
chore(deps): [security] bump node-notifier from 8.0.0 to 8.0.1 #1815

Merged: 1 commit merged into master from dependabot/npm_and_yarn/node-notifier-8.0.1, Dec 21, 2020

Conversation

dependabot-preview[bot] (Contributor) commented Dec 21, 2020

Bumps node-notifier from 8.0.0 to 8.0.1. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

OS Command Injection in node-notifier

This affects the package node-notifier before 8.0.1. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Affected versions: < 8.0.1

Changelog

Sourced from node-notifier's changelog.

v8.0.1

  • fixes possible injection issue for notify-send

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will merge this PR once CI passes on it, as requested by @trivikr.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in the .dependabot/config.yml file in this repo:

  • Update frequency
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

dependabot-preview[bot] added labels "dependencies" (This issue is a problem in a dependency.) and "SECURITY" (SECURITY ISSUE), Dec 21, 2020
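The advisory quoted above is short on detail, so here is an added example (written for this page; it is not node-notifier's, Dependabot's or the repository's own code) covering the two things a reviewer of a bump like this usually wants to check. Part 1 audits a package-lock.json for copies of node-notifier still pinned below 8.0.1, nested copies included, since a top-level bump does not always replace a copy vendored under another package. Part 2 is an illustrative notify-send wrapper, not node-notifier's implementation, showing the general pattern behind "options passed as an array": values that end up in a shell command line versus values passed as separate argv entries. The lockfile fragment, the package name "example-reporter" and the hostile input are all constructed for the example.

```javascript
// Added example for this PR page; it is not node-notifier's, Dependabot's or
// the repository's code. Part 1 audits a lockfile for copies of node-notifier
// still pinned below 8.0.1, nested copies included. Part 2 is an illustrative
// (not node-notifier's) notify-send wrapper showing why an option that arrives
// as an array must become argv entries rather than shell text.

// ---- Part 1: lockfile audit -------------------------------------------------

// Compare two dotted version strings numerically; returns <0, 0 or >0.
// Pre-release suffixes are dropped, which is enough for an 8.0.0 vs 8.0.1 check.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every install path at which `name` is pinned below `fixedIn`.
// lockfileVersion 2/3 lockfiles carry a flat "packages" map keyed by path;
// lockfileVersion 1 nests "dependencies" and has to be walked recursively.
function findVulnerable(lock, name, fixedIn) {
  const hits = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + name) && entry.version &&
          compareVersions(entry.version, fixedIn) < 0) {
        hits.push({ path, version: entry.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [depName, entry] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + depName;
      if (depName === name && compareVersions(entry.version, fixedIn) < 0) {
        hits.push({ path, version: entry.version });
      }
      walk(entry.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed lockfileVersion 1 fragment (not the repo's real lockfile): the
// direct devDependency is already at 8.0.1, but a hypothetical package
// "example-reporter" still nests the old 8.0.0 under its own node_modules.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'node-notifier': { version: '8.0.1' },
    'example-reporter': {
      version: '1.0.0',
      dependencies: { 'node-notifier': { version: '8.0.0' } },
    },
  },
};

// ---- Part 2: array-valued options and notify-send ---------------------------
//
// Illustrative wrapper, not node-notifier's code. notify-send takes a summary,
// a body and repeatable --hint flags, so an option like { hint: [...] } is
// exactly where an array of caller-supplied strings reaches the command.

// Unsafe shape: the values are pasted into one command line for a shell to
// re-parse. Wrapping each value in double quotes does not help once a value
// carries a double quote of its own.
function unsafeCommandLine(opts) {
  const parts = ['notify-send'];
  for (const h of [].concat(opts.hint || [])) parts.push('--hint "' + h + '"');
  parts.push('"' + opts.title + '"', '"' + opts.message + '"');
  return parts.join(' ');
}

// Safe shape: one argv element per value and no shell in between, which is
// what child_process.spawn('notify-send', argv) does by default (shell: false).
// A quote or ';' inside a value stays a literal character of that argument.
function safeArgv(opts) {
  const argv = [];
  for (const h of [].concat(opts.hint || [])) {
    if (typeof h !== 'string') throw new TypeError('hint entries must be strings');
    argv.push('--hint', h);
  }
  argv.push(String(opts.title), String(opts.message));
  return argv;
}

// Constructed hostile input: the hint closes the quotes, runs `id`, reopens them.
const HOSTILE = { title: 'hi', message: 'x', hint: ['a" ; id ; "'] };

// Stand-alone run: print the audit findings and both command shapes.
console.log(findVulnerable(SAMPLE_LOCK, 'node-notifier', '8.0.1'));
console.log(unsafeCommandLine(HOSTILE));
console.log(safeArgv(HOSTILE));
```

To run the audit against a real repository, replace SAMPLE_LOCK with `require('./package-lock.json')`; any hit at a nested path means the bump in this PR did not reach that copy and a `npm dedupe` or an explicit override is still needed. The argv builder is the shape to look for when reviewing any wrapper around a command-line tool: values go into the array, never into a string that `exec` or `shell: true` would hand to a shell.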
@codecov-io commented

Codecov Report

Merging #1815 (65209f6) into master (de75f7e) will decrease coverage by 0.49%.
The diff coverage is n/a.


@@            Coverage Diff             @@
##           master    #1815      +/-   ##
==========================================
- Coverage   79.77%   79.28%   -0.50%     
==========================================
  Files         325      367      +42     
  Lines       12087    15116    +3029     
  Branches     2553     3221     +668     
==========================================
+ Hits         9643    11985    +2342     
- Misses       2444     3131     +687     
Impacted Files Coverage Δ
protocol_tests/aws-json/models/models_0.ts 79.36% <0.00%> (-20.64%) ⬇️
packages/util-user-agent-node/src/index.ts 88.88% <0.00%> (-11.12%) ⬇️
protocol_tests/aws-restjson/models/models_0.ts 89.43% <0.00%> (-10.57%) ⬇️
...rotocol_tests/aws-restxml/protocols/Aws_restXml.ts 64.10% <0.00%> (-2.15%) ⬇️
...ackages/node-http-handler/src/node-http-handler.ts 98.00% <0.00%> (-2.00%) ⬇️
packages/middleware-sdk-sqs/src/send-message.ts 86.66% <0.00%> (-0.84%) ⬇️
protocol_tests/aws-query/protocols/Aws_query.ts 66.34% <0.00%> (-0.38%) ⬇️
...kages/middleware-sdk-sqs/src/send-message-batch.ts 92.30% <0.00%> (-0.29%) ⬇️
...kages/fetch-http-handler/src/fetch-http-handler.ts 9.30% <0.00%> (-0.23%) ⬇️
protocol_tests/aws-ec2/protocols/Aws_ec2.ts 66.93% <0.00%> (-0.01%) ⬇️
... and 188 more

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 842e2a0...65209f6.

@trivikr trivikr merged commit d4cb977 into master Dec 21, 2020
@trivikr trivikr deleted the dependabot/npm_and_yarn/node-notifier-8.0.1 branch December 21, 2020 18:37
github-actions bot commented Jan 8, 2021

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 8, 2021