[Snyk] Upgrade npm from 6.2.0 to 6.13.7

[snyk-bot]

Snyk has created this PR to upgrade npm from 6.2.0 to 6.13.7.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 47 versions ahead of your current version.
• The recommended version was released a month ago, on 2020-01-28.

The recommended version fixes:

Severity	Issue	Exploit Maturity
	Arbitrary File Overwrite SNYK-JS-TAR-174125	No Known Exploit
	Arbitrary File Write SNYK-JS-NPM-537606	Proof of Concept
	Arbitrary File Overwrite SNYK-JS-NPM-537603	Proof of Concept
	Arbitrary File Overwrite SNYK-JS-FSTREAM-174725	No Known Exploit
	Arbitrary File Write SNYK-JS-BINLINKS-537610	Proof of Concept
	Arbitrary File Overwrite SNYK-JS-BINLINKS-537608	Proof of Concept
	Denial of Service (DoS) npm:mem:20180117	No Known Exploit
	Man-in-the-Middle (MitM) SNYK-JS-HTTPSPROXYAGENT-469131	Proof of Concept
	Unauthorized File Access SNYK-JS-NPM-537604	Proof of Concept
	Unauthorized File Access SNYK-JS-BINLINKS-537609	Proof of Concept

Release notes

Package name: npm

• 6.13.7 - 2020-01-28
  

  6.13.7 (2020-01-28)

  BUG FIXES

  • 7dbb91438 #655 Update CI detection cases (@isaacs)

  DEPENDENCIES

  • 0fb1296c7 libnpx@10.2.2 (@mikemimik)
  • c9b69d569 node-gyp@5.0.7 (@mikemimik)
  • e8dbaf452 bin-links@1.1.7 (@mikemimik)
    • #613 Fixes bin entry for package
• 6.13.6 - 2020-01-09
  

  6.13.6 (2020-01-09)

  DEPENDENCIES

  • 6dba897a1 pacote@9.5.12:
    • d2f4176 fix(git): Do not drop uid/gid when executing in root-owned directory (@isaacs)
• 6.13.5 - 2020-01-09
  

  6.13.5 (2020-01-09)

  BUG FIXES

  • fd0a802ec #550 Fix cache location for npm ci (@zhenyavinogradov)
  • 4b30f3cca #648 fix(version): using 'allow-same-version', git commit --allow-empty and git tag -f (@rhengles)

  TESTING

  • e16f68d30 test(ci): add failing cache config test (@ruyadorno)
  • 3f009fbf2 #659 test: fix bin-overwriting test on Windows (@isaacs)
  • 43ae0791f #601 ci: Allow builds to run even if one fails (@XhmikosR)
  • 4a669bee4 #603 Remove the unused appveyor.yml (@XhmikosR)
  • 9295046ac #600 ci: switch to actions/checkout@v2 (@XhmikosR)

  DOCUMENTATION

  • f2d770ac7 #569 fix netlify publish path config (@claudiahdz)
  • 462cf0983 #627 update gatsby dependencies (@felixonmars)
  • 6fb5dbb72 #532 docs: clarify usage of global prefix (@jgehrcke)
• 6.13.4 - 2019-12-11
  

  6.13.4 (2019-12-11)

  BUGFIXES

  • 320ac9aee npm/bin-links#12 npm/gentle-fs#7 Do not remove global bin/man links inappropriately (@isaacs)

  DEPENDENCIES

  • 52fd21061 gentle-fs@2.3.0 (@isaacs)
  • d06f5c0b0 bin-links@1.1.6 (@isaacs)
• 6.13.3 - 2019-12-10
  

  6.13.3 (2019-12-09)

  DEPENDENCIES

  • 19ce061a2 bin-links@1.1.5 Properly normalize, sanitize, and verify bin entries in package.json.
  • 59c836aae npm-packlist@1.4.7
  • fb4ecd7d2 pacote@9.5.11
    • 5f33040 #476 npm/pacote#22 npm/pacote#14 fix: Do not drop perms in git when not root (isaacs, @darcyclarke)
    • 6f229f7 sanitize and normalize package bin field (isaacs)
  • 1743cb339 read-package-json@2.1.1
• 6.13.2 - 2019-12-03
  

  6.13.2 (2019-12-03)

  BUG FIXES

  • 4429645b3 #546 fix docs target typo (@richardlau)
  • 867642942 #142 fix(packageRelativePath): fix 'where' for file deps (@larsgw)
  • d480f2c17 #527 Revert "windows: Add preliminary WSL support for npm and npx" (@craigloewen-msft)
  • e4b97962e #504 remove unnecessary package.json read when reading shrinkwrap (@Lighting-Jack)
  • 1c65d26ac #501 fix(fund): open url for string shorthand (@ruyadorno)
  • ae7afe565 #263 Don't log error message if git tagging is disabled (@woppa684)
  • 4c1b16f6a #182 Warn the user that it is uninstalling npm-install (@Hoidberg)
• 6.13.1 - 2019-11-18
  

  6.13.1 (2019-11-18)

  BUG FIXES

  • 938d6124d #472 fix(fund): support funding string shorthand (@ruyadorno)
  • b49c5535b #471 should not publish tap-snapshot folder (@ruyadorno)
  • 3471d5200 #253 Add preliminary WSL support for npm and npx (@infinnie)
  • 3ef295f23 #486 print quick audit report for human output (@isaacs)

  TESTING

  • dbbf977ac #278 added workflow to trigger and run benchmarks (@mikemimik)
  • b4f5e3825 #457 feat(docs): adding tests and updating docs to reflect changes in registry teams API. (@nomadtechie)
  • 454c7dd60 #456 fix git configs for git 2.23 and above (@isaacs)

  DOCUMENTATION

  • b8c1576a4 30b013ae8 26c1b2ef6 9f943a765 c0346b158 8e09d5ad6 4a2f551ee 87d67258c 5c3b32722 b150eaeff 7555a743c b89423e2f #463 #285 #268 #232 #485 #453 docs cleanup: typos, styling and content (@claudiahdz) (@XhmikosR) (@mugli) (@brettz9) (@mkotsollaris)

  DEPENDENCIES

  • 661d86cd2 make-fetch-happen@5.0.2 (@claudiahdz)
• 6.13.0 - 2019-11-05
  

  6.13.0 (2019-11-05)

  NEW FEATURES

  • 4414b06d9 #273 add fund command (@ruyadorno)

  DOCUMENTATION

  • ae4c74d04 #274 migrate existing docs to gatsby (@claudiahdz)
  • 4ff1bb180 #277 updated documentation copy (@oletizi)

  BUG FIXES

  • e4455409f #281 delete ps1 files on package removal (@NoDocCat)
  • cd14d4701 #279 update supported node list to remove v6.0, v6.1, v9.0 - v9.2 (@ljharb)

  DEPENDENCIES

  • a37296b20 pacote@9.5.9
  • d3cb3abe8 read-cmd-shim@1.0.5

  TESTING

  • 688cd97be #272 use github actions for CI (@JasonEtco)
  • 9a2d8af84 #240 Clean up some flakiness and inconsistency (@isaacs)
• 6.12.1 - 2019-10-29
  

  6.12.1 (2019-10-29)

  BUG FIXES

  • 6508e833d #269 add node v13 as a supported version (@ljharb)
  • b6588a8f7 #265 Fix regression in lockfile repair for sub-deps (@feelepxyz)
  • d5dfe57a1 #266 resolve circular dependency in pack.js (@addaleax)

  DEPENDENCIES

  • 73678bb59 chownr@1.1.3
  • 4b76926e2 graceful-fs@4.2.3
  • c691f36a9 libcipm@4.0.7
  • 5e1a14975 npm-packlist@1.4.6
  • c194482d6 npm-registry-fetch@4.0.2
  • bc6a8e0ec tar@4.4.1
  • 4dcca3cbb uuid@3.3.3
• 6.12.0 - 2019-10-08
  

  6.12.0 (2019-10-08):

  Now npm ci runs prepare scripts for git dependencies, and respects the --no-optional argument. Warnings for engine mismatches are printed again. Various other fixes and cleanups.

