chore(deps): update dependency express to v4.17.3 [security] #1949
Code Climate has analyzed commit ea31c46 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 96.9% (0.0% change). View more on Code Climate.

BundleMon: Unchanged files (6). No change in files bundle size. Unchanged groups (6). Final result: ✅ View report in BundleMon website ➡️

BundleMon (NGXS Plugins): Unchanged files (28). No change in files bundle size. Unchanged groups (6). Final result: ✅ View report in BundleMon website ➡️

BundleMon (Integration Projects): Unchanged files (4). No change in files bundle size. Final result: ✅ View report in BundleMon website ➡️
This PR contains the following updates:
express: 4.17.1 -> 4.17.3
⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the logs for more information.
GitHub Vulnerability Alerts
CVE-2022-24999
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Release Notes
expressjs/express
v4.17.3
Compare Source
Changelog entries (truncated on this page): __proto__ keys
v4.17.2
Compare Source
Changelog entries (truncated on this page): undefined in res.jsonp; undefined when "json escape" is enabled; RegExps; res.jsonp(obj, status) deprecation message; res.is JSDoc; maxAge option to reject invalid values; req.socket over deprecated req.connection
Configuration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
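As an added example, not code from the Renovate PR or the express project: a lockfile check that flags any resolved qs copy still affected by CVE-2022-24999, using the backported fix versions listed in the advisory above. It assumes an npm lockfileVersion 2 or 3 layout ("packages" keyed by install path) and a constructed sample lock in which express 4.17.1 resolves qs 6.7.0.

```javascript
// Lowest fixed qs patch release per minor line, taken from the advisory text
// (6.10.3 plus the backports). Minor lines not listed (6.0.x, 6.1.x) received
// no backport and are treated as vulnerable.
const QS_FIXED_PATCH = {
  '6.10': 3, '6.9': 7, '6.8': 3, '6.7': 3, '6.6': 1,
  '6.5': 3, '6.4': 1, '6.3': 3, '6.2': 4,
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// true if this qs version is affected by CVE-2022-24999 ("qs before 6.10.3",
// minus the backported fix releases).
function isQsVulnerable(version) {
  const { major, minor, patch } = parseVersion(version);
  if (major !== 6) return major < 6;           // anything below 6.x predates the fix
  if (minor > 10) return false;                // 6.11+ all post-date 6.10.3
  const fixedPatch = QS_FIXED_PATCH[`6.${minor}`];
  if (fixedPatch === undefined) return true;   // 6.0.x / 6.1.x: no backport
  return patch < fixedPatch;
}

// Walk every resolved qs (top-level or nested) in a lockfile object and
// return the paths that still carry a vulnerable version.
function findVulnerableQs(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isQs = path === 'node_modules/qs' || path.endsWith('/node_modules/qs');
    if (isQs && entry.version && isQsVulnerable(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lock (hypothetical): express 4.17.1 resolves qs 6.7.0 at top
// level, while a nested copy under another package is already on a fixed line.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/express': { version: '4.17.1' },
    'node_modules/qs': { version: '6.7.0' },
    'node_modules/request/node_modules/qs': { version: '6.5.3' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findVulnerableQs(SAMPLE_LOCK)); // [ { path: 'node_modules/qs', version: '6.7.0' } ]
}
```

Point findVulnerableQs at JSON.parse of a real package-lock.json to audit a repository; an empty result means every resolved qs is on a fixed release.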