⬆️ Updates qs to v6.9.7 [SECURITY] #559
Branch automerge failure: This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

Hey! Changelogs info seems to be missing or might be in incorrect format.

Pull request by bot. No need to analyze

Thanks for the PR! This section of the codebase is owned by https://github.com/AlexRogalskiy/ - if they write a comment saying "LGTM" then it will be merged.

🏷️ [bumpr] Next version: v1.16.1 Changes: v1.16.0...AlexRogalskiy:renovate/npm-qs-vulnerability

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎ This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
🚮 Removed packages: npm/qs@6.9.6
This PR contains the following updates:

- qs: `6.9.6` -> `6.9.7`

GitHub Vulnerability Alerts

CVE-2022-24999

qs before 6.10.3 allows attackers to cause a Node process hang because a `__proto__` key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.

Release Notes

ljharb/qs (qs)

v6.9.7

- `parse`: ignore `__proto__` keys (#428)
- `stringify`: avoid encoding arrayformat comma when `encodeValuesOnly = true` (#424)
- `stringify`: avoid relying on a global `undefined` (#427)

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Moscow, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.
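As an added example for triaging the advisory quoted in this PR (not code from qs, Renovate or this repository): two checks a defender can run before and after merging the bump. The first compares an installed qs version against the fixed versions the advisory lists, so a lockfile audit can tell a still-affected 6.9.6 from a fixed 6.9.7 or any 6.10.3+. The second scans a raw query string for the `__proto__` bracket key the advisory describes, so a request can be rejected or logged before it reaches a parser on an older qs. The function names and the constructed sample query strings are assumptions of this example.

```javascript
// Added example, not part of the qs project or this PR.
// Fixed versions exactly as the advisory text lists them: 6.10.3 plus the backports.
const FIXED_VERSIONS = ['6.10.3', '6.9.7', '6.8.3', '6.7.3', '6.6.1', '6.5.3', '6.4.1', '6.3.3', '6.2.4'];

// Parse "major.minor.patch" (a trailing pre-release tag is ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const [a1, a2, a3] = parseSemver(a);
  const [b1, b2, b3] = parseSemver(b);
  return (a1 - b1) || (a2 - b2) || (a3 - b3);
}

// True when `version` is not affected by CVE-2022-24999 according to the advisory:
// either >= 6.10.3, or on a backported minor line at or above that line's fix.
// A version below 6.10.3 whose minor line has no listed backport (e.g. 6.1.x or 5.x)
// is reported as affected.
function qsVersionIsFixed(version) {
  if (compareSemver(version, '6.10.3') >= 0) return true;
  const [major, minor] = parseSemver(version);
  const fix = FIXED_VERSIONS.find((f) => {
    const [fMajor, fMinor] = parseSemver(f);
    return fMajor === major && fMinor === minor;
  });
  return fix !== undefined && compareSemver(version, fix) >= 0;
}

// Return the decoded keys of a raw query string that carry "__proto__" either as
// the whole key or as a bracket segment such as a[__proto__]. Percent-encoded
// brackets (a%5B__proto__%5D) are decoded first. A key whose percent-encoding is
// malformed cannot be inspected, so it is reported as well.
function findProtoKeys(rawQuery) {
  const q = rawQuery.startsWith('?') ? rawQuery.slice(1) : rawQuery;
  const hits = [];
  for (const pair of q.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const encodedKey = eq === -1 ? pair : pair.slice(0, eq);
    let key;
    try {
      key = decodeURIComponent(encodedKey.replace(/\+/g, ' '));
    } catch {
      hits.push(encodedKey);
      continue;
    }
    const segments = key.split(/[\[\]]+/).filter((s) => s !== '');
    if (segments.includes('__proto__')) hits.push(key);
  }
  return hits;
}

// Constructed sample inputs (the first one is the query shape quoted in the advisory).
const SAMPLE_VERSIONS = ['6.9.6', '6.9.7', '6.10.3', '6.1.0'];
const SAMPLE_QUERY = 'a[__proto__]=b&a[__proto__]&a[length]=100000000';

for (const v of SAMPLE_VERSIONS) {
  console.log(`qs@${v}: ${qsVersionIsFixed(v) ? 'fixed' : 'AFFECTED'}`);
}
console.log('suspicious keys:', findProtoKeys(SAMPLE_QUERY));

module.exports = { qsVersionIsFixed, findProtoKeys, compareSemver };
```

The version check deliberately treats a minor line with no listed backport as affected rather than guessing; if a lockfile pins such a version, the only action the advisory supports is moving to a listed fixed release. The key scan is a pre-parse guard, not a replacement for the upgrade, since `parse` in 6.9.7 already ignores `__proto__` keys.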