[Snyk] Upgrade @bubblewrap/cli from 1.7.0 to 1.18.0

[MarcelRaschke]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade @bubblewrap/cli from 1.7.0 to 1.18.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 34 versions ahead of your current version.
• The recommended version was released 2 months ago, on 2022-07-05.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Arbitrary File Write SNYK-JS-TAR-1579155	425/1000 Why? CVSS 8.5	No Known Exploit
	Arbitrary File Write SNYK-JS-TAR-1579152	425/1000 Why? CVSS 8.5	No Known Exploit
	Arbitrary File Write SNYK-JS-TAR-1579147	425/1000 Why? CVSS 8.5	No Known Exploit
	Arbitrary File Overwrite SNYK-JS-TAR-1536531	425/1000 Why? CVSS 8.5	No Known Exploit
	Arbitrary File Overwrite SNYK-JS-TAR-1536528	425/1000 Why? CVSS 8.5	No Known Exploit
	Arbitrary File Write SNYK-JS-TAR-1579155	425/1000 Why? CVSS 8.5	No Known Exploit
	Arbitrary File Write SNYK-JS-TAR-1579152	425/1000 Why? CVSS 8.5	No Known Exploit
	Arbitrary File Write SNYK-JS-TAR-1579147	425/1000 Why? CVSS 8.5	No Known Exploit
	Arbitrary File Overwrite SNYK-JS-TAR-1536531	425/1000 Why? CVSS 8.5	No Known Exploit
	Arbitrary File Overwrite SNYK-JS-TAR-1536528	425/1000 Why? CVSS 8.5	No Known Exploit
	Information Exposure SNYK-JS-SIMPLEGET-2361683	425/1000 Why? CVSS 8.5	Proof of Concept
	Information Exposure SNYK-JS-SIMPLEGET-2361683	425/1000 Why? CVSS 8.5	Proof of Concept
	Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506	425/1000 Why? CVSS 8.5	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-NORMALIZEURL-1296539	425/1000 Why? CVSS 8.5	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238	425/1000 Why? CVSS 8.5	Proof of Concept
	Directory Traversal SNYK-JS-MOMENT-2440688	425/1000 Why? CVSS 8.5	No Known Exploit
	Command Injection SNYK-JS-LODASH-1040724	425/1000 Why? CVSS 8.5	Proof of Concept
	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	425/1000 Why? CVSS 8.5	No Known Exploit
	Denial of Service (DoS) SNYK-JS-JPEGJS-2859218	425/1000 Why? CVSS 8.5	Proof of Concept
	Prototype Pollution SNYK-JS-INI-1048974	425/1000 Why? CVSS 8.5	Proof of Concept
	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	425/1000 Why? CVSS 8.5	Proof of Concept
	Prototype Pollution SNYK-JS-CACHEDPATHRELATIVE-2342653	425/1000 Why? CVSS 8.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	425/1000 Why? CVSS 8.5	Proof of Concept
	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	425/1000 Why? CVSS 8.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	425/1000 Why? CVSS 8.5	Proof of Concept
	Denial of Service (DoS) SNYK-JS-NWSAPI-2841516	425/1000 Why? CVSS 8.5	No Known Exploit
	Information Exposure SNYK-JS-NODEFETCH-2342118	425/1000 Why? CVSS 8.5	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	425/1000 Why? CVSS 8.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ISSVG-1243891	425/1000 Why? CVSS 8.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ISSVG-1085627	425/1000 Why? CVSS 8.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-HOSTEDGITINFO-1088355	425/1000 Why? CVSS 8.5	Proof of Concept
	Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	425/1000 Why? CVSS 8.5	No Known Exploit
	Arbitrary Code Injection SNYK-JS-EJS-1049328	425/1000 Why? CVSS 8.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-COLORSTRING-1082939	425/1000 Why? CVSS 8.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BROWSERSLIST-1090194	425/1000 Why? CVSS 8.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	425/1000 Why? CVSS 8.5	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	425/1000 Why? CVSS 8.5	No Known Exploit
	Cross-site Scripting (XSS) SNYK-JS-STRIPTAGS-1312310	425/1000 Why? CVSS 8.5	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: @bubblewrap/cli

