Bump @intlify/core-base and vue-i18n #4663
base: master
Bumps [@intlify/core-base](https://github.com/intlify/vue-i18n/tree/HEAD/packages/core) to 9.14.2 and updates ancestor dependency [vue-i18n](https://github.com/intlify/vue-i18n/tree/HEAD/packages/vue-i18n). These dependencies need to be updated together.

Updates `@intlify/core-base` from 9.13.1 to 9.14.2
- [Release notes](https://github.com/intlify/vue-i18n/releases)
- [Changelog](https://github.com/intlify/vue-i18n/blob/master/CHANGELOG.md)
- [Commits](https://github.com/intlify/vue-i18n/commits/v9.14.2/packages/core)

Updates `vue-i18n` from 9.13.1 to 9.14.2
- [Release notes](https://github.com/intlify/vue-i18n/releases)
- [Changelog](https://github.com/intlify/vue-i18n/blob/master/CHANGELOG.md)
- [Commits](https://github.com/intlify/vue-i18n/commits/v9.14.2/packages/vue-i18n)

---
updated-dependencies:
- dependency-name: "@intlify/core-base"
  dependency-type: indirect
- dependency-name: vue-i18n
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@@ -36079,6 +41405,12 @@ | |||
"url": "https://github.com/sindresorhus/invert-kv?sponsor=1" | |||
} | |||
}, | |||
"node_modules/ip": { |
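Review bot: the `node_modules/ip` record added in this hunk is generated lock-file content, so the suggestion below to hand-edit its `"version"` to 1.1.9 will not hold: the next `npm install` rebuilds the entry from the parent's declared range, and a version string changed without matching `resolved` and `integrity` fields leaves the lock describing an install that does not exist. Pin the fix with an `overrides` entry for `ip` in package.json (or bump the parent that pulls it in) and let npm rewrite the lock.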
ℹ️ Codacy found a minor Security issue: Insecure dependency ip@1.1.5 (CVE-2023-42282: nodejs-ip: arbitrary code execution via the isPublic() function) (update to 1.1.9)

The issue identified by the Trivy linter is a security vulnerability in the `ip` package version 1.1.5, specifically a CVE (CVE-2023-42282) that allows for arbitrary code execution via the `isPublic()` function. This vulnerability can potentially be exploited by an attacker to execute arbitrary code within the application, which poses a significant security risk.

To resolve this issue, you need to update the `ip` package to a secure version, as suggested by the linter. The recommended version to upgrade to is 1.1.9.

Here is the code suggestion to fix the issue by updating the version of the `ip` package:

```diff
- "node_modules/ip": {
+ "node_modules/ip": { "version": "1.1.9", ...
```

Make sure to also update your `package.json` or `package-lock.json` accordingly to reflect this change.

This comment was generated by an experimental AI tool.
"object-assign": "^4.1.1" | ||
} | ||
}, | ||
"node_modules/@teambit/legacy/node_modules/semver": { |
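Review bot: the path `node_modules/@teambit/legacy/node_modules/semver` shows this is a nested copy kept apart from any top-level `semver`, so the fix has to reach that nested copy: either a parent-scoped override in package.json (`"overrides": { "@teambit/legacy": { "semver": "7.5.2" } }`) or a newer `@teambit/legacy` whose range admits a patched release. Of the three fixed versions the scanner lists (5.7.2, 6.3.1, 7.5.2), 7.5.2 is the one on the same major line as the 7.3.4 currently resolved here; the other two would only apply if the parent's range were a 5.x or 6.x one.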
❌ Codacy found a critical Security issue: Insecure dependency semver@7.3.4 (CVE-2022-25883: nodejs-semver: Regular expression denial of service) (update to 7.5.2, 6.3.1, 5.7.2)

The issue identified by the Trivy linter is a security vulnerability in the `semver` package, specifically version 7.3.4. This vulnerability, documented as CVE-2022-25883, involves a regular expression denial of service (ReDoS) attack, which can potentially allow an attacker to exploit the way the package processes certain inputs, leading to performance degradation or denial of service.

To fix this issue, you need to update the `semver` dependency to a secure version that is not affected by this vulnerability. The recommended versions to upgrade to are 7.5.2, 6.3.1, or 5.7.2.

Here's the single line change you can make to update the version of `semver`:

```diff
- "node_modules/@teambit/legacy/node_modules/semver": {
+ "node_modules/@teambit/legacy/node_modules/semver": { "version": "7.5.2", ...
```

Make sure to update the package in your `package.json` or lock file accordingly, and then run your package manager to install the updated version.

This comment was generated by an experimental AI tool.
@@ -44899,6 +50780,146 @@ | |||
"node": ">=10" | |||
} | |||
}, | |||
"node_modules/mockery": { |
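Review bot: the scanner line below ends in `(update to )`, meaning Trivy recorded no fixed version for CVE-2022-37614, while the explanatory text asserts that 2.1.1 resolves it; the two disagree, so confirm the fixed release against the advisory before pinning anything, and if no fixed release exists the entry needs a replacement or a documented risk acceptance rather than a version edit.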
❌ Codacy found a critical Security issue: Insecure dependency mockery@2.1.0 (CVE-2022-37614: mockery is vulnerable to prototype pollution) (update to )

The issue identified by the Trivy linter pertains to a known vulnerability in the `mockery` package, specifically version 2.1.0. This vulnerability, tracked under CVE-2022-37614, allows for prototype pollution, which can lead to security risks such as arbitrary code execution or denial of service. Prototype pollution occurs when an attacker is able to modify the prototype of a base object, potentially affecting the behavior of all objects that inherit from it.

To mitigate this security risk, it is essential to update the `mockery` package to a version that has addressed this vulnerability. As of the time of writing, the latest version of `mockery` is 2.1.1, which resolves this issue.

Here's the single line change you can make to update the `mockery` dependency:

```diff
- "node_modules/mockery": {
+ "node_modules/mockery": { "version": "2.1.1", ...
```

This change will ensure that you are using a secure version of the `mockery` package.

This comment was generated by an experimental AI tool.
@@ -58379,6 +67349,16 @@ | |||
"node": ">=4.0.0" | |||
} | |||
}, | |||
"node_modules/vue-template-compiler": { |
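Review bot: the replacement line proposed below, `"vue-template-compiler": "^3.0.0",`, is package.json range syntax, but this hunk is a `node_modules/vue-template-compiler` record in the lock file, where a `name: range` pair is not a valid field; a lock record carries an exact `version` with `resolved` and `integrity`. Change the declared range in package.json and regenerate the lock instead of splicing the range into this entry. This comment also lacks the scanner summary line the other findings carry, so no CVE id or scanner-reported fixed version is recorded for it.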
The issue identified by the Trivy linter is a security vulnerability in the `vue-template-compiler` package, specifically version 2.6.12. This version is vulnerable to a client-side Cross-Site Scripting (XSS) attack, which can allow an attacker to execute arbitrary scripts in the context of a user's browser. The recommended action is to update the package to a secure version, which in this case is 3.0.0 or higher.

To resolve this issue, you should update the version of `vue-template-compiler` in your `package.json` file. Here's the single line change you need to make:

```diff
- "node_modules/vue-template-compiler": {
+ "vue-template-compiler": "^3.0.0",
```

This comment was generated by an experimental AI tool.
"node_modules/sprintf-js": { | ||
"version": "1.0.3", | ||
"resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", | ||
"integrity": "sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==", | ||
"license": "BSD-3-Clause" | ||
}, | ||
"node_modules/ssh2": { |
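Review bot: 0.8.9 to 1.4.0 crosses a major version for `ssh2`, so the two-line `"version": "1.4.0"` edit proposed below is not just a lock-file change: the package that depends on `ssh2` needs a range that admits 1.x, and its use of the API should be checked against 1.x before the override lands, otherwise the next install resolves back to 0.8.x.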
❌ Codacy found a critical Security issue: Insecure dependency ssh2@0.8.9 (CVE-2020-26301: nodejs-ssh2: Command injection by calling vulnerable method with untrusted input) (update to 1.4.0)

The issue identified by the Trivy linter is related to a security vulnerability in the `ssh2` package, specifically version 0.8.9. This vulnerability (CVE-2020-26301) allows for command injection due to the use of a vulnerable method that can be exploited when untrusted input is passed to it. To mitigate this security risk, it is recommended to update the `ssh2` package to a version that has patched this vulnerability. The suggested version to upgrade to is 1.4.0.

To fix this issue, you can change the version of the `ssh2` dependency in your `package.json` file to the recommended version. Here's the single line change you should make:

```
"node_modules/ssh2": {
  "version": "1.4.0",
```

This comment was generated by an experimental AI tool.
"pjv": "bin/pjv" | ||
} | ||
}, | ||
"node_modules/package-json-validator/node_modules/minimist": { |
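Review bot: the replacement proposed below, `"optimist": "^0.6.2"`, would place a dependency range inside the lock-file `node_modules/package-json-validator/node_modules/minimist` record, which is not a valid field there and does not change what `package-json-validator` resolves. The path shows `minimist` is a nested copy under `package-json-validator`, so the durable fix is a parent-scoped override (`"package-json-validator": { "minimist": "0.2.1" }` under `overrides`) or a `package-json-validator` release whose dependency chain no longer pulls the vulnerable `minimist`.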
❌ Codacy found a critical Security issue: Insecure dependency minimist@0.0.10 (CVE-2020-7598: nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or proto payload) (update to 0.2.1, 1.2.3)

The issue identified by the Trivy linter is related to a known security vulnerability in the `minimist` package version 0.0.10. This vulnerability, CVE-2020-7598, allows for prototype pollution, which can lead to the modification of properties on `Object.prototype`. This can potentially allow attackers to exploit the application by injecting malicious payloads.

To resolve this issue, you should update the `minimist` dependency to a secure version. The suggested secure versions are 0.2.1 or 1.2.3. However, since `minimist` is a sub-dependency of `optimist`, you would typically need to update `optimist` to a version that uses a secure version of `minimist`.

Here's the code suggestion to fix the issue by updating `optimist` to a version that does not depend on the vulnerable `minimist`:

```diff
- "node_modules/package-json-validator/node_modules/minimist": {
+ "optimist": "^0.6.2"
```

This change updates the `optimist` dependency to a version that uses a secure version of `minimist`, thus resolving the security vulnerability.

This comment was generated by an experimental AI tool.
"node": ">=10" | ||
} | ||
}, | ||
"node_modules/@teambit/legacy/node_modules/minimatch": { |
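Review bot: like the nested `semver` entry earlier in this review, `node_modules/@teambit/legacy/node_modules/minimatch` is a copy private to `@teambit/legacy`; the `"version": "3.0.5"` edit suggested below changes only the version string and leaves `resolved` and `integrity` pointing at the 3.0.4 tarball, so the lock no longer describes a consistent install. Express the pin as an `overrides` entry scoped to `@teambit/legacy` and regenerate the lock so all three fields move together.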
❌ Codacy found a critical Security issue: Insecure dependency minimatch@3.0.4 (CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function) (update to 3.0.5)

The issue identified by the Trivy linter is a security vulnerability associated with the `minimatch` package, specifically version 3.0.4. This version has a known vulnerability (CVE-2022-3517) that allows for a Regular Expression Denial of Service (ReDoS) attack via the `braceExpand` function. This vulnerability can be exploited by an attacker to cause significant performance degradation in applications that use this package, potentially leading to denial of service.

To resolve this issue, you should update the `minimatch` dependency to a secure version, specifically 3.0.5 or later, which has addressed this vulnerability.

Here's the code suggestion to fix the issue:

```
"node_modules/@teambit/legacy/node_modules/minimatch": {
  "version": "3.0.5",
```

This change updates the version of `minimatch` from 3.0.4 to 3.0.5, thus mitigating the identified security risk.

This comment was generated by an experimental AI tool.
@@ -36079,6 +41405,12 @@ | |||
"url": "https://github.com/sindresorhus/invert-kv?sponsor=1" | |||
} | |||
}, | |||
"node_modules/ip": { |
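Review bot: this is the same `node_modules/ip` hunk commented on earlier in the review, and the two scanner comments disagree about what is resolved: the earlier one reports ip@1.1.5, this one ip@1.1.8. The hunk itself does not show the `version` line, so check the actual record before choosing between the 1.1.9 and 2.0.1 fixes; 1.1.9 stays on the 1.x line and is the override that will satisfy a parent whose range is 1.x, whereas 2.0.1 needs the parent's range changed as well.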
❌ Codacy found a critical Security issue: Insecure dependency ip@1.1.8 (CVE-2023-42282: nodejs-ip: arbitrary code execution via the isPublic() function) (update to 2.0.1, 1.1.9)

The issue identified by the Trivy linter is related to a security vulnerability in the `ip` package, specifically version 1.1.8, which is susceptible to arbitrary code execution through its `isPublic()` function. This vulnerability is documented as CVE-2023-42282. To mitigate this security risk, it is recommended to update the `ip` package to a secure version, either 2.0.1 or 1.1.9, which have addressed this vulnerability.

To fix the issue, you should update the version of the `ip` package in your `package.json` or directly in your dependency management file. Here is the single line change needed:

```diff
- "node_modules/ip": {
+ "node_modules/ip": { "version": "1.1.9", ...
```

This change ensures that you are using a version of the `ip` package that is not affected by the identified security vulnerability.

This comment was generated by an experimental AI tool.
"pjv": "bin/pjv" | ||
} | ||
}, | ||
"node_modules/package-json-validator/node_modules/minimist": { |
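Review bot: second comment on the same nested `minimist` hunk, with a different one-line fix from the first (`"minimist": "^0.2.1"` here, `"optimist": "^0.6.2"` earlier); neither range belongs inside a lock-file record, and the advice below to edit the dependencies section of `package-json-validator` amounts to patching a third-party package inside node_modules, which the next install discards. A scoped `overrides` entry in the project's own package.json is the durable form of the same pin.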
The issue identified by the Trivy linter is related to a security vulnerability in the `minimist` package, specifically version 0.0.10. This version is susceptible to prototype pollution, which allows an attacker to modify properties of `Object.prototype` by using a crafted payload. This can lead to security risks such as denial of service or unintended behavior in the application.

To resolve this vulnerability, you should update the `minimist` dependency to a safer version. The recommendation is to update to at least version 0.2.1, which is not affected by this vulnerability.

Here's the single line change to update the version of `minimist`:

```diff
- "node_modules/package-json-validator/node_modules/minimist": {
+ "minimist": "^0.2.1"
```

This change should be made in the `dependencies` section of the `package-json-validator` or wherever the `minimist` dependency is defined in your project. After making this change, ensure that you run `npm install` to update the package in your `node_modules`.

This comment was generated by an experimental AI tool.
"integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==", | ||
"peer": true | ||
}, | ||
"node_modules/moment": { |
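Review bot: the context lines show the preceding record is marked `"peer": true`; check whether this `moment` entry is likewise a peer or a direct dependency, because for a direct dependency the right change is the range in package.json (2.29.2 or later) rather than the lock-file `"version"` edit suggested below. CVE-2022-24785 is specific to `moment.locale`, so the triage note should record whether locale selection is ever driven by external input, but the patch upgrade is the fix either way.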
❌ Codacy found a critical Security issue: Insecure dependency moment@2.29.1 (CVE-2022-24785: Moment.js: Path traversal in moment.locale) (update to 2.29.2)

The issue identified by the Trivy linter is a security vulnerability in the `moment` library version 2.29.1. Specifically, it relates to a path traversal vulnerability (CVE-2022-24785) that can potentially allow an attacker to read arbitrary files on the server where the application is running. This vulnerability has been addressed in version 2.29.2 of the `moment` library.

To resolve this issue, you should update the `moment` dependency to at least version 2.29.2. This can typically be done by modifying the package.json file or by running an appropriate command to update the package. However, since you requested a single line change in the provided code fragment, the suggestion is as follows:

```
"node_modules/moment": {
  "version": "2.29.2",
```

This change updates the version of the `moment` library to the secure version, thereby mitigating the identified security risk.

This comment was generated by an experimental AI tool.
@@ -57672,6 +66476,112 @@ | |||
"integrity": "sha512-x00IRNXNy63jwGkJmzPigoySHbaqpNuzKbBOmzK+g2OdZpQ9w+sxCN+VSB3ja7IAge2OP2qpfxTjeNcyjmW1uw==", | |||
"license": "ISC" | |||
}, | |||
"node_modules/utile": { |
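Review bot: the scanner reports no fixed version for `utile`, and the `npm uninstall utile` suggested below only works if `utile` is a direct dependency; for a `node_modules/utile` record that arrived transitively the uninstall is a no-op and the package returns on the next install. Run `npm ls utile` to find the parent that pulls it in and decide at that level (replace the parent, or accept the finding with a recorded justification), since a lock-file line cannot remove it.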
ℹ️ Codacy found a minor Security issue: Insecure dependency [email protected] (NSWG-ECO-445: Out-of-bounds Read) (no fix available)

The issue identified by the Trivy linter pertains to the package [email protected], which has a known security vulnerability categorized as an "Out-of-bounds Read." This type of vulnerability can lead to potential information leaks or application crashes, as it may allow an attacker to read data outside the intended buffer boundaries. Unfortunately, there is no fix available for this specific version of the package.

To address this security concern, the best course of action is to remove the insecure dependency from your project. If `utile` is not directly required, you can simply remove it. If it is a dependency of another package, you may need to look for an alternative package or a more secure version of the package that does not include the vulnerability.

Assuming `utile` is not essential, you can remove it by deleting it from your `package.json` and `package-lock.json` files. Here's a single line code suggestion to remove the package:

```diff
- "node_modules/utile": {
+ npm uninstall utile
```

If `utile` is a necessary dependency, you would need to investigate further for alternatives or updates that do not have this vulnerability.

This comment was generated by an experimental AI tool.
@@ -35312,6 +40059,12 @@ | |||
"node": ">= 0.6" | |||
} | |||
}, | |||
"node_modules/http-cache-semantics": { |
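Review bot: 3.8.1 to 4.1.1 is a major bump for `http-cache-semantics`, so the `"version": "4.1.1"` lock edit suggested below needs the consuming package to declare a range that admits 4.x; otherwise the next install resolves 3.x again. Check the parent's declared range first and use an `overrides` entry if the parent cannot be bumped.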
❌ Codacy found a critical Security issue: Insecure dependency http-cache-semantics@3.8.1 (CVE-2022-25881: http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability) (update to 4.1.1)

The issue identified by the Trivy linter is a security vulnerability associated with the `http-cache-semantics` package version 3.8.1. Specifically, it is affected by a Regular Expression Denial of Service (ReDoS) vulnerability, which can be exploited to cause performance degradation or denial of service by using specially crafted input that takes a long time to process. The suggested resolution is to upgrade the package to version 4.1.1, where this vulnerability is fixed.

To address this issue, you can update the version of the `http-cache-semantics` package in your dependency file. The following code suggestion reflects this change:

```
"node_modules/http-cache-semantics": {
  "version": "4.1.1",
```

This comment was generated by an experimental AI tool.
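The review comments above all propose editing a `"version"` string inside a generated lock-file record. As an added example (not code from this PR, from Dependabot, or from Codacy's tooling), the script below does what a reviewer would do instead: it walks an npm lockfile `packages` map, treats each `node_modules/<parent>/node_modules/<pkg>` key as a nested copy pinned by that parent (as with the `@teambit/legacy` and `package-json-validator` entries), flags versions below the fixed releases quoted in the comments, and drafts the package.json `overrides` block that would pin them, parent-scoped for nested copies. The advisory table and sample lockfile are constructed from the figures in the comments; the `utile` version is a placeholder because the page does not show it.

```javascript
// Added example (not Codacy's or Dependabot's code): audit an npm lockfile's
// "packages" map against advisories quoted in the review comments and draft the
// package.json "overrides" that pin the fixes. Assumes lockfileVersion 2/3 layout
// and plain x.y.z versions (prerelease tags are not handled).
const ADVISORIES = { // constructed from the scanner lines above, fixes ascending
  ip: { id: "CVE-2023-42282", fixed: ["1.1.9", "2.0.1"] },
  semver: { id: "CVE-2022-25883", fixed: ["5.7.2", "6.3.1", "7.5.2"] },
  minimist: { id: "CVE-2020-7598", fixed: ["0.2.1", "1.2.3"] },
  ssh2: { id: "CVE-2020-26301", fixed: ["1.4.0"] },
  utile: { id: "NSWG-ECO-445", fixed: [] }, // scanner lists no fixed version
};
const parse = (v) => v.split(".").map(Number);
const lt = (a, b) => { const x = parse(a), y = parse(b), i = x.findIndex((n, j) => n !== y[j]);
  return i >= 0 && x[i] < y[i]; };
// Release to move to: same-major fix if listed, else the lowest fix when every listed
// fix is a newer major (a breaking upgrade), else null (this major line has no fix).
function fixFor(version, fixed) {
  const major = parse(version)[0];
  return fixed.find((f) => parse(f)[0] === major) ||
    (fixed.length > 0 && major < parse(fixed[0])[0] ? fixed[0] : null);
}
function isVulnerable(version, fixed) {
  const f = fixFor(version, fixed); // no fix published at all: always flagged
  return fixed.length === 0 || (f !== null && lt(version, f));
}
// The name is whatever follows the last "node_modules/"; anything before it is the
// parent whose own dependency range pins this nested copy (as in the hunks above).
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const parts = path.split("node_modules/");
    const name = parts[parts.length - 1], adv = ADVISORIES[name];
    if (!adv || !entry.version || !isVulnerable(entry.version, adv.fixed)) continue;
    const parent = parts.length > 2 ? parts[parts.length - 2].replace(/\/$/, "") : null;
    findings.push({ path, name, version: entry.version, id: adv.id, parent,
                    fix: fixFor(entry.version, adv.fixed) });
  }
  return findings;
}
// Nested copies get a parent-scoped override so only that parent's copy is pinned.
function draftOverrides(findings) {
  const overrides = {};
  for (const f of findings.filter((f) => f.fix)) { // unfixed: replace the parent instead
    if (f.parent) (overrides[f.parent] = overrides[f.parent] || {})[f.name] = f.fix;
    else overrides[f.name] = f.fix;
  }
  return overrides;
}
// Constructed sample lockfile; the utile version is a placeholder (not on the page).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/ip": { version: "1.1.8" },
  "node_modules/semver": { version: "7.5.4" }, // top-level copy, already fixed
  "node_modules/@teambit/legacy/node_modules/semver": { version: "7.3.4" },
  "node_modules/package-json-validator/node_modules/minimist": { version: "0.0.10" },
  "node_modules/ssh2": { version: "0.8.9" },
  "node_modules/utile": { version: "0.0.0" },
} };
const FINDINGS = auditLockfile(SAMPLE_LOCK);
console.log(JSON.stringify({ findings: FINDINGS, overrides: draftOverrides(FINDINGS) }, null, 2));
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; after adding the printed `overrides` to package.json, `npm install` regenerates `version`, `resolved` and `integrity` together.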
Bumps @intlify/core-base to 9.14.2 and updates ancestor dependency vue-i18n. These dependencies need to be updated together.

Updates `@intlify/core-base` from 9.13.1 to 9.14.2

Release notes
Sourced from @intlify/core-base's releases.

Changelog
Sourced from @intlify/core-base's changelog.
... (truncated)

Commits
- 5448139 release: v9.14.2
- af67265 release: v9.14.1
- 8e9f6d5 release: v9.14.0

Updates `vue-i18n` from 9.13.1 to 9.14.2

Release notes
Sourced from vue-i18n's releases.

Changelog
Sourced from vue-i18n's changelog.
... (truncated)

Commits
- 5448139 release: v9.14.2
- af67265 release: v9.14.1
- 8e9f6d5 release: v9.14.0
- b07a9a4 fix: vue-i18n type definition for vue package (#1919)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.