[Snyk] Upgrade @snyk/protect from 1.1200.0 to 1.1294.2

[X-oss-byte]

Snyk has created this PR to upgrade @snyk/protect from 1.1200.0 to 1.1294.2.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 111 versions ahead of your current version.

• The recommended version was released on 22 days ago.

Release notes

Package name: @snyk/protect

• 1.1294.2 - 2024-11-26
  

  1.1294.2 (2024-11-26)

  The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

  Bug Fixes

  • container: ignore npm/yarn default cache directories
  • container: fix: avoid possible unhandled promise rejections
• 1.1294.1 - 2024-11-20
  

  1.1294.1 (2024-11-20)

  Bug Fixes

  • container: unable to process RedHat images when the “content_sets” attribute was missing in the redhat-content-manifests file. (snyk/snyk-docker-plugin#615)
  • container: skip optional dependencies when testing Python projects to prevent "too many vulnerable paths for conversion to legacy test output" error (snyk/snyk-docker-plugin#614)
  • container, test, monitor prevents "Invalid JSON" being produced when debugging is enabled and policies are being applied. (#5583)
• 1.1294.0 - 2024-10-23
  

  1.1294.0 (2024-10-23)

  The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

  News

  • CycloneDX 1.6 SBOM support This new version now supports generating CycloneDX 1.6 SBOMs using the snyk sbom command, providing you with more comprehensive and detailed information about your software components and their dependencies. Read more about the CycloneDX version announcement here.
  • Improved CLI monitoring of large Cocoapods projects When doing a snyk monitor on very large Cocoapods applications, the CLI sometimes returned an Invalid String OOM error and the operation would fail. Although this error was rare, we have fixed it so large Cocoapods applications can now be monitored successfully.
  • Fix for security issue The Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted (PHP|Gradle) project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk always recommends not scanning untrusted projects.

  Features

  • sbom: add CycloneDX 1.6 SBOM support (1330fc2)
  • deployment: Deploy alpine arm64 binaries (9daace4)
  • monitor: enable cocoapods to send graphs for cli monitor (ca56c69)
  • iac: pass allow analytics flag to snyk-iac-test [IAC-3017] (b12d3ac)

  Bug Fixes

  • all: restore cert file if it was externally removed (ef1547f)
  • auth: missing auth issue with oauth (57ae95c)
  • iac: upgrade iac custom rules ext to address vulns [IAC-3065] (d6cc509)
  • iac: upgrade snyk-iac-test to v0.55.1 [IAC-2940] (0dadc90)
  • monitor: add normalize help for deriving target files [CLI-448] (82efb50)
  • sbom: include CVE in JSON output of sbom test command (a543179)
  • sbom: add missing option --gradle-normalize-deps to SBOM command (151f63d)
  • test: default limit to max vulnerable paths per vuln, add override option --max-vulnerable-paths (302d7ac)
  • test: do not show test deps for Dverbose mvn with dependencyManagement (67e0de9)
  • test: fixed support for pnpm alias packages (d506de1)
  • test: point snyk policy out urls to snyk.io (28509a3)
  • test: scan non publishable projects on improved net (a6c0e67)
  • test: scan nuget with PublishSingleFile turned on (2c74298)
  • dependencies: update snyk-nodejs-plugin to fix micromatch vuln (baef934)
  • dependencies: address security vulnerability in snyk-php-plugin CVE-2024-48963 (7798d13)
  • dependencies: address security vulnerability in snyk-gradle-plugin CVE-2024-48964 (c614284)
  • dependencies: upgrade go-getter to 1.7.5 (970de96)
  • dependencies: upgrade iac extension and snyk-iac-test (9134c05)
  • dependencies: upgrade slack/webhook to 7.0.3 (8ab4433)
• 1.1293.1 - 2024-09-11
  

  1.1293.1 (2024-09-10)

  The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

  News

  • Starting with this version, Snyk cli binaries will be distributed via downloads.snyk.io instead of static.snyk.io. This includes intallation from npm.
• 1.1293.0 - 2024-08-28
  

  1.1293.0 (2024-08-28)

  The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

  News

  • Starting with this version, Snyk cli binaries will be distributed via downloads.snyk.io instead of static.snyk.io. This includes intallation from npm, homebrew and scoop as well as many of the CI/CD integrations.

