[Snyk] Security upgrade cosmiconfig from 7.1.0 to 8.0.0

[naiba4]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/eslint-plugin/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	768/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5	Uncaught Exception SNYK-JS-YAML-5458867	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: cosmiconfig

The new version differs by 22 commits.

• 7d1dce9 Merge pull request TinyMCE per block: Fix small remaining bugs (Format toolbar and focusing the image) WordPress/gutenberg#274 from davidtheclark/prepare-v8
• 500dada correct changelog text
• 9254fb0 Merge branch 'main' into prepare-v8
• 68298d4 Merge pull request Plugin: Adding a build process WordPress/gutenberg#282 from davidtheclark/add-filepath-to-loader-errors
• 706c2ee add changelog entry
• fea5937 add filepath to loader errors
• ec975e4 Merge pull request Initial plugin readme.md based on template from dd32 WordPress/gutenberg#281 from vkrol/vkrol-patch-1
• 8b8bcf7 don't install latest npm
• 93c009a fix changelog
• 195a1c5 drop node 12 support
• 386ff8c Merge branch 'main' into prepare-v8
• c2e52ac fix minor typo in readme
• b85d869 Merge branch 'v7.1' into main
• 2a1a259 Fix the cosmiconfig() link in the cosmiconfigSync section
• 0160c2d Add "Maintainers wanted" note to readme (Enhancement: Improve Documentation WordPress/gutenberg#277)
• 19bd87b Fix js-yaml, type imports (Tiny with react ui WordPress/gutenberg#275)
• bf455a3 Prepare v8
• c7dc6ab Remove badges for Travis and Appveyor (Replaced icons with dashicons WordPress/gutenberg#273)
• 48c1e4a Add changelog note about yaml dependency (TinyMCE per block: Trying the temporary content editable approach for cross-block selection WordPress/gutenberg#272)
• 9155d8a @ types/parse-json should be a dev dependency (Full Width CSS for the iframe in embedded content! WordPress/gutenberg#256)
• 2ef8ce6 Switch from yaml to js-yaml (Update mockups WordPress/gutenberg#270)
• 457a69d Try GitHub actions for CI (Fix weirdly broken markdown WordPress/gutenberg#271)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
gutenberg	❌ Failed (Inspect)			Apr 30, 2023 1:11pm
gutenberg-wd9x	❌ Failed (Inspect)			Apr 30, 2023 1:11pm

[socket-security]

New dependency changes detected. Learn more about Socket for GitHub ↗︎

---

🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore unbox-primitive@1.0.2

⚠️ Unmaintained

Package has not been updated in more than a year and may be unmaintained. Problems with the package may go unaddressed.

Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance.

Package	Last Publish Date	Source
unbox-primitive@1.0.2 (added)	4/25/2022, 5:35:15 AM	package.json via @storybook/manager-webpack5@6.5.7, @storybook/react@6.5.7, @wordpress/e2e-tests@6.4.0, @wordpress/eslint-plugin@14.0.0, @wordpress/scripts@25.4.0, eslint-plugin-import@2.25.2, npm-run-all@4.1.5, packages/e2e-tests/package.json via @wordpress/scripts@25.4.0, packages/eslint-plugin/package.json via eslint-plugin-import@2.25.2, eslint-plugin-jsx-a11y@6.7.1, eslint-plugin-react@7.32.2, packages/scripts/package.json via @wordpress/eslint-plugin@14.0.0

Pull request alert summary

Issue	Status
Critical CVE	✅ 0 issues
CVE	✅ 0 issues
Mild CVE	✅ 0 issues
Install scripts	✅ 0 issues
Native code	✅ 0 issues
Bin script confusion	✅ 0 issues
Bin script shell injection	✅ 0 issues
Filesystem access	✅ 0 issues
Shell access	✅ 0 issues
Debug access	✅ 0 issues
Long strings	✅ 0 issues
High entropy strings	✅ 0 issues
URL strings	✅ 0 issues
Uses eval	✅ 0 issues
Dynamic require	✅ 0 issues
Environment variable access	✅ 0 issues
Missing dependency	✅ 0 issues
Unused dependency	✅ 0 issues
Peer dependency	✅ 0 issues
Uncaught optional dependency	✅ 0 issues
Unresolved require	✅ 0 issues
Extraneous dependency	✅ 0 issues
Obfuscated require	✅ 0 issues
Obfuscated code	✅ 0 issues
Minified code	✅ 0 issues
Bidirectional unicode control characters	✅ 0 issues
Zero width unicode chars	✅ 0 issues
Bad text encoding	✅ 0 issues
Unicode homoglyphs	✅ 0 issues
Invisible chars	✅ 0 issues
Suspicious strings	✅ 0 issues
Invalid package.json	✅ 0 issues
HTTP dependency	✅ 0 issues
Git dependency	✅ 0 issues
GitHub dependency	✅ 0 issues
File dependency	✅ 0 issues
No tests	✅ 0 issues
No repository	✅ 0 issues
Bad semver	✅ 0 issues
Bad dependency semver	✅ 0 issues
No v1	✅ 0 issues
No website	✅ 0 issues
No bug tracker	✅ 0 issues
No contributors or author data	✅ 0 issues
CommonJS depending on ESModule	✅ 0 issues
Empty package	✅ 0 issues
Trivial Package	✅ 0 issues
No README	✅ 0 issues
Deprecated	✅ 0 issues
Chronological version anomaly	✅ 0 issues
Semver anomaly	✅ 0 issues
New author	✅ 0 issues
Unstable ownership	✅ 0 issues
Non-existent author	✅ 0 issues
Unmaintained	⚠️ 1 issue
Unpublished package	✅ 0 issues
Major refactor	✅ 0 issues
Missing package tarball	✅ 0 issues
Unsafe copyright	✅ 0 issues
License change	✅ 0 issues
Non OSI license	✅ 0 issues
Deprecated license	✅ 0 issues
Missing license	✅ 0 issues
Non SPDX license	✅ 0 issues
Unclear license	✅ 0 issues
Mixed license	✅ 0 issues
Legal notice	✅ 0 issues
Modified license	✅ 0 issues
Modified license exception	✅ 0 issues
License exception	✅ 0 issues
Deprecated SPDX exception	✅ 0 issues
Potential typo squat	✅ 0 issues
Known Malware	✅ 0 issues
Telemetry	✅ 0 issues
Protestware/Troll package	✅ 0 issues
AI detected security risk	✅ 0 issues
AI warning	✅ 0 issues