• Properly bundle all dependencies of Bower within package

• Security fixes for tar-fs dependency#2576
• Security fixes for handlebars dependency#2586
• Security fixes for ini dependency#2589

Fix security issue connected to extracting .tar.gz archives

This bug allows to write arbitrary file on filesystem when Bower extracts malicious package

Needlessly to say, please upgrade

Fixes side effect of fix from v1.8.6 that caused improper permissions for extracted folders

#2532

Fix Zip Slip Vulnerability of decompress-zip package:https://snyk.io/research/zip-slip-vulnerability

Note: v1.8.5 has been unpublished because of missing files

• Fixes release 1.8.3 by publishing with npm@3 instead of npm@5 (to includelib/node_modules)

• 451c60e Do not store resolutions if --save is not used, fixes#2344 (#2508)
• 50ee729 Allow to disable shorthand resolver (#2507)
• bb17839 Allow shallow cloning when source is a ssh protocol (#2506)
• 5a6ae54 Add support for Arrays in Environment Variable replacement (#2411)
• 74af42c Only replace last@ after (if any) last/ with# (#2395)
• 💯Make tests work on Windows / Linux / OSX on node versions 0.10 / 0.12 / 4 / 6 / 8 / 9
• 💅Format source code withprettier

Migrate registry url fromhttp://bower.herokuapp.com tohttps://registry.bower.io

It is so we leverage CDN and offload Heroku instance reducing costs.

• Download tar archives from GitHub when possible (#2263)
  • Change default shorthand resolver for github fromgit:// tohttps://
• Fix ssl handling by not setting GIT_SSL_NO_VERIFY=false (#2361)
• Allow for removing components with url instead of name (#2368)
• Show in warning message location of malformed bower.json (#2357)
• Improve handling of non-semver versions in git resolver (#2316)
• Fix handling of cached releases pluginResolverFactory (#2356)
• Allow to type the entire version when conflict occured (#2243)
• Allowowner/reponame shorthand for registering components (#2248)
• Allow single-char repo names and package names (#2249)
• Makebower version no longer honorversion in bower.json (#2232)
• Addpostinstall hook (#2252)
• Allow for@ instead of# forinstall andinfo commands (#2322)
• Upgrade all bundled modules

• Show warnings for invalid bower.json fields
• Update bower-json
  • Less strict validation on package name (allow spaces, slashes, and "@")