Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency yargs-parser to 13.1.2 [security] #2402

Merged
merged 1 commit into from Mar 29, 2022

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 29, 2022

WhiteSource Renovate

This PR contains the following updates:

Package Change
yargs-parser 10.1.0 -> 13.1.2

GitHub Vulnerability Alerts

CVE-2020-7608

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Recommendation

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.


Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

@gr2m
Copy link
Member

gr2m commented Mar 29, 2022

@travi any idea where the lint errors came from? I'd say we merge this PR and address them separately? Sorry I'm still super drowned by work + life right now, and I don't think it will ease much until mid may

@travi
Copy link
Member

travi commented Mar 29, 2022

looks like xo was updated in order to address the vulnerability, so i think it is just rule changes/increased strictness from the more recent version. this seems to be common in several of the vulnerability patch PRs we've gotten recently, either do to a direct update of xo or a more indirect update through the lockfile.

since these updates don't impact consumers, i'm less concerned about getting priority to them when extra effort would be needed to clean up the resulting failures.

@gr2m
Copy link
Member

gr2m commented Mar 29, 2022

Okay I'm gonna merge this first then, as this is a security update, and create a follow up issue to address the XO complaints

@gr2m gr2m merged commit ea389c3 into master Mar 29, 2022
8 of 10 checks passed
@gr2m gr2m deleted the renovate/npm-yargs-parser-vulnerability branch Mar 29, 2022
@gr2m gr2m mentioned this pull request Mar 29, 2022
@github-actions
Copy link

github-actions bot commented Jun 9, 2022

🎉 This PR is included in version 19.0.3 🎉

The release is available on:

Your semantic-release bot 📦🚀

morey-tech pushed a commit to ratehub/semantic-release that referenced this pull request Sep 12, 2022
adityahex27 pushed a commit to hextrust/semantic-release that referenced this pull request Oct 31, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants