@dependabot dependabot bot commented on behalf of github Feb 22, 2024

Bumps the npm_and_yarn group with 16 updates in the /. directory:

| Package | From | To |
| --- | --- | --- |
| protobufjs | 6.11.3 | 6.11.4 |
| lodash | 4.17.15 | 4.17.21 |
| babel-eslint | 4.1.8 | 10.1.0 |
| eslint | 1.10.3 | 8.56.0 |
| minimist | 1.2.0 | 1.2.8 |
| mkdirp | 0.5.1 | 0.5.6 |
| browserify-sign | 4.0.4 | 4.2.2 |
| decode-uri-component | 0.2.0 | 0.2.2 |
| loader-utils | 1.2.3 | 1.4.2 |
| webpack-cli | 3.3.8 | 3.3.12 |
| follow-redirects | 1.15.2 | 1.15.5 |
| fsevents | 1.2.9 | 1.2.13 |
| ip | 1.1.8 | 1.1.9 |
| node-forge | 0.10.0 | 1.3.1 |
| webpack-dev-server | 3.11.3 | 5.0.2 |
| terser | 4.3.1 | 4.8.1 |

Updates protobufjs from 6.11.3 to 6.11.4

Commits

Updates lodash from 4.17.15 to 4.17.21

Commits
  • f299b52 Bump to v4.17.21
  • c4847eb Improve performance of toNumber, trim and trimEnd on large input strings
  • 3469357 Prevent command injection through _.template's variable option
  • ded9bc6 Bump to v4.17.20.
  • 63150ef Documentation fixes.
  • 00f0f62 test.js: Remove trailing comma.
  • 846e434 Temporarily use a custom fork of lodash-cli.
  • 5d046f3 Re-enable Travis tests on 4.17 branch.
  • aa816b3 Remove /npm-package.
  • d7fbc52 Bump to v4.17.19
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by bnjmnt4n, a new releaser for lodash since your current version.


Updates babel-eslint from 4.1.8 to 10.1.0

Release notes

Sourced from babel-eslint's releases.

v10.1.0

v10.0.3

Fixes babel/babel-eslint#791, also eslint/eslint#12117

Some context: babel/babel-eslint#793

We ended up going with @​JLHwung's PR babel/babel-eslint#794 which uses ESLint's deps instead of going with peerDeps since it really depends on the version being used and we don't want users to have to install it directly on their own.

babel-eslint is patching patches of the dependencies of ESLint itself so these kinds of issues have happened in the past. We'll need to look into figuring out how to have a more solid way of modifying behavior instead of this monkeypatching type of thing for future releases.

v10.0.2

Fixes babel/babel-eslint#772

v10.0.1

The TypeAlias "conversion" to a function has issues. Sounds like we need to rethink the change, most likely we can just actually change the scoping rather than hardcode an AST change.

v10.0.0

Small breaking change: add a peerDependency starting from the ESLint version that added a parser feature that we were monkeypatching before (and drop that code). If already using ESLint 5 shouldn't be any different.

/* @flow */
type Node<T> = { head: T; tail: Node<T> }
// or
type File = {chunks: Array<Chunk>}
type Chunk = {file: File}

v9.0.0

We've released v7: https://twitter.com/left_pad/status/1034204330352500736, so this just updates babel-eslint to use those versions internally. That in itself doesn't break anything but:

  • Babel now supports the new decorators proposal by default, so we need to switch between the new and the old proposal. This is a breaking change.