• 1.18.0 - 2022-07-05
  

  v1.18.0 (2022-07-05)

  🚀 Enhancement

  • cli, core
    • #704 Closes #615 Add Meta Quest support (@ FluorescentHallucinogen)

  Committers: 1

  • Alexey Rodionov (@ FluorescentHallucinogen)
• 1.17.2 - 2022-05-11
  

  v1.17.2 (2022-05-11)

  📝 Documentation

  • #695 Add publishing docs. (@ PEConn)

  Committers: 1

  • @ PEConn
• 1.17.1 - 2022-05-09
  

  v1.17.1 (2022-05-09)

  🚀 Enhancement

  • cli, core, validator
    • #689 Update billing library reference. (@ PEConn)
  • core
    • #685 Skips BOM on Web Manifests (@ andreban)

  Committers: 2

  • André Cipriani Bandarra (@ andreban)
  • @ PEConn
• 1.17.0 - 2022-04-29
  

  What's Changed

  • Fix tests for Doctor by @ andreban in #677
  • Remove criteria validation from the build step by @ andreban in #675
  • Handle Java keywords for applicatoinIds by @ andreban in #676
  • Escape gradle string in shareTarget / build.gradle by @ andreban in #674
  • Bump minimist from 1.2.5 to 1.2.6 by @ dependabot in #669
  • Bump minimist from 1.2.5 to 1.2.6 in /packages/core by @ dependabot in #671
  • Bump node-fetch from 2.6.1 to 2.6.7 by @ dependabot in #683
  • Bump simple-get from 3.1.0 to 3.1.1 in /packages/core by @ dependabot in #682
  • Bump node-fetch from 2.6.1 to 2.6.7 in /packages/core by @ dependabot in #681
  • Bump node-fetch from 2.6.1 to 2.6.7 in /packages/validator by @ dependabot in #680
  • Bump trim-off-newlines from 1.0.1 to 1.0.3 by @ dependabot in #684

  Full Changelog: v1.16.0...v1.17.0

• 1.16.0 - 2022-03-25
  

  v1.16.0 (2022-03-25)

  🚀 Enhancement

  • cli
    • #632 Update JDK 8 to JDK 11 (@ nohe427)

  🐛 Bug Fix

  • core
    • #665 Fixes check for JDK version (@ andreban)
    • #639 Set a default user-agent (@ nohe427)
    • #646 Report icon url when svg2img throws an error. (@ PEConn)
  • cli, core
    • #654 Fix JDK version to 11.0.9.1+1 (@ julwil)

  Committers: 4

  • Alexander Nohe (@ nohe427)
  • André Cipriani Bandarra (@ andreban)
  • Julius Willems (@ julwil)
  • @ PEConn
• 1.15.0 - 2022-01-10
  

  v1.15.0 (2022-01-10)

  🚀 Enhancement

  • cli, core
    • #631 Merge Play Experiment (@ nohe427)
  • core
    • #620 Adds the ArCore feature (@ andreban)

  🐛 Bug Fix

  • cli
    • #636 Pin colors library to version 1.4.0 (@ andreban)

  Committers: 2

  • Alexander Nohe (@ nohe427)
  • André Cipriani Bandarra (@ andreban)
• 1.14.0 - 2021-11-09
  

  v1.14.0 (2021-11-09)

  🚀 Enhancement

  • core
    • #617 Support and use targetSdk 31 (@ andreban)
    • #538 Makes svg2img an optional dependency (@ andreban)

  🐛 Bug Fix

  • cli
    • #610 Fix a typo (@ googol7)
  • core
    • #596 Improves escaping for shell commands (@ andreban)

