codecov - npm Package Compare versions

Comparing version 3.6.4 to 3.6.5

lib/codecov.js

@@ -8,3 +8,2 @@ var fs = require('fs')
 var execSync = require('child_process').execSync
-var validator = require('validator')
 
@@ -398,9 +397,9 @@ var detectProvider = require('./detect')
           'find ' +
-          (args.options['gcov-root'] || root) +
+          (sanitizeVar(args.options['gcov-root']) || root) +
           " -type f -name '*.gcno' " +
           gcg +
           ' -exec ' +
-          (validator.escape(args.options['gcov-exec']) || 'gcov') +
+          (sanitizeVar(args.options['gcov-exec']) || 'gcov') +
           ' ' +
-          (validator.escape(args.options['gcov-args']) || '') +
+          (sanitizeVar(args.options['gcov-args']) || '') +
           ' {} +'
@@ -414,5 +413,5 @@ } else {
           "') do " +
-          (args.options['gcov-exec'] || 'gcov') +
+          (sanitizeVar(args.options['gcov-exec']) || 'gcov') +
           ' ' +
-          (args.options['gcov-args'] || '') +
+          (sanitizeVar(args.options['gcov-args']) || '') +
           ' %g'
@@ -562,3 +561,8 @@ }
 
+function sanitizeVar(arg) {
+  return arg.replace(/&/g, '')
+}
+
 module.exports = {
+  sanitizeVar: sanitizeVar,
   upload: upload,
@@ -565,0 +569,0 @@ version: version,

package.json

 {
   "name": "codecov",
-  "version": "3.6.4",
+  "version": "3.6.5",
   "description": "Uploading report to Codecov: https://codecov.io",
@@ -38,4 +38,3 @@ "main": "index.js",
     "teeny-request": "6.0.1",
-    "urlgrey": "0.4.4",
-    "validator": "12.2.0"
+    "urlgrey": "0.4.4"
   },
@@ -42,0 +41,0 @@ "devDependencies": {

test/index.test.js

@@ -279,2 +279,8 @@ var fs = require('fs')
   })
+
+  it('can sanitize inputs', function() {
+    expect(codecov.sanitizeVar('real & run unsafe & command')).toEqual(
+      'real  run unsafe  command'
+    )
+  })
 })

New alerts

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 45 instances in 1 package

Fixed alerts

Telemetry

Supply chain risk

This package contains telemetry which tracks how it is used.

Found 1 instance in 1 package

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

75777

increased by0.28%

Dependency count

5

decreased by-16.67%

Lines of code

1985

increased by0.4%

Number of high supply chain risk alerts

0

decreased by-100%

Number of low supply chain risk alerts

260

decreased by-23.53%

Worsened metrics

Number of medium supply chain risk alerts

6

increased by20%

Dependency changes

• - Removedvalidator@12.2.0

• - Removedvalidator@12.2.0(transitive)