To enable the legacy decorators proposal users should add a specific parser option:

{

... (truncated)

Commits

Updates eslint from 1.10.3 to 8.56.0

Release notes

Sourced from eslint's releases.

v8.56.0

Features

  • 0dd9704 feat: Support custom severity when reporting unused disable directives (#17212) (Bryan Mishkin)
  • 31a7e3f feat: fix no-restricted-properties false negatives with unknown objects (#17818) (Arka Pratim Chaudhuri)

Bug Fixes

  • 7d5e5f6 fix: TypeError: fs.exists is not a function on read-only file system (#17846) (Francesco Trotta)
  • 74739c8 fix: suggestion with invalid syntax in no-promise-executor-return rule (#17812) (Bryan Mishkin)

Documentation

  • 9007719 docs: update link in ways-to-extend.md (#17839) (Amel SELMANE)
  • 3a22236 docs: Update README (GitHub Actions Bot)
  • 54c3ca6 docs: fix migration-guide example (#17829) (Tanuj Kanti)
  • 4391b71 docs: check config comments in rule examples (#17815) (Francesco Trotta)
  • fd28363 docs: remove mention about ESLint stylistic rules in readme (#17810) (Zwyx)
  • 48ed5a6 docs: Update README (GitHub Actions Bot)

Chores

  • ba6af85 chore: upgrade @​eslint/js@​8.56.0 (#17864) (Milos Djermanovic)
  • 60a531a chore: package.json update for @​eslint/js release (Jenkins)
  • ba87a06 chore: update dependency markdownlint to ^0.32.0 (#17783) (renovate[bot])
  • 9271d10 chore: add GitHub issue template for docs issues (#17845) (Josh Goldberg ✨)
  • 70a686b chore: Convert rule tests to FlatRuleTester (#17819) (Nicholas C. Zakas)
  • f3a599d chore: upgrade eslint-plugin-unicorn to v49.0.0 (#17837) (唯然)
  • 905d4b7 chore: upgrade eslint-plugin-eslint-plugin v5.2.1 (#17838) (唯然)
  • 4d7c3ce chore: update eslint-plugin-n v16.4.0 (#17836) (唯然)
  • fd0c60c ci: unpin Node.js 21.2.0 (#17821) (Francesco Trotta)

v8.55.0

Features

  • 8c9e6c1 feat: importNamePattern option in no-restricted-imports (#17721) (Tanuj Kanti)

Documentation

  • 83ece2a docs: fix typo --rules -> --rule (#17806) (OKURA Masafumi)
  • fffca5c docs: remove "Open in Playground" buttons for removed rules (#17791) (Francesco Trotta)
  • a6d9442 docs: fix correct/incorrect examples of rules (#17789) (Tanuj Kanti)
  • 383e999 docs: update and fix examples for no-unused-vars (#17788) (Tanuj Kanti)
  • 5a8efd5 docs: add specific stylistic rule for each deprecated rule (#17778) (Etienne)

Chores

  • eb8950c chore: upgrade @​eslint/js@​8.55.0 (#17811) (Milos Djermanovic)
  • 93df384 chore: package.json update for @​eslint/js release (Jenkins)
  • fe4b954 chore: upgrade @​eslint/eslintrc@​2.1.4 (#17799) (Milos Djermanovic)
  • bd8911d ci: pin Node.js 21.2.0 (#17809) (Milos Djermanovic)
  • b29a16b chore: fix several cli tests to run in the intended flat config mode (#17797) (Milos Djermanovic)
  • de165c1 chore: remove unused config-extends fixtures (#17781) (Milos Djermanovic)
  • d4304b8 chore: remove formatting/stylistic rules from new rule templates (#17780) (Francesco Trotta)
  • 21024fe chore: check rule examples for syntax errors (#17718) (Francesco Trotta)

v8.54.0

... (truncated)

Changelog

Sourced from eslint's changelog.

