[Snyk] Upgrade bower from 1.3.12 to 1.8.8

[snyk-bot]

Snyk has created this PR to upgrade bower from 1.3.12 to 1.8.8.

• The recommended version is 32 versions ahead of your current version.
• The recommended version was released 8 months ago, on 2019-01-23.

The recommended version fixes:

Severity	Title	Issue ID
	Arbitrary File Write via Archive Extraction (Zip Slip)	SNYK-JS-BOWER-73627
	Arbitrary File Write via Archive Extraction (Zip Slip)	SNYK-JS-DECOMPRESSZIP-73598
	Prototype Pollution	SNYK-JS-HANDLEBARS-173692
	Prototype Pollution	SNYK-JS-HANDLEBARS-174183
	Prototype Pollution	npm:deep-extend:20180409
	Arbitrary File Overwrite	SNYK-JS-TARFS-174556
	Cross-site Scripting (XSS)	npm:handlebars:20151207

Release notes

• 1.8.8 - 2019-01-23

  Fix security issue connected to extracting .tar.gz archives

  This bug allows to write arbitrary file on filesystem when Bower extracts malicious package

  Needlessly to say, please upgrade

• 1.8.7 - 2019-01-17

  Fixes side effect of fix from v1.8.6 that caused improper permissions for extracted folders

  #2532

• 1.8.6 - 2019-01-17

  Fix Zip Slip Vulnerability of decompress-zip package: https://snyk.io/research/zip-slip-vulnerability

  Note: v1.8.5 has been unpublished because of missing files

• 1.8.4 - 2018-03-28
  • Fixes release 1.8.3 by publishing with npm@3 instead of npm@5 (to include lib/node_modules)
• 1.8.3 - 2018-03-28
  • 451c60e Do not store resolutions if --save is not used, fixes #2344 (#2508)
  • 50ee729 Allow to disable shorthand resolver (#2507)
  • bb17839 Allow shallow cloning when source is a ssh protocol (#2506)
  • 5a6ae54 Add support for Arrays in Environment Variable replacement (#2411)
  • 74af42c Only replace last @ after (if any) last / with # (#2395)
  • 💯Make tests work on Windows / Linux / OSX on node versions 0.10 / 0.12 / 4 / 6 / 8 / 9
  • 💅Format source code with prettier
• 1.8.2 - 2017-09-13

  Migrate registry url from http://bower.herokuapp.com to https://registry.bower.io

  It is so we leverage CDN and offload Heroku instance reducing costs.

• 1.8.0 - 2016-11-07
  • Download tar archives from GitHub when possible (#2263)
    • Change default shorthand resolver for github from git:// to https://
  • Fix ssl handling by not setting GIT_SSL_NO_VERIFY=false (#2361)
  • Allow for removing components with url instead of name (#2368)
  • Show in warning message location of malformed bower.json (#2357)
  • Improve handling of non-semver versions in git resolver (#2316)
  • Fix handling of cached releases pluginResolverFactory (#2356)
  • Allow to type the entire version when conflict occured (#2243)
  • Allow owner/reponame shorthand for registering components (#2248)
  • Allow single-char repo names and package names (#2249)
  • Make bower version no longer honor version in bower.json (#2232)
  • Add postinstall hook (#2252)
  • Allow for @ instead of # for install and info commands (#2322)
  • Upgrade all bundled modules
• 1.7.10 - 2017-09-13
• 1.7.9 - 2016-04-05
  • Show warnings for invalid bower.json fields
  • Update bower-json
    • Less strict validation on package name (allow spaces, slashes, and "@")
• 1.7.8 - 2016-04-04
• 1.7.7 - 2016-01-27
• 1.7.6 - 2016-01-27
• 1.7.5 - 2016-01-26
• 1.7.2 - 2015-12-31
• 1.7.1 - 2015-12-11
• 1.7.0 - 2015-12-07
• 1.6.9 - 2015-12-04
• 1.6.8 - 2015-11-27
• 1.6.7 - 2015-11-26
• 1.6.6 - 2015-11-25
• 1.6.5 - 2015-10-24
• 1.6.4 - 2015-10-24
• 1.6.3 - 2015-10-16
• 1.6.2 - 2015-10-15
• 1.5.4 - 2015-11-24
• 1.5.3 - 2015-09-24
• 1.5.2 - 2015-08-25
• 1.5.1 - 2015-08-23
• 1.5.0 - 2015-08-23
• 1.4.2 - 2015-11-24
• 1.4.1 - 2015-04-01
• 1.4.0 - 2015-03-30
• 1.3.12 - 2014-09-28

from bower GitHub Release Notes

---

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs