
[Snyk] Upgrade bootstrap-vue from 2.0.0-rc.11 to 2.23.1 #9

Open
wants to merge 1 commit into base: master

Conversation

@OKEAMAH OKEAMAH (Member) commented Aug 18, 2024


Snyk has created this PR to upgrade bootstrap-vue from 2.0.0-rc.11 to 2.23.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 60 versions ahead of your current version.

  • The recommended version was released 2 years ago.

Issues fixed by the recommended upgrade:

| Severity | Issue | Snyk ID | Score | Exploit Maturity |
|---|---|---|---|---|
| high | Prototype Pollution | SNYK-JS-LODASH-608086 | 150 | Proof of Concept |
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-ANSIREGEX-1583908 | 150 | Proof of Concept |
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-ANSIREGEX-1583908 | 150 | Proof of Concept |
| high | Prototype Pollution | SNYK-JS-LODASH-6139239 | 150 | Proof of Concept |
| high | Cross-site Scripting (XSS) | SNYK-JS-BOOTSTRAPVUE-73558 | 150 | Proof of Concept |
| high | Code Injection | SNYK-JS-LODASH-1040724 | 150 | Proof of Concept |
| high | Prototype Pollution | SNYK-JS-LODASH-450202 | 150 | Proof of Concept |
| high | Prototype Pollution | SNYK-JS-LODASH-567746 | 150 | Proof of Concept |
| medium | Prototype Pollution | SNYK-JS-MINIMIST-559764 | 150 | Proof of Concept |
| medium | Information Exposure | SNYK-JS-NODEFETCH-2342118 | 150 | No Known Exploit |
| medium | Denial of Service | SNYK-JS-NODEFETCH-674311 | 150 | No Known Exploit |
| medium | Cross-site Scripting (XSS) | SNYK-JS-BOOTSTRAP-173700 | 150 | No Known Exploit |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-LODASH-1018905 | 150 | Proof of Concept |
| low | Prototype Pollution | SNYK-JS-MINIMIST-2429795 | 150 | Proof of Concept |
Release notes
Package name: bootstrap-vue
  • 2.23.1 - 2022-10-26

    chore(release): v2.23.1

  • 2.23.0 - 2022-10-25

    chore(release): v2.23.0

  • 2.22.0 - 2022-04-17

    🚀 Features

    • b-link
      • #6811 Support exact-path and exact-path-active-class props for router link
    • b-form-tags
      • #6395 Adds focusin & focusout to wrapper and prevents firing multiple focus/blur events
      • #6347 Add feedback-aria-live prop
    • general
      • #6375 Add headerTag and footerTag props to all components with header and footer
    • b-dropdown
      • #6339 Add toggle-attrs prop

    🐛 Bug Fixes

    • general
      • #6834 Replace sass division with multiplication
    • b-table
      • #6645 Selected table header text no longer prevents table row selection
      • #6606 Fix range selection of b-table
      • #6603 Set aria-sort when using sortKey and no-local-sorting
      • #6383 Default role to grid when selectable and table otherwise
      • #6382 Prefer user-provided role attribute
      • #6372 Add missing role="grid" when selectable
      • #6371 Header cell overflow for .sr-only sort label
      • #6355 Add missing sortKey field type and correct a typo
    • b-skeleton
      • #6858 Accepts custom attributes
    • nav-item-dropdown
      • 97bb97b Update dropdown to set correct aria-controls
    • b-dropdown
      • #6865 Set correct aria-haspopup attribute for the toggle button
      • #6367 Decrease delay when hiding inside a navbar on no-touch devices
    • utils/dom
    • docs
      • #6545 Use https:// urls in docs
    • b-form-group
      • #6346 Remove role="alert" from valid/invalid feedback
    • b-input-tags
      • #6389 Respect custom $input-color
    • b-link
      • #6374 Remove default values from vue-router pass-down props
    • b-img-lazy
      • #6349 Fix blank placeholder for Firefox
      • #6302 Fix blank-src not working
    • b-form-input/b-form-textarea
      • #6345 Legacy browser support

    🏡 Chore

    • tests
      • 8ce291b Refactor tests not to use $children
      • b16514b Remove useless localVue usage
      • ac8ebfe Replace find with findComponents
      • d113cc7 Remove createContainer helper
    • b-form-tags
      • #6752 Correct typo b-from-tags to b-form-tags
    • icons
      • #6611 Update Bootstrap Icons to v1.5.0
    • docs
      • #6466 Add new "Vuexy - Admin Dashboard" theme
      • #6368 Make sure the clicked anchor target is reflected in URL
    • ci
      • #6592 Update workflows to new Node.js versions
    • refactor
      • #6381 Move away from lifecycle hook listeners
      • #6356 Unify event variable names

