Bump @typescript-eslint/eslint-plugin from 7.18.0 to 8.16.0 #4661
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 7.18.0 to 8.16.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.16.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot merge
Sorry, only users with push access can use that command.
@@ -35312,6 +40336,12 @@ | |||
"node": ">= 0.6" | |||
} | |||
}, | |||
"node_modules/http-cache-semantics": { |
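Review bot: the `"version": "4.1.1"` suggestion in the scanner comment that follows edits one field of a generated lock-file entry; the entry's `resolved` URL and `integrity` hash would still describe 3.8.1 (compare the complete sprintf-js entry elsewhere in this diff), so the next `npm install` rewrites it. Bump the package that pulls in http-cache-semantics, or add an `overrides` entry in package.json, and let npm regenerate this entry instead of editing it by hand.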
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2022-25881: http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability) (update to 4.1.1)
The issue identified by the Trivy linter pertains to the `http-cache-semantics` package, specifically version `3.8.1`, which has a known vulnerability classified as CVE-2022-25881. This vulnerability is related to a Regular Expression Denial of Service (ReDoS) attack, which can potentially allow an attacker to exploit certain regular expressions in the library to cause performance degradation or denial of service.

To resolve this security issue, you should update the `http-cache-semantics` package to a safer version, specifically `4.1.1`, which has addressed this vulnerability.

Here is the code suggestion to fix the issue by updating the version of `http-cache-semantics`:

```json
"node_modules/http-cache-semantics": {
  "version": "4.1.1",
```
This comment was generated by an experimental AI tool.
@@ -44899,6 +51057,146 @@ | |||
"node": ">=10" | |||
} | |||
}, | |||
"node_modules/mockery": { |
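Review bot: the scanner line below ends in `(update to )` with no fixed version, and the suggested `2.1.1` is explicitly an assumption in the comment. Don't pin a version the advisory doesn't name; check the advisory for CVE-2022-37614 for a patched release, and if there is none, decide whether mockery is still needed (or confine it to test-only code) and record that decision rather than editing the lock file.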
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2022-37614: mockery is vulnerable to prototype pollution) (update to )
The issue reported by the Trivy linter indicates that the `mockery` package version 2.1.0 has a vulnerability related to prototype pollution (CVE-2022-37614). Prototype pollution is a security flaw that allows an attacker to modify the prototype of an object, potentially leading to unexpected behavior or security breaches in the application.

To fix this issue, you should update the `mockery` package to a version that has addressed this vulnerability. You can check the latest version of `mockery` on the npm registry and update it accordingly.

Assuming the latest version is `2.1.1`, the code suggestion to fix this issue would be:

```diff
- "node_modules/mockery": {
+ "node_modules/mockery": { "version": "2.1.1", ...
```

Make sure to verify the latest version and update the version number accordingly.
This comment was generated by an experimental AI tool.
"integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==", | ||
"peer": true | ||
}, | ||
"node_modules/moment": { |
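Review bot: CVE-2022-24785 is reachable only where a caller passes untrusted input to `moment.locale()`, so before scheduling the bump check whether any code path here does that; that decides the priority, not the scanner's "critical" tag. The fix itself should be a bump of whatever declares moment (the scanner names 2.29.2 as the first fixed release), not the hand-edited `"version"` line the suggestion shows, which leaves `resolved`/`integrity` pointing at 2.29.1.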
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2022-24785: Moment.js: Path traversal in moment.locale) (update to 2.29.2)
The issue identified by the Trivy linter is related to a security vulnerability (CVE-2022-24785) in the Moment.js library version 2.29.1. This vulnerability is a path traversal issue that can potentially allow an attacker to access files outside of the intended directory structure. The recommended action is to update Moment.js to a secure version, specifically 2.29.2 or later, where this vulnerability has been addressed.
To resolve this issue, you can simply change the version of the Moment.js dependency in your package configuration. Here's the suggested code change:

```json
"node_modules/moment": {
  "version": "2.29.2",
```
This comment was generated by an experimental AI tool.
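The path-traversal class behind CVE-2022-24785, as an added example (not moment's code and not part of this PR): a locale name taken from a request is turned into a file path under a locale directory. The naive form concatenates the string; the hardened form allow-lists the name and then checks that the normalised path is still inside the directory. The directory, the locale-name grammar and the probe inputs are constructed assumptions, and the `require` of the resulting path is left out so the block runs without touching the file system.

```javascript
// Added example; not moment's code. LOCALE_DIR and the probes are constructed.
const LOCALE_DIR = '/app/node_modules/moment/locale';

// Naive: the request value goes straight into the path, so '../' walks out of
// LOCALE_DIR and whatever that path names would be loaded.
function localePathNaive(name) {
  return `${LOCALE_DIR}/${name}.js`;
}

// Minimal POSIX-style normalisation (resolves '.', '..' and empty segments),
// written out here so the block does not depend on node:path.
function normalize(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Hardened: (1) allow-list the name with a locale-tag grammar, which already
// excludes '/', '.' and '\'; (2) normalise and check containment anyway, so a
// future loosening of the grammar cannot reopen the traversal.
const LOCALE_NAME = /^[a-z]{1,3}(-[a-z0-9]{1,8})*$/;

function localePathSafe(rawName) {
  const name = String(rawName).toLowerCase();
  if (!LOCALE_NAME.test(name)) {
    throw new Error(`invalid locale name: ${JSON.stringify(rawName)}`);
  }
  const full = normalize(`${LOCALE_DIR}/${name}.js`);
  if (!full.startsWith(LOCALE_DIR + '/')) {
    throw new Error('locale path escapes LOCALE_DIR');
  }
  return full;
}

// Run both builders over constructed request values; returns { input: { naive, safe } }.
function probe(inputs) {
  const result = {};
  for (const input of inputs) {
    let safe;
    try { safe = localePathSafe(input); } catch (e) { safe = `rejected: ${e.message}`; }
    result[input] = { naive: normalize(localePathNaive(input)), safe };
  }
  return result;
}

console.log(probe(['en-GB', 'x-pseudo', '../../../../etc/passwd', 'en/../../../../../etc/passwd']));
```

The regex alone closes the hole; the containment check is kept because allow-lists get loosened over time, and a second, independent guard costs nothing here.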
@@ -58379,6 +67659,16 @@ | |||
"node": ">=4.0.0" | |||
} | |||
}, | |||
"node_modules/vue-template-compiler": { |
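Review bot: the suggested replacement `"vue-template-compiler": "^3.0.0",` is a package.json dependency line, not a lock-file entry; dropping it in place of the `"node_modules/vue-template-compiler": {` key would remove the opening brace of this object and put a semver range where package-lock expects an exact `version`. If the range belongs in package.json, put it there and regenerate the lock. Note also that this comment lacks the scanner's severity line the other findings carry, so confirm it against the advisory for CVE-2024-6783 before acting.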
The issue identified by the Trivy linter is a vulnerability in the `vue-template-compiler` package, specifically version `2.6.12`. This version has been flagged for a Cross-Site Scripting (XSS) vulnerability (CVE-2024-6783), which could potentially allow an attacker to inject malicious scripts into web applications that use this package. To mitigate this security risk, it is recommended to update `vue-template-compiler` to a safer version, which is `3.0.0` or later.

To address this issue, you should update the `vue-template-compiler` dependency in your project. Here is the single line change you can make to fix the issue:

```diff
- "node_modules/vue-template-compiler": {
+ "vue-template-compiler": "^3.0.0",
```
This comment was generated by an experimental AI tool.
"pjv": "bin/pjv" | ||
} | ||
}, | ||
"node_modules/package-json-validator/node_modules/minimist": { |
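Review bot: the key `node_modules/package-json-validator/node_modules/minimist` says this minimist copy is nested under package-json-validator, so the suggested `"minimist": "^0.2.1"` in package.json would not change it (npm would add a second, top-level minimist and leave 0.0.10 in place). Either bump package-json-validator to a release that depends on a fixed minimist, or add `"overrides": { "package-json-validator": { "minimist": "^0.2.1" } }` to package.json and regenerate the lock.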
The issue identified by the Trivy linter pertains to the `minimist` package, specifically version `0.0.10`. This version is vulnerable to a prototype pollution attack, which can allow an attacker to manipulate properties of `Object.prototype`, leading to potential security risks in the application. The recommended action is to upgrade `minimist` to a safer version, specifically at least version `0.2.1`, which addresses this vulnerability.

To resolve this issue, you can update the version of the `minimist` dependency in your package's `package.json` file. Here's the single line change you can make:

```diff
- "node_modules/package-json-validator/node_modules/minimist": {
+ "minimist": "^0.2.1"
```

This change will ensure that the application uses a secure version of the `minimist` package, thereby mitigating the identified security vulnerability.
This comment was generated by an experimental AI tool.
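The prototype-pollution class named in the mockery finding above and in both minimist findings on this PR, as an added example (not code from this PR, from minimist or from mockery): a toy `--key.sub=value` argument parser of the kind the CVEs describe, first in a form where a `__proto__` or `constructor.prototype` key path writes into `Object.prototype`, then hardened. The parser, its option names and the sample argv are constructed for illustration.

```javascript
// Added example, constructed for illustration; not minimist's or mockery's code.

// Naive parser: walks the key path with plain property access, so
// '--__proto__.polluted=yes' reaches Object.prototype and every object in
// the process (including ones created later) gains a 'polluted' property.
function parseArgsNaive(argv) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue;
    const keys = m[1].split('.');
    let cur = out;
    for (let i = 0; i < keys.length - 1; i++) {
      if (cur[keys[i]] === undefined) cur[keys[i]] = {};
      cur = cur[keys[i]];                      // '__proto__' yields Object.prototype here
    }
    cur[keys[keys.length - 1]] = m[2];
  }
  return out;
}

// Hardened parser: null-prototype containers (no inherited __proto__ setter
// or constructor to walk into), an explicit deny-list on every path segment,
// and own-property checks so an existing scalar is never used as a container.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function parseArgsSafe(argv) {
  const out = Object.create(null);
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue;
    const keys = m[1].split('.');
    if (keys.some(k => FORBIDDEN_KEYS.has(k))) throw new Error(`rejected key path: ${m[1]}`);
    let cur = out;
    for (let i = 0; i < keys.length - 1; i++) {
      if (!hasOwn(cur, keys[i])) cur[keys[i]] = Object.create(null);
      if (cur[keys[i]] === null || typeof cur[keys[i]] !== 'object') {
        throw new Error(`${keys.slice(0, i + 1).join('.')} is not an object`);
      }
      cur = cur[keys[i]];
    }
    cur[keys[keys.length - 1]] = m[2];
  }
  return out;
}

// Run the same payload through both parsers and report what each did.
function demonstratePollution() {
  const payload = ['--__proto__.polluted=yes', '--port=8080'];
  parseArgsNaive(payload);
  const leaked = ({}).polluted;            // 'yes': a brand-new object inherits it
  delete Object.prototype.polluted;        // undo the damage for the rest of the process
  let rejected = false;
  try { parseArgsSafe(payload); } catch (e) { rejected = true; }
  const afterSafe = ({}).polluted;         // undefined: the safe parser refused the path
  return { leaked, rejected, afterSafe };
}

console.log(demonstratePollution());
console.log(parseArgsSafe(['--db.host=localhost', '--db.port=5432']));
```

The deny-list is the visible fix, but `Object.create(null)` is the one that holds even if a new gadget key is found: with no prototype chain there is nothing for a key path to climb into.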
@@ -57672,6 +66785,112 @@ | |||
"integrity": "sha512-x00IRNXNy63jwGkJmzPigoySHbaqpNuzKbBOmzK+g2OdZpQ9w+sxCN+VSB3ja7IAge2OP2qpfxTjeNcyjmW1uw==", | |||
"license": "ISC" | |||
}, | |||
"node_modules/utile": { |
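Review bot: `"node_modules/utile": null` is not a valid package-lock edit; the package that depends on utile still declares it, so npm re-resolves the entry on the next install. Run `npm ls utile` to find that dependant and upgrade or replace it; since the scanner says no fix is available, the remaining option is a documented risk acceptance, not a lock-file tweak.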
ℹ️ Codacy found a minor Security issue: Insecure dependency [email protected] (NSWG-ECO-445: Out-of-bounds Read) (no fix available)
The issue identified by the Trivy linter is related to the `utile` package version `0.3.0`, which has been flagged for having an out-of-bounds read vulnerability. This type of vulnerability can potentially allow an attacker to read sensitive data from memory that should not be accessible, which can lead to security breaches.

Since the vulnerability has no fix available for this specific version, the best course of action is to remove the insecure dependency altogether or replace it with a more secure alternative. If `utile` is not explicitly required in your project, you can simply remove it. However, if it is a dependency of another package, you may need to look for an updated version that does not include `utile` or find a suitable replacement.

For a quick fix, you can remove the `utile` dependency from your `package.json` file. Here's the suggested change:

```diff
- "node_modules/utile": {
+ "node_modules/utile": null,
```

This effectively removes the `utile` dependency from the module tree, mitigating the security risk associated with it. If you need to keep the functionality provided by `utile`, consider looking for alternative libraries that offer similar capabilities without the security vulnerabilities.
This comment was generated by an experimental AI tool.
"object-assign": "^4.1.1" | ||
} | ||
}, | ||
"node_modules/@teambit/legacy/node_modules/semver": { |
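Review bot: this semver copy lives under `node_modules/@teambit/legacy/`, so it is @teambit/legacy's dependency, not this project's; the scanner lists three fixed releases (7.5.2, 6.3.1, 5.7.2) because each major line got a backport, and 7.5.2 is the one for the 7.3.4 copy here. Land it with `"overrides": { "@teambit/legacy": { "semver": "^7.5.2" } }` or a bump of @teambit/legacy, and regenerate the lock rather than editing the `version` field as suggested.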
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2022-25883: nodejs-semver: Regular expression denial of service) (update to 7.5.2, 6.3.1, 5.7.2)
The issue reported by the Trivy linter is a security vulnerability in the `semver` package, specifically version `7.3.4`, which is affected by a Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25883). This vulnerability can potentially allow an attacker to exploit the regular expressions used in the package to cause a denial of service by consuming excessive CPU resources.

To mitigate this issue, you should upgrade the `semver` package to a secure version that is not affected by the vulnerability. The recommended versions are `7.5.2`, `6.3.1`, or `5.7.2`.

Here's the code suggestion to update the version of `semver`:

```json
"node_modules/@teambit/legacy/node_modules/semver": {
  "version": "7.5.2",
```

By changing the version from `7.3.4` to `7.5.2`, you will resolve the security vulnerability.
This comment was generated by an experimental AI tool.
"node": ">=10" | ||
} | ||
}, | ||
"node_modules/@teambit/legacy/node_modules/minimatch": { |
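Review bot: same situation as the semver entry above: a nested copy under `@teambit/legacy`, so an override scoped to that package (or a bump of it) is the fix; add `"minimatch": "^3.0.5"` next to the semver override under the same `@teambit/legacy` key and regenerate the lock instead of editing the `version` field.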
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function) (update to 3.0.5)
The issue identified by the Trivy linter is related to a security vulnerability in the `minimatch` package version 3.0.4. Specifically, it is a Regular Expression Denial of Service (ReDoS) vulnerability, which can be exploited through the `braceExpand` function. This vulnerability allows an attacker to craft input that can cause the regex engine to take an excessive amount of time to process, potentially leading to denial of service.

To fix this issue, you should update the `minimatch` dependency to at least version 3.0.5, which includes the necessary security patches.

Here's the code suggestion to update the version:

```json
"node_modules/@teambit/legacy/node_modules/minimatch": {
  "version": "3.0.5",
```
This comment was generated by an experimental AI tool.
@@ -36079,6 +41682,12 @@ | |||
"url": "https://github.com/sindresorhus/invert-kv?sponsor=1" | |||
} | |||
}, | |||
"node_modules/ip": { |
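Review bot: the suggestion below runs `npm install ip@^1.1.9`, which adds ip to package.json as a direct dependency; whether it also replaces this hoisted 1.1.5 copy depends on the range its dependants declare, and if they pin 1.1.5 npm nests a new copy and the finding stays. Run `npm ls ip` to see what depends on it; if it is only transitive, use an `overrides` entry for `ip` and regenerate the lock instead of adding a direct dependency the project does not use.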
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2023-42282: nodejs-ip: arbitrary code execution via the isPublic() function) (update to 2.0.1, 1.1.9)
The issue identified by the Trivy linter pertains to a vulnerability in the `ip` package, specifically version `1.1.5`, which is susceptible to arbitrary code execution via the `isPublic()` function. This vulnerability is cataloged as CVE-2023-42282. To mitigate this security risk, it is recommended to update the `ip` package to a secure version, either `1.1.9` or `2.0.1`.

To fix the issue, you can update the version of the `ip` package in your `package.json` file or wherever the dependency is specified. Assuming you are managing dependencies directly in the `package.json`, the change would look like this:

```json
"node_modules/ip": {
  "version": "1.1.9",
  ...
}
```

If you are using a `package.json` file to manage your dependencies, the better approach would be to run the following command in your terminal to ensure that the latest secure version is installed:

```diff
- "node_modules/ip": {
+ npm install ip@^1.1.9
```

This command will update the package to a secure version and update your `package-lock.json` accordingly.
This comment was generated by an experimental AI tool.
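The misclassification class behind the ip finding, as an added example (not the ip package's code and not part of this PR). CVE-2023-42282 concerned `isPublic()` returning true for address spellings that were not parsed canonically, so a loopback or private address written another way could pass an "only public destinations" check; the practical impact is SSRF rather than the "arbitrary code execution" of the scanner's one-line summary. Both functions below are constructed: `isPublicLenient` reproduces the pattern of matching private ranges as regexes over dotted-decimal text, and `isPublicStrict` parses first and fails closed. The probe list is made up.

```javascript
// Added example; not the ip package's code. Both checkers are constructed.

// Lenient (bug pattern): private ranges are regexes over canonical dotted-decimal
// text, and anything that matches none of them is reported as "public". So
// 127.1, 0x7f.1 and 0177.0.0.1 all count as public, although inet_aton-style
// resolvers (the C library, curl, many HTTP clients) turn each into 127.0.0.1.
const PRIVATE_PATTERNS = [
  /^10\.\d+\.\d+\.\d+$/,
  /^127\.\d+\.\d+\.\d+$/,
  /^169\.254\.\d+\.\d+$/,
  /^172\.(1[6-9]|2\d|3[01])\.\d+\.\d+$/,
  /^192\.168\.\d+\.\d+$/,
];
function isPublicLenient(addr) {
  return !PRIVATE_PATTERNS.some(re => re.test(addr));
}

// Strict: exactly four decimal octets 0-255, no leading zeros, no hex, no
// shorthand. Returns the address as an unsigned 32-bit integer, or null.
const OCTET = '(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
const DOTTED_QUAD = new RegExp(`^${OCTET}(\\.${OCTET}){3}$`);
function parseIPv4Strict(s) {
  if (!DOTTED_QUAD.test(s)) return null;
  const [a, b, c, d] = s.split('.').map(Number);
  return ((a << 24) | (b << 16) | (c << 8) | d) >>> 0;
}

// Non-public IPv4 blocks: "this" network, RFC 1918, CGNAT, loopback,
// link-local, IETF protocol assignments, benchmarking, multicast, reserved.
const NON_PUBLIC_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.0.0.0', 24], ['192.168.0.0', 16],
  ['198.18.0.0', 15], ['224.0.0.0', 4], ['240.0.0.0', 4],
];

function inCidr(addr, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((parseIPv4Strict(base) & mask) >>> 0);
}

// Fail closed: anything that does not parse as a canonical dotted quad is
// treated as not public, so odd spellings can never slip past the guard.
function isPublicStrict(input) {
  const addr = parseIPv4Strict(String(input).trim());
  if (addr === null) return false;
  return !NON_PUBLIC_V4.some(([base, bits]) => inCidr(addr, base, bits));
}

// Constructed probe set: the host strings an SSRF guard sees after URL parsing.
const PROBES = ['8.8.8.8', '10.2.3.4', '127.0.0.1', '127.1', '0x7f.1', '0177.0.0.1', '172.32.0.1'];
for (const p of PROBES) {
  console.log(p.padEnd(12), 'lenient:', isPublicLenient(p), ' strict:', isPublicStrict(p));
}
```

Failing closed means a non-canonical host is rejected rather than normalised; if the application has to accept such spellings, normalise through the same resolver the HTTP client will use and check the resolved address, never the original string.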
"node_modules/sprintf-js": { | ||
"version": "1.0.3", | ||
"resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", | ||
"integrity": "sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==", | ||
"license": "BSD-3-Clause" | ||
}, | ||
"node_modules/ssh2": { |
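Review bot: the suggested `"ssh2": "^1.4.0",` is a package.json line placed where the lock-file key `"node_modules/ssh2": {` is, the same shape problem as the vue-template-compiler suggestion. Separately, 0.8.9 to 1.4.0 crosses a major version, so the code that uses ssh2 needs a test pass against the new release, not just a version bump; and since the finding is command injection, check whether any call site passes request-derived strings into ssh2 methods, which sets the priority of this one.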
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2020-26301: nodejs-ssh2: Command injection by calling vulnerable method with untrusted input) (update to 1.4.0)
The issue identified by the Trivy linter refers to a known vulnerability in the `ssh2` package version 0.8.9, which is susceptible to command injection due to the use of untrusted input in certain methods. This vulnerability has been assigned CVE-2020-26301 and can potentially allow an attacker to execute arbitrary commands on the server.

To mitigate this security risk, it is recommended to upgrade the `ssh2` package to a safer version, specifically version 1.4.0 or higher, where this vulnerability has been addressed.

Here is the code suggestion to update the `ssh2` dependency:

```diff
- "node_modules/ssh2": {
+ "ssh2": "^1.4.0",
```
This comment was generated by an experimental AI tool.
@@ -36079,6 +41682,12 @@ | |||
"url": "https://github.com/sindresorhus/invert-kv?sponsor=1" | |||
} | |||
}, | |||
"node_modules/ip": { |
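Review bot: this is the same `node_modules/ip` hunk already flagged above for CVE-2023-42282, here reported as minor instead of critical; one CVE on one entry should be triaged once, so dedupe the scanner output rather than tracking two findings with different severities.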
ℹ️ Codacy found a minor Security issue: Insecure dependency [email protected] (CVE-2023-42282: nodejs-ip: arbitrary code execution via the isPublic() function) (update to 1.1.9)
The issue identified by the Trivy linter pertains to a security vulnerability in the `ip` package version 1.1.5. Specifically, this vulnerability (CVE-2023-42282) allows for arbitrary code execution through the `isPublic()` function within the package. This means that an attacker could potentially exploit this function to execute malicious code, posing a significant risk to applications that depend on this version of the `ip` package.

To resolve this issue, you should update the `ip` package to a secure version (1.1.9 or later). This can typically be done by modifying the package version in your `package.json` file or by running an update command.

Here is the code suggestion to update the `ip` package to version 1.1.9:

```diff
- "node_modules/ip": {
+ "node_modules/ip": { "version": "1.1.9", ... }
```

This line change will ensure that your application uses the fixed version of the `ip` package, mitigating the identified security vulnerability.
This comment was generated by an experimental AI tool.
"pjv": "bin/pjv" | ||
} | ||
}, | ||
"node_modules/package-json-validator/node_modules/minimist": { |
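Review bot: this is the second finding on the nested minimist entry (CVE-2020-7598 here; the earlier one is unnumbered). The suggestion at least shows the full entry shape (version, resolved, integrity), but an integrity hash cannot be filled in by hand; an override for `package-json-validator > minimist` and a regenerated lock produce the real hash. Of the two fixed releases the scanner lists, 0.2.1 stays on the 0.x line this parent resolves, while 1.2.3 is a major jump that the parent's range may not accept.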
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2020-7598: nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or proto payload) (update to 0.2.1, 1.2.3)
The issue reported by the Trivy linter is related to a security vulnerability in the `minimist` package version `0.0.10`. Specifically, this version is affected by CVE-2020-7598, which allows for prototype pollution. This vulnerability can be exploited to add or modify properties of `Object.prototype`, potentially leading to unexpected behavior or security issues in applications.

To resolve this security vulnerability, you need to update the `minimist` dependency to a version that is not affected by this issue. The recommended versions to update to are `0.2.1` or `1.2.3`.

Here's the code suggestion for the update:

```json
"node_modules/package-json-validator/node_modules/minimist": {
  "version": "1.2.3",
  "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.3.tgz",
  "integrity": "sha512-<new-integrity-hash>",
  "peer": true
},
```

Note: You will need to replace `<new-integrity-hash>` with the actual integrity hash for `minimist` version `1.2.3`, which you can obtain from the npm registry after installing the updated version.
This comment was generated by an experimental AI tool.
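Every scanner comment on this PR suggests hand-editing a `version` line in package-lock.json, and several of the flagged copies are nested (`node_modules/@teambit/legacy/node_modules/semver`, `node_modules/package-json-validator/node_modules/minimist`). As an added example (not code from this PR, from npm, Trivy or Codacy), the script below walks a lockfileVersion 2/3 `packages` map, finds every copy of each advised package at any depth, compares it with the fixed releases the scanner named, and says what actually lands the fix: a package.json bump for a direct dependency, or an npm `overrides` entry for a hoisted or nested transitive copy, after which `npm install` regenerates the entries with correct `resolved` and `integrity` fields. The lock fragment is constructed: the flagged paths and vulnerable versions mirror this PR's diff, while the parent versions and the root manifest are made up; the fixed-version lists are the ones the scanner comments state.

```javascript
// Added example; not code from this PR, npm, Trivy or Codacy. SAMPLE_LOCK and
// the root manifest are constructed; only the flagged paths/versions and the
// fixed releases in ADVISORIES come from the scanner comments on this PR.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { moment: '^2.29.1', 'package-json-validator': '^0.6.0' } },
    'node_modules/moment': { version: '2.29.1' },
    'node_modules/ip': { version: '1.1.5' },            // hoisted, not in the root manifest
    'node_modules/mockery': { version: '2.1.0' },
    'node_modules/semver': { version: '7.6.0' },        // already past the fixed line
    'node_modules/package-json-validator': { version: '0.6.0' },
    'node_modules/package-json-validator/node_modules/minimist': { version: '0.0.10' },
    'node_modules/@teambit/legacy': { version: '1.0.0' },
    'node_modules/@teambit/legacy/node_modules/semver': { version: '7.3.4' },
    'node_modules/@teambit/legacy/node_modules/minimatch': { version: '3.0.4' },
  },
};

// Fixed releases as stated in the scanner comments (empty list = no fix available).
const ADVISORIES = {
  moment: { fixed: ['2.29.2'] },
  ip: { fixed: ['1.1.9', '2.0.1'] },
  mockery: { fixed: [] },
  minimist: { fixed: ['0.2.1', '1.2.3'] },
  semver: { fixed: ['5.7.2', '6.3.1', '7.5.2'] },
  minimatch: { fixed: ['3.0.5'] },
};

function parseVer(v) {
  const n = String(v).split(/[-+]/)[0].split('.').map(Number);
  return n.length === 3 && !n.some(Number.isNaN) ? n : null;
}
function cmpVer(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Fixed release a version should move to: the fix on its own major line if it
// is below it, else the lowest fixed release above it (a major jump); null if
// it is already at or above the fix for its line, or above every fixed line.
function fixTarget(version, fixedList) {
  const v = parseVer(version);
  if (!v) return null;
  const fixed = fixedList.map(parseVer).filter(Boolean).sort(cmpVer);
  const sameMajor = fixed.find(f => f[0] === v[0]);
  if (sameMajor) return cmpVer(v, sameMajor) < 0 ? sameMajor.join('.') : null;
  const nextUp = fixed.find(f => cmpVer(v, f) < 0);
  return nextUp ? nextUp.join('.') : null;
}

const NM = 'node_modules/';
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function auditLock(lock, advisories) {
  const root = lock.packages[''] || {};
  const rootDeps = Object.assign({}, root.dependencies, root.devDependencies);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue;
    const idx = path.lastIndexOf(NM);
    const name = path.slice(idx + NM.length);          // handles scoped names too
    const adv = advisories[name];
    if (!adv) continue;
    const parentPath = path.slice(0, idx).replace(/\/$/, '');
    const parent = parentPath ? parentPath.slice(parentPath.lastIndexOf(NM) + NM.length) : null;
    const scope = parent ? 'nested' : hasOwn(rootDeps, name) ? 'direct' : 'hoisted';
    const f = { path, name, version: entry.version, parent, scope, fixed: null, action: '' };
    if (adv.fixed.length === 0) {
      f.action = 'no fix available: replace or remove the dependant, or document the accepted risk';
    } else {
      f.fixed = fixTarget(entry.version, adv.fixed);
      if (f.fixed === null) continue;                  // this copy is already fixed
      f.action = scope === 'direct'
        ? `bump ${name} in package.json to ^${f.fixed} and run npm install`
        : scope === 'nested'
          ? `add overrides["${parent}"]["${name}"] = "^${f.fixed}" and run npm install`
          : `add overrides["${name}"] = "^${f.fixed}" (hoisted transitive) and run npm install`;
    }
    findings.push(f);
  }
  return findings;
}

// The package.json "overrides" object for everything a manifest bump cannot reach.
function suggestOverrides(findings) {
  const overrides = {};
  for (const f of findings) {
    if (!f.fixed || f.scope === 'direct') continue;
    if (f.parent) {
      overrides[f.parent] = overrides[f.parent] || {};
      overrides[f.parent][f.name] = `^${f.fixed}`;
    } else {
      overrides[f.name] = `^${f.fixed}`;
    }
  }
  return overrides;
}

const findings = auditLock(SAMPLE_LOCK, ADVISORIES);
for (const f of findings) console.log(`${f.path}@${f.version}: ${f.action}`);
console.log(JSON.stringify({ overrides: suggestOverrides(findings) }, null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and feed `ADVISORIES` from the scanner's output; the `fixTarget` rule of "stay on the same major line when a backport exists" is the same choice the scanner makes when it lists one fixed release per major.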
Superseded by #4670.
Commits
- f74a8fa chore(release): publish 8.16.0
- 2e2433b feat(eslint-plugin): [no-base-to-string] check Array.prototype.join (#10287)
- 88e4c66 docs(eslint-plugin): add missing `>` in `array-type.mdx` (#10371)
- 71243db chore: correct lint errors in CI (#10370)
- cdbc669 feat(eslint-plugin): [max-params] add function overload and function type sup...
- cac88ca chore: set no-else-return allowIfElse to false (#10325)
- 2444351 chore(release): publish 8.15.0
- 6c27d08 chore: bump eslint dependencies (#10354)
- f5e23e2 fix(utils): add defaultOptions to meta in rule (#10339)
- 12ce800 docs(eslint-plugin): [no-confusing-void-expression] add a default value for `...

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)