
Bump @teambit/react.eslint-config-bit-react from 0.0.824 to 1.0.229 #4718

Open
wants to merge 1 commit into
base: master

Conversation


@dependabot dependabot bot commented on behalf of github Feb 14, 2025

Bumps @teambit/react.eslint-config-bit-react from 0.0.824 to 1.0.229.

Release notes

Sourced from @teambit/react.eslint-config-bit-react's releases.

v1.0.0

Breaking changes between 1.0.0 and previous versions

These are the major changes coming to version 1.0.0 and how to adapt them to your workflow.

  • Default registry for dependency resolution changed for teams using bit.cloud. Starting from version 1.0.0, dependencies will be resolved from node-registry.bit.cloud instead of node.bit.cloud. You will need to delete your lockfile for this to take effect. node.bit.cloud is still supported, but we recommend migrating to node-registry.bit.cloud.
  • Remote builds turned "on" by default. This change comes to integrate your workspaces with RippleCI. We urge you to take a look at this flow.
    • If your automation flow uses bit tag --soft and bit tag --persist combo, it is still supported and you do not need to make any changes.
    • If you run your tag or snap fully from your local, you will need to add the --build flag to your syntax, or set bit config set force_local_build true for Bit's local config.

Please read more about these changes in Bit's announcement post for RippleCI on our blog.

Changes

  • Set remote build to true to build on Ripple (#7859)
  • Set new registry by default (node-registry.bit.cloud) (#7870)
  • Skip validating any component issues for components marked to be deleted (#7896)
  • Remove versions from lockfile of envs from the current workspace (#7888)
  • update command to support multiple, comma-separated patterns (#7881)
  • Removed teambit.workspace/variants from base workspace.jsonc template (#7879)
  • Removed outdated video from tests blank state screen (#7893)

Performance

  • Update pnpm to a newest version that leverages worker threads (#7875)

Bug Fixes

  • Re-render bit start when component ID changes, to update according to the current workspace state (#7895)
  • Prefer versions in .bitmap to be tags, if possible (#7891)
  • Fix issues causing Yarn to fail when configured for bit install (#7887)
  • Fix an issue where packages containing hard links failed to extract (#7882)
  • Fix links in the component tree where namespace and name are identical (#7861)
  • Fix an issue where forked components ported "rename" information from the original component (#7867)
  • Improve examples in update's --help output (#7803)
  • Fix links to docs from .bitmap (#7869)
  • Fix cases where bit start was not open on default browser (#7899)
  • Fix a case where previous env was set for a forked component (#7918)
  • Fix an issue where generated package.json was in a broken state (#7919)
  • Add more descriptive error when there is no scope available on tag (#7912)
  • Improve error message when a component template was not found (#7886)
  • Stop the checkout if some components failed (#7904)
  • Fix issue where a Vue workspace failed to generate (#7894)

Internal

  • Reduce the amount of paths ws-config write targets to write config files (#7865)
  • Write to fs-cache gracefully (#7883)
  • Preserve pnpm stack-trace when re-throwing errors from Bit (#7889)
  • Allow passing metadata from the previous build to the deploy pipeline (#7874)

... (truncated)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Feb 14, 2025
github-actions bot previously approved these changes Feb 14, 2025

@github-actions github-actions bot left a comment


@dependabot merge


dependabot bot commented on behalf of github Feb 14, 2025

Sorry, only users with push access can use that command.

@@ -36184,6 +42573,13 @@
"url": "https://github.com/sindresorhus/invert-kv?sponsor=1"
}
},
"node_modules/ip": {


ℹ️ Codacy found a minor Security issue: Insecure dependency ip@1.1.5 (CVE-2023-42282: nodejs-ip: arbitrary code execution via the isPublic() function) (update to 1.1.9)

The issue identified by the Trivy linter is a security vulnerability in the ip package version 1.1.5, which is affected by CVE-2023-42282. This vulnerability allows for arbitrary code execution through the isPublic() function in the nodejs-ip library. To mitigate this security risk, it is recommended to upgrade the ip package to version 1.1.9 or later, where the vulnerability has been addressed.

To fix the issue, you can update the version of the ip package in your package.json file. The code suggestion for this change is as follows:

Suggested change
"node_modules/ip": {
"node_modules/ip": { "version": "1.1.9", ...

However, in practice, you would typically run the following command in your terminal to update the package:

Suggested change
"node_modules/ip": {
npm install ip@1.1.9

This command updates the ip package to the specified version, ensuring that the vulnerability is resolved.


This comment was generated by an experimental AI tool.

@@ -58501,6 +68978,17 @@
"node": ">=4.0.0"
}
},
"node_modules/vue-template-compiler": {


⚠️ Codacy found a medium Security issue: Insecure dependency vue-template-compiler@2.6.12 (CVE-2024-6783: vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)) (update to 3.0.0)

The issue identified by the Trivy linter pertains to a known security vulnerability (CVE-2024-6783) in the vue-template-compiler package version 2.6.12. This vulnerability exposes applications to client-side Cross-Site Scripting (XSS) attacks, which can allow an attacker to execute arbitrary scripts in the context of a user's session. The recommended action is to upgrade to a secure version of the package, specifically version 3.0.0 or higher, which addresses this security flaw.

To fix the issue, you should update the version of vue-template-compiler in your dependencies. Here’s the suggested change:

Suggested change
"node_modules/vue-template-compiler": {
"vue-template-compiler": "^3.0.0",

This comment was generated by an experimental AI tool.

"node": ">=10"
}
},
"node_modules/@teambit/legacy/node_modules/minimatch": {


Codacy found a critical Security issue: Insecure dependency minimatch@3.0.4 (CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function) (update to 3.0.5)

The issue identified by the Trivy linter pertains to a known security vulnerability in the minimatch package version 3.0.4, specifically related to a Regular Expression Denial of Service (ReDoS) vulnerability via the braceExpand function (CVE-2022-3517). This vulnerability can potentially allow an attacker to exploit the way certain inputs are processed, leading to performance degradation or denial of service.

To resolve this issue, you should upgrade the minimatch dependency to at least version 3.0.5, which addresses this vulnerability.

Here’s the single line change you can make to update the dependency:

Suggested change
"node_modules/@teambit/legacy/node_modules/minimatch": {
"minimatch": "^3.0.5"

This change should be made in the dependencies section where minimatch is specified.


This comment was generated by an experimental AI tool.

@@ -45017,6 +52115,156 @@
"node": ">=10"
}
},
"node_modules/mockery": {


Codacy found a critical Security issue: Insecure dependency mockery@2.1.0 (CVE-2022-37614: mockery is vulnerable to prototype pollution) (update to )

The issue identified by the Trivy linter is related to a security vulnerability in the mockery package, specifically version 2.1.0. This vulnerability, listed as CVE-2022-37614, pertains to prototype pollution, which can allow an attacker to manipulate the prototype of an object, potentially leading to unexpected behavior or security breaches in applications that rely on this package.

To resolve this issue, you should update the mockery package to a secure version that does not contain this vulnerability. The latest version of mockery should be checked for compatibility with your project and updated accordingly.

Here's a code suggestion to update the dependency:

Suggested change
"node_modules/mockery": {
"node_modules/mockery": { "version": "2.1.1", ... }

Make sure to replace 2.1.1 with the latest secure version available at the time of your update. After making this change, run npm install to ensure that the updated package is installed.


This comment was generated by an experimental AI tool.

"license": "MIT",
"peer": true
},
"node_modules/moment": {


Codacy found a critical Security issue: Insecure dependency moment@2.29.1 (CVE-2022-24785: Moment.js: Path traversal in moment.locale) (update to 2.29.2)

The issue identified by the Trivy linter is a security vulnerability in the Moment.js library version 2.29.1, specifically related to a path traversal vulnerability (CVE-2022-24785). This vulnerability can potentially allow an attacker to manipulate file paths in a way that could lead to unauthorized file access. The recommended fix is to update the Moment.js library to a secure version (2.29.2 or higher) that addresses this vulnerability.

To resolve this issue, you can update the version of Moment.js in your package.json file to the recommended version. Here's the single line change to make:

Suggested change
"node_modules/moment": {
"moment": "^2.29.2",

This change ensures that your project will use Moment.js version 2.29.2 or any later compatible version, thereby mitigating the security risk.


This comment was generated by an experimental AI tool.

"pjv": "bin/pjv"
}
},
"node_modules/package-json-validator/node_modules/minimist": {


Codacy found a critical Security issue: Insecure dependency minimist@0.0.10 (CVE-2020-7598: nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or proto payload) (update to 0.2.1, 1.2.3)

The issue identified by the Trivy linter pertains to a security vulnerability in the minimist package, specifically version 0.0.10. This version is affected by a prototype pollution vulnerability (CVE-2020-7598), which allows an attacker to manipulate the properties of Object.prototype through malicious payloads. This could lead to unexpected behavior in the application, potentially causing security risks.

To address this issue, you should update the minimist dependency to a secure version. The recommended versions to upgrade to are 0.2.1 or 1.2.3, which are not affected by this vulnerability.

Here's the code suggestion to update the minimist dependency:

    "node_modules/package-json-validator/node_modules/minimist": {
      "version": "1.2.3",
      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.3.tgz",
      "integrity": "sha512-<new_integrity_hash>",
      "license": "MIT",
      "peer": true
    },

Make sure to replace <new_integrity_hash> with the actual integrity hash for version 1.2.3, which can be obtained from the npm registry after the update.


