build(deps-dev): bump @cyclonedx/bom from 3.10.6 to 4.0.3 by dependabot[bot] · Pull Request #58 · boilerplate-language/boilerplate-nodejs

dependabot · 2022-12-16T15:04:13Z

Bumps @cyclonedx/bom from 3.10.6 to 4.0.3.

Release notes

Sourced from @cyclonedx/bom's releases.

4.0.3

Docs

fix CI/CT shield (badges/shields#8671 via #346)

#346: CycloneDX/cyclonedx-node-module#346

4.0.2

Docs

Fixed some typos

4.0.1

Docs:

Describe the "Out of Scope" section (via #342)

Fixed some typos

#342: CycloneDX/cyclonedx-node-module#342

4.0.0

⚠️ BREAKING CHANGES

This package became a so-called meta-package, it does no longer ship any own functionality, but it is a collection of dependencies. (via #321)

This package's dependencies are tools with one purpose in common: generate CycloneDX Software Bill-of-Materials (SBOM) from node-based projects.

for npm-based projects: @cyclonedx/cyclonedx-npm

for yarn-based projects: to be announced

for pnpm-based projects: to be announced

If you are looking for a JavaScript/TypeScript library for working with CycloneDX, its data models or serialization, then you might want to try @cyclonedx/cyclonedx-library.

#321: CycloneDX/cyclonedx-node-module#321

Previous versions

This project used to be a tool-set and a library to work and generate CycloneDX Software Bill-of-Materials (SBOM) from npm and yarn based projects.
Since version 4.0, this was all split to individual projects, and this project changed to a bare meta-package.

Previous versions of this very package are still available via npmjs versions and github releases.

4.0.0-rc.1

No release notes provided.

Changelog

Sourced from @cyclonedx/bom's changelog.

4.0.3 - 2022-12-16

Docs

fix CI/CT shield (badges/shields#8671 via #346)

#346: CycloneDX/cyclonedx-node-module#346

4.0.2 - 2022-10-21

Docs:

Fixed some typos

4.0.1 - 2022-10-21

Docs:

Describe the "Out of Scope" section (via #342)

Fixed some typos

#342: CycloneDX/cyclonedx-node-module#342

4.0.0 - 2022-10-21

This became a so-called meta-package, it does not ship any own functionality, but it is a collection of dependencies. (via #321)

This package's dependencies are tools with one purpose in common: generate CycloneDX Software Bill-of-Materials (SBOM) from node-based projects.

for npm-based projects: @cyclonedx/cyclonedx-npm

for yarn-based projects: to be announced

for pnpm-based projects: to be announced

If you are looking for a JavaScript/TypeScript library for working with CycloneDX, its data models or serialization, then you might want to try @cyclonedx/cyclonedx-library.

#321: CycloneDX/cyclonedx-node-module#321

Commits

494c826 4.0.3
1571856 chore: prepare v4.0.3
24ea201 docs: fix shields (#346)
e1cc603 docs: CONTRIBUTING sign off
c3b6e1a docs: add linebreak in readme
4078b41 4.0.2
fe05582 prepare v4.0.2
acba6ad docs: fix npmjs links
dbe0bfb 4.0.1
d68612e docs: describe scope (#342)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

github-actions · 2022-12-16T15:05:16Z

=== npm audit security report ===                        
                                                                                
# Run  npm update superagent --depth 2  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ qs vulnerable to Prototype Pollution                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ qs                                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ supertest [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ supertest > superagent > formidable > qs                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-hrpp-h998-j3pp            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Sandbox Bypass Leading to Arbitrary Code Execution in        │
│               │ constantinople                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ constantinople                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jade                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jade > constantinople                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-4vmm-mhcq-4x9j            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Incorrect Handling of Non-Boolean Comparisons During         │
│               │ Minification in uglify-js                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ uglify-js                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.4.24                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jade                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jade > transformers > uglify-js                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-34r7-q49f-h37c            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service in uglify-js            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ uglify-js                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.6.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jade                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jade > transformers > uglify-js                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c9f4-xj24-8jqx            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service in clean-css            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ clean-css                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.1.11                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jade                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jade > clean-css                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-wxhq-pm8v-cw75            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 5 vulnerabilities (1 low, 2 high, 2 critical) in 828 scanned packages
  run `npm audit fix` to fix 1 of them.
  4 vulnerabilities require manual review. See the full report for details.