  Features

  • sbom: add support for license issues in sbom test (6948668)
  • auth: Use OAuth2 as default authentication mechanism (35949c4)
  • config: Introduce config environment command (0d8dd2b)
  • container: When docker is not installed, platform parameter is now supported (64b405d)

  Bug Fixes

  • auth: align auth failure error messages for oauth (e3bfec3)
  • auth: ensure environment variable precedence for auth tokens (24417d6)
  • test: fix a bug related to multi-project .NET folder structures (755a38f)
  • test: multiple pnpm workspace improvements (da5c14f)
  • test: fixes a bug regarding Snyk attempting to get the dependencies from the wrong nuget *.deps.json file.(2e17434)
  • test: support for pipenv with python 3.12 (09df3bc)
  • test: support multi-part comparison for python pip versions. (b625eb9)
  • container: container monitor with --json now outputs valid json(039c9bd)
  • container: support hashing large .jar files (6f82231)
  • sbom: fix issues in JSON output of sbom test command, include CWE values on CWE property (#5331) (99773c3)
  • sbom: include all detected dep-graphs of a container image (ea43977)
  • iac: fixed an issue where the resource path was missing for certain Terraform resources. IAC-3015
  • general: map previously unhandled exit codes to exit code 2 (9fde4fe)
  • general: use entitlements when signing bundled macos binaries (bebc59c)
• 1.1292.4 - 2024-08-12
  

  1.1292.4 (2024-08-12)

  The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

  Complete changelog

  Bug Fixes

  • deployment: Rollback of digital signature for the bundled macOS binary (#5416)
• 1.1292.3 - 2024-08-12
  

  1.1292.3 (2024-08-12)

  The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

  Complete changelog

  Bug Fixes

  • deployment: Add digital signature for the bundled macOS binary
    (#5404)
• 1.1292.2 - 2024-08-01
  

  1.1292.2 (2024-08-01)

  The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

  Complete changelog

  Bug Fixes

  • container test: Improve the accuracy of identifying npm projects within docker images by removing the explicit folder ignore rules
    (#5384)
  • container test: Pass platform parameter when pulling an image from a container registry (#5360)
• 1.1292.1 - 2024-06-27
  

  1.1292.1 (2024-06-27)

  The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

  Complete changelog

  Bug Fixes

  • test,monitor: fix improper permission error handling when accessing 'enablePnpmCli' feature flag
• 1.1292.0 - 2024-06-26
  

  1.1292.0 (2024-06-26)

  The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

  News

  This Snyk CLI release delivers an assortment of bug fixes and improvements.

  • We've added support for pnpm, giving you more flexibility in your project setup.
  • You can now scan npm/yarn projects even without lockfiles, ensuring comprehensive vulnerability detection regardless of your dependency management approach.
  • We're committed to strengthening security. This release includes redaction of additional sensitive data in debug logs, minimizing potential risks.

  Complete changelog

  Features

  • test: Added pnpm support under 'enablePnpmCli' feature flag (#5181) (46769cc)
  • test: Support scan of npm/yarn projects without lockfiles (e2d77a9)
  • monitor: Set target-reference in the monitor request (51ed8f5)
  • code: Centrally check if code test is enabled (#5239) (e5a00e2)
  • sbom: Improve depgraph for Maven projects (fbb33d7)
  • sbom: Use RFC 3339 for all timestamps in sbom test result (#5204) (91bf191)
  • language-server: Add --all-projects flag scans by default IDE-318 (fdcf30e)
  • language-server: Enable incremental scanning IDE-275 (d198685)
  • language-server: Add support for IDE themes (c1c4d08)
  • language-server: Consistent styling across intellij and vscode (#5282) (9aa6f76)
  • logging: Redact additional types of sensitive data from debug logs (#5254) (056cdab)