v8.56.0 - December 15, 2023

  • ba6af85 chore: upgrade @​eslint/js@​8.56.0 (#17864) (Milos Djermanovic)
  • 60a531a chore: package.json update for @​eslint/js release (Jenkins)
  • 0dd9704 feat: Support custom severity when reporting unused disable directives (#17212) (Bryan Mishkin)
  • 31a7e3f feat: fix no-restricted-properties false negatives with unknown objects (#17818) (Arka Pratim Chaudhuri)
  • ba87a06 chore: update dependency markdownlint to ^0.32.0 (#17783) (renovate[bot])
  • 7d5e5f6 fix: TypeError: fs.exists is not a function on read-only file system (#17846) (Francesco Trotta)
  • 9271d10 chore: add GitHub issue template for docs issues (#17845) (Josh Goldberg ✨)
  • 70a686b chore: Convert rule tests to FlatRuleTester (#17819) (Nicholas C. Zakas)
  • 9007719 docs: update link in ways-to-extend.md (#17839) (Amel SELMANE)
  • f3a599d chore: upgrade eslint-plugin-unicorn to v49.0.0 (#17837) (唯然)
  • 905d4b7 chore: upgrade eslint-plugin-eslint-plugin v5.2.1 (#17838) (唯然)
  • 4d7c3ce chore: update eslint-plugin-n v16.4.0 (#17836) (唯然)
  • 3a22236 docs: Update README (GitHub Actions Bot)
  • 54c3ca6 docs: fix migration-guide example (#17829) (Tanuj Kanti)
  • 4391b71 docs: check config comments in rule examples (#17815) (Francesco Trotta)
  • fd28363 docs: remove mention about ESLint stylistic rules in readme (#17810) (Zwyx)
  • fd0c60c ci: unpin Node.js 21.2.0 (#17821) (Francesco Trotta)
  • 48ed5a6 docs: Update README (GitHub Actions Bot)
  • 74739c8 fix: suggestion with invalid syntax in no-promise-executor-return rule (#17812) (Bryan Mishkin)

v8.55.0 - December 1, 2023

  • eb8950c chore: upgrade @​eslint/js@​8.55.0 (#17811) (Milos Djermanovic)
  • 93df384 chore: package.json update for @​eslint/js release (Jenkins)
  • fe4b954 chore: upgrade @​eslint/eslintrc@​2.1.4 (#17799) (Milos Djermanovic)
  • 8c9e6c1 feat: importNamePattern option in no-restricted-imports (#17721) (Tanuj Kanti)
  • 83ece2a docs: fix typo --rules -> --rule (#17806) (OKURA Masafumi)
  • bd8911d ci: pin Node.js 21.2.0 (#17809) (Milos Djermanovic)
  • b29a16b chore: fix several cli tests to run in the intended flat config mode (#17797) (Milos Djermanovic)
  • fffca5c docs: remove "Open in Playground" buttons for removed rules (#17791) (Francesco Trotta)
  • a6d9442 docs: fix correct/incorrect examples of rules (#17789) (Tanuj Kanti)
  • 383e999 docs: update and fix examples for no-unused-vars (#17788) (Tanuj Kanti)
  • 5a8efd5 docs: add specific stylistic rule for each deprecated rule (#17778) (Etienne)
  • de165c1 chore: remove unused config-extends fixtures (#17781) (Milos Djermanovic)
  • d4304b8 chore: remove formatting/stylistic rules from new rule templates (#17780) (Francesco Trotta)
  • 21024fe chore: check rule examples for syntax errors (#17718) (Francesco Trotta)

v8.54.0 - November 17, 2023

  • d644de9 chore: upgrade @​eslint/js@​8.54.0 (#17773) (Milos Djermanovic)
  • 1e6e314 chore: package.json update for @​eslint/js release (Jenkins)
  • 98926e6 fix: Ensure that extra data is not accidentally stored in the cache file (#17760) (Milos Djermanovic)
  • a7a883b feat: for-direction rule add check for condition in reverse order (#17755) (Angelo Annunziata)
  • 1452dc9 feat: Add suggestions to no-console (#17680) (Joel Mathew Koshy)
  • 6fb8805 chore: Fixed grammar in issue_templates/rule_change (#17770) (Joel Mathew Koshy)
  • becfdd3 docs: Make clear when rules are removed (#17728) (Nicholas C. Zakas)
  • e8cf9f6 fix: Make dark scroll bar in dark theme (#17753) (Pavel)
  • 85db724 chore: upgrade markdownlint to 0.31.1 (#17754) (Nitin Kumar)

... (truncated)

