Bump axios, @slack/rtm-api and @slack/web-api in /Tools/WebKitBot#157
Bump axios, @slack/rtm-api and @slack/web-api in /Tools/WebKitBot#157dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
Bumps [axios](https://github.com/axios/axios), [@slack/rtm-api](https://github.com/slackapi/node-slack-sdk) and [@slack/web-api](https://github.com/slackapi/node-slack-sdk). These dependencies needed to be updated together. Updates `axios` from 0.19.2 to 1.16.0 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v0.19.2...v1.16.0) Updates `@slack/rtm-api` from 5.0.5 to 7.0.4 - [Release notes](https://github.com/slackapi/node-slack-sdk/releases) - [Commits](https://github.com/slackapi/node-slack-sdk/compare/@slack/rtm-api@5.0.5...@slack/rtm-api@7.0.4) Updates `@slack/web-api` from 5.10.0 to 7.15.2 - [Release notes](https://github.com/slackapi/node-slack-sdk/releases) - [Commits](https://github.com/slackapi/node-slack-sdk/compare/@slack/web-api@5.10.0...@slack/web-api@7.15.2) --- updated-dependencies: - dependency-name: axios dependency-version: 1.16.0 dependency-type: direct:production - dependency-name: "@slack/rtm-api" dependency-version: 7.0.4 dependency-type: direct:production - dependency-name: "@slack/web-api" dependency-version: 7.15.2 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
|
|
![semgrep-code-squarespace[bot]](https://avatars.githubusercontent.com/u/722929?s=60&v=4){kind=small}
| "version": "5.0.0", | ||
| "resolved": "https://registry.npmjs.org/throat/-/throat-5.0.0.tgz", | ||
| "integrity": "sha512-fcwX4mndzpLQKBS1DVYhGAcYaYt7vsHNIvQV+WXMvnow5cgjPphq5CaayLaGsjRdSCKZFNGt7/GYAuXaNOiYCA==" | ||
| }, | ||
| "tmpl": { | ||
| "node_modules/tmpl": { |
There was a problem hiding this comment.
High severity vulnerability introduced by a package you're using:
Line 5950 lists a dependency (tmpl) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
tmpl versions before 1.0.5 are vulnerable to Uncontrolled Resource Consumption when formatting a string.
To resolve this comment:
Upgrade this dependency to at least version 1.0.5 at Tools/WebKitBot/package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| "@babel/code-frame": "^7.10.3", | ||
| "@babel/parser": "^7.10.3", | ||
| "@babel/types": "^7.10.3" | ||
| } | ||
| }, | ||
| "@babel/traverse": { | ||
| "node_modules/@babel/traverse": { |
There was a problem hiding this comment.
Critical severity vulnerability may affect your project—review required:
Line 378 lists a dependency (@babel/traverse) with a known Critical severity vulnerability.
ℹ️ Why this matters
Affected versions of @babel/traverse and babel-traverse are vulnerable to Incomplete List of Disallowed Inputs / Incorrect Comparison. Compiling untrusted code with Babel using plugins that invoke the internal path.evaluate() or path.evaluateTruthy() methods (for example @babel/plugin-transform-runtime, @babel/preset-env with useBuiltIns, or any polyfill‐provider plugin) allows a maliciously crafted AST to execute arbitrary code on the build machine during compilation.
To resolve this comment:
Check if you use Babel to compile untrusted JavaScript.
- If you're affected, upgrade this dependency to at least version 7.23.2 at Tools/WebKitBot/package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
1 participant
Bumps axios, @slack/rtm-api and @slack/web-api. These dependencies needed to be updated together.
Updates
axiosfrom 0.19.2 to 1.16.0Release notes
Sourced from axios's releases.
... (truncated)
Changelog
Sourced from axios's changelog.
... (truncated)
Commits
df53d7dchore(release): prepare release 1.16.0 (#10834)9d92bcdfix: gadgets and smaller issues (#10833)5107ee6fix: prevent undefined error codes in settle (#7276)e573499fix(fetch): defer global access in fetch adapter (#7260)ad68e1afix(http): honor timeout during connect without redirects (#10819)2a51828fix(http): decode URL basic auth credentials (#10825)0e8b6bbfix(http): preserve user-supplied Host header when forwarding through a proxy...79f39e1docs: document paramsSerializer.encode for strict RFC 3986 query encoding (#1...0fe3a5f[Docs/Types] UpdateparseReviverTypeScript definitions for ES2023 and add ...cd6737fchore: matches the sibling responseStream.on(aborted) handler and added tests...Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.
Install script changes
This version adds
preparescript that runs during installation. Review the package contents before updating.Updates
@slack/rtm-apifrom 5.0.5 to 7.0.4Release notes
Sourced from @slack/rtm-api's releases.
... (truncated)
Commits
18c4af4chore(rtm-api): release@slack/rtm-api@7.0.4 (#2347)dab6705chore(socket-mode): release@slack/socket-mode@2.0.5 (#2346)00b7d18chore(oauth): release@slack/oauth@3.0.4 (#2345)4a03081chore(socket-mode): bump@slack/web-apito 7.10.0 (#2343)d6701f7chore(rtm-api): bump@slack/web-apito 7.10.0 (#2342)d56fc1achore(oauth): bump@slack/web-apito 7.10.0 (#2341)b4632b5docs: autogenerate package reference to language specific paths (#2337)d871f63chore(types): release@slack/web-api@7.10.0 (#2340)013f5d9chore(webhook): release@slack/webhook@7.0.6 (#2338)ab3412bchore(types): release@slack/types@2.16.0 (#2339)Maintainer changes
This version was pushed to npm by e-zim, a new releaser for
@slack/rtm-apisince your current version.Updates
@slack/web-apifrom 5.10.0 to 7.15.2Release notes
Sourced from @slack/web-api's releases.
... (truncated)
Commits
fde2a7achore: release (#2577)4b6fe3afeat(web-api): add authorship arguments to assistant threads and chat stream ...f5696c3cli-test(fix): wait for cli run start trace instead of activity output (#2355)11dd0f5feat(types): add Card, Carousel, and Alert block types (#2567)4f03ee8feat(types): add Card, Carousel, and Alert block types (#2567)a5a2954chore(deps): bump slackapi/slack-github-action from 3.0.1 to 3.0.3 (#2574)14f98c9chore(deps): bump dependabot/fetch-metadata from 3.0.0 to 3.1.0 (#2575)b8b88cbchore(deps): bump uuid from 13.0.1 to 14.0.0 in /examples/openid-connect (#2576)ea8998bchore(deps): bump actions/setup-node from 6.3.0 to 6.4.0 (#2573)4af912dci: simplify test scripts and separate coverage from test runs (#2566)Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for
@slack/web-apisince your current version.Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.