
Bump eslint-plugin-tsdoc from 0.2.17 to 0.4.0 #4660

Open: wants to merge 1 commit into base: master

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Nov 26, 2024

Bumps eslint-plugin-tsdoc from 0.2.17 to 0.4.0.

Changelog

Sourced from eslint-plugin-tsdoc's changelog.

0.4.0

Sat, 23 Nov 2024 00:23:35 GMT

Minor changes

  • Leverage parserOptions.tsConfigRootDir to reduce file system probing. This field is commonly used when eslint is configured with @typescript-eslint/parser.

Patches

  • Include CHANGELOG.md in published releases again

0.3.0

Tue, 28 May 2024 21:34:19 GMT

Minor changes

  • Minor package cleanup.

Patches

  • Upgrade dev toolchain (Heft, Webpack, TypeScript, ESLint)
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [eslint-plugin-tsdoc](https://github.com/microsoft/tsdoc/tree/HEAD/eslint-plugin) from 0.2.17 to 0.4.0.
- [Changelog](https://github.com/microsoft/tsdoc/blob/main/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/microsoft/tsdoc/commits/eslint-plugin-tsdoc_v0.4.0/eslint-plugin)

---
updated-dependencies:
- dependency-name: eslint-plugin-tsdoc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Nov 26, 2024

@github-actions github-actions bot left a comment


@dependabot merge

Contributor Author

dependabot bot commented on behalf of github Nov 26, 2024

Sorry, only users with push access can use that command.

@@ -36079,6 +41370,12 @@
"url": "https://github.com/sindresorhus/invert-kv?sponsor=1"
}
},
"node_modules/ip": {
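Review bot: the header `@@ -36079,6 +41370,12 @@` places these six context lines about 5,300 lines further down in the new file and the hunk itself introduces a new `node_modules/ip` entry, which a minor bump of eslint-plugin-tsdoc should not do; check whether the lock file was regenerated wholesale (different `lockfileVersion` or npm release) rather than minimally updated. The six added lines, which carry this entry's `version`, `resolved` and `integrity`, are not shown, so the installed version quoted in the comment below cannot be confirmed from the hunk. A lock entry is moved by `npm update ip` (or an `overrides` entry in package.json followed by a regenerated lock), not by rewriting the key to `{ "version": "1.1.9", ... }`, which is not valid lock-file JSON.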


Codacy found a critical Security issue: Insecure dependency ip@1.1.8 (CVE-2023-42282: nodejs-ip: arbitrary code execution via the isPublic() function) (update to 2.0.1, 1.1.9)

The issue identified by the Trivy linter pertains to a security vulnerability in the ip package, specifically version 1.1.8. This vulnerability (CVE-2023-42282) allows for arbitrary code execution through the isPublic() function, which can be exploited if an attacker can control the input to this function. The recommendation is to update the ip package to a safer version, either 2.0.1 or 1.1.9, which have patched this vulnerability.

To address this security issue, you should update the version of the ip package in your package.json file to a version that is not affected by this vulnerability.

Here’s the code suggestion to fix the issue:

Suggested change
"node_modules/ip": {
"node_modules/ip": { "version": "1.1.9", ... }

Make sure to run npm install after making this change to update the package in your project.


This comment was generated by an experimental AI tool.

"pjv": "bin/pjv"
}
},
"node_modules/package-json-validator/node_modules/minimist": {
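Review bot: this is a nested install (`node_modules/package-json-validator/node_modules/minimist`), so the vulnerable copy is pulled in by package-json-validator, not declared by this project; editing the lock key as suggested below does not change what package-json-validator resolves, and the replacement line `"node_modules/package-json-validator/node_modules/minimist": { "version": "0.2.1", ...` swaps an object opener for an incomplete object and leaves the JSON unbalanced. The durable fix is to bump package-json-validator to a release that depends on a patched minimist, or to pin the transitive version with an `overrides` entry in package.json and let npm regenerate the lock.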


⚠️ Codacy found a medium Security issue: Insecure dependency minimist@0.0.10 (CVE-2020-7598: nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or proto payload) (update to 0.2.1)

The issue reported by the Trivy linter is related to a known vulnerability in the minimist package, specifically version 0.0.10. This vulnerability, identified as CVE-2020-7598, allows for prototype pollution, which can lead to security risks by allowing an attacker to add or modify properties on Object.prototype. This can potentially result in unexpected behavior in the application or even allow for remote code execution.

To resolve this vulnerability, you should update the minimist dependency to a secure version. The recommended secure version is 0.2.1 or later, as it addresses the prototype pollution issue.

Here’s the single line change you can make to update the version of minimist in your package.json:

Suggested change
"node_modules/package-json-validator/node_modules/minimist": {
"node_modules/package-json-validator/node_modules/minimist": { "version": "0.2.1", ...

Make sure to also update the package.json file or your dependency management system to reflect this change for the minimist package. After making this change, run your package manager's install command to ensure that the updated version is installed.


This comment was generated by an experimental AI tool.

"object-assign": "^4.1.1"
}
},
"node_modules/@teambit/legacy/node_modules/semver": {


Codacy found a critical Security issue: Insecure dependency semver@7.3.4 (CVE-2022-25883: nodejs-semver: Regular expression denial of service) (update to 7.5.2, 6.3.1, 5.7.2)

The issue identified by the Trivy linter is a security vulnerability in the semver package, specifically version 7.3.4. This version is affected by a Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25883). This type of vulnerability can be exploited by attackers to cause a denial of service by crafting specific input that takes a long time to evaluate, potentially leading to server unresponsiveness.

To resolve this issue, you should update the version of the semver package to a non-vulnerable version. The suggested safe versions are 7.5.2, 6.3.1, or 5.7.2.

Here's the single line code suggestion to update the version of semver:

Suggested change
"node_modules/@teambit/legacy/node_modules/semver": {
"node_modules/@teambit/legacy/node_modules/semver": { "version": "7.5.2", ...

Make sure to update the version string in the relevant section of your package dependencies. After making this change, it's advisable to run your tests to ensure compatibility and functionality.


This comment was generated by an experimental AI tool.

"pjv": "bin/pjv"
}
},
"node_modules/package-json-validator/node_modules/minimist": {
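Review bot: this is the same `node_modules/package-json-validator/node_modules/minimist` region already flagged above; the two comments agree on CVE-2020-7598 but differ on the fix set (0.2.1 alone versus 0.2.1 or 1.2.3) and on severity, so keep one finding and choose the target version against the range package-json-validator actually declares for minimist.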


Codacy found a critical Security issue: Insecure dependency minimist@0.0.10 (CVE-2020-7598: nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or proto payload) (update to 0.2.1, 1.2.3)

The issue identified by the Trivy linter is related to a vulnerability in the minimist package, specifically version 0.0.10. This version is susceptible to prototype pollution, which can allow an attacker to modify properties of Object.prototype. This vulnerability is documented under CVE-2020-7598. To mitigate this security risk, it is recommended to update the minimist dependency to a safer version, such as 0.2.1 or 1.2.3, which do not have this vulnerability.

To address this issue, you can update the version of minimist in the package-json-validator dependency. Since minimist is a transitive dependency, you can add a resolution in your package.json to ensure that a secure version is used.

Here’s the suggested change:

Suggested change
"node_modules/package-json-validator/node_modules/minimist": {
"node_modules/package-json-validator/node_modules/minimist": { "version": "1.2.3", ... }

This line change updates the minimist version to 1.2.3, which is not affected by the prototype pollution vulnerability. Make sure to also run npm install or yarn install after making this change to ensure the updated version is installed.


This comment was generated by an experimental AI tool.
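The two minimist comments above describe the defect class (a dotted-key setter that can be walked onto `Object.prototype` through a `__proto__` or `constructor.prototype` segment) without showing it. The following is an added example written for this page; it is not minimist's source, not code from this PR, and not part of the Codacy output. It models the defect with a toy argv parser, places the hardened setter beside it, and includes the kind of check a test suite can run after exercising any option parser to prove `Object.prototype` was left untouched. The function names, the argv strings and the probe keys are all constructed for the example.

```javascript
// Added example, not minimist's code and not from this PR: a minimal model of
// the CVE-2020-7598 defect class (dotted-key assignment walking onto
// Object.prototype), the hardened form of the same setter, and a detection
// check for test suites.

// Naive setter, as a CLI parser might implement --a.b=c. Nothing stops the walk
// from stepping through the inherited "__proto__" accessor, after which the
// final assignment lands on Object.prototype and is visible to every object.
function setPathUnsafe(target, dottedKey, value) {
  const keys = dottedKey.split('.');
  let cursor = target;
  for (const key of keys.slice(0, -1)) {
    if (cursor[key] === undefined) cursor[key] = {};
    cursor = cursor[key];
  }
  cursor[keys[keys.length - 1]] = value;
  return target;
}

// Hardened setter: reject the segments that can reach a prototype, traverse
// own properties only, and create intermediates with a null prototype so
// there is no chain left to climb.
const RESERVED_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, dottedKey, value) {
  const keys = dottedKey.split('.');
  const bad = keys.find((k) => RESERVED_SEGMENTS.has(k));
  if (bad !== undefined) throw new Error(`rejected key segment "${bad}" in "${dottedKey}"`);
  let cursor = target;
  for (const key of keys.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(cursor, key)) cursor[key] = Object.create(null);
    cursor = cursor[key];
  }
  cursor[keys[keys.length - 1]] = value;
  return target;
}

// Tiny argv parser: only --name.sub=value pairs, delegating to a setter.
function parseArgs(argv, setter, root) {
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setter(root, m[1], m[2]);
  }
  return root;
}

// Detection for a test suite: a brand-new empty object must not "see" any of
// the probe keys; any key it does see was added to Object.prototype.
function pollutedKeys(probeKeys) {
  return probeKeys.filter((k) => k in {});
}

// Constructed input: one ordinary option and one carrying a reserved segment.
const CONSTRUCTED_ARGV = ['--verbose=true', '--__proto__.polluted=yes'];

function demo() {
  const result = {};
  parseArgs(CONSTRUCTED_ARGV, setPathUnsafe, {});
  result.afterUnsafe = pollutedKeys(['polluted']); // ['polluted']
  delete Object.prototype.polluted;                // undo for the rest of the process
  let safeError = null;
  try {
    parseArgs(CONSTRUCTED_ARGV, setPathSafe, Object.create(null));
  } catch (e) {
    safeError = e.message;
  }
  result.safeRejected = safeError !== null;        // true
  result.afterSafe = pollutedKeys(['polluted']);   // []
  return result;
}

console.log(JSON.stringify(demo()));
```

The `pollutedKeys` check is the part worth keeping in CI: run it after the test suite has fed untrusted-looking option strings through whichever parser the project uses, and fail the build if it returns anything. The hardened setter rejects the reserved segments outright rather than silently dropping them, so a malformed option surfaces as an error instead of a quietly ignored key.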

"node_modules/sprintf-js": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz",
"integrity": "sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==",
"license": "BSD-3-Clause"
},
"node_modules/ssh2": {
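Review bot: the context lines here are package-lock.json entries keyed by install path (`node_modules/sprintf-js`, `node_modules/ssh2`), but the replacement `"ssh2": "^1.4.0",` suggested below is a package.json dependency range, not a lock entry; applied to this hunk it would drop the `version`/`resolved`/`integrity` block that follows and leave a dangling key. Moving ssh2 from 0.8.9 to 1.4.0 is also a major-version change and should go through the dependency that requires ssh2, with the lock regenerated by npm rather than edited by hand.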


Codacy found a critical Security issue: Insecure dependency ssh2@0.8.9 (CVE-2020-26301: nodejs-ssh2: Command injection by calling vulnerable method with untrusted input) (update to 1.4.0)

The issue identified by the Trivy linter pertains to a security vulnerability in the ssh2 package version 0.8.9, which is susceptible to command injection attacks due to the use of untrusted input in certain methods. This vulnerability is documented as CVE-2020-26301. The recommended action is to update the ssh2 package to a safer version, specifically version 1.4.0 or later, which addresses this issue.

To resolve this vulnerability, you can update the version of the ssh2 dependency in your package.json file.

Here’s the single line change to fix the issue:

Suggested change
"node_modules/ssh2": {
"ssh2": "^1.4.0",

This comment was generated by an experimental AI tool.

"node": ">=10"
}
},
"node_modules/@teambit/legacy/node_modules/minimatch": {


Codacy found a critical Security issue: Insecure dependency minimatch@3.0.4 (CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function) (update to 3.0.5)

The issue identified by the Trivy linter pertains to a known vulnerability in the minimatch package version 3.0.4, specifically related to a Regular Expression Denial of Service (ReDoS) vulnerability that can be exploited through the braceExpand function. This vulnerability (CVE-2022-3517) allows an attacker to craft input that can cause the application to hang or slow down significantly, potentially leading to denial of service.

To resolve this issue, you should update the minimatch dependency to a version that is not vulnerable, specifically version 3.0.5 or later.

Here’s the single line change you can make to fix the issue:

Suggested change
"node_modules/@teambit/legacy/node_modules/minimatch": {
"node_modules/@teambit/legacy/node_modules/minimatch": { "version": "3.0.5", ...

This change updates the version of minimatch to 3.0.5, which addresses the security vulnerability.


This comment was generated by an experimental AI tool.

@@ -44899,6 +50745,146 @@
"node": ">=10"
}
},
"node_modules/mockery": {
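Review bot: the header `@@ -44899,6 +50745,146 @@` adds 140 lines around `node_modules/mockery`, far more than one dependency bump explains, so confirm what else was introduced in this range. The advisory line reads `update to )` with no fixed version, and the 2.1.1 in the comment below is stated as an assumption; no lock edit should target a version whose existence is not established, and a package with no published fix belongs on the removal/replacement list rather than in a version bump.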


Codacy found a critical Security issue: Insecure dependency mockery@2.1.0 (CVE-2022-37614: mockery is vulnerable to prototype pollution) (update to )

The issue identified by the Trivy linter is that the mockery package version 2.1.0 has a known vulnerability related to prototype pollution (CVE-2022-37614). Prototype pollution is a security vulnerability that allows an attacker to manipulate an application's prototype chain, potentially leading to unauthorized access or modification of data.

To fix this issue, you should update the mockery package to a secure version that does not have this vulnerability. The latest version at the time of this writing may vary, but you should check the npm registry for the most recent stable version of mockery that addresses this vulnerability.

Assuming that a safe version, such as 2.1.1, is available, the code suggestion to update the dependency would be as follows:

Suggested change
"node_modules/mockery": {
"node_modules/mockery": { "version": "2.1.1", ...

Make sure to run npm install after making this change to ensure the updated version is installed.


This comment was generated by an experimental AI tool.

@@ -58379,6 +67315,16 @@
"node": ">=4.0.0"
}
},
"node_modules/vue-template-compiler": {
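Review bot: the replacement `"vue-template-compiler": "^3.0.0",` suggested below is a package.json range and cannot stand in for the lock key `"node_modules/vue-template-compiler": {`. More importantly, vue-template-compiler must match the installed vue version exactly, so moving it from 2.6.12 to a 3.x line is a framework major upgrade, not a lock-file edit; record the finding against the package that pulls the 2.6.12 compiler in and assess the client-side XSS exposure against where that compiler actually runs.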


⚠️ Codacy found a medium Security issue: Insecure dependency vue-template-compiler@2.6.12 (CVE-2024-6783: vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)) (update to 3.0.0)

The issue identified by the Trivy linter is that the vue-template-compiler package version 2.6.12 has a known vulnerability (CVE-2024-6783) that exposes applications to client-side Cross-Site Scripting (XSS) attacks. This vulnerability can allow an attacker to inject malicious scripts into web applications, potentially compromising user data and application integrity.

To fix this issue, you need to update the vue-template-compiler package to a safe version, specifically version 3.0.0 or higher, as recommended.

Here's the single line code suggestion to update the version:

Suggested change
"node_modules/vue-template-compiler": {
"vue-template-compiler": "^3.0.0",

This comment was generated by an experimental AI tool.

"integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==",
"peer": true
},
"node_modules/moment": {
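Review bot: the edit suggested below changes only `"version": "2.29.2"` and leaves the entry's `resolved` and `integrity` lines as they are (the `sprintf-js` entry earlier in this diff shows the full shape of an entry). npm installs whatever tarball `resolved` names and checks it against `integrity`, so the hand-edited entry either still installs the old 2.29.1 tarball or fails the integrity check under `npm ci`; regenerate the entry with npm instead of editing the version string.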


Codacy found a critical Security issue: Insecure dependency moment@2.29.1 (CVE-2022-24785: Moment.js: Path traversal in moment.locale) (update to 2.29.2)

The issue identified by the Trivy linter is a security vulnerability in the Moment.js library, specifically version 2.29.1. This vulnerability (CVE-2022-24785) relates to a path traversal issue in the moment.locale function, which could potentially allow an attacker to access files outside of the intended directory structure. To mitigate this security risk, it is recommended to update Moment.js to a secure version (2.29.2 or later).

To fix the issue, you can update the version of Moment.js in your package configuration. Here’s the code suggestion to change the version of Moment.js:

    "node_modules/moment": {
      "version": "2.29.2",

This change updates the version of Moment.js to 2.29.2, which addresses the reported vulnerability.


This comment was generated by an experimental AI tool.

@@ -35312,6 +40024,12 @@
"node": ">= 0.6"
}
},
"node_modules/http-cache-semantics": {


Codacy found a critical Security issue: Insecure dependency http-cache-semantics@3.8.1 (CVE-2022-25881: http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability) (update to 4.1.1)

The issue identified by the Trivy linter is a security vulnerability in the http-cache-semantics package, specifically version 3.8.1. This vulnerability, known as CVE-2022-25881, is a Regular Expression Denial of Service (ReDoS) vulnerability. It allows an attacker to exploit the regular expressions used in the package, potentially leading to performance degradation or denial of service by causing excessive backtracking in certain inputs.

To resolve this issue, you should update the version of http-cache-semantics to a secure version, which is 4.1.1 or later. This can typically be done by updating your package.json file or directly modifying the lock file if you are using npm or yarn.

Here’s the single line change you need to make in your lock file:

Suggested change
"node_modules/http-cache-semantics": {
"node_modules/http-cache-semantics": { "version": "4.1.1", ...

This comment was generated by an experimental AI tool.

@@ -57672,6 +66441,112 @@
"integrity": "sha512-x00IRNXNy63jwGkJmzPigoySHbaqpNuzKbBOmzK+g2OdZpQ9w+sxCN+VSB3ja7IAge2OP2qpfxTjeNcyjmW1uw==",
"license": "ISC"
},
"node_modules/utile": {
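Review bot: `"node_modules/utile": null`, as suggested below, is not a valid package-lock.json entry; npm expects every install path to map to an object, and a null entry uninstalls nothing. Removing utile means removing or replacing the package that depends on it and regenerating the lock; the header `@@ -57672,6 +66441,112 @@` shows 106 lines added in this region, so identify which newly added dependency brought utile in. With no fix available, the finding should stay open as an accepted-risk or removal item rather than be closed by a lock edit.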


ℹ️ Codacy found a minor Security issue: Insecure dependency utile@0.3.0 (NSWG-ECO-445: Out-of-bounds Read) (no fix available)

The issue identified by the Trivy linter indicates that the utile package version 0.3.0 has a security vulnerability classified as an "Out-of-bounds Read." This type of vulnerability can lead to unintended behavior or data leakage, as it involves accessing memory outside the boundaries of allocated buffers. Since there is no fix available for this specific version of utile, it is advisable to remove or replace it with a more secure alternative if possible.

To address the security issue, the simplest approach is to remove the dependency on utile entirely, assuming it is not critical to your application. This can be done by updating your package.json and removing the entry for utile.

Here is the single line change to remove the utile dependency:

Suggested change
"node_modules/utile": {
"node_modules/utile": null,

This effectively indicates that the utile package should not be included in your project, which mitigates the security risk associated with its usage.


This comment was generated by an experimental AI tool.

@@ -36079,6 +41370,12 @@
"url": "https://github.com/sindresorhus/invert-kv?sponsor=1"
}
},
"node_modules/ip": {
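Review bot: this is the same `@@ -36079,6 +41370,12 @@` region as the first `node_modules/ip` comment, yet the two comments report different installed versions (1.1.8 there, 1.1.5 here) and different severities for the same CVE, and neither version appears in the visible context lines. Reconcile against the actual `version` field in the lock before acting, and keep a single finding.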


ℹ️ Codacy found a minor Security issue: Insecure dependency ip@1.1.5 (CVE-2023-42282: nodejs-ip: arbitrary code execution via the isPublic() function) (update to 1.1.9)

The issue identified by the Trivy linter is related to a security vulnerability in the ip package, specifically version 1.1.5. This vulnerability (CVE-2023-42282) allows for arbitrary code execution via the isPublic() function in the package. The recommended action is to update the package to a secure version, which in this case is 1.1.9 or later.

To fix the issue, you need to update the version of the ip package in your package.json file. Here is the code suggestion to make that change:

Suggested change
"node_modules/ip": {
"node_modules/ip": { "version": "1.1.9", ...

This change updates the version of the ip package to 1.1.9, which addresses the security vulnerability. Make sure to run npm install after making this change to ensure the updated package is installed.


This comment was generated by an experimental AI tool.
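Every Codacy comment in this thread proposes editing a single `node_modules/...` key in package-lock.json, and several of them concern nested installs (`node_modules/package-json-validator/node_modules/minimist`, `node_modules/@teambit/legacy/node_modules/semver`) that a top-level pin never reaches. The following is an added example written for this page, not part of the PR, of Dependabot, or of the Codacy tool: a small audit that walks a lockfileVersion 2/3 `packages` map, reports every install path (nested ones included) whose version falls below the fixed versions quoted in the comments above, and separately flags entries whose `version` disagrees with the tarball named in `resolved`, which is the trace a hand-edited lock file leaves behind. The advisory table is transcribed from the comments (mockery and utile are left out because no fixed version is given); the sample lock file, the function names and the version-line rule ("below the fix for your own major line, or on a major line older than every fixed one") are assumptions of the example.

```javascript
// Added example, not from this PR or from Codacy: audit a package-lock.json
// "packages" map for the vulnerable versions reported in this thread and flag
// entries whose "version" no longer matches the tarball in "resolved".

// First fixed version per major line, transcribed from the Codacy comments.
const ADVISORIES = {
  ip: { id: 'CVE-2023-42282', fixed: ['1.1.9', '2.0.1'] },
  minimist: { id: 'CVE-2020-7598', fixed: ['0.2.1', '1.2.3'] },
  semver: { id: 'CVE-2022-25883', fixed: ['5.7.2', '6.3.1', '7.5.2'] },
  ssh2: { id: 'CVE-2020-26301', fixed: ['1.4.0'] },
  minimatch: { id: 'CVE-2022-3517', fixed: ['3.0.5'] },
  'http-cache-semantics': { id: 'CVE-2022-25881', fixed: ['4.1.1'] },
  moment: { id: 'CVE-2022-24785', fixed: ['2.29.2'] },
  'vue-template-compiler': { id: 'CVE-2024-6783', fixed: ['3.0.0'] },
};

// "1.2.3-beta.1" -> [1, 2, 3]; prerelease and build tags are ignored.
function parseVersion(v) {
  const parts = String(v).split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10));
  while (parts.length < 3) parts.push(0);
  return parts.slice(0, 3);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Vulnerable when below the fix for its own major line, or when its major line
// is older than every line that received a fix (assumed rule for this example).
function isVulnerable(name, version) {
  const adv = ADVISORIES[name];
  if (!adv) return false;
  const major = parseVersion(version)[0];
  const sameLine = adv.fixed.find((f) => parseVersion(f)[0] === major);
  if (sameLine) return compareVersions(version, sameLine) < 0;
  return major < Math.max(...adv.fixed.map((f) => parseVersion(f)[0]));
}

// "node_modules/@teambit/legacy/node_modules/semver" -> "semver";
// "node_modules/@scope/pkg" -> "@scope/pkg".
function packageNameFromPath(lockPath) {
  const segments = lockPath.split('node_modules/');
  return segments[segments.length - 1];
}

// Walk every install path, nested ones included, and report vulnerable entries.
function auditLock(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '' || !entry.version) continue; // "" is the root project
    const name = packageNameFromPath(lockPath);
    if (isVulnerable(name, entry.version)) {
      const adv = ADVISORIES[name];
      findings.push({ path: lockPath, name, version: entry.version, id: adv.id, fixed: adv.fixed });
    }
  }
  return findings;
}

// A "version" bumped by hand leaves "resolved"/"integrity" on the old tarball;
// the mismatch between the two is detectable without touching the registry.
function findInconsistentEntries(lock) {
  const bad = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (!entry.resolved || !entry.version) continue;
    const m = /-(\d[^/]*)\.tgz$/.exec(entry.resolved);
    if (m && m[1] !== entry.version) bad.push(lockPath);
  }
  return bad;
}

// Constructed sample lock, shaped like the package-lock.json in this PR. The
// moment entry deliberately carries a hand-edited "version".
const SAMPLE_LOCK = JSON.parse(`{
  "name": "sample", "lockfileVersion": 3, "packages": {
    "": { "name": "sample" },
    "node_modules/ip": { "version": "1.1.8", "resolved": "https://registry.npmjs.org/ip/-/ip-1.1.8.tgz" },
    "node_modules/minimist": { "version": "1.2.8", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz" },
    "node_modules/package-json-validator/node_modules/minimist": { "version": "0.0.10", "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz" },
    "node_modules/@teambit/legacy/node_modules/semver": { "version": "7.3.4", "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.4.tgz" },
    "node_modules/moment": { "version": "2.29.2", "resolved": "https://registry.npmjs.org/moment/-/moment-2.29.1.tgz" },
    "node_modules/sprintf-js": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz" }
  }
}`);

console.log(JSON.stringify({ findings: auditLock(SAMPLE_LOCK), inconsistent: findInconsistentEntries(SAMPLE_LOCK) }, null, 2));
```

Against the sample, the audit reports the top-level `ip`, the nested `minimist` under package-json-validator and the nested `semver` under @teambit/legacy, while the top-level `minimist` 1.2.8 passes; the consistency pass flags only `node_modules/moment`, whose `version` says 2.29.2 but whose `resolved` still names the 2.29.1 tarball. To run it on a real lock file, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the nested findings are the ones a top-level pin will not fix and that need an `overrides` entry or a bump of the parent package.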