Commits
  • 8e8e9f8 8.56.0
  • 085978b Build: changelog update for 8.56.0
  • ba6af85 chore: upgrade @​eslint/js@​8.56.0 (#17864)
  • 60a531a chore: package.json update for @​eslint/js release
  • 0dd9704 feat: Support custom severity when reporting unused disable directives (#17212)
  • 31a7e3f feat: fix no-restricted-properties false negatives with unknown objects (#17818)
  • ba87a06 chore: update dependency markdownlint to ^0.32.0 (#17783)
  • 7d5e5f6 fix: TypeError: fs.exists is not a function on read-only file system (#17846)
  • 9271d10 chore: add GitHub issue template for docs issues (#17845)
  • 70a686b chore: Convert rule tests to FlatRuleTester (#17819)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by eslintbot, a new releaser for eslint since your current version.


Updates minimatch from 2.0.10 to 3.0.4

Changelog

Sourced from minimatch's changelog.

change log

9.0

  • No default export, only named exports.

8.0

  • Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions
  • Bump required Node.js version

7.4

  • Add escape() method
  • Add unescape() method
  • Add Minimatch.hasMagic() method

7.3

  • Add support for posix character classes in a unicode-aware way.

7.2

  • Add windowsNoMagicRoot option

7.1

  • Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

7.0

  • Preprocess patterns to simplify complicated patterns and reduce out .. pattern portions where possible. Note that this means a pattern like a/b/../* will be equivalent to a/*, and will not match the string a/b/../c. If this causes problems, it can be addressed in a patch release by resolving .. portions in the test string.

6.2

  • Add nocaseMagicOnly flag

6.1

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for minimatch since your current version.


Updates minimist from 1.2.0 to 1.2.8

Changelog

Sourced from minimist's changelog.

v1.2.8 - 2023-02-09

Merged

Fixed

Commits

  • Merge tag 'v0.2.3' a026794
  • [eslint] fix indentation and whitespace 5368ca4
  • [eslint] fix indentation and whitespace e5f5067
  • [eslint] more cleanup 62fde7d
  • [eslint] more cleanup 36ac5d0
  • [meta] add auto-changelog 73923d2
  • [actions] add reusable workflows d80727d
  • [eslint] add eslint; rules to enable later are warnings 48bc06a
  • [eslint] fix indentation 34b0f1c
  • [readme] rename and add badges 5df0fe4
  • [Dev Deps] switch from covert to nyc a48b128
  • [Dev Deps] update covert, tape; remove unnecessary tap f0fb958
  • [meta] create FUNDING.yml; add funding in package.json 3639e0c
  • [meta] use npmignore to autogenerate an npmignore file be2e038
  • Only apps should have lockfiles 282b570
  • isConstructorOrProto adapted from PR ef9153f
  • [Dev Deps] update @ljharb/eslint-config, aud 098873c
  • [Dev Deps] update @ljharb/eslint-config, aud 3124ed3
  • [meta] add safe-publish-latest 4b927de
  • [Tests] add aud in posttest b32d9bd
  • [meta] update repo URLs f9fdfc0
  • [actions] Avoid 0.6 tests due to build failures ba92fe6
  • [Dev Deps] update tape 950eaa7
  • [Dev Deps] add missing npmignore dev dep 3226afa
  • Merge tag 'v0.2.2' 980d7ac

v1.2.7 - 2022-10-10

Commits

... (truncated)

Commits
  • 6901ee2 v1.2.8
  • a026794 Merge tag 'v0.2.3'
  • c0b2661 v0.2.3
  • 63b8fee [Fix] Fix long option followed by single dash (#17)
  • 72239e6 [Tests] Remove duplicate test (#12)
  • 34b0f1c [eslint] fix indentation
  • 3226afa [Dev Deps] add missing npmignore dev dep
  • 098873c [Dev Deps] update @ljharb/eslint-config, aud
  • 9ec4d27 [Fix] Fix long option followed by single dash
  • ba92fe6 [actions] Avoid 0.6 tests due to build failures
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for minimist since your current version.


