Skip to content

build(deps-dev): Bump lerna from 4.0.0 to 6.5.1#387

Closed
dependabot[bot] wants to merge 1 commit intodependabot_developfrom
dependabot/npm_and_yarn/dependabot_develop/lerna-6.5.1
Closed

build(deps-dev): Bump lerna from 4.0.0 to 6.5.1#387
dependabot[bot] wants to merge 1 commit intodependabot_developfrom
dependabot/npm_and_yarn/dependabot_develop/lerna-6.5.1

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 1, 2023
edited
Loading

Bumps lerna from 4.0.0 to 6.5.1.

Release notes

Sourced from lerna's releases.

6.5.1

6.5.1 (2023-02-14)

Bug Fixes

  • add missing dependency on js-yaml (187f480)

6.5.0

6.5.0 (2023-02-13)

Bug Fixes

  • create: normalize quotes and indents in generated test and lib files (#3529) (ad39fe2)
  • repair: re-enable repair generators (#3497) (510c3e9)

Features

  • publish: add --include-private option for testing private packages (#3503) (fa1f490)
  • publish: recover from network failure (#3513) (f03ee3e)
  • run: allow multiple script targets to be triggered at once (#3527) (937b02a)

v6.4.1

6.4.1 (2023-01-12)

Bug Fixes

v6.4.0

6.4.0 (2023-01-05)

Bug Fixes

  • run: add explicit nx dependency (#3486) (7e39397)
  • version: recognize .prettierignore when formatting files (#3482) (4e2c7a9)

Features

  • create: support relative path from root as lerna create location (#3478) (82825ce)
  • watch: Add lerna watch command (#3466) (008b995)

v6.3.0

6.3.0 (2022-12-26)

... (truncated)

Changelog

Sourced from lerna's changelog.

6.5.1 (2023-02-14)

Bug Fixes

  • add missing dependency on js-yaml (187f480)

6.5.0 (2023-02-13)

Features

  • publish: add --include-private option for testing private packages (#3503) (fa1f490)

6.4.1 (2023-01-12)

Bug Fixes

6.4.0 (2023-01-05)

Features

6.3.0 (2022-12-26)

Features

  • version: use npmClientArgs in npm install after lerna version (#3434) (e019e3f)

6.2.0 (2022-12-13)

Bug Fixes

  • schema: add the other format changelogPreset can assume (#3441) (d286973)

Features

6.1.0 (2022-11-29)

Features

  • version: bump prerelease versions from conventional commits (#3362) (2288b3a)

6.0.3 (2022-11-07)

Note: Version bump only for package lerna

... (truncated)

Commits
  • 0a7ac45 chore(misc): publish 6.5.1
  • 187f480 fix: add missing dependency on js-yaml
  • 5eafb62 chore: release 6.5.0
  • 02c534e chore: remove unnecessary write-json-file dep (#3534)
  • fa1f490 feat(publish): add --include-private option for testing private packages (#3503)
  • 6b50725 chore: remove non-runtime deps from lerna package.json (#3528)
  • aea79df chore(docs): add lerna watch -- build --include-dependents example (#3512)
  • fc094da chore: initial codebase refactor (#3517)
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by jameshenry, a new releaser for lerna since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot requested a review from aleksaToljic as a code owner March 1, 2023 12:00
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Mar 1, 2023
@dependabot dependabot bot mentioned this pull request Mar 1, 2023
Closed
@socket-security
Copy link

socket-security bot commented Mar 1, 2023

Socket Security Pull Request Report

Dependency issues detected: If you merge this pull request, you will not be alerted to the instances of these issues again.

📜 Install scripts

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Package Script field Source
nx@15.8.1 (added) postinstall package.json via lerna@6.5.1
🫣 Native code

Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.

Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings.

Package Location Source
@parcel/watcher@2.0.4 (added) binding.gyp package.json via lerna@6.5.1
Pull request report summary
Issue Status
Install scripts ⚠️ 1 issue
Native code ⚠️ 1 issue
Bin script shell injection ✅ 0 issues
Unresolved require ✅ 0 issues
Invalid package.json ✅ 0 issues
HTTP dependency ✅ 0 issues
Git dependency ✅ 0 issues
Potential typo squat ✅ 0 issues
Known Malware ✅ 0 issues
Telemetry ✅ 0 issues
Protestware/Troll package ✅ 0 issues
Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@2.4.2

  • @SocketSecurity ignore nx@15.8.1
  • @SocketSecurity ignore @parcel/watcher@2.0.4

⚠️ Please accept the latest app permissions to ensure bot commands work properly. Accept the new permissions here.

Powered by socket.dev

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/dependabot_develop/lerna-6.5.1 branch from 0062d02 to d045e94 Compare March 1, 2023 12:15
@dependabot
build(deps-dev): Bump lerna from 4.0.0 to 6.5.1
2f554ee 
Bumps [lerna](https://github.com/lerna/lerna/tree/HEAD/packages/lerna) from 4.0.0 to 6.5.1.
- [Release notes](https://github.com/lerna/lerna/releases)
- [Changelog](https://github.com/lerna/lerna/blob/main/packages/lerna/CHANGELOG.md)
- [Commits](https://github.com/lerna/lerna/commits/6.5.1/packages/lerna)

---
updated-dependencies:
- dependency-name: lerna
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/dependabot_develop/lerna-6.5.1 branch from d045e94 to 2f554ee Compare March 1, 2023 12:18
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Apr 1, 2023

Superseded by #399.

@dependabot dependabot bot closed this Apr 1, 2023
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/dependabot_develop/lerna-6.5.1 branch April 1, 2023 12:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aleksaToljic aleksaToljic Awaiting requested review from aleksaToljic aleksaToljic is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants

Comments