  Committers: 2

  • André Cipriani Bandarra (@ andreban)
  • Philipp Metzler (@ googol7)
• 1.14.0-alpha.3 - 2021-11-08
• 1.13.7-alpha.3 - 2021-11-08
• 1.13.6 - 2021-09-16
  

  v1.13.6 (2021-09-16)

  🐛 Bug Fix

  • core
    • #594 Pins canvg version to 3.0.7 (@ andreban)

  Committers: 1

  • André Cipriani Bandarra (@ andreban)
• 1.13.5 - 2021-08-27
  

  v1.13.5 (2021-08-27)

  🏠 Internal

  • core
    • #589 Bump android-browser-helper billing dependency (@ joycetoh8)
  • cli
    • #570 Await the saveConfig (@ nohe427)

  Committers: 2

  • Alexander Nohe (@ nohe427)
  • Joyce Toh (@ joycetoh8)
• 1.13.4 - 2021-08-10
  

  v1.13.4 (2021-08-10)

  🐛 Bug Fix

  • core
    • #581 Revert billing dependency (@ joycetoh8)

  Committers: 1

  • Joyce Toh (@ joycetoh8)
• 1.13.3 - 2021-07-29
• 1.13.2 - 2021-06-03
• 1.13.1 - 2021-05-24
• 1.13.0 - 2021-05-18
• 1.12.3 - 2021-05-13
• 1.12.2 - 2021-05-04
• 1.12.2-alpha.4 - 2021-05-04
• 1.12.2-alpha.3 - 2021-05-04
• 1.12.2-alpha.0 - 2021-05-04
• 1.12.1 - 2021-04-20
• 1.12.0 - 2021-04-20
• 1.11.2-alpha.8 - 2021-04-20
• 1.11.2-alpha.7 - 2021-04-20
• 1.11.1 - 2021-03-04
• 1.11.0 - 2021-03-04
• 1.10.0 - 2021-02-15
• 1.9.0 - 2021-01-27
• 1.8.2 - 2021-01-07
• 1.8.1 - 2020-12-10
• 1.8.0 - 2020-12-08
• 1.8.0-alpha.23 - 2020-11-25
• 1.8.0-alpha.1 - 2020-11-06
• 1.7.0 - 2020-10-13

from @bubblewrap/cli GitHub release notes

Commit messages

Package name: @bubblewrap/cli

• e971358 v1.18.0
• f8563a8 Fix #615 Add Meta Quest support (#704)
• 69ed1dd Bump jpeg-js from 0.4.3 to 0.4.4 in /packages/cli (#708)
• 9a44b75 Bump jpeg-js from 0.4.1 to 0.4.4 in /packages/core (#709)
• 1ec4b63 v1.17.2
• 3fe939f Merge pull request #695 from GoogleChromeLabs/PublishInfo
• 7d2f203 Add publishing docs.
• 3635b02 v1.17.1
• c972bdb Update billing library reference. (#689)
• a93e945 Skips BOM on Web Manifests (#685)
• 260f449 Update nodejs.yml
• 5e1c81f Bump trim-off-newlines from 1.0.1 to 1.0.3 (#684)
• 01b1f11 Bump node-fetch from 2.6.1 to 2.6.7 in /packages/validator (#680)
• 3c6ae82 Bump node-fetch from 2.6.1 to 2.6.7 in /packages/core (#681)
• 2498f8d Bump simple-get from 3.1.0 to 3.1.1 in /packages/core (#682)
• ffebb09 Bump node-fetch from 2.6.1 to 2.6.7 (#683)
• 8d5661b Bump minimist from 1.2.5 to 1.2.6 in /packages/core (#671)
• 6c6ea82 Bump minimist from 1.2.5 to 1.2.6 (#669)
• 7ff07f2 Escape gradle string in shareTarget / build.gradle (#674)
• 24ec1ac Handle Java keywords for applicatoinIds (#676)
• 8d936ea Remove criteria validation from the build step (#675)
• 640b1f1 Fix tests for Doctor (#677)
• 8936e33 v1.16.0
• c7ec932 Updated package-lock.json

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs