Bump path-to-regexp from 6.2.2 to 6.3.0 #1
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=80&v=4){kind=small}
Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) from 6.2.2 to 6.3.0. - [Release notes](https://github.com/pillarjs/path-to-regexp/releases) - [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md) - [Commits](pillarjs/path-to-regexp@v6.2.2...v6.3.0) --- updated-dependencies: - dependency-name: path-to-regexp dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
the
dependencies
Reviewer's Guide by SourceryThis pull request updates the path-to-regexp dependency from version 6.2.2 to 6.3.0. The update includes a fix for backtracking protection in the 6.x version line. The changes are primarily reflected in the pnpm-lock.yaml file, which shows the version bump and related dependency adjustments. No diagrams generated as the changes look simple and do not need a visual representation. File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
| micromark@4.0.0: | ||
| resolution: {integrity: sha512-o/sd0nMof8kYff+TqcDx3VSrgBTcZpSvYcAHIfHhv5VAuNmisCxjhx6YmxS8PFEpb9z5WKWKPdzf0jM23ro3RQ==} | ||
|
|
||
| micromatch@4.0.7: |
There was a problem hiding this comment.
The issue identified by the Trivy linter is a security vulnerability in the micromatch package, specifically version 4.0.7. The vulnerability is a Regular Expression Denial of Service (ReDoS), which occurs when an attacker can exploit a regular expression to cause the application to consume excessive amounts of resources, potentially leading to a denial of service. This type of vulnerability can be particularly harmful in environments where regular expressions are used on untrusted input.
To fix this issue, you should update the micromatch package to a version that has patched this vulnerability. According to the issue description provided, updating to version 4.0.8 will resolve the vulnerability. Here's the code suggestion to make this change:
| micromatch@4.0.7: | |
| micromatch@4.0.8: |
This comment was generated by an experimental AI tool.
| '@types/cheerio@0.22.35': | ||
| resolution: {integrity: sha512-yD57BchKRvTV+JD53UZ6PD8KWY5g5rvvMLRnZR3EQBCZXiDT/HR+pKpMzFGlWNhFrXlo7VPZXtKvIEwZkAWOIA==} | ||
|
|
||
| '@types/cookie@0.6.0': |
There was a problem hiding this comment.
ℹ️ Codacy found a minor Security issue: Insecure dependency cookie@0.6.0 (CVE-2024-47764: cookie: cookie accepts cookie name, path, and domain with out of bounds characters) (update to 0.7.0)
The issue identified by the Trivy linter is related to a security vulnerability in the cookie package version 0.6.0. The vulnerability, identified as CVE-2024-47764, arises because the cookie package allows the use of cookie names, paths, and domains that contain out-of-bounds characters. This can potentially be exploited to perform attacks such as cookie poisoning or to bypass security mechanisms that rely on cookie integrity.
To address this vulnerability, the cookie package should be updated to a version where this issue is resolved. The recommended update is to version 0.7.0 or later, which includes fixes for this security flaw.
Here's the code suggestion to fix the issue by updating the package version:
| '@types/cookie@0.6.0': | |
| '@types/cookie@0.7.0': |
This comment was generated by an experimental AI tool.
| vfile@6.0.1: | ||
| resolution: {integrity: sha512-1bYqc7pt6NIADBJ98UiG0Bn/CHIVOoZ/IyEkqIruLg0mE1BKzkOXY2D6CSqQIcKqgadppE5lrxgWXJmXd7zZJw==} | ||
|
|
||
| vite@5.2.11: |
There was a problem hiding this comment.
?import&raw) (update to 5.2.14)
The issue identified by the Trivy linter is a security vulnerability in the vite package, specifically version 5.2.11. The vulnerability, tracked as CVE-2024-45811, involves a bypass of the server.fs.deny configuration when using the query parameters ?import&raw. This could potentially allow unauthorized access to file system paths that should be restricted, posing a security risk to applications using this version of Vite.
To address this security vulnerability, the recommended action is to update the vite package to a version where the issue has been resolved. In this case, updating to version 5.2.14 is suggested as it contains the necessary security patches.
Here is the code suggestion to fix the issue:
| vite@5.2.11: | |
| vite@5.2.14: |
This comment was generated by an experimental AI tool.
| domutils@3.1.0: | ||
| resolution: {integrity: sha512-H78uMmQtI2AhgDJjWeQmHwJJ2bLPD3GMmO7Zja/ZZh84wkm+4ut+IUnUdRa8uCGX88DiVx1j6FRe1XfxEgjEZA==} | ||
|
|
||
| dset@3.1.3: |
There was a problem hiding this comment.
❌ Codacy found a critical Security issue: Insecure dependency dset@3.1.3 (CVE-2024-21529: dset: Prototype Pollution) (update to 3.1.4)
The issue identified by the Trivy linter is a security vulnerability known as "Prototype Pollution" in the dset package version 3.1.3. Prototype Pollution is a type of vulnerability that allows an attacker to manipulate an object's prototype, potentially leading to unexpected behavior or security issues in the application. This can result in the modification of properties in JavaScript objects, which could be exploited to perform various attacks.
The recommendation to fix this issue is to update the dset package to a version that has patched this vulnerability. In this case, updating to version 3.1.4 will resolve the issue.
Here is the code suggestion to update the dset package to the secure version:
| dset@3.1.3: | |
| dset@3.1.4: |
This comment was generated by an experimental AI tool.
| resolution: {integrity: sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==} | ||
| engines: {node: '>=14'} | ||
|
|
||
| '@rollup/rollup-android-arm-eabi@4.18.0': |
There was a problem hiding this comment.
❌ Codacy found a critical Security issue: Insecure dependency rollup@4.18.0 (CVE-2024-47068: rollup: DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS) (update to 4.22.4)
The issue identified by the Trivy linter is related to a security vulnerability in the rollup package version 4.18.0. The vulnerability, tracked as CVE-2024-47068, involves a DOM Clobbering Gadget found in rollup bundled scripts, which can lead to Cross-Site Scripting (XSS) attacks. XSS vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users, potentially leading to unauthorized actions or data theft.
To address this security issue, the affected dependency should be updated to a version where the vulnerability has been fixed. According to the provided description, the fixed version is 4.22.4. Here's the single line change to update the dependency:
| '@rollup/rollup-android-arm-eabi@4.18.0': | |
| '@rollup/rollup-android-arm-eabi@4.22.4': |
This comment was generated by an experimental AI tool.
Bumps path-to-regexp from 6.2.2 to 6.3.0.
Release notes
Sourced from path-to-regexp's releases.
Commits
75a92c36.3.0f1253b4Add backtrack protection to 6.x (#324)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Summary by Sourcery
Bug Fixes: