[Snyk] Upgrade jsonc-parser from 2.0.2 to 2.3.1

[adamlaska]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade jsonc-parser from 2.0.2 to 2.3.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 7 versions ahead of your current version.
• The recommended version was released 4 years ago, on 2020-09-16.

Release notes

Package name: jsonc-parser

• 2.3.1 - 2020-09-16
  

  2.3.1

• 2.3.0 - 2020-07-03
  

  2.3.0

• 2.2.1 - 2020-02-21
  

  2.2.1

• 2.2.0 - 2019-10-25
  

  2.2.0

• 2.1.1 - 2019-08-21
  

  2.1.1

• 2.1.0 - 2019-03-29
  

  2.1.0

• 2.0.3 - 2019-02-04
  

  2.0.3

• 2.0.2 - 2018-08-27
  

  2.0.2

from jsonc-parser GitHub release notes

Commit messages

Package name: jsonc-parser

• 4b182b7 2.3.1
• 6307670 update dependencies
• ad06ba4 Merge pull request [Snyk] Security upgrade socket.io-client from 2.3.0 to 4.0.0 #34 from mbullington/optimize-parse-literal
• 318ee82 Merge pull request [Snyk] Security upgrade socket.io-client from 2.3.0 to 2.4.0 #39 from microsoft/dependabot/npm_and_yarn/lodash-4.17.19
• d546d2b Bump lodash from 4.17.15 to 4.17.19
• 2933e72 fix changelog wording
• f170a13 2.3.0
• 7afc898 fix compile script
• 9533d14 update dependencies, tslit to eslint
• f53c7ba replace `inPlace` with optional ModificationOptions.formattingOptions
• b905205 Merge pull request [Snyk] Security upgrade socket.io-client from 2.4.0 to 4.0.0 #35 from mbullington/edit-features
• 0d78fe6 add support for isArrayInsertion
• 7505449 switch from parseFloat to Number
• 54d7cfd Add inPlace formatting option & array mods
• 0eaf189 optimize parseLiteral for number-heavy JSON files (ala GeoJSON)
• e38baa7 2.2.1
• 53456f5 Parse errors make parsed tree useless. Fixes [Snyk] Security upgrade socket.io-client from 2.4.0 to 4.0.0 #32
• 83b7f3d corrected CHANGELOG : ParseOptions.allowEmptyContent. For [Snyk] Security upgrade gatsby from 2.32.12 to 3.0.0 #31
• 390c1ab 2.2.0
• 2972f16 fix github urls
• 324426b Source map referenced but not included in published package. Fixes [Snyk] Upgrade jsonc-parser from 2.1.1 to 2.3.1 #4
• b814cdc added ParseOptions.allowTrailingComma
• 050c488 Merge branch 'master' of https://github.com/microsoft/node-jsonc-parser
• 931ddf0 parse: report error for empty

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@astrojs/language-server@0.13.2	None	0	320 kB	fredkschott
npm/@astrojs/ts-plugin@0.2.1	None	0	119 kB	fredkschott
npm/@emmetio/html-matcher@0.3.3	None	+2	50.2 kB	emmetio
npm/@types/glob@7.2.0	None	+2	2.08 MB	types
npm/@types/mocha@2.2.33	None	0	9.85 kB	types
npm/@types/mocha@2.2.48	None	0	12.1 kB	types
npm/@types/node@10.17.60	None	0	632 kB	types
npm/@types/node@6.14.13	None	0	209 kB	types
npm/@types/node@8.0.33	None	0	449 kB	types
npm/glob@7.2.3	filesystem	+1	90 kB	isaacs
npm/image-size@0.5.5	filesystem	0	19.2 kB	netroy
npm/js-yaml@3.14.1	eval Transitive: environment, filesystem	+3	757 kB	vitaly
npm/jsonc-parser@2.3.1	None	0	170 kB	aeschli
npm/mocha@3.5.3	environment, filesystem Transitive: network, shell	+12	1.39 MB	boneskull
npm/nodemon@1.19.4	environment, filesystem, shell Transitive: network	+163	3.57 MB	remy
npm/tinycolor2@1.6.0	None	0	285 kB	bgrins
npm/toml@2.3.6	None	0	144 kB	binarymuse
npm/typescript@2.5.2	None	0	28 MB	typescript
npm/vscode-css-languageservice@3.0.13	None	+1	2.53 MB	octref
npm/vscode-languageclient@2.6.3	environment, network, shell	+2	290 kB	aeschli
npm/vscode-languageclient@5.2.1	environment, filesystem, shell Transitive: network	+3	787 kB	dbaeumer
npm/vscode-languageclient@7.0.0	environment, filesystem, shell Transitive: network	+7	1.28 MB	dbaeumer
npm/vscode-languageserver@2.6.2	environment, network, shell	+2	226 kB	dbaeumer
npm/vscode-languageserver@5.2.1	environment, filesystem, shell Transitive: network	+4	644 kB	dbaeumer
npm/vscode-nls@4.1.2	environment, filesystem	0	26.1 kB	dbaeumer
npm/vscode@1.1.37	Transitive: environment, filesystem, network, shell	+14	2.08 MB	octref

