[Snyk] Fix for 1 vulnerabilities #7

snyk-bot · 2023-04-25T02:33:53Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- packages/scripts/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	768/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5	Uncaught Exception SNYK-JS-YAML-5458867	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: npm-package-json-lint

The new version differs by 250 commits.

f183e59 feat: export write method (Fix parsing empty post content with TinyMCE WordPress/gutenberg#875)
e73c4f6 build(deps): Bump minimatch, recursive-readdir and serve-handler (Backspace does not seem to cause a selectionChange event WordPress/gutenberg#883)
213a0fe build(deps-dev): Bump prettier from 2.7.1 to 2.8.0 (Add/365 freeform block WordPress/gutenberg#880)
b19e5aa build(deps-dev): Bump @ typescript-eslint/eslint-plugin (Remove wp.element; embrace React WordPress/gutenberg#876)
8a48bcb build(deps): Bump cosmiconfig from 7.1.0 to 8.0.0 (Quote: can get stuck with empty source placeholder WordPress/gutenberg#877)
65607ec build(deps-dev): Bump esbuild from 0.15.14 to 0.15.15 ("Magic" (read: auto-detected) Editable transforms, merging, focus WordPress/gutenberg#878)
f6c70d4 build(deps): Bump minimatch from 3.0.4 to 3.1.2 (The server-side rendering block matcher doesn't match blocks with - (hyphen) WordPress/gutenberg#882)
b4bb20a build(deps-dev): Bump eslint-plugin-jest from 27.1.5 to 27.1.6 (Only show inline boundaries on focus WordPress/gutenberg#881)
310372a build(deps-dev): Bump eslint from 8.27.0 to 8.28.0 (Update demo content. WordPress/gutenberg#874)
db7d832 build(deps-dev): Bump esbuild from 0.15.13 to 0.15.14 (Inserter: update categories and height WordPress/gutenberg#872)
7b1b5f0 build(deps): Bump loader-utils from 1.4.1 to 1.4.2 in /website (Show toolbar on meta key press WordPress/gutenberg#873)
ae78720 build(deps-dev): Bump typescript from 4.8.4 to 4.9.3 (Chrome: Adding the post excerpt panel WordPress/gutenberg#871)
32763fb build(deps-dev): Bump @ typescript-eslint/eslint-plugin ((srcset) sizes attribute WordPress/gutenberg#869)
568da73 build(deps): Bump cosmiconfig from 7.0.1 to 7.1.0 (Add "Latest Posts" Block WordPress/gutenberg#870)
f041301 build(deps-dev): Bump eslint-plugin-jest from 27.1.4 to 27.1.5 (Framework: redirecting to wp-admin URL WordPress/gutenberg#867)
7e62185 build(deps-dev): Bump @ typescript-eslint/eslint-plugin (Discussion: Block attributes initialization WordPress/gutenberg#865)
d44f8bb build(deps): Bump type-fest from 3.1.0 to 3.2.0 (Register mce plugin scripts WordPress/gutenberg#863)
ab69c6e build(deps): Bump loader-utils from 1.4.0 to 1.4.1 in /website (Use value instead of defaultValue on textarea WordPress/gutenberg#866)
1afbbb3 build(deps-dev): Bump eslint from 8.26.0 to 8.27.0 (Editor: add suggestedPostFormat selector. WordPress/gutenberg#864)
d6dee75 Fix links to rules documentation and Node API in README (Sidebar: Add Post Format panel, or infer post formats WordPress/gutenberg#857)
85e8ac8 build(deps-dev): Bump @ typescript-eslint/eslint-plugin (Inserter: optimize for mobile WordPress/gutenberg#859)
d69d546 build(deps-dev): Bump @ types/node from 18.11.7 to 18.11.9 (Mobile: Improve toolbar WordPress/gutenberg#860)
e8f52bd build(deps-dev): Bump esbuild from 0.15.12 to 0.15.13 (Show UI on text selection WordPress/gutenberg#861)
21c85cf build(deps-dev): Bump eslint-plugin-jest from 27.1.3 to 27.1.4 (Chrome: Adding the trash post link to the sidebar WordPress/gutenberg#862)

See the full diff

Package name: postcss-loader

The new version differs by 61 commits.