    💖 Thanks to

    • Andrei Gheorghiu
    • Connor Forbes
    • Illya Klymov
    • JD
    • James Pickard
    • Jingsong Gao
    • John Franey
    • Jonathan Guberman
    • Joshua Wu
    • Konstantin
    • Lei Wang
    • Olena Horal
    • Pete Hegman
    • Rare Kang
    • Samuel Denis-D'Ortun
    • William
    • William Teixeira
    • magical-l
    • ochowei
    • xenolithviktor
  • 2.21.2 - 2021-01-01

    🐛 Bug Fixes

    • b-dropdown
      • #6274 Only apply heading role to header when not a header tag
    • b-table
      • #6266 Allow responsive and stacked props together
      • #6251 Only set aria-describedby when caption really exists
    • general
      • #6265 Clean up props inheritance
      • #6226 Environment detection based on userAgent
    • b-form-datepicker/b-form-timepicker
    • b-sidebar
      • #6234 Make sure to not exceed 100% in height
    • b-icon
      • #6233 Title render handling

    🏡 Chore

    • docs
      • #6263 Correct typos and improve wording in theming section
      • #6244 Fix typos in <b-form-select> and <b-form-textarea> docs
      • d94edfe Fix typo on "Getting started" page
      • #6232 Remove label-for from <b-form-group>'s with <b-form-file> component
      • #6231 Fix typos in the Dropdown README
      • #6222 Improve Bootstrap/BootstrapVue style import guide in "Getting started" docs
    • icons
      • #6252 Update Bootstrap Icons to v1.2.2
    • general
      • #6227 Add Nuxt.js CodeSandbox CI template

    💖 Thanks to

    • Rich Klein
    • a-kriya
    • cvn
    • darrelfrancis
  • 2.21.1 - 2020-12-16

    🐛 Bug Fixes

    • b-tabs
      • #6208 Restore correct active tab detection logic
    • b-badge
      • #6217 Attribute inheritance
    • b-pagination
      • #6200 Don't set initial page count twice
    • b-dropdown

    🏡 Chore

    • docs
      • #6206 Fix <b-form-timepicker> "Button only mode" example markup
  • 2.21.0 - 2020-12-14

    🚀 Features

    • b-form-group
      • #6178 Add content-cols props and scoped default slot
    • b-sidebar
    • b-form-tags
      • #6163 Add no-tags-remove prop
    • refactor
      • #6141 Code enhancements for easier Vue 3 migration

    🐛 Bug Fixes

    • b-form-datepicker/b-form-timepicker
      • #6186 Label styles when in button-only mode
    • b-tabs
      • #6154 Cleanup rendering logic
    • b-form-datepicker
      • #6159 valueAsDate prop handling
    • table
      • #6153 Default sort compare logic for date strings
      • c375ce9 Use original value for fallback when number parsing fails in defaultSortCompare

    🏡 Chore

    • icons
      • #6194 Update Bootstrap Icons to v1.2.1
      • #6180 Update Bootstrap Icons to v1.2.0
    • refactor
      • b0f5f63 Prefer multiple constants over constants object
    • docs
      • #6148 Update highlight.js to v10

    💖 Thanks to

    • magical-l
  • 2.20.1 - 2020-12-01

    🐛 Bug Fixes

    • general
      • #6113 User supplied prop function detection
    • table
      • c375ce9 Use original value for fallback when number parsing fails in defaultSortCompare
  • 2.20.0 - 2020-11-30

    🚀 Features

    • b-form-tags

    🐛 Bug Fixes

    • b-table
      • #6105 Sort handling for numeric string values
      • #6102 Only set tabindex="0" for sortable TH's
    • b-form-tags
      • #6103 Required handling
    • b-form-spinbutton
    • general
      • #6070 User supplied prop function detection
    • b-form-input
      • #6084 Modified value handling

    🏡 Chore

    • refactor
      • #6100 Improved code sharing between form components
    • docs
      • #6043 Update "Can I use" links
      • #6040 Fix gull & dexam preview image link
      • 25080ca Correct comment to Nuxt.js module icons option

    💖 Thanks to

    • naime-hossain
  • 2.19.0 - 2020-11-08

    🚀 Features

    • config
      • #5981 Improved defaults handling
    • b-media
      • #5965 Improve aside right handling
    • icons
      • #5977 update Bootstrap Icons to v1.1.0

