Bump dset from 3.1.3 to 3.1.4 #6
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=80&v=4){kind=small}
Bumps [dset](https://github.com/lukeed/dset) from 3.1.3 to 3.1.4. - [Release notes](https://github.com/lukeed/dset/releases) - [Commits](lukeed/dset@v3.1.3...v3.1.4) --- updated-dependencies: - dependency-name: dset dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
the
dependencies
Reviewer's Guide by SourceryThis pull request updates the dset dependency from version 3.1.3 to 3.1.4. The update includes a security fix to prevent proto assignment via implicit string, which could potentially be used for prototype pollution attacks. No diagrams generated as the changes look simple and do not need a visual representation. File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
| resolution: {integrity: sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==} | ||
| engines: {node: '>=16 || 14 >=14.18'} | ||
|
|
||
| path-to-regexp@6.2.2: |
There was a problem hiding this comment.
❌ Codacy found a critical Security issue: Insecure dependency path-to-regexp@6.2.2 (CVE-2024-45296: path-to-regexp: Backtracking regular expressions cause ReDoS) (update to 6.3.0)
The issue identified by Trivy is a security vulnerability in the path-to-regexp package, specifically version 6.2.2. The vulnerability is due to the presence of backtracking regular expressions, which can lead to a Regular Expression Denial of Service (ReDoS) attack. This type of attack can cause the application to become unresponsive or crash by exploiting the way certain regular expressions are processed, potentially leading to performance degradation or downtime.
To resolve this issue, you should update the path-to-regexp package to a version that has addressed the vulnerability. According to the issue description, upgrading to version 6.3.0 will fix the problem.
Here's the code suggestion to update the package version:
| path-to-regexp@6.2.2: | |
| path-to-regexp@6.3.0: |
This comment was generated by an experimental AI tool.
| '@types/cheerio@0.22.35': | ||
| resolution: {integrity: sha512-yD57BchKRvTV+JD53UZ6PD8KWY5g5rvvMLRnZR3EQBCZXiDT/HR+pKpMzFGlWNhFrXlo7VPZXtKvIEwZkAWOIA==} | ||
|
|
||
| '@types/cookie@0.6.0': |
There was a problem hiding this comment.
ℹ️ Codacy found a minor Security issue: Insecure dependency cookie@0.6.0 (CVE-2024-47764: cookie: cookie accepts cookie name, path, and domain with out of bounds characters) (update to 0.7.0)
The issue identified by the Trivy linter is related to an insecure dependency on the cookie library version 0.6.0. This version has a known vulnerability (CVE-2024-47764) where it improperly handles cookie names, paths, and domains that contain out-of-bounds characters. This could potentially lead to security risks, such as unauthorized access or data leakage.
To fix the issue, the recommendation is to update the cookie library to version 0.7.0, which addresses this vulnerability. Here's the code suggestion to resolve the issue:
| '@types/cookie@0.6.0': | |
| '@types/cookie@0.7.0': |
This single line change updates the dependency version to a secure version that mitigates the identified security risk.
This comment was generated by an experimental AI tool.
| micromark@4.0.0: | ||
| resolution: {integrity: sha512-o/sd0nMof8kYff+TqcDx3VSrgBTcZpSvYcAHIfHhv5VAuNmisCxjhx6YmxS8PFEpb9z5WKWKPdzf0jM23ro3RQ==} | ||
|
|
||
| micromatch@4.0.7: |
There was a problem hiding this comment.
The issue identified by the Trivy linter is a security vulnerability in the micromatch package version 4.0.7. This version is susceptible to a Regular Expression Denial of Service (ReDoS) attack, as described in CVE-2024-4067. ReDoS attacks exploit the way certain regular expressions are processed, potentially causing the application to become unresponsive by consuming excessive CPU resources.
To address this vulnerability, the micromatch package should be updated to version 4.0.8, which contains a fix for the issue. The updated version mitigates the risk of ReDoS attacks by improving the regular expression handling.
Here's the code suggestion to update the micromatch package to version 4.0.8:
| micromatch@4.0.7: | |
| micromatch@4.0.8: |
This comment was generated by an experimental AI tool.
| resolution: {integrity: sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==} | ||
| engines: {node: '>=14'} | ||
|
|
||
| '@rollup/rollup-android-arm-eabi@4.18.0': |
There was a problem hiding this comment.
❌ Codacy found a critical Security issue: Insecure dependency rollup@4.18.0 (CVE-2024-47068: rollup: DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS) (update to 4.22.4)
The issue identified by the Trivy linter is a security vulnerability in the rollup package version 4.18.0. The vulnerability, identified as CVE-2024-47068, involves a DOM Clobbering Gadget found in scripts bundled by Rollup, which can lead to Cross-Site Scripting (XSS) attacks. XSS vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users, potentially leading to data theft, session hijacking, or other malicious activities.
To address this issue, the recommendation is to update the rollup package to version 4.22.4, which contains a fix for this vulnerability.
Here's the code suggestion to update the version:
| '@rollup/rollup-android-arm-eabi@4.18.0': | |
| '@rollup/rollup-android-arm-eabi@4.22.4': |
This comment was generated by an experimental AI tool.
| vfile@6.0.1: | ||
| resolution: {integrity: sha512-1bYqc7pt6NIADBJ98UiG0Bn/CHIVOoZ/IyEkqIruLg0mE1BKzkOXY2D6CSqQIcKqgadppE5lrxgWXJmXd7zZJw==} | ||
|
|
||
| vite@5.2.11: |
There was a problem hiding this comment.
?import&raw) (update to 5.2.14)
The issue identified by the Trivy linter is related to a security vulnerability in the vite package version 5.2.11. The specific vulnerability, tagged as CVE-2024-45811, involves a bypass of the server.fs.deny configuration when using the ?import&raw query parameter. This could potentially allow unauthorized access to file system paths that are meant to be restricted, leading to security risks such as exposure of sensitive files.
To resolve this issue, the vite package should be updated to a version where the vulnerability is patched. According to the issue description, upgrading to version 5.2.14 will address the security concern.
Here's the suggested code change to update the vite package:
| vite@5.2.11: | |
| vite@5.2.14: |
This comment was generated by an experimental AI tool.
Bumps dset from 3.1.3 to 3.1.4.
Commits
05b1ec03.1.416d6154fix: prevent proto assignment via implicit stringDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Summary by Sourcery
Bug Fixes: