build(deps-dev): bump @cyclonedx/bom from 3.10.6 to 4.0.2 by dependabot[bot] · Pull Request #43 · boilerplate-language/boilerplate-nodejs

dependabot · 2022-10-21T15:16:03Z

Bumps @cyclonedx/bom from 3.10.6 to 4.0.2.

Release notes

Sourced from @cyclonedx/bom's releases.

4.0.2

Docs

Fixed some typos

4.0.1

Docs:

Describe the "Out of Scope" section (via #342)

Fixed some typos

#342: CycloneDX/cyclonedx-node-module#342

4.0.0

This package became a so-called meta-package, it does not ship any own functionality, but it is a collection of dependencies. (via #321)

This package's dependencies are tools with one purpose in common: generate CycloneDX Software Bill-of-Materials (SBOM) from node-based projects.

for npm-based projects: @cyclonedx/cyclonedx-npm

for yarn-based projects: to be announced

for pnpm-based projects: to be announced

If you are looking for a JavaScript/TypeScript library for working with CycloneDX, its data models or serialization, then you might want to try @cyclonedx/cyclonedx-library.

#321: CycloneDX/cyclonedx-node-module#321

Previous versions

This project used to be a tool-set and a library to work and generate CycloneDX Software Bill-of-Materials (SBOM) from npm and yarn based projects.
Since version 4.0, this was all split to individual projects, and this project changed to a bare meta-package.

Previous versions of this very package are still available via npmjs versions and github releases.

4.0.0-rc.1

No release notes provided.

Changelog

Sourced from @cyclonedx/bom's changelog.

4.0.2 - 2022-10-21

Docs:

Fixed some typos

4.0.1 - 2022-10-21

Docs:

Describe the "Out of Scope" section (via #342)

Fixed some typos

#342: CycloneDX/cyclonedx-node-module#342

4.0.0 - 2022-10-21

This became a so-called meta-package, it does not ship any own functionality, but it is a collection of dependencies. (via #321)

This package's dependencies are tools with one purpose in common: generate CycloneDX Software Bill-of-Materials (SBOM) from node-based projects.

for npm-based projects: @cyclonedx/cyclonedx-npm

for yarn-based projects: to be announced

for pnpm-based projects: to be announced

If you are looking for a JavaScript/TypeScript library for working with CycloneDX, its data models or serialization, then you might want to try @cyclonedx/cyclonedx-library.

#321: CycloneDX/cyclonedx-node-module#321

Commits

4078b41 4.0.2
fe05582 prepare v4.0.2
acba6ad docs: fix npmjs links
dbe0bfb 4.0.1
d68612e docs: describe scope (#342)
c5179a0 typo
5a44cc1 4.0.0
f5d9636 prepare v4.0.0
a8b7028 Bump pnpm/action-setup from 2.2.2 to 2.2.4 (#340)
78ea046 CI: remove set-output
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

github-actions · 2022-10-21T15:16:32Z

=== npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Sandbox Bypass Leading to Arbitrary Code Execution in        │
│               │ constantinople                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ constantinople                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jade                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jade > constantinople                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-4vmm-mhcq-4x9j            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Incorrect Handling of Non-Boolean Comparisons During         │
│               │ Minification in uglify-js                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ uglify-js                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.4.24                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jade                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jade > transformers > uglify-js                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-34r7-q49f-h37c            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service in uglify-js            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ uglify-js                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.6.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jade                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jade > transformers > uglify-js                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c9f4-xj24-8jqx            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service in clean-css            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ clean-css                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.1.11                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jade                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jade > clean-css                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-wxhq-pm8v-cw75            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 4 vulnerabilities (1 low, 1 high, 2 critical) in 825 scanned packages
  4 vulnerabilities require manual review. See the full report for details.

github-actions · 2022-10-21T15:16:34Z

# npm audit report

clean-css  <4.1.11
Regular Expression Denial of Service in clean-css - https://github.com/advisories/GHSA-wxhq-pm8v-cw75
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/clean-css
  jade  >=0.30.0
  Depends on vulnerable versions of clean-css
  Depends on vulnerable versions of constantinople
  Depends on vulnerable versions of transformers
  node_modules/jade

constantinople  <3.1.1
Severity: critical
Sandbox Bypass Leading to Arbitrary Code Execution in constantinople - https://github.com/advisories/GHSA-4vmm-mhcq-4x9j
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/constantinople

uglify-js  <=2.5.0
Severity: critical
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js - https://github.com/advisories/GHSA-34r7-q49f-h37c
Regular Expression Denial of Service in uglify-js - https://github.com/advisories/GHSA-c9f4-xj24-8jqx
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/transformers/node_modules/uglify-js
  transformers  2.0.0 - 3.0.1
  Depends on vulnerable versions of uglify-js
  node_modules/transformers

