Bump semver, postman-collection and core-js-compat in /web #9

Open: wants to merge 1 commit into main
Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github May 12, 2024

Bumps semver to 7.5.4 and updates ancestor dependencies semver, postman-collection and core-js-compat. These dependencies need to be updated together.

Updates semver from 7.0.0 to 7.5.4

Release notes

Sourced from semver's releases.

  • v7.5.4 (2023-07-07): Bug Fixes
  • v7.5.3 (2023-06-22): Bug Fixes, Documentation
  • v7.5.2 (2023-06-15): Bug Fixes
  • v7.5.1 (2023-05-12): Bug Fixes
  • v7.5.0 (2023-04-17): Features, Bug Fixes
  • v7.4.0 (2023-04-10)
  • ... (truncated)

Changelog

Sourced from semver's changelog.

  • 7.5.4 (2023-07-07): Bug Fixes
  • 7.5.3 (2023-06-22): Bug Fixes, Documentation
  • 7.5.2 (2023-06-15): Bug Fixes
  • 7.5.1 (2023-05-12): Bug Fixes
  • 7.5.0 (2023-04-17): Features, Bug Fixes
  • 7.4.0 (2023-04-10): Features
  • ... (truncated)

Commits
  • 36cd334 chore: release 7.5.4
  • 8456d87 chore: postinstall for dependabot template-oss PR
  • dde1f00 chore: postinstall for dependabot template-oss PR
  • dffcd1b chore: bump @npmcli/template-oss from 4.16.0 to 4.17.0
  • d619f66 chore: postinstall for dependabot template-oss PR
  • 3bc4247 chore: bump @npmcli/template-oss from 4.15.1 to 4.16.0
  • cc6fde2 fix: trim each range set before parsing
  • 99d8287 fix: correctly parse long build ids as valid (#583)
  • 4f0f6b1 chore: fix arguments in whitespace test (#574)
  • 6bd1a37 chore: remove duplicate test in semver class (#575)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by npm-cli-ops, a new releaser for semver since your current version.


Updates postman-collection from 4.1.4 to 4.4.0

Changelog

Sourced from postman-collection's changelog.

  • 4.4.0 (2024-02-28)
      new features:
        • GH-1356 Add new key packages to Script
      chores:
        • GH-1357 Fixed a bug where invalid JSDoc prevented generating docs and types
        • GH-1357 Update types for getPath

  • 4.3.0 (2023-11-18)
      new features:
        • GH-1339 Added getPath method on Item
      chores:
        • Updated dependencies

  • 4.2.1 (2023-09-11)
      fixed bugs:
        • GH-1332 Fixed a bug where Variable~update was not updating the description
      chores:
        • Updated dependencies

  • 4.2.0 (2023-08-03)
      new features:
        • GH-1329 Added support for fileName property in formdata request body
        • GH-1329 Retain string file content while parsing formdata and file bodies
      chores:
        • Updated dependencies

  • 4.1.7 (2023-01-24)
      fixed bugs:
        • GH-1300 Fixed incorrect using typeof operator
      chores:
        • GH-1302 Migrate to GitHub Actions
        • Updated dependencies

  • 4.1.6 (2022-11-28)
      chores:
        • Updated Travis configuration to use an updated Ubuntu distribution
        • Updated dependencies

  • 4.1.5 (2022-08-02)

... (truncated)

Commits
  • 9b99f37 Merge branch 'release/4.4.0'
  • f907abe Release v4.4.0
  • 28b67b1 Add key packages in Script (#1356)
  • 13f7ebd Merge pull request #1357 from postmanlabs/fix/jsdoc-error
  • a264f03 Update CHANGELOG
  • b4ab6e6 Fix errors in generating docs and types
  • d332e0c Merge branch 'release/4.3.0'
  • a175ec3 Merge branch 'release/4.3.0' into develop
  • 1d6e0dd Release v4.3.0
  • 64b1c59 Merge pull request #1340 from postmanlabs/dependabot/npm_and_yarn/babel/trave...
  • Additional commits viewable in compare view

Updates core-js-compat from 3.21.0 to 3.37.0

Changelog

Sourced from core-js-compat's changelog.