Updates mkdirp from 0.5.1 to 0.5.6

Commits
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for mkdirp since your current version.


Updates browserify-sign from 4.0.4 to 4.2.2

Changelog

Sourced from browserify-sign's changelog.

v4.2.2 - 2023-10-25

Fixed

Commits

  • Only apps should have lockfiles 09a8995
  • [eslint] switch to eslint 83fe463
  • [meta] add npmignore and auto-changelog 4418183
  • [meta] fix package.json indentation 9ac5a5e
  • [Tests] migrate from travis to github actions d845d85
  • [Fix] sign: throw on unsupported padding scheme 8767739
  • [Fix] properly check the upper bound for DSA signatures 85994cd
  • [Tests] handle openSSL not supporting a scheme f5f17c2
  • [Deps] update bn.js, browserify-rsa, elliptic, parse-asn1, readable-stream, safe-buffer a67d0eb
  • [Dev Deps] update nyc, standard, tape cc5350b
  • [Tests] always run coverage; downgrade nyc 75ce1d5
  • [meta] add safe-publish-latest dcf49ce
  • [Tests] add npm run posttest 75dd8fd
  • [Dev Deps] update tape 3aec038
  • [Tests] skip unsupported schemes 703c83e
  • [Tests] node < 6 lacks array includes 3aa43cf
  • [Dev Deps] fix eslint range 98d4e0d

v4.2.1 - 2020-08-04

Merged

v4.2.0 - 2020-05-18

Merged

v4.1.0 - 2020-05-05

Merged

Commits
  • 4af5a90 v4.2.2
  • 3aec038 [Dev Deps] update tape
  • 85994cd [Fix] properly check the upper bound for DSA signatures
  • 9ac5a5e [meta] fix package.json indentation
  • dcf49ce [meta] add safe-publish-latest
  • 4418183 [meta] add npmignore and auto-changelog
  • 8767739 [Fix] sign: throw on unsupported padding scheme
  • 5f6fb17 [Tests] log when openssl doesn't support cipher
  • f5f17c2 [Tests] handle openSSL not supporting a scheme
  • d845d85 [Tests] migrate from travis to github actions
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for browserify-sign since your current version.


Updates decode-uri-component from 0.2.0 to 0.2.2

Release notes

Sourced from decode-uri-component's releases.

v0.2.2

  • Prevent overwriting previously decoded tokens 980e0bf

SamVerschueren/decode-uri-component@v0.2.1...v0.2.2

v0.2.1

  • Switch to GitHub workflows 76abc93
  • Fix issue where decode throws - fixes #6 746ca5d
  • Update license (#1) 486d7e2
  • Tidelift tasks a650457
  • Meta tweaks 66e1c28

SamVerschueren/decode-uri-component@v0.2.0...v0.2.1

Commits

Updates loader-utils from 1.2.3 to 1.4.2

Release notes

Sourced from loader-utils's releases.

v1.4.2

1.4.2 (2022-11-11)

Bug Fixes

v1.4.1

1.4.1 (2022-11-07)

Bug Fixes

v1.4.0

1.4.0 (2020-02-19)

Features

  • the resourceQuery is passed to the interpolateName method (#163) (cd0e428)

v1.3.0

1.3.0 (2020-02-19)

Features

  • support the [query] template for the interpolatedName method (#162) (469eeba)
Changelog

Sourced from loader-utils's changelog.

1.4.2 (2022-11-11)

Bug Fixes

1.4.1 (2022-11-07)

Bug Fixes

1.4.0 (2020-02-19)

Features

  • the resourceQuery is passed to the interpolateName method (#163) (cd0e428)

1.3.0 (2020-02-19)

Features

  • support the [query] template for the interpolatedName method (#162) (469eeba)

Commits

Updates webpack-cli from 3.3.8 to 3.3.12

Changelog

Sourced from webpack-cli's changelog.