5 vulnerabilities (1 low, 4 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force

Bumps [@cyclonedx/bom](https://github.com/CycloneDX/cyclonedx-node-module) from 3.10.6 to 4.0.2. - [Release notes](https://github.com/CycloneDX/cyclonedx-node-module/releases) - [Changelog](https://github.com/CycloneDX/cyclonedx-node-module/blob/master/HISTORY.md) - [Commits](CycloneDX/cyclonedx-node-module@v3.10.6...v4.0.2) --- updated-dependencies: - dependency-name: "@cyclonedx/bom" dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2022-11-26T18:35:18Z

=== npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Sandbox Bypass Leading to Arbitrary Code Execution in        │
│               │ constantinople                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ constantinople                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jade                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jade > constantinople                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-4vmm-mhcq-4x9j            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Incorrect Handling of Non-Boolean Comparisons During         │
│               │ Minification in uglify-js                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ uglify-js                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.4.24                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jade                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jade > transformers > uglify-js                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-34r7-q49f-h37c            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service in uglify-js            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ uglify-js                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.6.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jade                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jade > transformers > uglify-js                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c9f4-xj24-8jqx            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service in clean-css            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ clean-css                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.1.11                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jade                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jade > clean-css                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-wxhq-pm8v-cw75            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 4 vulnerabilities (1 low, 1 high, 2 critical) in 828 scanned packages
  4 vulnerabilities require manual review. See the full report for details.

github-actions · 2022-11-26T18:35:22Z

# npm audit report

clean-css  <4.1.11
Regular Expression Denial of Service in clean-css - https://github.com/advisories/GHSA-wxhq-pm8v-cw75
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/clean-css
  jade  >=0.30.0
  Depends on vulnerable versions of clean-css
  Depends on vulnerable versions of constantinople
  Depends on vulnerable versions of transformers
  node_modules/jade

constantinople  <3.1.1
Severity: critical
Sandbox Bypass Leading to Arbitrary Code Execution in constantinople - https://github.com/advisories/GHSA-4vmm-mhcq-4x9j
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/constantinople

uglify-js  <=2.5.0
Severity: critical
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js - https://github.com/advisories/GHSA-34r7-q49f-h37c
Regular Expression Denial of Service in uglify-js - https://github.com/advisories/GHSA-c9f4-xj24-8jqx
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/transformers/node_modules/uglify-js
  transformers  2.0.0 - 3.0.1
  Depends on vulnerable versions of uglify-js
  node_modules/transformers

5 vulnerabilities (1 low, 4 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force

dependabot · 2022-12-16T15:04:16Z

Superseded by #58.

dependabot Bot added the dependencies Pull requests that update a dependency file label Oct 21, 2022

dependabot Bot assigned kannkyo Oct 21, 2022

dependabot Bot force-pushed the dependabot/npm_and_yarn/cyclonedx/bom-4.0.2 branch from 1bfb859 to 4a22542 Compare November 26, 2022 18:34

dependabot Bot closed this Dec 16, 2022

dependabot Bot deleted the dependabot/npm_and_yarn/cyclonedx/bom-4.0.2 branch December 16, 2022 15:04

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps-dev): bump @cyclonedx/bom from 3.10.6 to 4.0.2#43

build(deps-dev): bump @cyclonedx/bom from 3.10.6 to 4.0.2#43
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/cyclonedx/bom-4.0.2

dependabot Bot commented on behalf of github Oct 21, 2022 •

edited

Loading

Uh oh!

github-actions Bot commented Oct 21, 2022

Uh oh!

github-actions Bot commented Oct 21, 2022

Uh oh!

github-actions Bot commented Nov 26, 2022

Uh oh!

github-actions Bot commented Nov 26, 2022

Uh oh!

dependabot Bot commented on behalf of github Dec 16, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github Oct 21, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

4.0.2

Docs

4.0.1

Docs:

4.0.0

Previous versions

4.0.0-rc.1

4.0.2 - 2022-10-21

4.0.1 - 2022-10-21

4.0.0 - 2022-10-21

Uh oh!

github-actions Bot commented Oct 21, 2022

Uh oh!

github-actions Bot commented Oct 21, 2022

Uh oh!

github-actions Bot commented Nov 26, 2022

Uh oh!

github-actions Bot commented Nov 26, 2022

Uh oh!

dependabot Bot commented on behalf of github Dec 16, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

dependabot Bot commented on behalf of github Oct 21, 2022 •

edited

Loading