  Bug Fixes

  • auth: Autodetect IDE usage and fallback to API token based authentication (#5241) (4c795e0)
  • iac: Upgrade iac custom rules to address Vulnerabilities IAC-2944 (453db24)
  • language-server: Caching problem when no vulnerabilities in the IDE (#5223) (89c9491)
  • language-server: Remove incorrect /v1 path (#5214) (cf16470)
  • dependencies: Update dependencies to reduce vulnerabilities (#5131) (4c7cb3c)
  • sbom: sbom test output padding (e3b7cac)
  • sbom: Fix container purl generation for apt and rpm (#5207) (fa9d512)
  • sbom: Retain error code during SBOM generation (#5202) (5e98aaa)
  • test: support cyclic dependencies in maven with dverbose (#5208) (fb24c02)
  • test: Add tool version and informationUri to sarif output (#5203) (b899fd3)
  • test: fixing several .NET bugs (#5217) (c27d767)
  • test: fixing a bug causing .NET beta scanning to fail on older versions of .NET (#5228) (5fdecf7)
  • test: .NET runtime resolution testing now supports projects targeting .NET Standard frameworks (#5169) (44d0861)
  • test: fix issues of type 'Cannot find module ...' in snyk-docker-plugin (#5301) (88efd54)
  • monitor: fix project name when using assets-project-name flag (#5077) (57dc718)
• 1.1291.1 - 2024-05-27
• 1.1291.0 - 2024-04-30
• 1.1290.0 - 2024-04-19
• 1.1289.0 - 2024-04-16
• 1.1288.1 - 2024-04-15
• 1.1288.0 - 2024-04-09
• 1.1287.0 - 2024-04-04
• 1.1286.4 - 2024-04-04
• 1.1286.3 - 2024-04-03
• 1.1286.2 - 2024-03-29
• 1.1286.1 - 2024-03-26
• 1.1286.0 - 2024-03-25
• 1.1285.1 - 2024-03-25
• 1.1285.0 - 2024-03-18
• 1.1284.0 - 2024-03-14
• 1.1283.1 - 2024-03-13
• 1.1283.0 - 2024-03-06
• 1.1282.1 - 2024-03-05
• 1.1282.0 - 2024-03-05
• 1.1281.0 - 2024-02-28
• 1.1280.1 - 2024-02-20
• 1.1280.0 - 2024-02-15
• 1.1279.0 - 2024-02-12
• 1.1278.0 - 2024-02-06
• 1.1277.0 - 2024-02-05
• 1.1276.0 - 2024-01-30
• 1.1275.0 - 2024-01-26
• 1.1274.0 - 2024-01-23
• 1.1273.0 - 2024-01-23
• 1.1272.0 - 2024-01-22
• 1.1271.0 - 2024-01-19
• 1.1270.0 - 2024-01-18
• 1.1269.0 - 2024-01-10
• 1.1268.0 - 2024-01-08
• 1.1267.0 - 2024-01-02
• 1.1266.0 - 2023-12-20
• 1.1265.0 - 2023-12-20
• 1.1264.0 - 2023-12-14
• 1.1263.0 - 2023-12-14
• 1.1262.0 - 2023-12-13
• 1.1261.0 - 2023-12-12
• 1.1260.0 - 2023-12-04
• 1.1259.0 - 2023-11-30
• 1.1258.0 - 2023-11-29
• 1.1257.0 - 2023-11-28
• 1.1256.0 - 2023-11-27
• 1.1255.0 - 2023-11-27
• 1.1254.0 - 2023-11-27
• 1.1253.0 - 2023-11-24
• 1.1252.0 - 2023-11-22
• 1.1251.0 - 2023-11-21
• 1.1250.0 - 2023-11-20
• 1.1249.0 - 2023-11-20
• 1.1248.0 - 2023-11-16
• 1.1247.0 - 2023-11-16
• 1.1246.0 - 2023-11-15
• 1.1245.0 - 2023-11-14
• 1.1244.0 - 2023-11-13
• 1.1243.0 - 2023-11-09
• 1.1242.0 - 2023-11-08
• 1.1241.0 - 2023-11-08
• 1.1240.0 - 2023-11-07
• 1.1239.0 - 2023-11-07
• 1.1238.0 - 2023-10-31
• 1.1237.0 - 2023-10-24
• 1.1236.0 - 2023-10-18
• 1.1235.0 - 2023-10-16
• 1.1234.0 - 2023-10-11
• 1.1233.0 - 2023-10-09
• 1.1232.0 - 2023-10-05
• 1.1231.0 - 2023-10-05
• 1.1230.0 - 2023-10-04
• 1.1229.0 - 2023-10-03
• 1.1228.0 - 2023-09-28
• 1.1227.0 - 2023-09-25
• 1.1226.0 - 2023-09-21
• 1.1225.0 - 2023-09-19
• 1.1224.0 - 2023-09-19
• 1.1223.0 - 2023-09-19
• 1.1222.0 - 2023-09-19
• 1.1221.0 - 2023-09-18
• 1.1220.0 - 2023-09-14
• 1.1219.0 - 2023-09-14
• 1.1218.0 - 2023-09-14
• 1.1217.0 - 2023-09-12
• 1.1216.0 - 2023-09-11
• 1.1215.0 - 2023-09-08
• 1.1214.0 - 2023-09-07
• 1.1213.0 - 2023-09-06
• 1.1212.0 - 2023-09-05
• 1.1211.0 - 2023-09-04
• 1.1210.0 - 2023-09-04
• 1.1209.0 - 2023-08-31
• 1.1208.0 - 2023-08-31
• 1.1207.0 - 2023-08-28
• 1.1206.0 - 2023-08-23
• 1.1205.0 - 2023-08-21
• 1.1204.0 - 2023-08-21
• 1.1203.0 - 2023-08-17
• 1.1202.0 - 2023-08-15
• 1.1201.0 - 2023-08-15
• 1.1200.0 - 2023-08-03