  BUG FIXES

  • 890b245dc #252 ci: add dirPacker to options (@claudiahdz)
  • f3299acd0 #257 npm.community#4792 warn message on engine mismatch (@ruyadorno)
  • bbc92fb8f #259 npm.community#10288 Fix figgyPudding error in npm token (@benblank)
  • 70f54dcb5 #241 doctor: Make OK more consistent (@gemal)

  FEATURES

  • ed993a29c #249 Add CI environment variables to user-agent (@isaacs)
  • f6b0459a4 #248 Add option to save package-lock without formatting Adds a new config --format-package-lock, which defaults to true. (@bl00mber)

  DEPENDENCIES

  • 0ca063c5d npm-lifecycle@3.1.4:
    • fix: filter functions and undefined out of makeEnv (@isaacs)
  • 5df6b0ea2 libcipm@4.0.4:
    • fix: pack git directories properly (@claudiahdz)
    • respect no-optional argument (@cruzdanilo)
  • 7e04f728c tar@4.4.12
  • 5c380e5a3 stringify-package@1.0.1 (@isaacs)
  • 62f2ca692 node-gyp@5.0.5 (@isaacs)
  • 0ff0ea47a npm-install-checks@3.0.2 (@isaacs)
  • f46edae94 hosted-git-info@2.8.5 (@isaacs)

  TESTING

  • 44a2b036b #262 fix root-ownership race conditions in meta-test (@isaacs)
• 6.12.0-next.0 - 2019-09-26
• 6.11.3 - 2019-09-03
• 6.11.2 - 2019-08-22
• 6.11.1 - 2019-08-21
• 6.11.0 - 2019-08-20
• 6.10.3 - 2019-08-06
• 6.10.2 - 2019-07-23
• 6.10.2-next.3 - 2019-07-22
• 6.10.2-next.2 - 2019-07-21
• 6.10.2-next.1 - 2019-07-17
• 6.10.2-next.0 - 2019-07-16
• 6.10.1 - 2019-07-11
• 6.10.1-next.2 - 2019-07-10
• 6.10.1-next.1 - 2019-07-03
• 6.10.1-next.0 - 2019-07-03
• 6.10.0 - 2019-07-03
• 6.10.0-next.0 - 2019-07-01
• 6.9.2 - 2019-06-27
• 6.9.1-next.0 - 2019-03-20
• 6.9.0 - 2019-03-06
• 6.9.0-next.0 - 2019-02-21
• 6.8.0 - 2019-02-13
• 6.8.0-next.2 - 2019-02-07
• 6.8.0-next.1 - 2019-02-06
• 6.8.0-next.0 - 2019-01-31
• 6.7.0 - 2019-01-23
• 6.6.0 - 2019-01-17
• 6.6.0-next.1 - 2019-01-10
• 6.6.0-next.0 - 2018-12-12
• 6.5.0 - 2018-12-10
• 6.5.0-next.0 - 2018-11-28
• 6.4.1 - 2018-08-29
• 6.4.1-next.0 - 2018-08-23
• 6.4.0 - 2018-08-15
• 6.4.0-next.0 - 2018-08-09
• 6.3.0 - 2018-08-02
• 6.3.0-next.0 - 2018-07-25
• 6.2.0 - 2018-07-14