b5c55fb chore(release): 7.1.0
8114be4 feat(deps): update `cosmiconfig` (Improve editor toolbar toggle buttons accessibility WordPress/gutenberg#628)
054ee90 docs: fix default value of config (Parser: Use an HTML like attribute syntax for comment attributes WordPress/gutenberg#626) (Undo/Redo and command+z WordPress/gutenberg#627)
f6e1cde chore(deps-dev): bump webpack from 5.75.0 to 5.76.0 (Headings: h2 and h3 have the same size WordPress/gutenberg#625)
d7070b2 chore: update dependencies to the latest version (Remove and prevent DOM access in block attributes matchers WordPress/gutenberg#624)
5128bee ci: use LTS node version in lint job (Force POSIX implementation for strings relative path output WordPress/gutenberg#622)
e1e5195 chore: update dependencies to the latest version (Inserting a new block should scroll to that block WordPress/gutenberg#621)
e6b2282 ci: use concurrency in github workflows (Inline links are hard to see WordPress/gutenberg#620)
fa8ebf6 chore: update ignorePaths in .cspell.json (Add "Separator" (hr) block to the library. WordPress/gutenberg#619)
5999338 chore(deps): bump json5 from 1.0.1 to 1.0.2 (Editable: Adding a prop to opt-for formatting controls WordPress/gutenberg#618)
bef937b chore: update dependency review action (Setup server side unit tests WordPress/gutenberg#617)
2e7f227 chore: update dependencies to the latest version (Blocks: add "Button" WordPress/gutenberg#616)
c3f6c57 chore: update dependencies to the latest version (chore: Use ESLint comma-dangle with always-multiline WordPress/gutenberg#615)
2129116 chore(release): 7.0.2
955085f fix: support ESM version of `postcss.config.js` and `postcss.config.mjs` (Remove generated gutenberg.pot file from repository WordPress/gutenberg#614)
b0f4749 chore: update styfle/cancel-workflow-action (Add eslint rule for trailing commas WordPress/gutenberg#612)
ab3ff44 chore: add cSpell to check spelling issues (Add basic 'dirty state' handling WordPress/gutenberg#610)
3177135 chore: update dependencies to the latest version (Question: How can we surface expected attributes of a block? WordPress/gutenberg#609)
08b19c7 docs: update cla link (Remove and prevent DOM access in attributes parsing WordPress/gutenberg#608)
49a0943 ci: add node v19 (Pullquote Block WordPress/gutenberg#607)
d274f90 ci: add dependency review action (Fix text colour of ‘Post Settings’ button when the sidebar is toggled. WordPress/gutenberg#606)
64af37b chore: update dependencies to the latest version (Add inline documentation to blocks index. WordPress/gutenberg#605)
548e8aa chore: update commitlint action (Reconsider including gutenberg.pot in the repository WordPress/gutenberg#604)
42a085f chore: run cancel workflow on pull request (Add embed block placeholder. WordPress/gutenberg#603)

See the full diff

Package name: stylelint

The new version differs by 90 commits.

