fix(deps): update github vulnerability alerts [security] #227
Size Change: 0 B; Total Size: 142 kB

QA Test Environment VictorWinberg-OneList--renovate-all-minor-patch: environment has been created (deploy 2024-10-01 00:03, redeploy 2024-10-01 17:04).
Force-pushed branch history (old commit -> new commit):

- 2e1c28d -> 553e9a1
- 58d37f3 -> b1b2757
- 1fa35bf -> 9c7dffa
- 7351ec6 -> acee056
- aa76d5e -> d4317dc
- 1db38c3 -> c5f753a
- 0318352 -> 3311e17
- c9b0b5e -> 4163ede
- 22ffbe6 -> 4a4b60b
- 7680740 -> 0c5a8bb
- 0c5a8bb -> 84772ae
This PR contains the following updates (package names for the first seven rows are taken from the release notes and advisories below; the last three rows carry no package name on this page):

| Package | Change |
|---|---|
| body-parser | 1.20.2 -> 1.20.3 |
| cookie-parser | 1.4.6 -> 1.4.7 |
| dotenv | 16.4.5 -> 16.4.7 |
| eslint-plugin-import | 2.29.1 -> 2.31.0 |
| eslint-plugin-jsx-a11y | 6.9.0 -> 6.10.2 |
| eslint-plugin-react | 7.34.3 -> 7.37.3 |
| express | 4.19.2 -> 4.20.0 |
| | 2.0.6 -> 2.0.7 |
| | 8.12.0 -> 8.13.1 |
| | 1.5.4 -> 1.5.5 |
GitHub Vulnerability Alerts

CVE-2024-45590

Impact

body-parser <1.20.3 is vulnerable to denial of service when URL encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.

Patches

This issue is patched in 1.20.3.

References
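The advisory above concerns unbounded nesting in URL-encoded bodies. The example below is added here and is not body-parser's own code: it measures the bracket nesting depth of every key in a raw `application/x-www-form-urlencoded` body, without building any nested object, and reports bodies that exceed a configured cap, the same kind of limit body-parser 1.20.3 applies by default (32, previously Infinity). The helper names (`keyDepth`, `flatPairs`, `checkBodyDepth`, `nestedBody`) and the sample bodies are constructed for this example.

```javascript
// Added example, not body-parser's own code: measure the bracket nesting
// depth of keys in a raw application/x-www-form-urlencoded body and flag
// bodies that exceed a cap, the kind of limit body-parser 1.20.3 applies by
// default (depth 32; earlier releases had no limit).

// One bracket group per nesting level: "a[b][c]" has depth 2.
const BRACKET_GROUP = /\[[^[\]]*\]/g;

function keyDepth(key) {
  const groups = key.match(BRACKET_GROUP);
  return groups ? groups.length : 0;
}

// Split a raw body into decoded [key, value] pairs without building any
// nested structure, so the check itself cannot be made to recurse.
function flatPairs(rawBody) {
  const decode = (s) => {
    try {
      return decodeURIComponent(s.replace(/\+/g, ' '));
    } catch {
      return s; // malformed percent-encoding: keep the raw text
    }
  };
  return rawBody
    .split('&')
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf('=');
      return eq === -1
        ? [decode(pair), '']
        : [decode(pair.slice(0, eq)), decode(pair.slice(eq + 1))];
    });
}

// Inspect a body before it reaches a nested-object parser.
// Returns { ok, maxDepth, offendingKeys }.
function checkBodyDepth(rawBody, maxDepth = 32) {
  let observed = 0;
  const offendingKeys = [];
  for (const [key] of flatPairs(rawBody)) {
    const depth = keyDepth(key);
    if (depth > observed) observed = depth;
    if (depth > maxDepth) offendingKeys.push(key);
  }
  return { ok: offendingKeys.length === 0, maxDepth: observed, offendingKeys };
}

// Constructed sample: a body whose single key nests `levels` deep, e.g.
// nestedBody(3) === 'a[0][0][0]=1'.
function nestedBody(levels) {
  return 'a' + '[0]'.repeat(levels) + '=1';
}

// Stand-alone run: an ordinary form body passes, a 40-level body is flagged.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkBodyDepth('user[name]=ann&user[tags][0]=admin'));
  console.log(checkBodyDepth(nestedBody(40)));
}
```

With express 4.20.0, which ships body-parser 1.20.3, the equivalent cap is the parser's own `depth` option (for example `express.urlencoded({ extended: true, depth: 8 })`); the check above is an independent measurement, useful in a test that confirms a deployment rejects deeply nested bodies.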
CVE-2024-43796

Impact

In express <4.20.0, passing untrusted user input (even after sanitizing it) to response.redirect() may execute untrusted code.

Patches

This issue is patched in express 4.20.0.

Workarounds

Users are encouraged to upgrade to the patched version of express, but otherwise can work around this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist.

Details

Successful exploitation of this vector requires the following:
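The workaround above asks for an explicit allowlist on anything that reaches `response.redirect()`. The example below is added here and is not Express's own code: `safeRedirectTarget` accepts only same-origin paths or `https:` URLs whose host is on an allowlist, and returns a fixed fallback for everything else, including control characters, scheme-relative `//` and `/\` prefixes, non-`https:` schemes such as `javascript:`, and embedded credentials. The policy object, the host `app.example.test` and the sample inputs are constructed for this example.

```javascript
// Added example, not Express's own code: resolve a user-supplied redirect
// target against an explicit allowlist before it is handed to
// res.redirect(), which is the workaround the advisory recommends.

const DEFAULT_POLICY = {
  allowedHosts: new Set(['app.example.test']), // constructed allowlist
  fallback: '/',                                // where rejected input goes
};

function safeRedirectTarget(input, policy = DEFAULT_POLICY) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) {
    return policy.fallback;
  }
  // Control characters (CR/LF in particular) are rejected outright so the
  // value can never split or extend the Location header.
  if (/[\u0000-\u001f\u007f]/.test(input)) return policy.fallback;

  // Same-origin relative path: exactly one leading "/", since "//host" and
  // "/\host" are both treated as scheme-relative URLs by browsers.
  if (input.startsWith('/')) {
    if (/^\/[\\/]/.test(input)) return policy.fallback;
    return input;
  }

  // Absolute URL: let the WHATWG parser normalise it, then check scheme,
  // host and the absence of userinfo.
  let url;
  try {
    url = new URL(input);
  } catch {
    return policy.fallback; // not a parseable absolute URL (e.g. "evil.test/x")
  }
  if (url.protocol !== 'https:') return policy.fallback;
  if (!policy.allowedHosts.has(url.hostname)) return policy.fallback;
  if (url.username || url.password) return policy.fallback;
  return url.href;
}

// Stand-alone run over constructed inputs; each line prints input -> result.
if (typeof require !== 'undefined' && require.main === module) {
  for (const sample of [
    '/account/settings',
    '//evil.test/phish',
    'javascript:alert(1)',
    'https://app.example.test/done?x=1',
    'https://evil.test/',
  ]) {
    console.log(sample, '->', safeRedirectTarget(sample));
  }
}
```

In an Express handler the call becomes `res.redirect(safeRedirectTarget(req.query.next))`, so the value placed in the Location header is always either a path the application vouches for or the fallback.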
Release Notes

expressjs/body-parser (body-parser)

v1.20.3 (Compare Source)

- add `depth` option to customize the depth level in the parser
- the default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`)

expressjs/cookie-parser (cookie-parser)

v1.4.7 (Compare Source)

- `hasOwnProperty`
- `serialize` without options; use `obj.hasOwnProperty` when parsing
- add `main` to `package.json` for rspack
- add `partitioned` option
- add `priority` option
- fix `expires` option to reject invalid dates

motdotla/dotenv (dotenv)

v16.4.7 (Compare Source)

Changed

- Ignore `.tap` folder when publishing. (oops, sorry about that everyone. - @motdotla) #848

v16.4.6 (Compare Source)

Changed

import-js/eslint-plugin-import (eslint-plugin-import)

v2.31.0 (Compare Source)

Added

- [`order`]: allow validating named imports ([#3043], thanks [@manuth])
- [`extensions`]: add the `checkTypeImports` option ([#2817], thanks [@phryneas])

Fixed

- `ExportMap` / flat config: include `languageOptions` in context ([#3052], thanks [@michaelfaith])
- [`no-named-as-default`]: Allow using an identifier if the export is both a named and a default export ([#3032], thanks [@akwodkiewicz])
- [`export`]: False positive for exported overloaded functions in TS ([#3065], thanks [@liuxingbaoyu])
- `exportMap`: export map cache is tainted by unreliable parse results ([#3062], thanks [@michaelfaith])
- `exportMap`: improve cacheKey when using flat config ([#3072], thanks [@michaelfaith])

Changed

- [`no-relative-packages`]: fix typo ([#3066], thanks [@joshuaobrien])
- [`no-cycle`]: don't scc for each linted file ([#3068], thanks [@soryy708])
- [`no-cycle`]: add `disableScc` to docs ([#3070], thanks [@soryy708])
- `RuleTester` ([#3071], thanks [@G-Rath])
- [`no-restricted-paths`]: fix grammar ([#3073], thanks [@unbeauvoyage])
- [`no-default-export`], [`no-named-export`]: add test case (thanks [@G-Rath])

v2.30.0 (Compare Source)

Added

- [`dynamic-import-chunkname`]: add `allowEmpty` option to allow empty leading comments ([#2942], thanks [@JiangWeixian])
- [`dynamic-import-chunkname`]: Allow empty chunk name when webpackMode: 'eager' is set; add suggestions to remove name in eager mode ([#3004], thanks [@amsardesai])
- [`no-unused-modules`]: Add `ignoreUnusedTypeExports` option ([#3011], thanks [@silverwind])

Fixed

- [`no-extraneous-dependencies`]: allow wrong path ([#3012], thanks [@chabb])
- [`no-cycle`]: use scc algorithm to optimize ([#2998], thanks [@soryy708])
- [`no-duplicates`]: Removing duplicates breaks in TypeScript ([#3033], thanks [@yesl-kim])
- [`newline-after-import`]: fix considerComments option when require ([#2952], thanks [@developer-bandi])
- [`order`]: do not compare first path segment for relative paths ([#2682]) ([#2885], thanks [@mihkeleidast])

Changed

- `no-extraneous-dependencies`: Make glob pattern description more explicit ([#2944], thanks [@mulztob])
- [`no-unused-modules`]: add console message to help debug [#2866]
- `ExportMap`: make procedures static instead of monkeypatching exportmap ([#2982], thanks [@soryy708])
- `ExportMap`: separate ExportMap instance from its builder logic ([#2985], thanks [@soryy708])
- `order`: Add a quick note on how unbound imports and --fix ([#2640], thanks [@minervabot])
- `exportMapBuilder`: avoid hoisting ([#2989], thanks [@soryy708])
- `ExportMap`: extract "builder" logic to separate files ([#2991], thanks [@soryy708])
- [`order`]: update the description of the `pathGroupsExcludedImportTypes` option ([#3036], thanks [@liby])

jsx-eslint/eslint-plugin-jsx-a11y (eslint-plugin-jsx-a11y)

v6.10.2 (Compare Source)

Fixed

- `no-redundant-roles`: allow `<img src="*.svg" role="img" />` #936

Commits

- 0d01a1a
- `es-iterator-helpers` (aa075bd)
- d15d3ab
- `@babel/cli`, `@babel/core`, `@babel/eslint-parser`, `@babel/plugin-transform-flow-strip-types`, `@babel/register` (5dad7c4)
- `aria-role`: Add valid test for `<svg role="img" />` (daba189)
- `label-has-associated-control`: add line breaks for readability (0bc6378)
- `label-has-associated-control`: add additional test cases (30d2318)
- d92446c

v6.10.1 (Compare Source)

Commits

- 4925ba8
- cb6788c
- `@babel/cli`, `@babel/core`, `@babel/eslint-parser`, `@babel/plugin-transform-flow-strip-types`, `@babel/register`, `auto-changelog`, `eslint-plugin-import`, `tape` (518a77e)
- `es-iterator-helpers`, `string.prototype.includes` (eed03a3)
- 2ee940c
- a262131
- `aria-query` (e517937)

v6.10.0 (Compare Source)

Fixed

- `label-has-associated-control`: add additional error message #1005
- `label-has-associated-control`: ignore undetermined label text #966

Commits

- a284cbf
- deac4fd
- `attributes` setting (a1ee7f8)
- 6cd1a70
- 74d5dec
- `@babel/cli`, `@babel/core`, `@babel/eslint-parser`, `@babel/plugin-transform-flow-strip-types` (6eca235)
- 0be7ea9
- `npm audit` instead of `aud` (05a5e49)
- `axobject-query` (912e98c)
- `axobject-query` (75147aa)
- `axe-core` (27ff7cb)
- ce846e0
- cca288b

jsx-eslint/eslint-plugin-react (eslint-plugin-react)

v7.37.3 (Compare Source)

Fixed

- `no-danger`: avoid a crash on a nested component name ([#3833] @ljharb)
- `no-unknown-property`: support `precedence` prop in react 19 ([#3829] @acusti)
- `prop-types`: props missing in validation when using generic types from a namespace import ([#3859] @rbondoc96)

Changed

- `jsx-no-script-url`: Improve tests ([#3849] @radu2147)
- `default-props-match-prop-types`, `jsx-boolean-value`, `jsx-curly-brace-presence`, `jsx-no-bind`, `no-array-index-key`, `no-is-mounted`, `no-render-return-value`, `require-default-props` ([#3841] @bastiendmt)

Configuration
📅 Schedule: Branch creation - "every 3 months on the first day of the month" in timezone Europe/Stockholm, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.