Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency class-validator to 0.14.0 [security] #946

Merged
merged 1 commit into from Feb 6, 2023
Merged

chore(deps): update dependency class-validator to 0.14.0 [security] #946

merged 1 commit into from Feb 6, 2023

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jan 12, 2023

Mend Renovate

This PR contains the following updates:

Package Change
class-validator 0.13.2 -> 0.14.0

GitHub Vulnerability Alerts

CVE-2019-18413

In TypeStack class-validator, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input.

The default settings for forbidUnknownValues has been changed to true in 0.14.0.

NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/npm-class-validator-vulnerability branch from 1b21c04 to 111893c Compare January 15, 2023 07:46
@renovate renovate bot force-pushed the renovate/npm-class-validator-vulnerability branch from 111893c to 30fd417 Compare January 29, 2023 03:59
saratscheff
saratscheff suggested changes Jan 31, 2023
View reviewed changes
Copy link

@saratscheff saratscheff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#930 updates this and considers peer dependencies

@kamilmysliwiec kamilmysliwiec merged commit 9187155 into master Feb 6, 2023
@delete-merged-branch delete-merged-branch bot deleted the renovate/npm-class-validator-vulnerability branch February 6, 2023 10:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@saratscheff saratscheff saratscheff requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@saratscheff @kamilmysliwiec