fix(deps): update dependency simple-git to v3.16.0 [security] #425
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/npm-simple-git-vulnerability
branch
from
ac13e0b
to
baca659
Compare
renovate
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.5.0->3.16.0GitHub Vulnerability Alerts
CVE-2022-25912
The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when enabling the
exttransport protocol, which makes it exploitable viaclone()method. This vulnerability exists due to an incomplete fix of CVE-2022-24066.CVE-2022-25860
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.
Release Notes
steveukx/git-js (simple-git)
v3.16.0Compare Source
Minor Changes
97fde2c: Support the use of-Bin place of the default-bin checkout methods0a623e5: Adds vulnerability detection to prevent use of--upload-packand--receive-packwithout explicitly opting in.Patch Changes
ec97a39: Include restricting the use of git push --exec with other allowUnsafePack exclusions, thanks to @stsewd for the suggestion.v3.15.1Compare Source
Patch Changes
de570ac: Resolves an issue whereby non-strings can be passed into the config switch detector.v3.15.0Compare Source
Minor Changes
7746480: Disables the use of inline configuration arguments to prevent unitentionally allowing non-standard remote protocols without explicitly opting in to this practice with the newallowUnsafeProtocolOverrideproperty having been enabled.Patch Changes
7746480: - Upgrade repo dependencies - lerna and jestv3.14.1Compare Source
Patch Changes
5a2e7e4: Add version parsing support for non-numeric patches (including "built from source" style1.11.GIT)v3.14.0Compare Source
Minor Changes
19029fc: Create the abort plugin to allow cancelling all pending and future tasks.4259b26: Add.versionto return git version information, including whether the git binary is installed.v3.13.0Compare Source
Minor Changes
87b0d75: Increase the level of deprecation notices for use ofsimple-git/promise, which will be fully removed in the next majord0dceda: Allow supplying just one of to/from in the options supplied to git.logPatch Changes
6b3e05c: Use shared test utilities bundle in simple-git tests, to enable consistent testing across packages in the futurev3.12.0Compare Source
Minor Changes
bfd652b: Add a new configuration option to enable trimming white-space from the response togit.rawv3.11.0Compare Source
Minor Changes
80d54bd: Added fields updated + deleted branch info to fetch response, closes #823Patch Changes
75dfcb4: Add prettier configuration and apply formatting throughout.v3.10.0Compare Source
Minor Changes
2f021e7: Support for importing as an ES module with TypeScript moduleResolutionnode16or newer by addingsimpleGitas a named export.v3.9.0Compare Source
Minor Changes
a0d4eb8: Branches that have been checked out as a linked work tree will now be included in theBranchSummaryoutput, with alinkedWorkTreeproperty set totruein theBranchSummaryBranch.v3.8.0Compare Source
Minor Changes
25230cb: Support for additional log formats in diffSummary / log / stashList.Adds support for the
--numstat,--name-onlyand--name-statin addition to the existing--statoption.Patch Changes
2cfc16f: Update CI environments to run build and test in node v18, drop node v12 now out of life.13197f1: Updatedebugdependency to latest4.xv3.7.1Compare Source
Patch Changes
adb4346: Resolves issue whereby renamed files no longer appear correctly in the response togit.status.v3.7.0Compare Source
Minor Changes
fa2c7f7: Enable the use of types when loading with module-resolutionPatch Changes
3805f6b: Timeout plugin no longer keeps short lived processes alive until timeout is hitv3.6.0Compare Source
Minor Changes
f2fc5c9: Show full commit hash in aCommitResult, prior to this changegit.commitwould result in a partial hash in thecommitproperty ifcore.abbrevis unset or has a value under40. Following this change thecommitproperty will contain the full commit hash.Patch Changes
c4a2a13: chore(deps): bump minimist from 1.2.5 to 1.2.6Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.