Bump @typescript-eslint/eslint-plugin from 7.18.0 to 8.18.0 #4673
Conversation
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 7.18.0 to 8.18.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.18.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot merge
Sorry, only users with push access can use that command.
@@ -35312,6 +40322,12 @@ | |||
"node": ">= 0.6" | |||
} | |||
}, | |||
"node_modules/http-cache-semantics": { |
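Review bot: The hunk shows only the `node_modules/http-cache-semantics` key, not its `version`, `resolved` or `integrity` fields, so the 3.8.1 reported in the Codacy comment below cannot be confirmed from the diff alone; expand the entry during review. If it is 3.8.1, the suggested edit of just `"version": "4.1.1"` would leave the entry internally inconsistent (`resolved` and `integrity` still describing the old tarball); bump the dependency that requires it, or add an npm `overrides` entry, and let npm regenerate the lockfile.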
❌ Codacy found a critical Security issue: Insecure dependency http-cache-semantics@3.8.1 (CVE-2022-25881: http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability) (update to 4.1.1)

The issue identified by the Trivy linter is a security vulnerability in the `http-cache-semantics` package, specifically version `3.8.1`. This vulnerability, designated as CVE-2022-25881, is a Regular Expression Denial of Service (ReDoS) vulnerability. It can potentially allow an attacker to exploit the regular expression processing in the package, leading to performance degradation or application denial of service.

To resolve this issue, you should update the `http-cache-semantics` package to a secure version. The recommended version is `4.1.1`, which does not have this vulnerability.

Here is the code suggestion to fix the issue by updating the version of `http-cache-semantics`:

```json
"node_modules/http-cache-semantics": {
  "version": "4.1.1",
```

This change updates the version of the `http-cache-semantics` package to the secure version, mitigating the identified vulnerability.

This comment was generated by an experimental AI tool.
@@ -44899,6 +51043,146 @@ | |||
"node": ">=10" | |||
} | |||
}, | |||
"node_modules/mockery": { |
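Review bot: The header `@@ -44899,6 +51043,146 @@` shows this one hunk adds 146 lockfile lines and that the file has already grown by about 6,100 lines at this point, far more than a bump of a single ESLint plugin should produce; check whether the lockfile was regenerated with a different npm version or whether unrelated packages such as `mockery` (a test-mocking library) are really required by `@typescript-eslint/eslint-plugin`. Note also that the Codacy finding for this entry ends with `(update to )`, i.e. no fixed version is known, so the `2.1.1` proposed in the comment below is a guess and must be checked against the registry before any edit.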
❌ Codacy found a critical Security issue: Insecure dependency mockery@2.1.0 (CVE-2022-37614: mockery is vulnerable to prototype pollution) (update to )

The issue identified by the Trivy linter is related to a security vulnerability in the `mockery` package, specifically version `2.1.0`. This vulnerability, classified as CVE-2022-37614, allows for prototype pollution, which can lead to potential security risks such as unauthorized access or modification of object properties in JavaScript applications.

To address this issue, the recommended solution is to update the `mockery` package to a version that does not have this vulnerability. The latest version at the time of this response should be checked on the npm registry for a secure version.

Assuming that a newer, secure version of `mockery` is available (for example, `2.1.1` or later), the code suggestion to fix the issue would be:

```diff
-"node_modules/mockery": {
+"node_modules/mockery": { "version": "2.1.1", ...
```

Make sure to replace `2.1.1` with the actual latest secure version available.

This comment was generated by an experimental AI tool.
@@ -57672,6 +66771,112 @@ | |||
"integrity": "sha512-x00IRNXNy63jwGkJmzPigoySHbaqpNuzKbBOmzK+g2OdZpQ9w+sxCN+VSB3ja7IAge2OP2qpfxTjeNcyjmW1uw==", | |||
"license": "ISC" | |||
}, | |||
"node_modules/utile": { |
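Review bot: The suggestion in the comment below, `"node_modules/utile": null`, is not a valid lockfile edit: `null` is not a package entry, and whatever depends on `utile` still lists it, so the package comes back on the next `npm install`. Since the finding states that no fixed version exists, run `npm ls utile` to find the dependent package and upgrade or replace that one instead.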
ℹ️ Codacy found a minor Security issue: Insecure dependency utile@0.3.0 (NSWG-ECO-445: Out-of-bounds Read) (no fix available)

The issue identified by the Trivy linter refers to a security vulnerability in the `utile` package version 0.3.0, specifically an "Out-of-bounds Read" vulnerability. This type of vulnerability can allow an attacker to read data beyond the bounds of allocated memory, potentially leading to information leakage or application crashes. Since there is no fix available for this version, it is advisable to remove or replace the vulnerable package.

A common approach to handle such vulnerabilities is to upgrade to a more secure version of the package or to remove it altogether if it is not critical to the application. However, since `utile` is a dependency that may be used by other packages, a more practical solution is to remove it from the dependency tree.

To address the issue, you can remove the `utile` package from your `package.json` file. Here’s the single line change you could make:

```diff
-"node_modules/utile": {
+"node_modules/utile": null,
```

This indicates that `utile` should be removed as a dependency, effectively mitigating the security risk associated with it. However, keep in mind that you will need to ensure that any code relying on `utile` is updated accordingly.

This comment was generated by an experimental AI tool.
"node_modules/sprintf-js": { | ||
"version": "1.0.3", | ||
"resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", | ||
"integrity": "sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==", | ||
"license": "BSD-3-Clause" | ||
}, | ||
"node_modules/ssh2": { |
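Review bot: The replacement `"ssh2": "^1.4.0"` proposed in the comment below is a package.json dependency range, not a lockfile entry; substituting it for the `node_modules/ssh2` key would corrupt package-lock.json. Going from 0.8.9 to 1.4.0 is also a major-version jump, so the package that requires `ssh2` needs to be bumped (or overridden with an npm `overrides` entry) and checked for compatibility, then the lockfile regenerated.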
❌ Codacy found a critical Security issue: Insecure dependency ssh2@0.8.9 (CVE-2020-26301: nodejs-ssh2: Command injection by calling vulnerable method with untrusted input) (update to 1.4.0)

The issue reported by the Trivy linter is related to a security vulnerability in the `ssh2` package version 0.8.9, specifically identified by CVE-2020-26301. This vulnerability allows for command injection when using certain methods with untrusted input, potentially leading to unauthorized command execution on the server. To mitigate this risk, it is recommended to update the `ssh2` package to a secure version, which in this case is version 1.4.0 or higher.

To fix the issue, you can update the `ssh2` dependency in your `package.json` file to the recommended version. Here’s the code suggestion:

```diff
-"node_modules/ssh2": {
+"ssh2": "^1.4.0"
```

Make sure to run `npm install` after making this change to update your dependencies and ensure that the vulnerable version is replaced with the secure one.

This comment was generated by an experimental AI tool.
@@ -58379,6 +67645,16 @@ | |||
"node": ">=4.0.0" | |||
} | |||
}, | |||
"node_modules/vue-template-compiler": { |
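Review bot: Unlike the other findings on this PR, the comment below cites no advisory identifier and no fixed version, and the `3.0.0` it proposes is a major-version jump from the 2.6.12 it reports; confirm the advisory (identifier and fixed range) and check which dependency requires `vue-template-compiler` before changing anything. Editing the `version` field alone leaves `resolved` and `integrity` describing 2.6.12.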
The issue identified by the Trivy linter is a known vulnerability in the `vue-template-compiler` package, specifically version 2.6.12, which is susceptible to a client-side Cross-Site Scripting (XSS) attack. This vulnerability can allow an attacker to inject malicious scripts into web pages viewed by other users, potentially compromising user data and security.

To mitigate this vulnerability, it is recommended to update the `vue-template-compiler` to a secure version, such as 3.0.0 or higher, where this issue has been addressed.

Here is the code suggestion to fix the issue by updating the version of `vue-template-compiler`:

```json
"node_modules/vue-template-compiler": {
  "version": "3.0.0",
```

This comment was generated by an experimental AI tool.
@@ -36079,6 +41668,12 @@ | |||
"url": "https://github.com/sindresorhus/invert-kv?sponsor=1" | |||
} | |||
}, | |||
"node_modules/ip": { |
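Review bot: Two Codacy comments are attached to this hunk (this one and a second further down on the same `@@ -36079,6 +41668,12 @@` header) and they disagree about what is being added: 1.1.5 rated minor versus 1.1.8 rated critical, both for CVE-2023-42282. Expand the entry to see the actual `version`; either value is below 1.1.9, and the second comment's `"ip": "^1.1.9"` is a package.json range rather than a lockfile entry. Bump or override the package that requires `ip` instead of editing the lock by hand.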
ℹ️ Codacy found a minor Security issue: Insecure dependency ip@1.1.5 (CVE-2023-42282: nodejs-ip: arbitrary code execution via the isPublic() function) (update to 1.1.9)

The issue identified by the Trivy linter is a security vulnerability in the `ip` package version 1.1.5, specifically related to CVE-2023-42282. This vulnerability allows for arbitrary code execution through the `isPublic()` function in the `ip` package. To mitigate this risk, it is recommended to update the `ip` package to a safer version, specifically version 1.1.9 or later.

To address this issue, you can update the version of the `ip` package in your `package.json` file. Here is the single line change you should make:

```diff
-"node_modules/ip": {
+"node_modules/ip": { "version": "1.1.9", ... }
```

Make sure to run `npm install` after making this change to ensure that the updated version is installed.

This comment was generated by an experimental AI tool.
"object-assign": "^4.1.1" | ||
} | ||
}, | ||
"node_modules/@teambit/legacy/node_modules/semver": { |
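Review bot: This entry is nested under `node_modules/@teambit/legacy`, so semver 7.3.4 is a transitive dependency of `@teambit/legacy` and cannot be fixed by rewriting the lockfile line as the comment below suggests; either upgrade `@teambit/legacy` to a release that requires semver 7.5.2 or later, or add an npm `overrides` entry for `semver`, then regenerate the lockfile so `resolved` and `integrity` match.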
❌ Codacy found a critical Security issue: Insecure dependency semver@7.3.4 (CVE-2022-25883: nodejs-semver: Regular expression denial of service) (update to 7.5.2, 6.3.1, 5.7.2)

The issue identified by the Trivy linter is related to a known security vulnerability in the `semver` package version `7.3.4`, specifically CVE-2022-25883. This vulnerability is categorized as a Regular Expression Denial of Service (ReDoS) issue, which can potentially allow an attacker to cause a denial of service by exploiting certain regular expressions used in the library. To mitigate this risk, it is recommended to update the `semver` package to a version that is not affected by this vulnerability, such as `7.5.2`, `6.3.1`, or `5.7.2`.

To fix the issue, you can update the version of `semver` in your `package.json` or wherever this dependency is defined. Here is a single line change that achieves this:

```diff
-"node_modules/@teambit/legacy/node_modules/semver": {
+"node_modules/@teambit/legacy/node_modules/semver": { "version": "7.5.2", ...
```

This change updates the version of `semver` to `7.5.2`, which is a secure version and resolves the identified vulnerability.

This comment was generated by an experimental AI tool.
"pjv": "bin/pjv" | ||
} | ||
}, | ||
"node_modules/package-json-validator/node_modules/minimist": { |
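Review bot: Same situation as the nested semver entry: minimist 0.0.10 is installed under `package-json-validator` (via `optimist`, according to the comment below), so the fix is an upgrade of `package-json-validator` or an npm `overrides` entry, not a hand-edit of this line. The first of the two comments on this hunk also proposes `"integrity": "sha512-<new-integrity-hash>"` as a placeholder, which would fail integrity verification; a guessed hash must never be committed.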
The issue identified by the Trivy linter is related to the `minimist` package, specifically version `0.0.10`. This version is vulnerable to a security flaw known as prototype pollution, which allows an attacker to add or modify properties of `Object.prototype`. This can lead to unexpected behavior in applications that rely on the integrity of JavaScript objects. The recommended action is to update `minimist` to a version that is not affected by this vulnerability, specifically to version `0.2.1` or higher.

To fix this issue, you should update the `minimist` dependency in the `package-json-validator` package to a secure version. Since `minimist` is a sub-dependency of `optimist`, you may need to update `optimist` to a version that depends on a secure version of `minimist`.

Here's the suggested change to update the `minimist` version:

```json
"node_modules/package-json-validator/node_modules/minimist": {
  "version": "0.2.1",
  "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.2.1.tgz",
  "integrity": "sha512-<new-integrity-hash>",
  "peer": true
},
```

Note: You would need to replace `<new-integrity-hash>` with the actual integrity hash for the updated version of `minimist`. Additionally, ensure that you update the `optimist` dependency if it does not already require a secure version of `minimist`.

This comment was generated by an experimental AI tool.
@@ -36079,6 +41668,12 @@ | |||
"url": "https://github.com/sindresorhus/invert-kv?sponsor=1" | |||
} | |||
}, | |||
"node_modules/ip": { |
❌ Codacy found a critical Security issue: Insecure dependency ip@1.1.8 (CVE-2023-42282: nodejs-ip: arbitrary code execution via the isPublic() function) (update to 2.0.1, 1.1.9)

The issue identified by the Trivy linter pertains to a security vulnerability in the `ip` package, specifically version `1.1.8`, which is susceptible to arbitrary code execution via the `isPublic()` function. This vulnerability is documented under CVE-2023-42282. To mitigate this risk, it is recommended to update the `ip` package to a non-vulnerable version, either `2.0.1` or `1.1.9`.

To address this issue, you can update the version of the `ip` package in your `package.json` file. Here’s the single line change you would make:

```diff
-"node_modules/ip": {
+"ip": "^1.1.9",
```

This change specifies that the `ip` package should be updated to version `1.1.9` or higher, which resolves the security vulnerability.

This comment was generated by an experimental AI tool.
"integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==", | ||
"peer": true | ||
}, | ||
"node_modules/moment": { |
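Review bot: The fix proposed in the comment below changes only `"version": "2.29.2"`, while the context lines of this hunk show that entries in this lockfile carry `integrity` fields; changing `version` without `resolved` and `integrity` leaves the entry describing the 2.29.1 tarball. Bump whatever requires `moment` and let npm rewrite the entry.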
❌ Codacy found a critical Security issue: Insecure dependency moment@2.29.1 (CVE-2022-24785: Moment.js: Path traversal in moment.locale) (update to 2.29.2)

The issue identified by the Trivy linter pertains to a security vulnerability in the `moment` library, specifically version `2.29.1`. The vulnerability, tracked as CVE-2022-24785, involves a path traversal issue in the `moment.locale` function, which could potentially allow an attacker to manipulate file paths in certain scenarios. To mitigate this vulnerability, it is recommended to update the `moment` library to a secure version, which in this case is `2.29.2` or later.

To fix the issue, you can update the version of the `moment` dependency in your `package.json` file. Here’s the suggested change:

```json
"node_modules/moment": {
  "version": "2.29.2",
```

This comment was generated by an experimental AI tool.
"node": ">=10" | ||
} | ||
}, | ||
"node_modules/@teambit/legacy/node_modules/minimatch": { |
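Review bot: Nested under `node_modules/@teambit/legacy` like the semver entry above, so the `"minimatch": "^3.0.5"` replacement proposed below (a package.json range substituted for a lockfile key) is both syntactically wrong and ineffective; handle `semver` and `minimatch` together with one `@teambit/legacy` upgrade or two npm `overrides` entries, then regenerate the lockfile.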
❌ Codacy found a critical Security issue: Insecure dependency minimatch@3.0.4 (CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function) (update to 3.0.5)

The issue identified by the Trivy linter pertains to a known vulnerability in the `minimatch` package, specifically version `3.0.4`. This vulnerability, identified as CVE-2022-3517, is related to a Regular Expression Denial of Service (ReDoS) that can be exploited through the `braceExpand` function. Essentially, this means that an attacker could potentially craft input that takes an excessive amount of time to process, leading to denial of service for the application using this package.

To resolve this issue, you should update the `minimatch` package to a secure version that does not have this vulnerability. The recommended version is `3.0.5` or higher.

Here’s the single line change to update the version of `minimatch`:

```diff
-"node_modules/@teambit/legacy/node_modules/minimatch": {
+"minimatch": "^3.0.5"
```

This comment was generated by an experimental AI tool.
"pjv": "bin/pjv" | ||
} | ||
}, | ||
"node_modules/package-json-validator/node_modules/minimist": { |
❌ Codacy found a critical Security issue: Insecure dependency minimist@0.0.10 (CVE-2020-7598: nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or proto payload) (update to 0.2.1, 1.2.3)

The issue identified by the Trivy linter is related to a security vulnerability in the `minimist` package, specifically version `0.0.10`. This version is affected by a prototype pollution vulnerability (CVE-2020-7598), which allows an attacker to manipulate the properties of `Object.prototype` through crafted input, potentially leading to unexpected behavior or security issues. The recommended action is to update `minimist` to a safer version, such as `0.2.1` or `1.2.3`, which have addressed this vulnerability.

To fix the issue, you can update the version of `minimist` in your `package.json` or the relevant dependency tree. Here’s the single line change you can make:

```diff
-"node_modules/package-json-validator/node_modules/minimist": {
+"node_modules/package-json-validator/node_modules/minimist": { "version": "0.2.1", ... }
```

Make sure to replace the `...` with the other properties that were originally present in that object to maintain the integrity of the configuration.

This comment was generated by an experimental AI tool.
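Added example, not code from this PR or from Codacy/Trivy: a Node script that audits a package-lock.json against the package versions and fixed versions quoted in the review comments above and reports the nesting path of each hit, which is what identifies the parent dependency to bump (the recurring gap in the suggested one-line edits). The `FLAGGED` table and the sample lockfile are constructed from the comments on this page.

```javascript
// Added example, not code from this PR or from Codacy/Trivy: walk a package-lock.json
// (lockfileVersion 2/3 "packages" map), flag entries below the fixed versions quoted in
// the review comments, and report the nesting path. For a nested entry the parent in
// that path is the package that must be bumped (or overridden via npm "overrides");
// hand-editing "version" leaves "resolved" and "integrity" describing the old tarball.
const FLAGGED = {   // identifiers and fixed versions as stated in the comments on this PR
  'http-cache-semantics': { id: 'CVE-2022-25881', fixed: ['4.1.1'] },
  ssh2:      { id: 'CVE-2020-26301', fixed: ['1.4.0'] },
  ip:        { id: 'CVE-2023-42282', fixed: ['2.0.1', '1.1.9'] },
  semver:    { id: 'CVE-2022-25883', fixed: ['7.5.2', '6.3.1', '5.7.2'] },
  minimist:  { id: 'CVE-2020-7598',  fixed: ['0.2.1', '1.2.3'] },
  moment:    { id: 'CVE-2022-24785', fixed: ['2.29.2'] },
  minimatch: { id: 'CVE-2022-3517',  fixed: ['3.0.5'] },
  utile:     { id: 'NSWG-ECO-445',   fixed: [] },          // no fix available
};

const parse = (v) => v.split('.').map(Number);             // plain x.y.z only, no prerelease tags
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Fixed when the version reaches the fix on its own major line, or when its major is
// newer than every fixed line. An empty fix list means every version stays flagged.
function isFixed(version, fixed) {
  if (fixed.length === 0) return false;
  const major = parse(version)[0];
  const sameLine = fixed.filter((f) => parse(f)[0] === major);
  if (sameLine.length) return sameLine.some((f) => cmp(version, f) >= 0);
  return fixed.every((f) => parse(f)[0] < major);
}

function auditLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx < 0 || !entry.version) continue;               // skips the root ("") entry
    const name = path.slice(idx + 'node_modules/'.length); // handles @scope/name too
    const adv = FLAGGED[name];
    if (!adv || isFixed(entry.version, adv.fixed)) continue;
    const parent = idx === 0 ? '<root>' : path.slice(0, idx - 1); // drop "/node_modules/<name>"
    hits.push({ name, version: entry.version, path, parent, id: adv.id,
                fix: adv.fixed.length ? adv.fixed.join(' | ') : 'none: remove or replace' });
  }
  return hits;
}

// Constructed sample lockfile fragment using versions taken from this PR's review comments.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/moment': { version: '2.29.1' },
  'node_modules/ip': { version: '1.1.9' },                 // already on the fixed line
  'node_modules/@teambit/legacy': { version: '1.0.0' },
  'node_modules/@teambit/legacy/node_modules/semver': { version: '7.3.4' },
  'node_modules/package-json-validator/node_modules/minimist': { version: '0.0.10' },
  'node_modules/utile': { version: '0.3.0' },
} };
console.table(auditLock(SAMPLE_LOCK));
```

Point `auditLock` at `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real lockfile; the `parent` column tells you which package to upgrade or override.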
Superseded by #4683.
Bumps @typescript-eslint/eslint-plugin from 7.18.0 to 8.18.0.

Release notes
Sourced from @typescript-eslint/eslint-plugin's releases. ... (truncated)

Changelog
Sourced from @typescript-eslint/eslint-plugin's changelog. ... (truncated)

Commits
- c60dbab chore(release): publish 8.18.0
- 0d65f17 chore: enforce repo nullish check style (#10419)
- a54a8e1 fix(eslint-plugin): [use-unknown-in-catch-callback-variable] only flag functi...
- 24a1510 fix(eslint-plugin): [no-base-to-string] handle more robustly when multiple `t...
- 47f1ab3 feat(eslint-plugin): [switch-exhaustiveness-check] add support for "no defaul...
- 772bd43 fix(eslint-plugin): [no-deprecated] check if a JSX attribute is deprecated (#...
- 4cb2cf8 fix: typescript peer dependency (#10373)
- 0cc7919 feat(eslint-plugin): [no-deprecated] report on super call of deprecated const...
- 2c8a75e chore(release): publish 8.17.0
- 670df27 feat(eslint-plugin): [prefer-promise-reject-errors] options to allow any and ...

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)