[Snyk] Fix for 1 vulnerabilities

[hojatA1]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	823/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.6	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: @npmcli/run-script

The new version differs by 15 commits.

• fcebe38 chore: release 7.0.2
• 30623cf deps: bump node-gyp from 9.4.1 to 10.0.0
• 54e5bd0 chore: postinstall for dependabot template-oss PR
• 7d95e9f chore: bump @ npmcli/template-oss from 4.18.1 to 4.19.0
• 90bcf54 chore: postinstall for dependabot template-oss PR
• ba0ab48 chore: bump @ npmcli/template-oss from 4.18.0 to 4.18.1
• 43ccfc7 chore: release 7.0.1
• f61fd84 deps: bump @ npmcli/promise-spawn from 6.0.2 to 7.0.0
• 87b740b chore: release 7.0.0
• e1b1a3c fix: drop node14 support
• a8045a9 deps: bump which from 3.0.1 to 4.0.0
• c4f4fb4 chore: postinstall for dependabot template-oss PR
• dacd67e chore: bump @ npmcli/template-oss from 4.17.0 to 4.18.0
• 9d2d807 chore: postinstall for dependabot template-oss PR
• 8b21725 chore: bump @ npmcli/template-oss from 4.15.1 to 4.17.0

See the full diff

Package name: libnpmaccess

The new version differs by 250 commits.

• d0e7491 chore: release 10.0.0
• b8a5764 chore: fix flaky log file tests
• 7f81e96 chore: use maxSockets:1 for some flaky arborist reify tests
• fb31c7e feat: trigger release process
• 48a7b07 feat: remove prerelease flags
• 52cb638 chore: release 10.0.0-pre.1
• 9e444ca chore: fix bundle version in libnpmpublish tests (chore: fix bundle version in libnpmpublish tests npm/cli#6748)
• 171b8a0 chore: remove extra git dirty check from ci
• 323cc4f chore: drop node14 support in private mock-globals workspace
• 5ab3f7e deps: @ npmcli/git@5.0.3
• eb41977 deps: @ npmcli/run-script@7.0.1
• f30c9e3 deps: @ npmcli/git@5.0.2
• f334466 deps: pacote@17.0.4
• bb63bf9 deps: @ npmcli/run-script@7.0.0
• 75642c6 deps: @ npmcli/promise-spawn@7.0.0
• dbb18f4 deps: @ npmcli/agent@2.1.0
• 812aa6d deps: sigstore@2.1.0
• 7fab9d3 deps: @ sigstore/tuf@2.1.0
• 12337cc deps: which@4.0.0
• b1ad3ad deps: npm-packlist@8.0.0
• 43831d0 deps: pacote@17.0.3
• 44e8fec deps: pacote@17.0.2
• 0d2e2c9 deps: bump sigstore from 1.7.0 to 2.0.0
• ec7a430 chore: audit fix for semver in nested dev deps

See the full diff

Package name: libnpmhook

The new version differs by 250 commits.

• d0e7491 chore: release 10.0.0
• b8a5764 chore: fix flaky log file tests
• 7f81e96 chore: use maxSockets:1 for some flaky arborist reify tests
• fb31c7e feat: trigger release process
• 48a7b07 feat: remove prerelease flags
• 52cb638 chore: release 10.0.0-pre.1
• 9e444ca chore: fix bundle version in libnpmpublish tests (chore: fix bundle version in libnpmpublish tests npm/cli#6748)
• 171b8a0 chore: remove extra git dirty check from ci
• 323cc4f chore: drop node14 support in private mock-globals workspace
• 5ab3f7e deps: @ npmcli/git@5.0.3
• eb41977 deps: @ npmcli/run-script@7.0.1
• f30c9e3 deps: @ npmcli/git@5.0.2
• f334466 deps: pacote@17.0.4
• bb63bf9 deps: @ npmcli/run-script@7.0.0
• 75642c6 deps: @ npmcli/promise-spawn@7.0.0
• dbb18f4 deps: @ npmcli/agent@2.1.0
• 812aa6d deps: sigstore@2.1.0
• 7fab9d3 deps: @ sigstore/tuf@2.1.0
• 12337cc deps: which@4.0.0
• b1ad3ad deps: npm-packlist@8.0.0
• 43831d0 deps: pacote@17.0.3
• 44e8fec deps: pacote@17.0.2
• 0d2e2c9 deps: bump sigstore from 1.7.0 to 2.0.0
• ec7a430 chore: audit fix for semver in nested dev deps