    🐛 Bug Fixes

    • b-dropdown
      • #6009 Click handling on close
    • b-form-group
      • #6006 Accessibility when label-for prop not set
    • b-form-checkbox/b-form-radio
      • #6008 change event timing
    • b-avatar
      • #5975 Badge z-index handling
      • #5963 Prevent avatar from being squished

    🏡 Chore

    • docs
      • #6019 Add another pageOptions setting example
      • #6014 Improve component name formatting
      • #5995 Add gull & dexam themes
    • general
      • #6015 Unify interval/timeout handling
      • #6002 Add SECURITY.md
      • #5990 Migrate from node-sass to sass (Dart Sass)
    • ci
      • #6004 Move to Dependabot for all dependency updates
      • #6003 Add CodeQL action
      • #6001 Update Node.js versions

    💖 Thanks to

    • 82amp
    • JD
    • Joris Lacance
    • Tal Koren
    • naime-hossain
  • 2.18.1 - 2020-10-21

    🐛 Bug Fixes

    • b-icon
      • #5939 Local component lookup
    • b-link
      • #5934 href handling with live router
    • b-form-group
      • #5933 Content element ID handling

    🏡 Chore

    • docs
      • #5935 Add example on how to alias Vue with Vue CLI
  • 2.18.0 - 2020-10-19
  • 2.17.3 - 2020-09-18
  • 2.17.2 - 2020-09-18
  • 2.17.1 - 2020-09-16
  • 2.17.0 - 2020-09-13
  • 2.16.0 - 2020-07-28
  • 2.15.0 - 2020-05-22
  • 2.14.0 - 2020-05-12
  • 2.13.1 - 2020-05-06
  • 2.13.0 - 2020-04-27
  • 2.12.0 - 2020-04-20
  • 2.11.0 - 2020-04-08
  • 2.10.1 - 2020-04-02
  • 2.10.0 - 2020-04-01
  • 2.9.0 - 2020-03-26
  • 2.8.0 - 2020-03-22
  • 2.7.0 - 2020-03-14
  • 2.6.1 - 2020-03-06
  • 2.6.0 - 2020-03-05
  • 2.5.0 - 2020-02-18
  • 2.4.2 - 2020-02-15
  • 2.4.1 - 2020-02-13
  • 2.4.0 - 2020-02-01
  • 2.3.0 - 2020-01-24
  • 2.2.2 - 2020-01-15
  • 2.2.1 - 2020-01-14
  • 2.2.0 - 2020-01-09
  • 2.1.0 - 2019-11-13
  • 2.0.4 - 2019-10-11
  • 2.0.3 - 2019-10-05
  • 2.0.2 - 2019-09-20
  • 2.0.1 - 2019-09-13
  • 2.0.0 - 2019-09-07
  • 2.0.0-rc.28 - 2019-08-12
  • 2.0.0-rc.27 - 2019-07-22
  • 2.0.0-rc.26 - 2019-07-09
  • 2.0.0-rc.25 - 2019-06-30
  • 2.0.0-rc.24 - 2019-06-17
  • 2.0.0-rc.23 - 2019-06-14
  • 2.0.0-rc.22 - 2019-05-31
  • 2.0.0-rc.21 - 2019-05-26
  • 2.0.0-rc.20 - 2019-05-12
  • 2.0.0-rc.19 - 2019-04-21
  • 2.0.0-rc.18 - 2019-04-08
  • 2.0.0-rc.17 - 2019-04-08
  • 2.0.0-rc.16 - 2019-03-28
  • 2.0.0-rc.15 - 2019-03-18
  • 2.0.0-rc.14 - 2019-03-08
  • 2.0.0-rc.13 - 2019-02-19
  • 2.0.0-rc.12 - 2019-02-14
  • 2.0.0-rc.11 - 2018-05-20
from bootstrap-vue GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

See this package in npm:
bootstrap-vue

See this project in Snyk:
https://app.snyk.io/org/okeamah/project/0ab18772-444e-4ffb-9359-976b5cdedfce?utm_source=github&utm_medium=referral&page=upgrade-pr

@sourcery-ai sourcery-ai bot left a comment


We have skipped reviewing this pull request. Here's why:

  • It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
  • We don't review packaging changes - Let us know if you'd like us to change this.