3.37.0 - 2024.04.17
3.36.1 - 2024.03.19

... (truncated)

Commits
  • 598d0b2 3.37.0
  • a7f3a96 URL.parse added and marked as supported from Bun 1.1.4
  • 8957db1 update pattern matching proposal
  • 9da401f add Math.sumPrecise
  • 80f1d23 add a fix of Safari { Object, Map }.groupBy bug that does not support itera...
  • 5b908c2 add a fix of Safari bug with double call of constructor in Array.fromAsync
  • 42627a6 Merge pull request #1336 from zloirock/bump-set-methods
  • 61abd15 add Opera Android 82 compat data mapping
  • 559081f move new Set methods to stable ES
  • 66e55a9 URL.parse added and marked as supported from FF 126
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [semver](https://github.com/npm/node-semver) to 7.5.4 and updates ancestor dependencies [semver](https://github.com/npm/node-semver), [postman-collection](https://github.com/postmanlabs/postman-collection) and [core-js-compat](https://github.com/zloirock/core-js/tree/HEAD/packages/core-js-compat). These dependencies need to be updated together.


Updates `semver` from 7.0.0 to 7.5.4
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md)
- [Commits](npm/node-semver@v7.0.0...v7.5.4)

Updates `postman-collection` from 4.1.4 to 4.4.0
- [Release notes](https://github.com/postmanlabs/postman-collection/releases)
- [Changelog](https://github.com/postmanlabs/postman-collection/blob/develop/CHANGELOG.yaml)
- [Commits](postmanlabs/postman-collection@v4.1.4...v4.4.0)

Updates `core-js-compat` from 3.21.0 to 3.37.0
- [Release notes](https://github.com/zloirock/core-js/releases)
- [Changelog](https://github.com/zloirock/core-js/blob/master/CHANGELOG.md)
- [Commits](https://github.com/zloirock/core-js/commits/v3.37.0/packages/core-js-compat)

---
updated-dependencies:
- dependency-name: semver
  dependency-type: indirect
- dependency-name: postman-collection
  dependency-type: direct:production
- dependency-name: core-js-compat
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label May 12, 2024

dryrunsecurity bot commented May 12, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status           Findings
Configured Codepaths Analyzer    0 findings
Sensitive Files Analyzer         2 findings
Authn/Authz Analyzer             0 findings
AppSec Analyzer                  0 findings
Secrets Analyzer                 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖.
Note that this summary is auto-generated and not meant to be a definitive list of security issues
but rather a helpful summary from a security perspective.

Summary:

The code change in this pull request updates the version of the postman-collection dependency from 4.1.4 to 4.4.0 in the web/package.json file. From an application security perspective, this change is generally not concerning, as the postman-collection library is a utility for working with Postman collections, which are used for API testing and documentation. Upgrading to a newer version of this library is unlikely to introduce any significant security risks, as it is a well-established and widely-used library.

However, it's always a good practice to review the release notes or change logs for the new version of a dependency to ensure that there are no known security vulnerabilities or breaking changes that could impact your application. Additionally, you should consider running thorough integration and regression tests to verify that the updated dependency does not introduce any unexpected behavior or functionality issues. Overall, this code change appears to be a routine library update and does not raise any immediate security concerns. As an application security engineer, you should continue to monitor the security landscape and be prepared to address any potential vulnerabilities that may arise in the future.

Files Changed:

  • web/package.json: This file has been updated to change the version of the postman-collection dependency from 4.1.4 to 4.4.0.

Powered by DryRun Security


guardrails bot commented May 12, 2024

⚠️ We detected 1 security issue in this pull request:

Vulnerable Libraries (1)

Severity   Details
Medium     pkg:npm/[email protected] upgrade to: > 4.4.0

More info on how to fix Vulnerable Libraries in JavaScript.
