build(deps): bump degenerator and bitgo

[dependabot]

Bumps degenerator to 3.0.2 and updates ancestor dependency bitgo. These dependencies need to be updated together.

Updates degenerator from 1.0.4 to 3.0.2

Release notes

Sourced from degenerator's releases.

3.0.2

Patches

• Update vm2 to v3.9.8: f690e194041f9dacba5341d5a98bbd1a65996048

3.0.1

Patches

• Fix return undefined: ccc3445354135398b6eb1a04c7d27c13b833f2d5
• Fix filename option: 9d25bb67d957bc2e5425fea7bf7a58b3fc64ff9e

3.0.0

Major Changes

• Remove "generator" output mode: #12
• Use vm2 module to prevent privilege escalation of untrusted code: #11

Minor Changes

• Add any default return type to compile(): e0b9fc83faabb101944b63bc73b710be7787f15b

2.2.0

Minor Changes

• Update @types/node to v12.12.17: 9835e04511cb06676d5af96c1723387663f342d9
• Update typescript to v3.7.3: b9cbd261cad40736a92a1ab1aebb788a4834b678
• Make CompileOptions be an interface: ffe0931e4f5b28a94c6af21ebdb949b4c18c92c0
• More strict "output" type: 1fc0f45f63601cd00dd421dc4ae09d30cbd19e0c
• Export supportsAsync: d56395cf8400e6d36af31db595d6caa1c9e54aba
• toString() contains the compiled code for "generator" mode: d5bea6018876fbc19034c0f6cfe6e63d0e43ccd8
• Update "description": 9c8d43adfeb7b5ff926d7886b771f0e1ae62c345

Patches

• Fix test: 9b8a8da8834249524e56e2d683339fc80d67c30e
• Fix comment: fcf682393407bfc3db0cc6735abea7f124f7023a
• Fix nested yield statements: d41a91d2b66b27b954662d90f3d36ce5480e1710

2.1.4

Patches

• Fix passing arguments to converted generator function: 3aa6caa70ef87047f52c786c097f2c9f8ab1f2ad
• Include returnName in error message: 1da95f51666c0c365065217dd842315a8ae7d667

2.1.3

Patches

• Fix regular sync functions into async: 66f0229943a4f91f154b98023c107b4cf0c6471f

2.1.2

... (truncated)

Commits

• 3b60955 3.0.2
• f690e19 Update vm2 to v3.9.8
• 5cf4ab2 3.0.1
• 9d25bb6 Fix filename option
• ccc3445 Fix return undefined
• dc10ee9 3.0.0
• e0b9fc8 Add any default return type to compile()
• 852043f Use vm2 module to prevent privilege escalation of untrusted code (#11)
• 7ad1041 Remove "generator" output mode (#12)
• b9bc71e 2.2.0
• Additional commits viewable in compare view

Updates bitgo from 11.1.1 to 14.2.1

Changelog

Sourced from bitgo's changelog.

14.2.1 (2022-07-21)

Note: Version bump only for package bitgo

14.2.1-rc.2 (2022-07-21)

Note: Version bump only for package bitgo

14.2.1-rc.1 (2022-07-21)

Note: Version bump only for package bitgo

14.2.1-rc.0 (2022-07-20)

Note: Version bump only for package bitgo

14.2.0 (2022-07-19)

Note: Version bump only for package bitgo

14.2.0-rc.42 (2022-07-19)

Features

• sdk-coin-ada: implement key pair and utils for ada sdk (9a1aabb)

... (truncated)

Commits

• 8765912 chore(release): publish modules
• 15b2bb5 chore(release): publish modules
• 586990f Merge branch 'master' into rel/rc
• 65c92cf chore(release): publish modules
• e2972fb chore(release): publish modules
• 4b6aef5 chore(release): publish modules
• d1e269f chore(release): publish modules
• 4df05a9 Merge branch 'master' into rel/rc
• e5fa975 chore: move usd and ofc coins to sdk-core
• fcc6d16 Merge pull request #2498 from BitGo/BG-50795-account-lib-implement-keypair-an...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by mmcshinsky-bitgo, a new releaser for bitgo since your current version.

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[socket-security]

Socket Security Pull Request Report

Dependency issues detected. If you merge this pull request, you will not be alerted to the instances of these issues again.

📜 Install scripts

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Package	Script field	Source
bigint-buffer@1.1.5 (added)	binding.gyp	package.json
bufferutil@4.0.7 (added)	binding.gyp	package.json
eccrypto@1.1.6 (added)	binding.gyp	package.json
sodium-native@3.4.1 (added)	binding.gyp	package.json
utf-8-validate@5.0.10 (added)	binding.gyp	package.json
bigint-buffer@1.1.5 (added)	install	package.json
web3-bzz@1.3.6 (added)	postinstall	package.json
web3@1.3.6 (added)	postinstall	package.json
eccrypto@1.1.6 (added)	install	package.json
web3-shh@1.3.6 (added)	postinstall	package.json
protobufjs@6.11.3 (added)	postinstall	package.json
protobufjs@7.1.2 (added)	postinstall	package.json via @grpc/proto-loader@0.7.4
bufferutil@4.0.7 (added)	install	package.json
sodium-native@3.4.1 (added)	install	package.json
utf-8-validate@5.0.10 (added)	install	package.json
es5-ext@0.10.62 (added)	postinstall	package.json

🫣 Native code

Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.

Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings.

Package	Location	Source
bigint-buffer@1.1.5 (added)	binding.gyp	package.json
bufferutil@4.0.7 (added)	binding.gyp	package.json
eccrypto@1.1.6 (added)	binding.gyp	package.json
sodium-native@3.4.1 (added)	binding.gyp	package.json
utf-8-validate@5.0.10 (added)	binding.gyp	package.json

😵‍💫 Bin script confusion

This package has multiple bin scripts with the same name. This can cause non-deterministic behavior when installing or could be a sign of a supply chain attack

Consider removing one of the conflicting packages. Packages should only export bin scripts with their name

Package	Bin script	Source
@ethereumjs/rlp@4.0.0 (added)	rlp	package.json
rlp@2.2.6 (upgraded)	rlp	package.json

🧌 Protestware/Troll package

This package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function.

Package	Note	Source
es5-ext@0.10.62 (added)	This package prints a protestware console message on install regarding Ukraine for users with Russian language locale	package.json

Pull request report summary

Issue	Status
Install scripts	⚠️ 16 issues
Native code	⚠️ 5 issues
Bin script confusion	⚠️ 2 issues
Bin script shell injection	✅ 0 issues
Unresolved require	✅ 0 issues
Invalid package.json	✅ 0 issues
HTTP dependency	✅ 0 issues
Git dependency	✅ 0 issues
Potential typo squat	✅ 0 issues
Known Malware	✅ 0 issues
Telemetry	✅ 0 issues
Protestware/Troll package	⚠️ 1 issue

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@2.4.2

• @SocketSecurity ignore bigint-buffer@1.1.5
• @SocketSecurity ignore bufferutil@4.0.7
• @SocketSecurity ignore eccrypto@1.1.6
• @SocketSecurity ignore sodium-native@3.4.1
• @SocketSecurity ignore utf-8-validate@5.0.10

Powered by socket.dev