Conversation


@nscuro nscuro commented Sep 14, 2022

Fixes:
* https://security.snyk.io/vuln/SNYK-JS-MERGE-1040469
* https://security.snyk.io/vuln/SNYK-JS-MERGE-1042987

`vue-bootstrap-toggle` only uses a single function of `merge`. That function still exists in v2 of `merge`, so this version bump is not a breaking change.
See https://github.com/rhyek/vue-bootstrap-toggle/blob/16cf66e4346119ea5b72ec2abeafe524b55bbaee/src/index.vue#L51

Further, the vulnerabilities (both prototype pollutions) are not exploitable, as neither of the arguments passed to `merge.recursive` is user-controllable.

Still performing the update to make scanners happy.

Signed-off-by: nscuro <nscuro@protonmail.com>
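As an added example (not code from this PR, from `vue-bootstrap-toggle`, or from the `merge` package), the shape of a recursive merge that is safe even when one argument does become user-controlled: it drops the keys a prototype-pollution payload depends on, and a companion check reports whether `Object.prototype` has already picked up stray properties. The option names and the untrusted JSON are constructed for the demonstration.

```javascript
// Keys that let a merge write into the prototype chain instead of the target.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Hardened recursive merge: own enumerable keys only, unsafe keys skipped,
// nested plain objects merged in place, everything else copied by assignment.
function safeMergeRecursive(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // never walk into the prototype chain
    const value = source[key];
    if (isPlainObject(value) && isPlainObject(target[key])) {
      safeMergeRecursive(target[key], value);
    } else if (isPlainObject(value)) {
      target[key] = safeMergeRecursive({}, value); // copy, don't alias source
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection: a clean Object.prototype has no own enumerable properties, so any
// key reported here was planted by a polluting write somewhere in the process.
function prototypePollutionDetected() {
  return Object.keys(Object.prototype).length > 0;
}

// Constructed scenario: component defaults merged with options taken from
// untrusted JSON. JSON.parse creates an own property literally named
// "__proto__" (it does not reassign the prototype), so Object.keys() lists it
// and the guard above discards it instead of merging it into the target.
function mergeUntrustedOptions() {
  const defaults = { size: "sm", labels: { on: "On", off: "Off" } };
  const untrusted = JSON.parse(
    '{"size": "lg", "labels": {"on": "Yes"}, "__proto__": {"polluted": true}}'
  );
  return safeMergeRecursive(defaults, untrusted);
}
```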
@nscuro nscuro added dependencies security javascript Pull requests that update Javascript code labels Sep 14, 2022
@nscuro nscuro added this to the 4.6 milestone Sep 14, 2022
nscuro commented Sep 14, 2022

Toggles in the UI still work as expected, no errors in the dev console.

@nscuro nscuro merged commit 4713f98 into DependencyTrack:master Sep 14, 2022
@nscuro nscuro deleted the update-merge branch September 14, 2022 20:39
sahibamittal added a commit to sahibamittal/dependency-track-frontend-upstream that referenced this pull request Sep 21, 2022
commit 09e4c18
Merge: 1c24842 8377370
Author: Niklas <nscuro@protonmail.com>
Date:   Tue Sep 20 17:17:17 2022 +0200

    Merge pull request DependencyTrack#251 from tmehnert/fix-project-view-details-display-wrong-tags

commit 8377370
Author: Torsten Mehnert <torsten.mhn@gmail.com>
Date:   Mon Sep 19 13:48:19 2022 +0200

    Fix Project View Details display wrong tags

    Previously the DTO was only updated, when it contains no tags
    and the project has tags. Because of this, the tags in the
    Modal didn't update, when switching between projects.

    Signed-off-by: Torsten Mehnert <torsten.mhn@gmail.com>

commit 1c24842
Merge: 4713f98 647aaec
Author: Niklas <nscuro@protonmail.com>
Date:   Fri Sep 16 16:38:27 2022 +0200

    Merge pull request DependencyTrack#247 from sahibamittal/quick-fix-osv-ecosystem-list

    Quick-fix : OSV ecosystem toggle handling

commit 647aaec
Author: Sahiba Mittal <sahibamittal98@gmail.com>
Date:   Fri Sep 16 15:08:51 2022 +0100

    fix osv ecosystem toggle handling

    Signed-off-by: Sahiba Mittal <sahibamittal98@gmail.com>

commit 4713f98
Merge: 50db524 b45328c
Author: Niklas <nscuro@protonmail.com>
Date:   Wed Sep 14 22:39:38 2022 +0200

    Merge pull request DependencyTrack#246 from nscuro/update-merge

    Bump `merge` to 2.1.1

commit b45328c
Author: nscuro <nscuro@protonmail.com>
Date:   Wed Sep 14 22:15:54 2022 +0200

    Bump `merge` to 2.1.1

    Fixes:
    * https://security.snyk.io/vuln/SNYK-JS-MERGE-1040469
    * https://security.snyk.io/vuln/SNYK-JS-MERGE-1042987

    `vue-bootstrap-toggle` only uses a single function of `merge`. That function still exists in v2 of `merge`, so this version bump is not a breaking change.
    See https://github.com/rhyek/vue-bootstrap-toggle/blob/16cf66e4346119ea5b72ec2abeafe524b55bbaee/src/index.vue#L51

    Further, the vulnerabilities (both prototype pollutions) are not exploitable, as neither of the arguments passed to `merge.recursive` are user-controllable.

    Still performing the update to make scanners happy.

    Signed-off-by: nscuro <nscuro@protonmail.com>

commit 50db524
Merge: a509004 eef9694
Author: Niklas <nscuro@protonmail.com>
Date:   Wed Sep 14 10:48:00 2022 +0200

    Merge pull request DependencyTrack#245 from DependencyTrack/dependabot/docker/docker/nginxinc/nginx-unprivileged-daaa89b

    build(deps): bump nginxinc/nginx-unprivileged from `74546ba` to `daaa89b` in /docker

commit eef9694
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Wed Sep 14 02:29:38 2022 +0000

    build(deps): bump nginxinc/nginx-unprivileged in /docker

    Bumps nginxinc/nginx-unprivileged from `74546ba` to `daaa89b`.

    ---
    updated-dependencies:
    - dependency-name: nginxinc/nginx-unprivileged
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>

commit a509004
Merge: 182ec06 6e02dda
Author: Niklas <nscuro@protonmail.com>
Date:   Tue Sep 13 20:26:42 2022 +0200

    Merge pull request DependencyTrack#237 from DependencyTrack/dependabot/docker/docker/nginxinc/nginx-unprivileged-74546ba

    build(deps): bump nginxinc/nginx-unprivileged from `8a9df81` to `74546ba` in /docker

commit 6e02dda
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Aug 29 02:00:23 2022 +0000

    build(deps): bump nginxinc/nginx-unprivileged in /docker

    Bumps nginxinc/nginx-unprivileged from `8a9df81` to `74546ba`.

    ---
    updated-dependencies:
    - dependency-name: nginxinc/nginx-unprivileged
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>