4f49f93 15.0.0
f6e48bc Prepare changelog
7e3d5f5 Add link to migration guide
c82b560 Prepare release 15.0.0 (Paste: Single-line pastes should conform to current block WordPress/gutenberg#6555)
aa0e5db Refactor to remove needless code about `v15` branch (Copying and pasting lists adds empty list items WordPress/gutenberg#6621)
6db4908 Merge pull request Add FontSizePicker component and refactor paragraph block to use it. WordPress/gutenberg#6618 from stylelint/v15
bf9f222 Refactor `declaration-property-value-no-unknown` to reuse parsed CSSTree node (Error in color palette depreciation message WordPress/gutenberg#6616)
a479b03 Prepare docs for website (Can't write post: TypeError: Object(...) is not a function WordPress/gutenberg#6612)
392c6cd Add declaration-property-value-no-unknown (fix: Remove block alignment from paragraph block (fix #6476) WordPress/gutenberg#6511)
450757b Bump typescript from 4.9.4 to 4.9.5 (Draft auto WordPress/gutenberg#6614)
b3af7d2 Add `ignore: ["custom-elements"]` to `selector-max-type` (Build Tools: Parallel option for Docker Compose is deprecated WordPress/gutenberg#6588)
731a4c4 Fix `keyframe-selector-notation` false positives for named timeline range (Add shortcut tooltips for main toolbar WordPress/gutenberg#6605)
3358401 Fix `selector-not-notation` autofix for "simple" option ([Review/Help needed] Gutenblock for Slider/Slideshow WordPress/gutenberg#6608)
e8654fd Bump http-cache-semantics from 4.1.0 to 4.1.1 (Fix spelling error in post-featured-image/index.js WordPress/gutenberg#6609)
673dc46 Merge branch 'main' into v15
3234fcf Bump @ csstools/css-tokenizer from 2.0.0 to 2.0.1 (No background image alignment options for Cover Image block WordPress/gutenberg#6602)
101c437 Bump @ csstools/css-parser-algorithms from 2.0.0 to 2.0.1 (docs: Copy edits to theme extensibility WordPress/gutenberg#6601)
a6e6702 Bump jest from 29.3.1 to 29.4.1 ([2.8] does not assign new URL permalink, except at initial save WordPress/gutenberg#6603)
35bae12 Bump deepmerge from 4.2.2 to 4.3.0 (Fix caretRangeFromPoint for Firefox WordPress/gutenberg#6598)
0de0c61 Bump @ csstools/selector-specificity from 2.1.0 to 2.1.1 (Data: Refactor resolver fulfillment / request progress as data state WordPress/gutenberg#6600)
a7c0e9f Bump jest-watch-typeahead from 2.2.1 to 2.2.2 (columns block inline problem WordPress/gutenberg#6599)
7300302 Bump eslint from 8.32.0 to 8.33.0 (Convert to shared block - Cancel - Admin Message WordPress/gutenberg#6597)
ecbed06 Bump @ csstools/media-query-list-parser from 2.0.0 to 2.0.1 (WP 4.5.6 beta - GDPR Privacy Notes don't play nice with Gutenberg WordPress/gutenberg#6596)
f8988a1 Add `ignoreFunctions: []` to `unit-disallowed-list` ("Add block" button missing under the Paragraph block WordPress/gutenberg#6592)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-YAML-5458867

vercel · 2023-04-25T02:34:57Z

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
gutenberg	❌ Failed (Inspect)			Apr 25, 2023 2:37am
gutenberg-wd9x	❌ Failed (Inspect)			Apr 25, 2023 2:37am

socket-security · 2023-04-25T02:36:41Z

New dependency changes detected. Learn more about Socket for GitHub ↗︎

🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore @csstools/[email protected]
@SocketSecurity ignore @csstools/[email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore @tsconfig/[email protected]
@SocketSecurity ignore @tsconfig/[email protected]
@SocketSecurity ignore @tsconfig/[email protected]
@SocketSecurity ignore @tsconfig/[email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore @cspotcode/[email protected]
@SocketSecurity ignore @jridgewell/[email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]

⚠️ Filesystem access

Accesses the file system, and could potentially read sensitive data.

If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Package	Module	Location	Source
[email protected] (added)	fs	create-require.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	fs	dist-raw/node-internal-modules-cjs-loader.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	fs	dist-raw/node-internal-modules-esm-resolve.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	fs	dist-raw/node-internalBinding-fs.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	fs	dist/repl.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	fs	v8-compile-cache.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]

⚠️ Shell access

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Package	Module	Location	Source
[email protected] (added)	child_process	dist/child/spawn-child.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]

⚠️ Debug access

Uses debug, reflection and dynamic code execution features.

Removing the use of debug will reduce the risk of any reflection and dynamic code execution.

