Update dependencies #402

vio · 2024-12-17T22:10:43Z

No description provided.

socket-security · 2025-01-08T22:42:37Z

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@release-it/conventional-changelog@10.0.0	Transitive: environment, eval, filesystem, shell	`+62`	8.01 MB	webpro
npm/@types/node@22.10.5	None	`+1`	2.37 MB	types
npm/release-it@18.1.1	Transitive: environment, eval, filesystem, network, shell, unsafe	`+268`	25.3 MB	webpro
npm/rollup@4.30.1	None	`+21`	49.6 MB	eventualbuddha, lukastaegert, rich_harris, ...2 more
npm/typescript@5.7.3	None	`0`	22.7 MB	andrewbranch, minestarks, rbuckton, ...5 more

🚮 Removed packages: npm/@release-it/conventional-changelog@9.0.3, npm/@types/node@22.10.2, npm/release-it@17.10.0, npm/rollup@4.28.1, npm/typescript@5.7.2

View full report↗︎

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.4.3 to 4.5.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v4.4.3...v4.5.0) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [rollup](https://github.com/rollup/rollup) from 4.28.1 to 4.29.1. - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.28.1...v4.29.1) --- updated-dependencies: - dependency-name: rollup dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [@release-it/conventional-changelog](https://github.com/release-it/conventional-changelog) from 9.0.3 to 9.0.4. - [Release notes](https://github.com/release-it/conventional-changelog/releases) - [Commits](release-it/conventional-changelog@9.0.3...9.0.4) --- updated-dependencies: - dependency-name: "@release-it/conventional-changelog" dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [release-it](https://github.com/release-it/release-it) from 17.10.0 to 17.11.0. - [Release notes](https://github.com/release-it/release-it/releases) - [Changelog](https://github.com/release-it/release-it/blob/main/CHANGELOG.md) - [Commits](release-it/release-it@17.10.0...17.11.0) --- updated-dependencies: - dependency-name: release-it dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 22.10.2 to 22.10.3. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 22.10.3 to 22.10.4. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [rollup](https://github.com/rollup/rollup) from 4.29.1 to 4.29.2. - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.29.1...v4.29.2) --- updated-dependencies: - dependency-name: rollup dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 22.10.4 to 22.10.5. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [rollup](https://github.com/rollup/rollup) from 4.29.2 to 4.30.1. - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.29.2...v4.30.1) --- updated-dependencies: - dependency-name: rollup dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [release-it](https://github.com/release-it/release-it) and [@release-it/conventional-changelog](https://github.com/release-it/conventional-changelog). These dependencies needed to be updated together. Updates `release-it` from 17.11.0 to 18.1.1 - [Release notes](https://github.com/release-it/release-it/releases) - [Changelog](https://github.com/release-it/release-it/blob/main/CHANGELOG.md) - [Commits](release-it/release-it@17.11.0...18.1.1) Updates `@release-it/conventional-changelog` from 9.0.4 to 10.0.0 - [Release notes](https://github.com/release-it/conventional-changelog/releases) - [Commits](release-it/conventional-changelog@9.0.4...10.0.0) --- updated-dependencies: - dependency-name: release-it dependency-type: direct:development update-type: version-update:semver-major - dependency-name: "@release-it/conventional-changelog" dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [typescript](https://github.com/microsoft/TypeScript) from 5.7.2 to 5.7.3. - [Release notes](https://github.com/microsoft/TypeScript/releases) - [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release.yml) - [Commits](microsoft/TypeScript@v5.7.2...v5.7.3) --- updated-dependencies: - dependency-name: typescript dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

…te-dependencies/typescript-5.7.3 build(deps-dev): bump typescript from 5.7.2 to 5.7.3

…te-dependencies/multi-25e7bc6a37 build(deps-dev): bump release-it and @release-it/conventional-changelog

socket-security · 2025-01-09T20:58:47Z

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
License Policy Violation	npm/typescript@5.7.3	License: CC-BY-4.0 - Not allowed by license policy (package/ThirdPartyNoticeText.txt) License: W3C-20150513 - Not allowed by license policy (package/ThirdPartyNoticeText.txt)	`package-lock.json` `package.json`	⚠︎

View full report↗︎

Next steps

What is a license policy violation?

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

@SocketSecurity ignore npm/typescript@5.7.3

vio marked this pull request as ready for review January 9, 2025 20:41

dependabot bot added 9 commits January 9, 2025 21:42

vio force-pushed the update-dependencies branch from 9f0220d to ff09cbe Compare January 9, 2025 20:44

chore: regenerate package-lock

27dbce7

vio force-pushed the update-dependencies branch from ff09cbe to 27dbce7 Compare January 9, 2025 20:47

dependabot bot and others added 4 commits January 9, 2025 20:56

Merge pull request #416 from relative-ci/dependabot/npm_and_yarn/upda…

da8ad32

…te-dependencies/typescript-5.7.3 build(deps-dev): bump typescript from 5.7.2 to 5.7.3

Merge pull request #415 from relative-ci/dependabot/npm_and_yarn/upda…

1a4224d

…te-dependencies/multi-25e7bc6a37 build(deps-dev): bump release-it and @release-it/conventional-changelog

vio merged commit 9331513 into master Jan 9, 2025
14 checks passed

vio deleted the update-dependencies branch January 9, 2025 21:23

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependencies #402

Update dependencies #402

vio commented Dec 17, 2024

socket-security bot commented Jan 8, 2025 •

edited

Loading

socket-security bot commented Jan 9, 2025

Update dependencies #402

Update dependencies #402

Conversation

vio commented Dec 17, 2024

socket-security bot commented Jan 8, 2025 • edited Loading

socket-security bot commented Jan 9, 2025

Next steps

socket-security bot commented Jan 8, 2025 •

edited

Loading