diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1d968712c8e7d..4741217e23150 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,9 @@
 ## v1.5.0
+- [security] updated version range of `decompress` to fix the known [security vulnerability](https://snyk.io/vuln/npm:decompress) [#8924](https://github.com/eclipse-theia/theia/pull/8294)
+ - Note: the updated dependency may have a [performance impact](https://github.com/eclipse-theia/theia/pull/7715#issuecomment-667434288) on the deployment of plugins.
+ [Breaking Changes:](#breaking_changes_1.5.0)
 - [output] `OutputWidget#setInput` has been removed. The _Output_ view automatically shows the channel when calling `OutputChannel#show`. Moved the `OutputCommands` namespace from the `output-contribution` to its dedicated `output-commands` module to overcome a DI cycle. [#8243](https://github.com/eclipse-theia/theia/pull/8243)
diff --git a/packages/plugin-ext/package.json b/packages/plugin-ext/package.json
index 44ef25c0d5a17..2a6ceb39f7e86 100644
--- a/packages/plugin-ext/package.json
+++ b/packages/plugin-ext/package.json
@@ -27,7 +27,7 @@
 "@types/mime": "^2.0.1",
 "@types/serve-static": "^1.13.3",
 "connect": "^3.7.0",
- "decompress": "4.2.0",
+ "decompress": "^4.2.1",
 "escape-html": "^1.0.3",
 "filenamify": "^4.1.0",
 "jsonc-parser": "^2.0.2",
diff --git a/yarn.lock b/yarn.lock
index 4b8fb3e1462e4..c1774fa085041 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -4846,10 +4846,10 @@ decompress-unzip@^4.0.1: pify "^2.3.0" yauzl "^2.4.2" -decompress@4.2.0: - version "4.2.0" - resolved "https://registry.yarnpkg.com/decompress/-/decompress-4.2.0.tgz#7aedd85427e5a92dacfe55674a7c505e96d01f9d" - integrity sha1-eu3YVCflqS2s/lVnSnxQXpbQH50= +decompress@^4.2.1: + version "4.2.1" + resolved "https://registry.yarnpkg.com/decompress/-/decompress-4.2.1.tgz#007f55cc6a62c055afa37c07eb6a4ee1b773f118" + integrity sha512-e48kc2IjU+2Zw8cTb6VZcJQ3lgVbS4uuB1TfCHbiZIP/haNXm+SVyhu+87jts5/3ROpd82GSVCoNs/z8l4ZOaQ== dependencies: decompress-tar "^4.0.0" decompress-tarbz2 "^4.0.0"