3.3.12 (2020-06-03)

Full Changelog

3.3.11 (2020-02-11)

Full Changelog

3.3.10 (2019-10-31)

Full Changelog

New Features

  • add new flag and patch sec dep (#1102)

3.3.9 (2019-09-17)

Full Changelog

Fix

  • use process.exitCode instead of process.exit in compilerCallback (ee001bd)

Commits

Bumps the npm_and_yarn group with 16 updates in the /. directory:

| Package | From | To |
| --- | --- | --- |
| [protobufjs](https://github.com/protobufjs/protobuf.js) | `6.11.3` | `6.11.4` |
| [lodash](https://github.com/lodash/lodash) | `4.17.15` | `4.17.21` |
| [babel-eslint](https://github.com/babel/babel-eslint) | `4.1.8` | `10.1.0` |
| [eslint](https://github.com/eslint/eslint) | `1.10.3` | `8.56.0` |
| [minimist](https://github.com/minimistjs/minimist) | `1.2.0` | `1.2.8` |
| [mkdirp](https://github.com/isaacs/node-mkdirp) | `0.5.1` | `0.5.6` |
| [browserify-sign](https://github.com/crypto-browserify/browserify-sign) | `4.0.4` | `4.2.2` |
| [decode-uri-component](https://github.com/SamVerschueren/decode-uri-component) | `0.2.0` | `0.2.2` |
| [loader-utils](https://github.com/webpack/loader-utils) | `1.2.3` | `1.4.2` |
| [webpack-cli](https://github.com/webpack/webpack-cli) | `3.3.8` | `3.3.12` |
| [follow-redirects](https://github.com/follow-redirects/follow-redirects) | `1.15.2` | `1.15.5` |
| [fsevents](https://github.com/fsevents/fsevents) | `1.2.9` | `1.2.13` |
| [ip](https://github.com/indutny/node-ip) | `1.1.8` | `1.1.9` |
| [node-forge](https://github.com/digitalbazaar/forge) | `0.10.0` | `1.3.1` |
| [webpack-dev-server](https://github.com/webpack/webpack-dev-server) | `3.11.3` | `5.0.2` |
| [terser](https://github.com/terser/terser) | `4.3.1` | `4.8.1` |


Updates `protobufjs` from 6.11.3 to 6.11.4
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md)
- [Commits](https://github.com/protobufjs/protobuf.js/commits)

Updates `lodash` from 4.17.15 to 4.17.21
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.15...4.17.21)

Updates `babel-eslint` from 4.1.8 to 10.1.0
- [Release notes](https://github.com/babel/babel-eslint/releases)
- [Commits](babel/babel-eslint@v4.1.8...v10.1.0)

Updates `eslint` from 1.10.3 to 8.56.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](eslint/eslint@v1.10.3...v8.56.0)

Updates `minimatch` from 2.0.10 to 3.0.4
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v2.0.10...v3.0.4)

Updates `minimist` from 1.2.0 to 1.2.8
- [Changelog](https://github.com/minimistjs/minimist/blob/main/CHANGELOG.md)
- [Commits](minimistjs/minimist@v1.2.0...v1.2.8)

Updates `mkdirp` from 0.5.1 to 0.5.6
- [Changelog](https://github.com/isaacs/node-mkdirp/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-mkdirp@0.5.1...v0.5.6)

Updates `browserify-sign` from 4.0.4 to 4.2.2
- [Changelog](https://github.com/browserify/browserify-sign/blob/main/CHANGELOG.md)
- [Commits](browserify/browserify-sign@v4.0.4...v4.2.2)

Updates `decode-uri-component` from 0.2.0 to 0.2.2
- [Release notes](https://github.com/SamVerschueren/decode-uri-component/releases)
- [Commits](SamVerschueren/decode-uri-component@v0.2.0...v0.2.2)

Updates `loader-utils` from 1.2.3 to 1.4.2
- [Release notes](https://github.com/webpack/loader-utils/releases)
- [Changelog](https://github.com/webpack/loader-utils/blob/v1.4.2/CHANGELOG.md)
- [Commits](webpack/loader-utils@v1.2.3...v1.4.2)

