ssh2": { |
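Review bot: the replacement line `"ssh2": "^1.4.0",` proposed below is a package.json dependency line, not a lockfile `packages` entry, so it cannot stand in for `"node_modules/ssh2": {`; applying it as written would leave the lockfile malformed. The entry shown here is a resolved transitive package, so the fix belongs with whichever dependency declares `ssh2` (`npm ls ssh2` shows it), and 0.8.9 to 1.x is a major change whose API the dependent must support before an override is added.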
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2020-26301: nodejs-ssh2: Command injection by calling vulnerable method with untrusted input) (update to 1.4.0)
The issue identified by the Trivy linter pertains to a security vulnerability in the `ssh2` package version 0.8.9, specifically CVE-2020-26301. This vulnerability allows for command injection if untrusted input is passed to certain methods within the library, potentially leading to unauthorized command execution on the server. To mitigate this risk, it is recommended to update the `ssh2` package to a secure version, which in this case is 1.4.0 or later.

To resolve this issue, you can update the version of the `ssh2` dependency in your `package.json` file. Here's the single line change you need to make:

Suggested change:
```diff
- "node_modules/ssh2": {
+ "ssh2": "^1.4.0",
```

Make sure to replace the existing version of `ssh2` with this suggestion in the dependencies section of your `package.json`. After making this change, run `npm install` to update the package.
This comment was generated by an experimental AI tool.
@@ -57672,6 +67206,112 @@ | |||
"integrity": "sha512-x00IRNXNy63jwGkJmzPigoySHbaqpNuzKbBOmzK+g2OdZpQ9w+sxCN+VSB3ja7IAge2OP2qpfxTjeNcyjmW1uw==", | |||
"license": "ISC" | |||
}, | |||
"node_modules/utile": { |
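Review bot: `"node_modules/utile": null,` is not a valid value in the lockfile `packages` map (every value must be an object), and deleting the entry does nothing about the package that still declares `utile` as a dependency; the next `npm install` would simply put it back. Since the advisory lists no fixed version, the only durable fix is to replace or drop the dependent that pulls it in (`npm ls utile` shows which one), or to record the accepted risk if the out-of-bounds read is not reachable from this project's code paths.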
ℹ️ Codacy found a minor Security issue: Insecure dependency [email protected] (NSWG-ECO-445: Out-of-bounds Read) (no fix available)
The issue reported by the Trivy linter indicates that the `utile` package version `0.3.0` has a known security vulnerability (specifically, an out-of-bounds read) and there is no fix available for this version. This means that using this version could potentially expose your application to security risks.

To address this issue, the best course of action is to remove the insecure dependency from your project. This can be done by updating your `package.json` to remove `utile` or by replacing it with a more secure alternative if needed.

Here's a code suggestion to remove the `utile` dependency:

Suggested change:
```diff
- "node_modules/utile": {
+ "node_modules/utile": null,
```

This change effectively removes the `utile` dependency from your dependency tree, mitigating the security risk associated with it. However, if `utile` is a required dependency for your project, you should look for a secure alternative or a different version that does not have the vulnerability.
This comment was generated by an experimental AI tool.
@@ -44899,6 +51375,146 @@ | |||
"node": ">=10" | |||
} | |||
}, | |||
"node_modules/mockery": { |
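Review bot: the advisory header below reads `(update to )` with no fixed version, so the `"version": "2.1.1"` in the suggestion is not backed by anything on this PR; confirm on the registry that such a release exists before pinning it. If no fixed release exists, this is the same situation as `utile` above: find the dependent with `npm ls mockery` and replace it, rather than editing the lock entry.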
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2022-37614: mockery is vulnerable to prototype pollution) (update to )
The issue identified by the Trivy linter is related to the `mockery` package version `2.1.0`, which has a known vulnerability (CVE-2022-37614) that allows for prototype pollution. This vulnerability can potentially allow an attacker to modify the prototype of built-in objects, leading to security issues in the application.

To resolve this issue, you should update the `mockery` package to a version that has addressed this vulnerability. The recommended action is to upgrade to a safer version of the package.

Here's the code suggestion to address this issue:

Suggested change:
```diff
- "node_modules/mockery": {
+ "node_modules/mockery": { "version": "2.1.1", ...
```

Make sure to check the latest version available in the npm registry and update accordingly.
This comment was generated by an experimental AI tool.
"object-assign": "^4.1.1" | ||
} | ||
}, | ||
"node_modules/@teambit/legacy/node_modules/semver": { |
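Review bot: the path `node_modules/@teambit/legacy/node_modules/semver` means this copy is private to `@teambit/legacy` (a hoisted `semver` elsewhere in the tree may already be on a fixed version), so rewriting its `"version"` to 7.5.2 in place only holds if `@teambit/legacy`'s declared range admits 7.5.2, and the `resolved`/`integrity` fields would still be stale. The clean fix is a scoped override, `"overrides": { "@teambit/legacy": { "semver": "7.5.2" } }`, followed by `npm install` to regenerate the entry.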
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2022-25883: nodejs-semver: Regular expression denial of service) (update to 7.5.2, 6.3.1, 5.7.2)
The issue identified by the Trivy linter is a security vulnerability in the `semver` package version 7.3.4, which is susceptible to a Regular Expression Denial of Service (ReDoS) attack as described in CVE-2022-25883. This vulnerability can be exploited if an attacker sends specially crafted input that can cause the regular expressions used in the package to take an excessive amount of time to process, potentially leading to denial of service.

To resolve this issue, you should update the `semver` package to a secure version that is not affected by this vulnerability. The recommended versions provided are 7.5.2, 6.3.1, or 5.7.2.

Here's the single line change to update the version of `semver`:

Suggested change:
```diff
- "node_modules/@teambit/legacy/node_modules/semver": {
+ "node_modules/@teambit/legacy/node_modules/semver": { "version": "7.5.2", ...
```
This comment was generated by an experimental AI tool.
"pjv": "bin/pjv" | ||
} | ||
}, | ||
"node_modules/package-json-validator/node_modules/minimist": { |
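Review bot: the suggested block below carries `"integrity": "sha512-<new-integrity-hash>"`, a placeholder that must not be committed; a lockfile with a bogus integrity string fails `npm ci`. The nested path also shows that `package-json-validator` requests an old `minimist` range (otherwise no private copy would exist), so a hand-edited version is reverted by the next install; a scoped override, `"package-json-validator": { "minimist": "0.2.1" }`, plus `npm install` is the fix that survives.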
The issue identified by the Trivy linter is related to a security vulnerability in the `minimist` package, specifically version `0.0.10`. This version is known to have a prototype pollution vulnerability (CVE-2020-7598), which allows an attacker to manipulate properties of `Object.prototype` through malicious payloads. This can lead to unexpected behavior in applications that use this package.

To resolve this security issue, you should upgrade `minimist` to a secure version. The suggested secure version is `0.2.1` or later.

Here's the code suggestion to update the version of `minimist`:

```json
"node_modules/package-json-validator/node_modules/minimist": {
  "version": "0.2.1",
  "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.2.1.tgz",
  "integrity": "sha512-<new-integrity-hash>",
  "peer": true
}
```

(Note: The `<new-integrity-hash>` should be replaced with the actual integrity hash for version `0.2.1`, which you can obtain from the npm registry after updating the package.)
This comment was generated by an experimental AI tool.
"integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==", | ||
"peer": true | ||
}, | ||
"node_modules/moment": { |
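Review bot: the suggestion below stops at `"version": "2.29.2",` and leaves the `resolved` URL and `integrity` hash of 2.29.1 in place, so the lockfile would describe a tarball that no longer matches its hash. `moment` sits at the hoisted path `node_modules/moment`, so a plain `"overrides": { "moment": "2.29.2" }` (or a bump of the direct dependency, if the project declares `moment` itself) and a regenerated lock is the right change.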
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2022-24785: Moment.js: Path traversal in moment.locale) (update to 2.29.2)
The issue identified by the Trivy linter is a security vulnerability in the Moment.js library, specifically version 2.29.1. This vulnerability, identified as CVE-2022-24785, relates to a path traversal issue in the `moment.locale` function, which could potentially allow an attacker to access files outside of the intended directory structure. The recommended action is to update Moment.js to a patched version, 2.29.2 or higher, to mitigate this security risk.

To fix the issue, you need to update the version of Moment.js in your dependency configuration. Here's the suggested code change:

```json
"node_modules/moment": {
  "version": "2.29.2",
```
This comment was generated by an experimental AI tool.
@@ -35312,6 +40654,12 @@ | |||
"node": ">= 0.6" | |||
} | |||
}, | |||
"node_modules/http-cache-semantics": { |
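Review bot: 3.8.1 to 4.1.1 crosses a major version, and `node_modules/http-cache-semantics` is the hoisted path, so more than one dependent may resolve to this copy; run `npm ls http-cache-semantics` and check every requester's range before forcing 4.1.1 with an override, and prefer updating the dependent to a release that already requires 4.x where one exists.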
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2022-25881: http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability) (update to 4.1.1)
The issue identified by the Trivy linter pertains to a known vulnerability (CVE-2022-25881) in the `http-cache-semantics` package version 3.8.1. This vulnerability is classified as a Regular Expression Denial of Service (ReDoS) attack, which can be exploited by an attacker to cause a denial of service by making the application consume excessive resources. The recommended solution is to update the package to a version that has addressed this vulnerability, specifically to version 4.1.1 or later.

To fix the issue, you should update the version of `http-cache-semantics` in your package file. Here's the single line change you can make:

Suggested change:
```diff
- "node_modules/http-cache-semantics": {
+ "node_modules/http-cache-semantics": { "version": "4.1.1", ...
```

This change will ensure that you are using a secure version of the `http-cache-semantics` package, mitigating the vulnerability.
This comment was generated by an experimental AI tool.
@@ -58379,6 +68080,16 @@ | |||
"node": ">=4.0.0" | |||
} | |||
}, | |||
"node_modules/vue-template-compiler": { |
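Review bot: `"vue-template-compiler": "^3.0.0",` is a package.json line rather than a lockfile `packages` entry, and the range itself cannot be satisfied: `vue-template-compiler` is the Vue 2 compiler and is published in the 2.x line, while the 3.0.0 "fixed" version in the advisory refers to Vue 3, which compiles templates with a different package. Find the dependency that pulls it in (`npm ls vue-template-compiler`); if it is build-time tooling that never compiles untrusted templates, record that the XSS is not reachable rather than pinning a version that does not exist.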
The issue identified by the Trivy linter relates to a known vulnerability in the `vue-template-compiler` package, specifically version `2.6.12`. This vulnerability (CVE-2024-6783) exposes applications using this version to potential client-side Cross-Site Scripting (XSS) attacks. The recommended fix is to upgrade to a secure version, which is `3.0.0` or higher.

To resolve this issue, you should update the `vue-template-compiler` dependency in your package configuration. Here's the single line change you can make:

Suggested change:
```diff
- "node_modules/vue-template-compiler": {
+ "vue-template-compiler": "^3.0.0",
```
This comment was generated by an experimental AI tool.
@@ -36079,6 +42000,12 @@ | |||
"url": "https://github.com/sindresorhus/invert-kv?sponsor=1" | |||
} | |||
}, | |||
"node_modules/ip": { |
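Review bot: as with the earlier comment on this same entry, `"ip": "^1.1.9",` is a package.json range and cannot replace the lockfile key `"node_modules/ip": {`. The two reported versions (1.1.5 earlier, 1.1.8 here) also disagree, which usually means the scans ran against different revisions of this PR; re-run the scan after the final rebase and apply a single `overrides` entry for `ip` rather than two lockfile edits. Of the two fixed versions listed, 1.1.9 stays within the installed major; 2.0.1 should only be chosen if the dependent has been checked against the 2.x API.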
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2023-42282: nodejs-ip: arbitrary code execution via the isPublic() function) (update to 2.0.1, 1.1.9)
The issue identified by the Trivy linter is a security vulnerability in the `ip` package, specifically version `1.1.8`, which is associated with CVE-2023-42282. This vulnerability allows for arbitrary code execution via the `isPublic()` function, potentially compromising the security of applications that depend on this package.

To resolve this issue, the recommended action is to update the `ip` package to a secure version, either `2.0.1` or `1.1.9`, which do not have this vulnerability.

Here's the single line change needed to update the version of the `ip` package in your `package.json` file:

Suggested change:
```diff
- "node_modules/ip": {
+ "ip": "^1.1.9",
```

This change specifies that the project should use version `1.1.9` or any compatible version above it, thereby mitigating the security risk associated with the earlier versions of the package.
This comment was generated by an experimental AI tool.
"node": ">=10" | ||
} | ||
}, | ||
"node_modules/@teambit/legacy/node_modules/minimatch": { |
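Review bot: the suggestion below changes only `"version": "3.0.5",` on a copy that is private to `@teambit/legacy`, so the same caveat as that package's nested `semver` applies: the declared range must admit 3.0.5, and `resolved` and `integrity` must be regenerated rather than left pointing at 3.0.4. One scoped override block for `@teambit/legacy` covering both `semver` and `minimatch` keeps the two fixes together and lets `npm install` rewrite both entries.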
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function) (update to 3.0.5)
The issue identified by the Trivy linter pertains to a known vulnerability in the `minimatch` package, specifically version `3.0.4`. This vulnerability (CVE-2022-3517) relates to a Regular Expression Denial of Service (ReDoS) that can occur via the `braceExpand` function. Attackers can exploit this vulnerability to cause excessive resource consumption, potentially leading to denial of service.

To resolve this issue, you should update the `minimatch` dependency to a secure version, which is at least `3.0.5`. This can be done by modifying the version specified in your `package.json` or the relevant lock file.

Here's the suggested code change to update the version of `minimatch`:

```json
"node_modules/@teambit/legacy/node_modules/minimatch": {
  "version": "3.0.5",
```

This change updates the version of `minimatch` from `3.0.4` to `3.0.5`, which addresses the security vulnerability.
This comment was generated by an experimental AI tool.
"concat-map": "0.0.1" | ||
} | ||
}, | ||
"node_modules/npm-run-all/node_modules/cross-spawn": { |
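Review bot: `cross-spawn` 6.0.5 to 7.0.5 is a major bump forced under `npm-run-all`, whose own range keeps it on the 6.x line (which is why this nested copy exists at all). Before overriding, check the registry for a 6.x release that backports the CVE-2024-21538 fix, since that would stay inside the declared range; if there is none, add a scoped override for `npm-run-all` and run the project's npm-run-all scripts once to confirm the 7.x API change did not break them.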
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2024-21538: Regular Expression Denial of Service (ReDoS) in cross-spawn) (update to 7.0.5)
The issue reported by the Trivy linter is a security vulnerability in the `cross-spawn` package, specifically version `6.0.5`, which is affected by a Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2024-21538). This type of vulnerability can be exploited by an attacker to cause a denial of service by making the application consume excessive amounts of CPU time when processing certain inputs.

To resolve this issue, you should update the `cross-spawn` dependency to a secure version that is not affected by this vulnerability. The recommended version is `7.0.5`.

Here is the single line code suggestion to update the version:

```json
"node_modules/npm-run-all/node_modules/cross-spawn": {
  "version": "7.0.5",
```
This comment was generated by an experimental AI tool.
"pjv": "bin/pjv" | ||
} | ||
}, | ||
"node_modules/package-json-validator/node_modules/minimist": { |
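Review bot: this is the second comment on the same `minimist` entry, and it now suggests `"version": "1.2.3"` where the earlier one suggested 0.2.1; both are listed as fixed, but 0.2.1 stays within the 0.x line that `package-json-validator` resolves today, so it is the lower-risk override. Pick one and drop the other suggestion so the PR does not carry two conflicting edits to the same lockfile entry.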
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2020-7598: nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or proto payload) (update to 0.2.1, 1.2.3)
The issue identified by the Trivy linter is related to a vulnerability in the `minimist` package, specifically version `0.0.10`. This version is susceptible to a prototype pollution vulnerability (CVE-2020-7598), which can allow an attacker to manipulate the properties of `Object.prototype`. This can lead to unexpected behavior and security vulnerabilities in applications that rely on this package.

To fix this issue, you should update the `minimist` dependency to a secure version. The suggested versions to upgrade to are `0.2.1` or `1.2.3`, which are not vulnerable to this issue.

Here's the single line change to update the `minimist` dependency:

Suggested change:
```diff
- "node_modules/package-json-validator/node_modules/minimist": {
+ "node_modules/package-json-validator/node_modules/minimist": { "version": "1.2.3", ...
```

This change updates `minimist` to a secure version, thus mitigating the vulnerability.
This comment was generated by an experimental AI tool.
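The two `minimist` comments and the `mockery` comment on this PR say "prototype pollution" without showing the mechanism. The following is an added example, not code from this project or from minimist: a cut-down argv parser that assigns through a dotted key path the way the pre-fix minimist did, a hardened variant that refuses `__proto__`, `constructor` and `prototype` segments and descends only into own properties, and a `demo()` that runs the `--__proto__.polluted=yes` payload through both and records what a freshly created `{}` sees afterwards. The argv strings are constructed for the example; `parseArgs`, `setPathVulnerable` and `setPathSafe` are names chosen here, not minimist's API.

```javascript
// Cut-down argv parser in the style of pre-fix minimist: "--a.b=c" becomes
// out.a.b = "c" by walking the key path and creating objects as it goes.
// When a segment is "__proto__", cur["__proto__"] is Object.prototype, so the
// final assignment lands on the prototype shared by every object in the process.
function setPathVulnerable(obj, keys, value) {
  let cur = obj;
  for (const k of keys.slice(0, -1)) {
    if (cur[k] === undefined) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
}

// Hardened variant: reject any segment that reaches into the prototype chain
// and only descend into own properties; intermediate objects have no prototype.
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);
function setPathSafe(obj, keys, value) {
  if (keys.some((k) => BLOCKED.has(k))) {
    throw new Error("refusing prototype key: " + keys.join("."));
  }
  let cur = obj;
  for (const k of keys.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(cur, k)) cur[k] = Object.create(null);
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
}

// Minimal argv handling: "--k=v", "--k v", bare "--k" (true), positionals in "_".
function parseArgs(argv, setPath) {
  const out = { _: [] };
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith("--")) { out._.push(arg); continue; }
    const eq = arg.indexOf("=");
    const key = eq === -1 ? arg.slice(2) : arg.slice(2, eq);
    let val;
    if (eq !== -1) val = arg.slice(eq + 1);
    else if (i + 1 < argv.length && !argv[i + 1].startsWith("--")) val = argv[++i];
    else val = true;
    setPath(out, key.split("."), val);
  }
  return out;
}

// Run the same payload through both parsers and report what a fresh object sees.
function demo() {
  const payload = ["--__proto__.polluted=yes", "--port", "8080"];
  const before = ({}).polluted;            // undefined: nothing polluted yet
  parseArgs(payload, setPathVulnerable);
  const afterVulnerable = ({}).polluted;   // "yes": Object.prototype was written to
  delete Object.prototype.polluted;        // undo it so the rest of the process is clean
  let safeError = null;
  try { parseArgs(payload, setPathSafe); } catch (e) { safeError = e.message; }
  const afterSafe = ({}).polluted;         // undefined: the hardened parser refused the key
  const benign = parseArgs(["--server.port=8080", "file.txt", "--verbose"], setPathSafe);
  return { before, afterVulnerable, afterSafe, safeError, benign };
}

console.log(JSON.stringify(demo(), null, 2));
```

The vulnerable walk never writes anything unusual; it simply trusts that `cur[k]` is a plain object it created, and `"__proto__"` breaks that assumption because the lookup returns the shared prototype instead. The hardened version closes both routes (`__proto__` directly, and `constructor.prototype` indirectly) and uses null-prototype intermediates so an attacker cannot reach `Object.prototype` through any object the parser creates.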
Bumps @nx/storybook from 19.5.7 to 20.1.3.

Release notes

Sourced from @nx/storybook's releases. ... (truncated)
Commits

- faf4483 fix(nextjs): Remove deprecated export executor (#28702)
- 013aaee fix(storybook): fix externalDependencies undefined (#28641)
- 7839c80 fix(storybook): fix yarn storybook upgrade 8 (#28605)
- 018543c cleanup(misc): remove unused migrations (#28591)
- 499300f fix(core): repair SIGINT signals on windows (#28496)
- a637f9e chore(repo): remove v16 migrations (#28220)
- ec801b4 feat(misc): enable new ts minimal setup by default and guard execution of gen...
- 27edf71 feat(misc): make directory a required option for generators (#28093)
- f221a41 feat(misc): remove @nrwl/ scoped packages (#27858)
- 5724deb fix(storybook): only add `@storybook/test-runner` to externalDependencies if in...

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)