This comment was generated by an experimental AI tool.

"tslib": "2"
}
},
"node_modules/trim": {


Codacy found a critical Security issue: Insecure dependency trim@0.0.1 (CVE-2020-7753: nodejs-trim: Regular Expression Denial of Service (ReDoS) in trim function) (update to 0.0.3)

The issue identified by the Trivy linter pertains to a security vulnerability in the trim package version 0.0.1, which is susceptible to a Regular Expression Denial of Service (ReDoS) attack. This vulnerability can allow an attacker to exploit the regex patterns used in the package, potentially leading to performance degradation or denial of service. The recommended fix is to update the trim package to version 0.0.3 or later, where this vulnerability has been addressed.

To fix this issue, you can update the dependency in your package.json file. Here's the single line change you need to make:

    "node_modules/trim": {
      "version": "0.0.3",

This change updates the version of the trim package to 0.0.3, which resolves the security vulnerability.


This comment was generated by an experimental AI tool.

@@ -35405,6 +41168,13 @@
"node": ">= 0.6"
}
},
"node_modules/http-cache-semantics": {


Codacy found a critical Security issue: Insecure dependency http-cache-semantics@3.8.1 (CVE-2022-25881: http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability) (update to 4.1.1)

The issue identified by the Trivy linter pertains to a security vulnerability in the http-cache-semantics package, specifically version 3.8.1. This vulnerability, designated as CVE-2022-25881, is a Regular Expression Denial of Service (ReDoS) vulnerability, which can potentially allow an attacker to exploit the regular expressions used in the package to cause performance degradation or denial of service.

To mitigate this vulnerability, the recommended action is to update the http-cache-semantics package to a secure version, specifically version 4.1.1 or later.

Here’s the single line change to update the package version:

Suggested change
"node_modules/http-cache-semantics": {
"node_modules/http-cache-semantics": { "version": "4.1.1", ...

This comment was generated by an experimental AI tool.

@@ -54518,13 +63261,71 @@
"integrity": "sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==",
"license": "BSD-3-Clause"
},
"node_modules/ssh2": {


Codacy found a critical Security issue: Insecure dependency ssh2@0.8.9 (CVE-2020-26301: nodejs-ssh2: Command injection by calling vulnerable method with untrusted input) (update to 1.4.0)

The issue described by the Trivy linter indicates that the version of the ssh2 package (0.8.9) has a known vulnerability (CVE-2020-26301) related to command injection. This vulnerability arises when untrusted input is passed to certain methods within the ssh2 package, potentially allowing an attacker to execute arbitrary commands on the server.

To resolve this issue, the recommended action is to update the ssh2 package to a version that is not affected by this vulnerability. The suggested version to upgrade to is 1.4.0 or later.

Here’s the single line change to update the dependency:

Suggested change
"node_modules/ssh2": {
"ssh2": "^1.4.0"

This comment was generated by an experimental AI tool.

"pjv": "bin/pjv"
}
},
"node_modules/package-json-validator/node_modules/minimist": {


⚠️ Codacy found a medium Security issue: Insecure dependency minimist@0.0.10 (CVE-2020-7598: nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or proto payload) (update to 0.2.1)

The issue identified by the Trivy linter is related to the minimist package, specifically version 0.0.10, which has a known vulnerability (CVE-2020-7598) that allows for prototype pollution. This vulnerability can be exploited to add or modify properties of Object.prototype, which can lead to security issues in applications that rely on this package.

To resolve this issue, you should update the minimist dependency to a secure version that does not have this vulnerability. The suggested secure version is 0.2.1.

Here's the single line change to update the version of minimist:

Suggested change
"node_modules/package-json-validator/node_modules/minimist": {
"minimist": "^0.2.1"

Make sure to also update the version in the package.json file or any relevant dependency management file to reflect this change.


This comment was generated by an experimental AI tool.

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/teambit/react.eslint-config-bit-react-1.0.229 branch from 5410955 to 380ac09 on February 18, 2025 14:18

@github-actions github-actions bot left a comment


@dependabot merge

Bumps [@teambit/react.eslint-config-bit-react](https://github.com/teambit/bit) from 0.0.824 to 1.0.229.
- [Release notes](https://github.com/teambit/bit/releases)
- [Changelog](https://github.com/teambit/bit/blob/master/CHANGELOG.md)
- [Commits](https://github.com/teambit/bit/commits)

---
updated-dependencies:
- dependency-name: "@teambit/react.eslint-config-bit-react"
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/teambit/react.eslint-config-bit-react-1.0.229 branch from 380ac09 to 1e9b43a on February 18, 2025 17:40

@github-actions github-actions bot left a comment


@dependabot merge