Package	Module	Location	Source
[email protected] (added)	vm	dist/repl.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	vm	v8-compile-cache.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	repl	dist-raw/node-internal-repl-await.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	repl	dist/repl.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	module	create-require.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	module	lib/data-patch.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via @svgr/[email protected], [email protected]
[email protected] (added)	module	lib/data.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via @svgr/[email protected], [email protected]
[email protected] (added)	module	lib/version.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via @svgr/[email protected], [email protected]
[email protected] (added)	module	lib/data-patch.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via @svgr/[email protected], [email protected], [email protected]
[email protected] (added)	module	lib/version.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via @svgr/[email protected], [email protected], [email protected]
[email protected] (added)	module	lib/version.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via @svgr/[email protected], [email protected]
[email protected] (added)	module	dist-raw/node-internal-modules-cjs-helpers.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	module	dist-raw/node-internal-modules-cjs-loader.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	module	dist-raw/node-internal-modules-cjs-loader.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	module	dist-raw/node-internal-modules-esm-resolve.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	module	dist-raw/node-nativemodule.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	module	dist/bin.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	module	dist/cjs-resolve-hooks.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	module	dist/esm.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	module	dist/index.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	module	dist/repl.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	module	dist/util.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	module	esm.mjs	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	module	esm/transpile-only.mjs	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	module	v8-compile-cache.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	v8-compile-cache-lib	dist/util.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]

⚠️ URL strings

Package contains fragments of external URLs or IP addresses, which may indicate that it covertly exfiltrates data.

Avoid using packages that make connections to the network, since this helps to leak data.

Package	URL Fragment	Location	Source
[email protected] (added)	https://stylelint.io/user-guide/rules/media-feature-name-unit-allowed-list	lib/rules/media-feature-name-unit-allowed-list/index.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json`
[email protected] (added)	https://stylelint.io/user-guide/rules/selector-anb-no-unmatchable	lib/rules/selector-anb-no-unmatchable/index.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json`
[email protected] (added)	https://stylelint.io/user-guide/rules/declaration-property-value-no-unknown	lib/rules/declaration-property-value-no-unknown/index.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json`
[email protected] (added)	https://stylelint.io/user-guide/rules/no-unknown-custom-properties	lib/rules/no-unknown-custom-properties/index.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json`

⚠️ Dynamic require

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code.

Package	Location	Source
[email protected] (added)	dist/index.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	dist/transpilers/swc.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	dist/transpilers/swc.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]

⚠️ Environment variable access

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Package	Location	Source
[email protected] (added)	index.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	dist-raw/node-options.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	dist-raw/node-options.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	dist-raw/node-options.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	dist-raw/node-options.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	dist/index.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	v8-compile-cache.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	v8-compile-cache.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	v8-compile-cache.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
[email protected] (added)	v8-compile-cache.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]

⚠️ Minified code

This package contains minified code. This may be harmless in some cases where minified code is included in packaged libraries, however packages on npm should not minify code.

In many cases minified code is harmless, however minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm.

Package	Confidence	Location	Source
@csstools/[email protected] (added)	1.00	dist/index.cjs	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]
@csstools/[email protected] (added)	1.00	dist/index.cjs	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via [email protected]

⚠️ Bidirectional unicode control characters

Source files contain bidirectional unicode control characters. This could indicate a Trojan source supply chain attack. See: trojansource.codes for more information.

Remove bidirectional unicode control characters, or clearly document what they are used for.

Package	Location	Source
[email protected] (added)	dist/svgo.browser.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via @svgr/[email protected], [email protected]
[email protected] (added)	dist/svgo.browser.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via @svgr/[email protected], [email protected]
[email protected] (added)	dist/svgo.browser.js	`package.json` via @wordpress/[email protected], @wordpress/[email protected], `packages/e2e-tests/package.json` via @wordpress/[email protected], `packages/scripts/package.json` via @svgr/[email protected], [email protected]

fix: packages/scripts/package.json to reduce vulnerabilities

1f53d49

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-YAML-5458867

vercel bot had a problem deploying to Preview – gutenberg April 25, 2023 02:36 Failure

vercel bot had a problem deploying to Preview – gutenberg-wd9x April 25, 2023 02:37 Failure

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Fix for 1 vulnerabilities #7

[Snyk] Fix for 1 vulnerabilities #7

snyk-bot commented Apr 25, 2023

vercel bot commented Apr 25, 2023 •

edited

Loading

socket-security bot commented Apr 25, 2023

[Snyk] Fix for 1 vulnerabilities #7

Are you sure you want to change the base?

[Snyk] Fix for 1 vulnerabilities #7

Conversation

snyk-bot commented Apr 25, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

vercel bot commented Apr 25, 2023 • edited Loading

socket-security bot commented Apr 25, 2023

vercel bot commented Apr 25, 2023 •

edited

Loading