See the full diff

Package name: libnpmsearch

The new version differs by 250 commits.

• d0e7491 chore: release 10.0.0
• b8a5764 chore: fix flaky log file tests
• 7f81e96 chore: use maxSockets:1 for some flaky arborist reify tests
• fb31c7e feat: trigger release process
• 48a7b07 feat: remove prerelease flags
• 52cb638 chore: release 10.0.0-pre.1
• 9e444ca chore: fix bundle version in libnpmpublish tests (chore: fix bundle version in libnpmpublish tests npm/cli#6748)
• 171b8a0 chore: remove extra git dirty check from ci
• 323cc4f chore: drop node14 support in private mock-globals workspace
• 5ab3f7e deps: @ npmcli/git@5.0.3
• eb41977 deps: @ npmcli/run-script@7.0.1
• f30c9e3 deps: @ npmcli/git@5.0.2
• f334466 deps: pacote@17.0.4
• bb63bf9 deps: @ npmcli/run-script@7.0.0
• 75642c6 deps: @ npmcli/promise-spawn@7.0.0
• dbb18f4 deps: @ npmcli/agent@2.1.0
• 812aa6d deps: sigstore@2.1.0
• 7fab9d3 deps: @ sigstore/tuf@2.1.0
• 12337cc deps: which@4.0.0
• b1ad3ad deps: npm-packlist@8.0.0
• 43831d0 deps: pacote@17.0.3
• 44e8fec deps: pacote@17.0.2
• 0d2e2c9 deps: bump sigstore from 1.7.0 to 2.0.0
• ec7a430 chore: audit fix for semver in nested dev deps

See the full diff

Package name: libnpmversion

The new version differs by 250 commits.

• d0e7491 chore: release 10.0.0
• b8a5764 chore: fix flaky log file tests
• 7f81e96 chore: use maxSockets:1 for some flaky arborist reify tests
• fb31c7e feat: trigger release process
• 48a7b07 feat: remove prerelease flags
• 52cb638 chore: release 10.0.0-pre.1
• 9e444ca chore: fix bundle version in libnpmpublish tests (chore: fix bundle version in libnpmpublish tests npm/cli#6748)
• 171b8a0 chore: remove extra git dirty check from ci
• 323cc4f chore: drop node14 support in private mock-globals workspace
• 5ab3f7e deps: @ npmcli/git@5.0.3
• eb41977 deps: @ npmcli/run-script@7.0.1
• f30c9e3 deps: @ npmcli/git@5.0.2
• f334466 deps: pacote@17.0.4
• bb63bf9 deps: @ npmcli/run-script@7.0.0
• 75642c6 deps: @ npmcli/promise-spawn@7.0.0
• dbb18f4 deps: @ npmcli/agent@2.1.0
• 812aa6d deps: sigstore@2.1.0
• 7fab9d3 deps: @ sigstore/tuf@2.1.0
• 12337cc deps: which@4.0.0
• b1ad3ad deps: npm-packlist@8.0.0
• 43831d0 deps: pacote@17.0.3
• 44e8fec deps: pacote@17.0.2
• 0d2e2c9 deps: bump sigstore from 1.7.0 to 2.0.0
• ec7a430 chore: audit fix for semver in nested dev deps

See the full diff

Package name: make-fetch-happen

The new version differs by 14 commits.