New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

| Package | New capabilities | Transitives | Size | Publisher |
|---|---|---|---|---|
| npm/@nuxt/opencollective@0.3.3 | environment, filesystem, network, shell | +6 | 116 kB | danielroe |
| npm/bootstrap-vue@2.23.1 | None | 0 | 49.3 MB | xanf |
| npm/bootstrap@4.6.2 | None | 0 | 4.56 MB | xhmikosr |
| npm/consola@2.15.3 | environment, filesystem | 0 | 123 kB | pi0 |
| npm/node-fetch@2.7.0 | network | 0 | 162 kB | node-fetch-bot |
| npm/popper.js@1.16.1 | None | 0 | 1.72 MB | fezvrasta |
| npm/portal-vue@2.1.7 | None | 0 | 158 kB | linusborg |

🚮 Removed packages: npm/babel-polyfill@6.23.0, npm/bootstrap-vue@2.0.0-rc.11, npm/bootstrap@4.1.3, npm/encoding@0.1.12, npm/lodash.get@4.4.2, npm/lodash.startcase@4.4.0, npm/node-fetch@1.6.3, npm/opencollective@1.0.3, npm/popper.js@1.14.5, npm/psl@1.1.29, npm/public-encrypt@4.0.3, npm/pump@3.0.0, npm/pumpify@1.5.1, npm/punycode@2.1.1, npm/q@1.5.1, npm/querystring-es3@0.2.1, npm/querystring@0.2.0, npm/querystringify@2.1.0, npm/randombytes@2.0.6, npm/randomfill@1.0.4, npm/read-pkg@4.0.1, npm/readable-stream@2.3.6, npm/readdirp@2.2.1, npm/regenerate-unicode-properties@7.0.0, npm/regenerate@1.4.0, npm/regenerator-runtime@0.12.1, npm/regenerator-transform@0.13.3, npm/regex-not@1.0.2, npm/regexpp@1.1.0, npm/regexpu-core@4.2.0, npm/regjsgen@0.4.0, npm/regjsparser@0.3.0, npm/relateurl@0.2.7, npm/remove-trailing-separator@1.1.0, npm/renderkid@2.0.2, npm/repeat-element@1.1.3, npm/repeat-string@1.6.1, npm/request-promise-core@1.1.1, npm/request-promise-native@1.0.5, npm/request@2.88.0, npm/require-directory@2.1.1, npm/require-from-string@2.0.2, npm/require-main-filename@1.0.1, npm/require-uncached@1.0.3, npm/requires-port@1.0.0, npm/resolve-cwd@2.0.0, npm/resolve-from@1.0.1, npm/resolve-url@0.2.1, npm/resolve@1.8.1, npm/restore-cursor@2.0.0, npm/ret@0.1.15, npm/rgb-regex@1.0.1, npm/rgba-regex@1.0.0, npm/rimraf@2.6.2, npm/ripemd160@2.0.2, npm/run-async@2.3.0, npm/run-queue@1.0.3, npm/rx-lite-aggregates@4.0.8, npm/rx-lite@4.0.8, npm/rx@4.1.0, npm/rxjs@6.3.3, npm/safe-regex@1.1.0, npm/sax@1.2.4, npm/schema-utils@0.4.7, npm/select-hose@2.0.0, npm/selfsigned@1.10.4, npm/semver@5.6.0, npm/serialize-javascript@1.5.0, npm/serve-index@1.9.1, npm/set-blocking@2.0.0, npm/set-value@2.0.0, npm/setimmediate@1.0.5, npm/sha.js@2.4.11, npm/shebang-command@1.2.0, npm/shebang-regex@1.0.0, npm/shell-quote@1.6.1, npm/signal-exit@3.0.2, npm/simple-swizzle@0.2.2, npm/slash@1.0.0, npm/slice-ansi@1.0.0, npm/snapdragon-node@2.1.1, npm/snapdragon-util@3.0.1, npm/snapdragon@0.8.2, 
npm/sockjs-client@1.3.0, npm/sockjs@0.3.19, npm/source-list-map@2.0.1, npm/source-map-resolve@0.5.2, npm/source-map-support@0.5.9, npm/source-map-url@0.4.0, npm/source-map@0.5.7, npm/spdx-correct@3.0.2, npm/spdx-exceptions@2.2.0, npm/spdx-expression-parse@3.0.0, npm/spdx-license-ids@3.0.2, npm/spdy-transport@2.1.1, npm/spdy@3.4.7, npm/split-string@3.1.0, npm/sprintf-js@1.0.3, npm/sshpk@1.15.2, npm/ssri@6.0.1, npm/stable@0.1.8, npm/stackframe@1.0.4, npm/static-extend@0.1.2, npm/stealthy-require@1.1.1, npm/stream