
fix(deps): update github vulnerability alerts [security] #227

Open
wants to merge 1 commit into
base: master
from

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Sep 30, 2024

This PR contains the following updates:

Package                 Change
body-parser             1.20.2 -> 1.20.3
cookie-parser           1.4.6 -> 1.4.7
dotenv                  16.4.5 -> 16.4.7
eslint-plugin-import    2.29.1 -> 2.31.0
eslint-plugin-jsx-a11y  6.9.0 -> 6.10.2
eslint-plugin-react     7.34.3 -> 7.37.3
express (source)        4.19.2 -> 4.20.0
http-proxy-middleware   2.0.6 -> 2.0.7
pg (source)             8.12.0 -> 8.13.1
redux-mock-store        1.5.4 -> 1.5.5

GitHub Vulnerability Alerts

CVE-2024-45590

Impact

body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.

Patches

this issue is patched in 1.20.3

References

CVE-2024-43796

Impact

In express <4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code

Patches

this issue is patched in express 4.20.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

  1. The attacker MUST control the input to response.redirect()
  2. express MUST NOT redirect before the template appears
  3. the browser MUST NOT complete redirection before:
  4. the user MUST click on the link in the template

Release Notes

expressjs/body-parser (body-parser)

v1.20.3

Compare Source


  • deps: [email protected]
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
expressjs/cookie-parser (cookie-parser)

v1.4.7

Compare Source


  • deps: [email protected]
    • Fix object assignment of hasOwnProperty
  • deps: [email protected]
    • Allow leading dot for domain
      • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
    • Add fast path for serialize without options, use obj.hasOwnProperty when parsing
  • deps: [email protected]
    • perf: parse cookies ~10% faster
    • fix: narrow the validation of cookies to match RFC6265
    • fix: add main to package.json for rspack
  • deps: [email protected]
    • Add partitioned option
  • deps: [email protected]
    • Add priority option
    • Fix expires option to reject invalid dates
    • perf: improve default decode speed
    • perf: remove slow string split in parse
  • deps: [email protected]
    • perf: read value only when assigning in parse
    • perf: remove unnecessary regexp in parse
motdotla/dotenv (dotenv)

v16.4.7

Compare Source

Changed
  • Ignore .tap folder when publishing. (oops, sorry about that everyone. - @motdotla) #848

v16.4.6

Compare Source

Changed
  • Clean up stale dev dependencies #847
  • Various README updates clarifying usage and alternative solutions using dotenvx
import-js/eslint-plugin-import (eslint-plugin-import)

v2.31.0

Compare Source

Added
Fixed
Changed

v2.30.0

Compare Source

Added
Fixed
Changed
  • [Docs] no-extraneous-dependencies: Make glob pattern description more explicit (#2944, thanks @mulztob)
  • [no-unused-modules]: add console message to help debug #2866
  • [Refactor] ExportMap: make procedures static instead of monkeypatching exportmap (#2982, thanks @soryy708)
  • [Refactor] ExportMap: separate ExportMap instance from its builder logic (#2985, thanks @soryy708)
  • [Docs] order: Add a quick note on how unbound imports and --fix (#2640, thanks @minervabot)
  • [Tests] appveyor -> GHA (run tests on Windows in both pwsh and WSL + Ubuntu) (#2987, thanks @joeyguerra)
  • [actions] migrate OSX tests to GHA (ljharb#37, thanks @aks-)
  • [Refactor] exportMapBuilder: avoid hoisting (#2989, thanks @soryy708)
  • [Refactor] ExportMap: extract "builder" logic to separate files (#2991, thanks @soryy708)
  • [Docs] [order]: update the description of the pathGroupsExcludedImportTypes option (#3036, thanks @liby)
  • [readme] Clarify how to install the plugin (#2993, thanks @jwbth)
jsx-eslint/eslint-plugin-jsx-a11y (eslint-plugin-jsx-a11y)

v6.10.2

Compare Source

Fixed
  • [patch] no-redundant-roles: allow <img src="*.svg" role="img" /> #936
Commits
  • [meta] fix changelog URLs 0d01a1a
  • [Refactor] remove no-longer-needed es-iterator-helpers aa075bd
  • [Refactor] avoid spreading things that are already arrays d15d3ab
  • [Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types, @babel/register 5dad7c4
  • [Tests] aria-role: Add valid test for <svg role="img" /> daba189
  • [Docs] label-has-associated-control: add line breaks for readability 0bc6378
  • [Tests] label-has-associated-control: add additional test cases 30d2318
  • [Tests] Add tests to reinforce required attributes for role="heading" d92446c

v6.10.1

Compare Source

Commits
  • [Fix] handle interactive/noninteractive changes from aria-query 4925ba8
  • [Docs] Use consistent spelling of 'screen reader' cb6788c
  • [Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types, @babel/register, auto-changelog, eslint-plugin-import, tape 518a77e
  • [Deps] update es-iterator-helpers, string.prototype.includes eed03a3
  • [meta] package.json - Update jscodeshift & remove babel-jest 2ee940c
  • [Docs] Remove accidental whitespace in CONTRIBUTING.md a262131
  • [Deps] unpin aria-query e517937

v6.10.0

Compare Source

Fixed
  • [New] label-has-associated-control: add additional error message #1005
  • [Fix] label-has-associated-control: ignore undetermined label text #966
Commits
  • [Tests] switch from jest to tape a284cbf
  • [New] add eslint 9 support deac4fd
  • [New] add attributes setting a1ee7f8
  • [New] allow polymorphic linting to be restricted 6cd1a70
  • [Tests] remove duplicate tests 74d5dec
  • [Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types 6eca235
  • [readme] remove deprecated travis ci badge; add github actions badge 0be7ea9
  • [Tests] use npm audit instead of aud 05a5e49
  • [Deps] update axobject-query 912e98c
  • [Deps] unpin axobject-query 75147aa
  • [Deps] update axe-core 27ff7cb
  • [readme] fix jsxA11y import name ce846e0
  • [readme] fix typo in shareable config section in readme cca288b
jsx-eslint/eslint-plugin-react (eslint-plugin-react)

v7.37.3

Compare Source

Fixed
  • [no-danger]: avoid a crash on a nested component name (#3833 @ljharb)
  • [Fix] types: correct generated type declaration (#3840 @ocavue)
  • [no-unknown-property]: support precedence prop in react 19 (#3829 @acusti)
  • [prop-types]: props missing in validation when using generic types from a namespace import (#3859 @rbondoc96)
Changed
  • [Tests] [jsx-no-script-url]: Improve tests (#3849 @radu2147)
  • [Docs] fix broken links: default-props-match-prop-types, jsx-boolean-value, jsx-curly-brace-presence, jsx-no-bind, no-array-index-key, no-is-mounted, no-render-return-value, require-default-props (#3841 @bastiendmt)

Configuration

📅 Schedule: Branch creation - "every 3 months on the first day of the month" in timezone Europe/Stockholm, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
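The two advisories in this PR each point at a mitigation: an explicit nesting-depth limit for URL-encoded bodies (the `depth` option body-parser 1.20.3 introduces) and an allowlist for anything that ends up in `response.redirect()`. The following is an added example, not code from this PR or from the express/body-parser projects, showing one way to apply both in an Express app. The route paths, the allowlist contents, the depth value of 3 and the helper name `resolveRedirectTarget` are assumptions; the body-parser option names (`extended`, `depth`, `parameterLimit`, `limit`) are real.

```javascript
// Added example (not part of the Renovate PR or the express/body-parser projects).
// Assumptions: the app only ever redirects to its own paths under /app/, and its
// forms never nest fields more than three levels deep.

// body-parser >= 1.20.3 exposes a `depth` option (the CVE-2024-45590 fix).
// Setting it explicitly, rather than relying on the new default of 32, records
// the limit this application actually needs. Assumed value: 3.
const urlencodedOptions = {
  extended: true,      // use qs, which is where nesting depth applies
  depth: 3,            // reject bodies nested deeper than a[b][c][d]
  parameterLimit: 100, // cap the number of fields per body
  limit: '10kb',       // cap the body size
};

// Allowlist for the CVE-2024-43796 workaround: redirect targets are looked up,
// never echoed. Assumed paths for an example app.
const ALLOWED_PATHS = new Set(['/app/home', '/app/settings', '/app/inbox']);
const DEFAULT_TARGET = '/app/home';

/**
 * Resolve an untrusted `next` value (e.g. req.query.next or req.body.next) to a
 * redirect target that is guaranteed to be one of our own paths. Anything that
 * does not match exactly falls back to the default, so no attacker-controlled
 * bytes ever reach res.redirect().
 */
function resolveRedirectTarget(untrusted) {
  if (typeof untrusted !== 'string') return DEFAULT_TARGET;
  let parsed;
  try {
    // Parse against a placeholder origin: absolute URLs and protocol-relative
    // forms ("//host/...") resolve to a different origin and are rejected below;
    // unparseable input throws and also falls back to the default.
    parsed = new URL(untrusted, 'https://app.invalid');
  } catch {
    return DEFAULT_TARGET;
  }
  if (parsed.origin !== 'https://app.invalid') return DEFAULT_TARGET;
  // Compare the normalized pathname only ("/app/../app/home" becomes "/app/home");
  // query string and fragment are deliberately dropped.
  return ALLOWED_PATHS.has(parsed.pathname) ? parsed.pathname : DEFAULT_TARGET;
}

// Express wiring, shown for context (needs express and body-parser at runtime):
// const express = require('express');
// const bodyParser = require('body-parser');
// const app = express();
// app.use(bodyParser.urlencoded(urlencodedOptions));
// app.post('/login', (req, res) => {
//   res.redirect(resolveRedirectTarget(req.body.next));
// });
```

The allowlist is a set of exact paths rather than a prefix match, so the check cannot be widened by path tricks, and the fallback is always a known-good path rather than an error, which keeps login flows working when a stale `next` value is presented.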

@renovate renovate bot added the security label Sep 30, 2024

github-actions bot commented Sep 30, 2024

Size Change: 0 B

Total Size: 142 kB

Filename Size
./build/precache-4dc83f9d925941081ec346bcf91cc222.js 786 B
./build/service-worker.js 684 B
./build/static/css/main.chunk.css 2.25 kB
./build/static/js/2.chunk.js 129 kB
./build/static/js/main.chunk.js 8.53 kB
./build/static/js/runtime-main.js 774 B

compressed-size-action


github-actions bot commented Sep 30, 2024

QA Test Environment

VictorWinberg-OneList--renovate-all-minor-patch

Environment has been created!
Please visit rome.

deploy 2024-10-01 00:03

redeploy 2024-10-01 17:04
redeploy 2024-10-03 09:18
redeploy 2024-10-03 12:58
redeploy 2024-10-06 20:25
redeploy 2024-10-08 12:20
redeploy 2024-10-08 23:17
redeploy 2024-10-09 05:22
redeploy 2024-10-15 12:36
redeploy 2024-10-16 19:44
redeploy 2024-10-21 09:54
redeploy 2024-10-21 14:19
redeploy 2024-10-23 02:12
redeploy 2024-10-23 22:33
redeploy 2024-10-24 19:00
redeploy 2024-10-26 09:06
redeploy 2024-11-04 20:28
redeploy 2024-11-09 05:00
redeploy 2024-11-13 03:58
redeploy 2024-11-15 01:49
redeploy 2024-11-22 04:35
redeploy 2024-11-23 05:17
redeploy 2024-11-23 21:14
redeploy 2024-11-23 22:42
redeploy 2024-11-26 20:37
redeploy 2024-11-28 01:10
redeploy 2024-11-30 07:20
redeploy 2024-11-30 12:05
redeploy 2024-12-01 20:02
redeploy 2024-12-02 07:13
redeploy 2024-12-02 18:59
redeploy 2024-12-02 20:55
redeploy 2024-12-03 05:44
redeploy 2024-12-05 07:00
redeploy 2024-12-06 07:51
redeploy 2024-12-06 21:37
redeploy 2024-12-08 23:17
redeploy 2024-12-09 08:41
redeploy 2024-12-11 19:32
redeploy 2024-12-11 22:30
redeploy 2024-12-12 02:24
redeploy 2024-12-12 04:45
redeploy 2024-12-12 07:23
redeploy 2024-12-12 21:35
redeploy 2024-12-13 03:01
redeploy 2024-12-13 10:14
redeploy 2024-12-13 18:19
redeploy 2024-12-13 23:36
redeploy 2024-12-15 22:16
redeploy 2024-12-16 01:21
redeploy 2024-12-16 05:03
redeploy 2024-12-16 07:40
redeploy 2024-12-16 10:09
redeploy 2024-12-16 17:55
redeploy 2024-12-17 14:59
redeploy 2024-12-17 17:58
redeploy 2024-12-17 20:47
redeploy 2024-12-17 22:30
redeploy 2024-12-18 02:08
redeploy 2024-12-18 18:21
redeploy 2024-12-18 21:11
redeploy 2024-12-18 22:17
redeploy 2024-12-19 08:08
redeploy 2024-12-19 20:03
redeploy 2024-12-20 05:49
redeploy 2024-12-20 08:30
redeploy 2024-12-20 20:40
redeploy 2024-12-21 01:25
redeploy 2024-12-21 22:49
redeploy 2024-12-24 05:32

@renovate renovate bot force-pushed the renovate/all-minor-patch branch 5 times, most recently from 2e1c28d to 553e9a1 Compare October 8, 2024 10:19
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 58d37f3 to b1b2757 Compare October 15, 2024 10:35
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 1fa35bf to 9c7dffa Compare October 23, 2024 00:11
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 7351ec6 to acee056 Compare October 26, 2024 07:05
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from aa76d5e to d4317dc Compare November 9, 2024 03:59
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 1db38c3 to c5f753a Compare November 15, 2024 00:48
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 6 times, most recently from 0318352 to 3311e17 Compare November 28, 2024 00:09
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from c9b0b5e to 4163ede Compare November 30, 2024 11:03
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 21 times, most recently from 22ffbe6 to 4a4b60b Compare December 18, 2024 21:16
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 7 times, most recently from 7680740 to 0c5a8bb Compare December 21, 2024 21:48
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 0c5a8bb to 84772ae Compare December 24, 2024 04:31