• bb3a5f5 chore: release 12.0.0
• 5318d23 deps: bump minipass from 5.0.0 to 7.0.2 (Windows: Add preliminary WSL support for npm and npx npm/cli#253)
• 3059b28 fix: drop node14 support (Fix figgyPudding error in npm token npm/cli#259)
• 096e2b8 chore: bump @ npmcli/template-oss from 4.15.1 to 4.18.0 (Create run comand lastest ubantu npm/cli#256)
• efd1e2f docs: update readme
• 7c25367 feat: move to @ npmcli/agent
• 5493550 deps: remove lru-cache
• 193b901 deps: remove socks-proxy-agent
• fc35622 deps: remove agentkeepalive
• e78fcdf deps: remove https-proxy-agent
• a4089a0 deps: remove http-proxy-agent
• 92c3226 deps: add @ npmcli/agent
• ca26378 chore: postinstall for dependabot template-oss PR
• 9493980 chore: bump @ npmcli/template-oss from 4.14.1 to 4.15.1

See the full diff

Package name: node-gyp

The new version differs by 40 commits.

• 9acb4c7 chore: release 10.0.0
• 3032e10 chore: run tests after release please PR
• 864a979 feat!: use .npmignore file to limit which files are published ([BUG] Dev dependency should not throw “unsupported platform” error when using --production flag on npm install npm/cli#2921)
• 4e493d4 chore: misc testing fixes (fix(uninstall): use correct local prefix npm/cli#2930)
• d52997e feat: convert internal classes from util.inherits to classes
• 355622f feat: convert all internal functions to async/await
• 1b3bd34 feat!: drop node 14 support (fix(install): ignore auditLevel npm/cli#2929)
• e388255 deps: which@4.0.0 ([BUG] EACCES error with npm remove on npm@7.7.0 npm/cli#2928)
• 059bb6f deps: make-fetch-happen@13.0.0 ([BUG] npm uninstall doesn't work in 7.7.0 npm/cli#2927)
• 4bef1ec deps: glob@10.3.10 ([BUG] npm 7.7.0 lost progress bar on npm install npm/cli#2926)
• 21a7249 chore: add check engines script to CI (Release/v7.7.0 npm/cli#2922)
• 707927c feat(gyp): update gyp to v0.16.1 (fix(audit-level): add info audit level npm/cli#2923)
• d644ce4 docs: update applicable GitHub links from master to main ([BUG] "ERR! must provide string spec" when running "npm install" npm/cli#2843)
• 4a50fe3 chore: empty commit to add changelog entries from package-lock changes depending upon name of project folder npm/cli#2770
• 26683e9 chore: GitHub Workflows security hardening ([BUG] NPM 7.x broke the "--json" CLI parameter npm/cli#2740)
• 91fd8ff Python lint: ruff --format is now --output-format
• b3d41ae doc: Add note about Python symlinks (PR 2362) to CHANGELOG.md for 9.1.0 ([BUG] workspace packages using different major versions of the same package causes issues npm/cli#2783)
• 5746691 test: update expired certs (fix(usage): tie usage to config npm/cli#2908)
• d3615c6 Fix incorrect Xcode casing in README ([BUG] Fix ERESOLVE error output npm/cli#2896)
• bb93b94 docs: README.md Do not hardcode the supported versions of Python ([BUG] npm on windows can't run scripts with ".", relative paths "../" npm/cli#2880)
• 0f1f667 fix: create Python symlink only during builds, and clean it up after ([BUG] cannot read property 'length' of undefined with npm npm/cli#2721)
• 445c28f test: increase mocha timeout ([BUG] sudo prompt is not shown in scripts, causing install and tests to hang npm/cli#2887)
• 1bfb083 Fix Python lint error by using an f-string (feat: add exec workspaces npm/cli#2886)
• c9caa2e docs: Update windows installation instructions in README.md ([DOC] Wiki has broken link npm/cli#2882)

See the full diff

Package name: npm-profile

The new version differs by 27 commits.