-browserify@2.0.1, npm/stream-each@1.2.3, npm/stream-http@2.8.3, npm/stream-shift@1.0.0, npm/string-width@2.1.1, npm/string.prototype.padend@3.0.0, npm/string.prototype.padstart@3.0.0, npm/string_decoder@1.1.1, npm/strip-ansi@4.0.0, npm/strip-eof@1.0.0, npm/strip-indent@2.0.0, npm/strip-json-comments@2.0.1, npm/stylehacks@4.0.1, npm/supports-color@5.5.0, npm/svgo@1.1.1, npm/table@4.0.2, npm/tapable@1.1.0, npm/terser-webpack-plugin@1.1.0, npm/terser@3.10.11, npm/text-table@0.2.0, npm/thread-loader@1.2.0, npm/through2@2.0.5, npm/thunky@1.0.3, npm/timers-browserify@2.0.10, npm/timsort@0.3.0, npm/tmp@0.0.33, npm/to-arraybuffer@1.0.1, npm/to-fast-properties@2.0.0, npm/to-object-path@0.3.0, npm/to-regex-range@2.1.1, npm/to-regex@3.0.2, npm/topo@3.0.3, npm/toposort@1.0.7, npm/tough-cookie@2.4.3, npm/trim-right@1.0.1, npm/tryer@1.0.1, npm/tslib@1.9.3, npm/tty-browserify@0.0.0, npm/tunnel-agent@0.6.0, npm/tweetnacl@0.14.5, npm/type-check@0.3.2, npm/typedarray@0.0.6, npm/uglify-js@3.4.9, npm/uglifyjs-webpack-plugin@1.3.0, npm/unicode-canonical-property-names-ecmascript@1.0.4, npm/unicode-match-property-ecmascript@1.0.4, npm/unicode-match-property-value-ecmascript@1.0.2, npm/unicode-property-aliases-ecmascript@1.0.4, npm/union-value@1.0.0, npm/uniq@1.0.1, npm/uniqs@2.0.0, npm/unique-filename@1.1.1, npm/unique-slug@2.0.1, npm/universalify@0.1.2, npm/unquote@1.1.1, npm/unset-value@1.0.0, npm/upath@1.1.0, npm/upper-case@1.1.3, npm/uri-js@4.2.2, npm/urix@0.1.0, 
npm/url-loader@1.1.2, npm/url-parse@1.4.4, npm/url@0.11.0, npm/use@3.1.1, npm/util-deprecate@1.0.2, npm/util.promisify@1.0.0, npm/utila@0.4.0, npm/uuid@3.3.2, npm/validate-npm-package-license@3.0.4, npm/vendors@1.0.2, npm/verror@1.10.0, npm/vm-browserify@0.0.4, npm/vue-eslint-parser@2.0.3, npm/vue-functional-data-merge@2.0.7, npm/vue-hot-reload-api@2.3.1, npm/vue-loader@15.4.2, npm/vue-style-loader@4.1.2, npm/vue-template-compiler@2.5.17, npm/vue-template-es2015-compiler@1.6.0, npm/vue@2.5.17, npm/watchpack@1.6.0, npm/wbuf@1.7.3, npm/wcwidth@1.0.1, npm/webpack-bundle-analyzer@3.0.3, npm/webpack-chain@4.12.1, npm/webpack-dev-middleware@3.4.0, npm/webpack-dev-server@3.1.10, npm/webpack-log@2.0.0, npm/webpack-merge@4.1.4, npm/webpack-sources@1.3.0, npm/webpack@4.25.1, npm/websocket-driver@0.7.0, npm/websocket-extensions@0.1.3, npm/which-module@2.0.0, npm/which@1.3.1, npm/wordwrap@1.0.0, npm/worker-farm@1.6.0, npm/wrap-ansi@2.1.0, npm/wrappy@1.0.2, npm/write@0.2.1, npm/ws@6.1.0, npm/xregexp@4.0.0, npm/y18n@4.0.0, npm/yallist@2.1.2, npm/yargs-parser@10.1.0, npm/yargs@12.0.2, npm/yorkie@2.0.0

View full report↗︎


🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert: Install scripts
Package: npm/bootstrap-vue@2.23.1
  • Install script: postinstall
  • Source: opencollective || exit 0
CI: 🚫

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware, you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space-separated list of ecosystem/package-name@version specifiers, e.g. @SocketSecurity ignore npm/foo@1.0.0, or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm/bootstrap-vue@2.23.1

2 participants