🚮 Removed packages: npm/@babel/code-frame@7.10.4, npm/@babel/parser@7.10.5, npm/@babel/traverse@7.10.5, npm/@babel/types@7.10.5, npm/@prettier/plugin-pug@1.6.1, npm/@starptech/prettyhtml@0.10.0, npm/@types/eslint-scope@3.7.0, npm/@types/eslint-visitor-keys@1.0.0, npm/@types/eslint@7.2.2, npm/@types/glob@7.1.3, npm/@types/js-beautify@1.11.0, npm/@types/json-schema@7.0.5, npm/@types/lodash@4.14.161, npm/@types/mocha@8.0.3, npm/@types/node@14.11.1, npm/@types/prettier@2.1.1, npm/@types/read-pkg-up@6.0.0, npm/@types/resolve@1.17.1, npm/@types/unist@2.0.3, npm/acorn@7.4.0, npm/ajv@6.12.0, npm/ansi-colors@4.1.1, npm/anymatch@3.1.1, npm/bootstrap-vue-helper-json@1.1.1, npm/braces@3.0.2, npm/ccount@1.0.4, npm/chalk@4.1.0, npm/codecov@3.7.2, npm/collapse-white-space@1.0.5, npm/commander@2.19.0, npm/core-js@3.6.5, npm/cross-spawn@7.0.3, npm/debug@4.1.1, npm/decamelize-keys@1.1.0, npm/deep-is@0.1.3, npm/define-properties@1.1.3, npm/element-helper-json@2.0.6, npm/es-abstract@1.17.6, npm/eslint-plugin-vue@7.0.0-beta.3, npm/eslint-scope@5.1.0, npm/eslint-utils@2.1.0, npm/eslint-visitor-keys@1.3.0, npm/eslint@7.9.0, npm/esquery@1.3.1, npm/estraverse@4.2.0, npm/fast-levenshtein@2.0.6, npm/find-up@2.1.0, npm/fsevents@2.1.3, npm/glob-parent@5.1.1, npm/glob@7.1.6, npm/graceful-fs@4.1.15, npm/gridsome-helper-json@1.0.3, npm/has-symbols@1.0.1, npm/has@1.0.3, npm/hast-util-has-property@1.0.3, npm/hast-util-is-element@1.0.3, npm/ini@1.3.5, npm/is-binary-path@2.1.0, npm/is-callable@1.2.0, npm/is-decimal@1.0.3, npm/is-descriptor@1.0.2, npm/is-glob@4.0.1, npm/is-hidden@1.1.2, npm/is-regex@1.1.0, npm/is-string@1.0.5, npm/istanbul-lib-coverage@3.0.0, npm/js-beautify@1.13.0, npm/js-yaml@3.13.1, npm/json5@2.1.3, npm/kind-of@6.0.2, npm/levn@0.4.1, npm/lodash.assign@4.2.0, npm/lodash@4.17.20, npm/make-dir@3.1.0, npm/mimic-response@1.0.1, npm/minimist@1.2.5, npm/mkdirp@1.0.4, npm/mocha@8.1.3, npm/node-fetch@2.6.0, npm/nuxt-helper-json@1.0.0, npm/nyc@15.1.0, npm/object.assign@4.1.0, npm/parse-gitignore@1.0.1, npm/picomatch@2.2.1, npm/prettier-eslint@11.0.0, npm/prettier-tslint@0.4.2, npm/prettier@2.1.2, npm/read-pkg-up@7.0.1, npm/readdirp@3.4.0, npm/resolve@1.17.0

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Install scripts	npm/fsevents@1.2.13	Install script: install Source: node install.js	standalone-packages/vscode-extensions/out/extensions/ahmadawais.shades-of-purple-4.10.0/package.json
Install scripts	npm/nodemon@1.19.4	Install script: postinstall Source: node bin/postinstall || exit 0	standalone-packages/vscode-extensions/out/extensions/ahmadawais.shades-of-purple-4.10.0/package.json

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/fsevents@1.2.13
• @SocketSecurity ignore npm/nodemon@1.19.4