Bumps [@cyclonedx/bom](https://github.com/CycloneDX/cyclonedx-node-module) from 3.10.6 to 4.0.3. - [Release notes](https://github.com/CycloneDX/cyclonedx-node-module/releases) - [Changelog](https://github.com/CycloneDX/cyclonedx-node-module/blob/master/HISTORY.md) - [Commits](CycloneDX/cyclonedx-node-module@v3.10.6...v4.0.3) --- updated-dependencies: - dependency-name: "@cyclonedx/bom" dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2023-01-14T01:17:47Z

# npm audit report

clean-css  <4.1.11
Regular Expression Denial of Service in clean-css - https://github.com/advisories/GHSA-wxhq-pm8v-cw75
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/clean-css
  jade  >=0.30.0
  Depends on vulnerable versions of clean-css
  Depends on vulnerable versions of constantinople
  Depends on vulnerable versions of transformers
  node_modules/jade

constantinople  <3.1.1
Severity: critical
Sandbox Bypass Leading to Arbitrary Code Execution in constantinople - https://github.com/advisories/GHSA-4vmm-mhcq-4x9j
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/constantinople

uglify-js  <=2.5.0
Severity: critical
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js - https://github.com/advisories/GHSA-34r7-q49f-h37c
Regular Expression Denial of Service in uglify-js - https://github.com/advisories/GHSA-c9f4-xj24-8jqx
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/transformers/node_modules/uglify-js
  transformers  2.0.0 - 3.0.1
  Depends on vulnerable versions of uglify-js
  node_modules/transformers

5 vulnerabilities (1 low, 4 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force

github-actions · 2023-01-14T01:17:47Z

=== npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Sandbox Bypass Leading to Arbitrary Code Execution in        │
│               │ constantinople                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ constantinople                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jade                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jade > constantinople                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-4vmm-mhcq-4x9j            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service in clean-css            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ clean-css                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.1.11                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jade                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jade > clean-css                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-wxhq-pm8v-cw75            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Incorrect Handling of Non-Boolean Comparisons During         │
│               │ Minification in uglify-js                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ uglify-js                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.4.24                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jade                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jade > transformers > uglify-js                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-34r7-q49f-h37c            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service in uglify-js            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ uglify-js                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.6.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jade                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jade > transformers > uglify-js                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c9f4-xj24-8jqx            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 4 vulnerabilities (1 low, 1 high, 2 critical) in 830 scanned packages
  4 vulnerabilities require manual review. See the full report for details.

dependabot Bot added the dependencies Pull requests that update a dependency file label Dec 16, 2022

dependabot Bot assigned kannkyo Dec 16, 2022

dependabot Bot mentioned this pull request Dec 16, 2022

build(deps-dev): bump @cyclonedx/bom from 3.10.6 to 4.0.2 #43

Closed

dependabot Bot force-pushed the dependabot/npm_and_yarn/cyclonedx/bom-4.0.3 branch from e756916 to f870a9c Compare January 14, 2023 01:16

dependabot Bot force-pushed the dependabot/npm_and_yarn/cyclonedx/bom-4.0.3 branch from f870a9c to af69bc1 Compare January 14, 2023 01:17

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps-dev): bump @cyclonedx/bom from 3.10.6 to 4.0.3#58

build(deps-dev): bump @cyclonedx/bom from 3.10.6 to 4.0.3#58
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/cyclonedx/bom-4.0.3

dependabot Bot commented on behalf of github Dec 16, 2022 •

edited

Loading

Uh oh!

github-actions Bot commented Dec 16, 2022

Uh oh!

github-actions Bot commented Jan 14, 2023

Uh oh!

github-actions Bot commented Jan 14, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github Dec 16, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

4.0.3

Docs

4.0.2

Docs

4.0.1

Docs:

4.0.0

⚠️ BREAKING CHANGES

Previous versions

4.0.0-rc.1

4.0.3 - 2022-12-16

4.0.2 - 2022-10-21

4.0.1 - 2022-10-21

4.0.0 - 2022-10-21

Uh oh!

github-actions Bot commented Dec 16, 2022

Uh oh!

github-actions Bot commented Jan 14, 2023

Uh oh!

github-actions Bot commented Jan 14, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

dependabot Bot commented on behalf of github Dec 16, 2022 •

edited

Loading