• 32cf63c chore: release 8.0.0
• 96370c2 deps: bump npm-registry-fetch from 14.0.5 to 15.0.0
• 384988c chore: turn on autopublish
• cfd2d07 fix: drop node14 support
• f20ba2b chore: merge old changelog to current format
• 444ca44 chore: postinstall for dependabot template-oss PR
• 3369a3d chore: bump @ npmcli/template-oss from 4.17.0 to 4.18.0
• 3219ad5 chore: postinstall for dependabot template-oss PR
• ef6d9df chore: bump @ npmcli/template-oss from 4.15.1 to 4.17.0
• 446b025 chore: postinstall for dependabot template-oss PR
• 17904ca chore: bump @ npmcli/template-oss from 4.14.1 to 4.15.1
• 1c17cd1 chore: bump @ npmcli/template-oss from 4.12.1 to 4.14.1 ([Snyk] Security upgrade nyc from 11.9.0 to 13.0.0 #88)
• d7055e6 chore: bump @ npmcli/template-oss from 4.12.0 to 4.12.1 ([Snyk] Security upgrade nyc from 11.9.0 to 13.0.0 #86)
• e88a3de chore: postinstall for dependabot template-oss PR
• 2771943 chore: bump @ npmcli/template-oss from 4.11.4 to 4.12.0
• 78bbb4c chore: postinstall for dependabot template-oss PR
• 9b39807 chore: bump @ npmcli/template-oss from 4.11.3 to 4.11.4
• 4bc95d9 chore: postinstall for dependabot template-oss PR
• 8009557 chore: bump @ npmcli/template-oss from 4.11.0 to 4.11.3
• f89f346 chore: postinstall for dependabot template-oss PR
• 6767e40 chore: bump @ npmcli/template-oss from 4.10.0 to 4.11.0
• b7f6f2b chore: postinstall for dependabot template-oss PR
• 5c8f187 chore: bump @ npmcli/template-oss from 4.8.0 to 4.10.0
• 47530f1 chore: postinstall for dependabot template-oss PR

See the full diff

Package name: npm-registry-fetch

The new version differs by 10 commits.

• 16893c3 chore: release 15.0.0
• a97564f deps: bump make-fetch-happen from 11.1.1 to 12.0.0 (Added ARM64 platform check  npm/cli#195)
• e154d49 deps: bump minipass from 5.0.0 to 7.0.2
• b875c26 fix: drop node14 support (Check save-prefix satisfies requested install version range npm/cli#193)
• baaa886 chore: postinstall for dependabot template-oss PR
• 5d15eeb chore: bump @ npmcli/template-oss from 4.17.0 to 4.18.0
• 7e4427e chore: postinstall for dependabot template-oss PR
• e02d4ef chore: bump @ npmcli/template-oss from 4.15.1 to 4.17.0
• 1136eae chore: postinstall for dependabot template-oss PR
• c267ac6 chore: bump @ npmcli/template-oss from 4.14.1 to 4.15.1

See the full diff

Package name: pacote

The new version differs by 29 commits.

• 18e760f chore: release 17.0.4
• ba8f790 deps: bump @ npmcli/promise-spawn from 6.0.2 to 7.0.0
• 2c0d3ae deps: bump @ npmcli/run-script from 6.0.2 to 7.0.0
• 7aa2062 chore: release 17.0.3
• ace7c28 deps: bump npm-packlist from 7.0.4 to 8.0.0
• f1efd0c chore: release 17.0.2
• c3b892d deps: bump sigstore from 1.3.0 to 2.0.0
• c75d7d5 chore: release 17.0.1
• 6ddae13 deps: bump npm-registry-fetch from 15.0.0 to 16.0.0
• 42bf787 deps: bump npm-pick-manifest from 8.0.2 to 9.0.0
• 9fa2de9 chore: release 17.0.0
• e9e964b deps: bump read-package-json from 6.0.4 to 7.0.0
• f69d844 chore: hosted-git-info@7.0.0
• 5d26500 deps: bump npm-package-arg from 10.1.0 to 11.0.0
• d13bb9c deps: bump @ npmcli/git from 4.1.0 to 5.0.0
• 7a25e39 deps: bump cacache from 17.1.4 to 18.0.0
• 2db2fb5 fix: drop node 16.13.x support
• 5cdbfd1 chore: release 16.0.0
• 8dc6a32 deps: bump minipass from 5.0.0 to 7.0.2
• 7cebf19 deps: bump npm-registry-fetch from 14.0.5 to 15.0.0
• 73b6297 fix: drop node14 support ([FEATURE] Provide credentials to npm trough environment variables npm/cli#290)
• 53cf17e chore: postinstall for dependabot template-oss PR
• 865d5c7 chore: bump @ npmcli/template-oss from 4.17.0 to 4.18.0
• 040add9 chore: postinstall for dependabot template-oss PR

See the full diff

Package name: sigstore

The new version differs by 179 commits.

• f0b49a0 Version Packages ([QUESTION] How can I unset env variable when run npm script? npm/cli#680)
• 4e49006 Bump @ tufjs/repo-mock from 1.4.0 to 2.0.0 ([QUESTION] installing package dependencies when doing npm install <folder> npm/cli#702)
• 3bc1817 update tuf-js to v2.0.0 ([BUG] npm.community references npm/cli#698)
• 0ce790f Bump actions/setup-node from 3.8.0 to 3.8.1 (allow new majors of node to be automatically considered supported npm/cli#697)
• 1e0fb61 Bump nock from 13.3.2 to 13.3.3 (chore: fixes nodejs tests npm/cli#696)
• 06ea684 Bump @ sigstore/protobuf-specs from 0.2.0 to 0.2.1 ([BUG] /tmp/npm-${PID}-* directories should be cleaned when "npm pack" gets terminated npm/cli#695)
• 829e123 flatten public interface of client package ([BUG] Transient ENOENT / file not found in npm ci npm/cli#694)
• faca7de Bump the dev-dependencies group with 1 update ([BUG] Cannot read property 'loaded' of undefined npm/cli#691)
• d0053a3 bump make-fetch-happen to v13 ([BUG] Missing required argument #1 npm/cli#681)
• 8a83280 Bump the dev-dependencies group with 2 updates ([BUG] npm error caused by a single quote in username npm/cli#690)
• 3bd0fbb remove sigstore-utils from public interface of client package (Update message for newer node version npm/cli#684)
• d5060c0 remove oauth provider from client package ([FEATURE] Flatten output of npm fund npm/cli#685)
• 4455f7f remove tuf helpers from client package ([FEATURE] Show warning when publishing package larger than 10MB npm/cli#683)
• e36bbfa remove legacy CLI from client package (npm install react-scripts --save npm/cli#682)
• f12ee66 Bump the dev-dependencies group with 2 updates ([BUG] Publishing package fails with ENETUNREACH npm/cli#687)
• 153eded Bump the oclif group with 1 update ([BUG] <EMISSINGARG> npm/cli#688)
• 7802a6b Bump actions/setup-node from 3.7.0 to 3.8.0 (Benchmarks / Contributing Updates npm/cli#689)
• c8de4e9 fix-up dependency in mock package ([BUG] Error installing "forever" npm/cli#679)
• 591db8d Version Packages (docs: update gatsby dependencies npm/cli#627)
• abcebbf promote @ sigstore/sign to v1.0.0 (Release 6.13.6 npm/cli#673)
• c6a99a1 Bump the oclif group with 1 update (Error installing a dependency package that already exists npm/cli#678)
• 9586810 Bump the dev-dependencies group with 1 update (Comments in package.json: @comment prefix npm/cli#677)
• 23dd744 Bump the oclif group with 1 update (Use String.includes() when possible npm/cli#675)
• 78ec545 Bump the dev-dependencies group with 2 updates (Fix a few lgtm.com issues. npm/cli#674)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Server-side Request Forgery (SSRF)