from npm GitHub release notes

Commit messages

Package name: npm

• f533d61 6.13.7
• 5897df4 update AUTHORS
• dcafdd9 updated changelog for npm@6.13.7
• 0fb1296 libnpx@10.2.2
• 1a5d209 chore: removed reference to package.community as a source for npm team support
• 68fc88e docs: updated the CONTRIBUTING file; added references to benchmarking
• 1ce0344 feat: updated workflow for pull-ruquest benchmark dispatch requests
• 5967fa4 feat: added workflow file for commenting on a pull-request to dispatch trigger benchmark suite
• 3590e40 fix: removed authorization header from benchmark dispatch request
• c9b69d5 node-gyp@5.0.7
• e8dbaf4 bin-links@1.1.7
• 7230e13 docs: fix header parsing that was breaking misc config manpage
• 7dbb914 Update CI detection cases
• 7852c0c Use the npm lint script on CI.
• b1aeeb6 docs: mention --no-optional in package-json
• 88cfb88 chore: fixes nodejs tests
• ac3739f 6.13.6
• c56c847 docs: changelog for 6.13.6
• 6dba897 pacote@9.5.12
• 787bb66 6.13.5
• e099866 update AUTHORS
• 4812866 docs: changelog for 6.13.5
• 6fb5dbb npm-link: clarify usage of global prefix
• 4b30f3c feat(version): using 'allow-same-version', git commit --allow-empty and git tag -f

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[//]: # (snyk:metadata:{"dependencies":[{"name":"npm","from":"6.2.0","to":"6.13.7"}],"packageManager":"npm","type":"auto","projectUrl":"https://app.snyk.io/org/phillipgraniero-rxi/project/2958b718-1a0e-4eb7-bf1f-99ec96c329f3?utm_source=github&utm_medium=upgrade-pr","projectPublicId":"2958b718-1a0e-4eb7-bf1f-99ec96c329f3","env":"prod","prType":"upgrade","vulns":["SNYK-JS-TAR-174125","SNYK-JS-NPM-537606","SNYK-JS-NPM-537603","SNYK-JS-FSTREAM-174725","SNYK-JS-BINLINKS-537610","SNYK-JS-BINLINKS-537608","npm:mem:20180117","SNYK-JS-HTTPSPROXYAGENT-469131","SNYK-JS-NPM-537604","SNYK-JS-BINLINKS-537609"],"issuesToFix":[{"issueId":"SNYK-JS-TAR-174125","severity":"high","title":"Arbitrary File Overwrite","exploitMaturity":"no-known-exploit"},{"issueId":"SNYK-JS-NPM-537606","severity":"high","title":"Arbitrary File Write","exploitMaturity":"proof-of-concept"},{"issueId":"SNYK-JS-NPM-537603","severity":"high","title":"Arbitrary File Overwrite","exploitMaturity":"proof-of-concept"},{"issueId":"SNYK-JS-FSTREAM-174725","severity":"high","title":"Arbitrary File Overwrite","exploitMaturity":"no-known-exploit"},{"issueId":"SNYK-JS-BINLINKS-537610","severity":"high","title":"Arbitrary File Write","exploitMaturity":"proof-of-concept"},{"issueId":"SNYK-JS-BINLINKS-537608","severity":"high","title":"Arbitrary File Overwrite","exploitMaturity":"proof-of-concept"},{"issueId":"npm:mem:20180117","severity":"medium","title":"Denial of Service (DoS)","exploitMaturity":"no-known-exploit"},{"issueId":"SNYK-JS-HTTPSPROXYAGENT-469131","severity":"medium","title":"Man-in-the-Middle (MitM)","exploitMaturity":"proof-of-concept"},{"issueId":"SNYK-JS-NPM-537604","severity":"low","title":"Unauthorized File Access","exploitMaturity":"proof-of-concept"},{"issueId":"SNYK-JS-BINLINKS-537609","severity":"low","title":"Unauthorized File Access","exploitMaturity":"proof-of-concept"}],"upgrade":["SNYK-JS-TAR-174125","SNYK-JS-NPM-537606","SNYK-JS-NPM-537603","SNYK-JS-FSTREAM-174725","SNYK-JS-BINLINKS-537610","SNYK-JS-BINLINKS-537608","npm:mem:20180117","SNYK-JS-HTTPSPROXYAGENT-469131","SNYK-JS-NPM-537604","SNYK-JS-BINLINKS-537609"],"upgradeInfo":{"versionsDiff":47,"publishedDate":"2020-01-28T19:09:13.959Z"},"templateVariants":[],"hasFixes":true,"isMajorUpgrade":false,"isBreakingChange":false})