from @snyk/protect GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Summary by Sourcery

Upgrade @snyk/protect from version 1.1200.0 to 1.1294.2, introducing CycloneDX 1.6 SBOM support, various bug fixes, and enhancements including improved monitoring for large Cocoapods projects and deployment of Alpine ARM64 binaries.

New Features:

• Add support for CycloneDX 1.6 SBOM generation in Snyk CLI.

Bug Fixes:

• Fix unhandled promise rejections in container operations.
• Resolve issues with RedHat image processing when 'content_sets' attribute is missing.
• Prevent 'Invalid JSON' errors during debugging with policies applied.
• Address security vulnerabilities in snyk-php-plugin and snyk-gradle-plugin.

Enhancements:

• Improve CLI monitoring for large Cocoapods projects to prevent 'Invalid String OOM' errors.
• Enable Cocoapods to send graphs for CLI monitor.
• Deploy Alpine ARM64 binaries for Snyk CLI.

[stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[changeset-bot]

⚠️ No Changeset found

Latest commit: cdbcdcd

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[sourcery-ai]

Reviewer's Guide by Sourcery

This PR updates the @snyk/protect dependency from version 1.1200.0 to 1.1294.2. The update includes multiple bug fixes, security improvements, and feature enhancements across various Snyk CLI functionalities.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change	Details	Files
Update @snyk/protect dependency version	Update @snyk/protect from 1.1200.0 to 1.1294.2 Remove 'latest' version specifier in favor of explicit version	AppService/node_express_sampleApp/package.json AppService/node_express_sampleApp/package-lock.json
Security and functionality improvements from the new version	Add CycloneDX 1.6 SBOM support Fix security issues related to PHP and Gradle project scanning Improve container scanning and error handling Add support for pnpm package manager Enhance npm/yarn project scanning without lockfiles	AppService/node_express_sampleApp/package.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

We have skipped reviewing this pull request. It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!