Updates `webpack-cli` from 3.3.8 to 3.3.12
- [Release notes](https://github.com/webpack/webpack-cli/releases)
- [Changelog](https://github.com/webpack/webpack-cli/blob/master/CHANGELOG.md)
- [Commits](webpack/webpack-cli@v3.3.8...v3.3.12)

Updates `follow-redirects` from 1.15.2 to 1.15.5
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.2...v1.15.5)

Updates `fsevents` from 1.2.9 to 1.2.13
- [Release notes](https://github.com/fsevents/fsevents/releases)
- [Commits](fsevents/fsevents@v1.2.9...v1.2.13)

Updates `ip` from 1.1.8 to 1.1.9
- [Commits](indutny/node-ip@v1.1.8...v1.1.9)

Updates `node-forge` from 0.10.0 to 1.3.1
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@0.10.0...v1.3.1)

Updates `webpack-dev-server` from 3.11.3 to 5.0.2
- [Release notes](https://github.com/webpack/webpack-dev-server/releases)
- [Changelog](https://github.com/webpack/webpack-dev-server/blob/master/CHANGELOG.md)
- [Commits](webpack/webpack-dev-server@v3.11.3...v5.0.2)

Updates `terser` from 4.3.1 to 4.8.1
- [Changelog](https://github.com/terser/terser/blob/master/CHANGELOG.md)
- [Commits](terser/terser@v4.3.1...v4.8.1)

---
updated-dependencies:
- dependency-name: protobufjs
  dependency-type: indirect
  dependency-group: npm_and_yarn-security-group
- dependency-name: lodash
  dependency-type: indirect
  dependency-group: npm_and_yarn-security-group
- dependency-name: babel-eslint
  dependency-type: direct:development
  dependency-group: npm_and_yarn-security-group
- dependency-name: eslint
  dependency-type: direct:development
  dependency-group: npm_and_yarn-security-group
- dependency-name: minimatch
  dependency-type: indirect
  dependency-group: npm_and_yarn-security-group
- dependency-name: minimist
  dependency-type: indirect
  dependency-group: npm_and_yarn-security-group
- dependency-name: mkdirp
  dependency-type: indirect
  dependency-group: npm_and_yarn-security-group
- dependency-name: browserify-sign
  dependency-type: indirect
  dependency-group: npm_and_yarn-security-group
- dependency-name: decode-uri-component
  dependency-type: indirect
  dependency-group: npm_and_yarn-security-group
- dependency-name: loader-utils
  dependency-type: indirect
  dependency-group: npm_and_yarn-security-group
- dependency-name: webpack-cli
  dependency-type: direct:development
  dependency-group: npm_and_yarn-security-group
- dependency-name: follow-redirects
  dependency-type: indirect
  dependency-group: npm_and_yarn-security-group
- dependency-name: fsevents
  dependency-type: indirect
  dependency-group: npm_and_yarn-security-group
- dependency-name: ip
  dependency-type: indirect
  dependency-group: npm_and_yarn-security-group
- dependency-name: node-forge
  dependency-type: indirect
  dependency-group: npm_and_yarn-security-group
- dependency-name: webpack-dev-server
  dependency-type: direct:production
  dependency-group: npm_and_yarn-security-group
- dependency-name: terser
  dependency-type: indirect
  dependency-group: npm_and_yarn-security-group
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Feb 22, 2024
@socket-security

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

| Alert | Package | Note | Source |
| --- | --- | --- | --- |
| Native code | npm/fsevents@1.2.13 | | |
| Install scripts | npm/fsevents@1.2.13 | Install script: install; Source: node install.js | |

View full report↗︎

Next steps

What's wrong with native code?

Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.

Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings.

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm/fsevents@1.2.13

dependabot bot commented on behalf of github Mar 16, 2024

Superseded by #76.

@dependabot dependabot bot closed this Mar 16, 2024
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/npm_and_yarn-security-group-e4d5a4f2ca branch March 16, 2024 18:12