chore(deps): [security] bump ini from 1.3.5 to 1.3.8 #44

Merged
argoyle merged 1 commits from dependabot-npm_and_yarn-ini-1.3.8 into main 2022-05-02 06:59:59 +00:00
argoyle commented 2022-05-02 06:52:37 +00:00 (Migrated from gitlab.com)

Bumps ini from 1.3.5 to 1.3.8. This update includes a security fix.

Vulnerabilities fixed

Prototype Pollution

Overview

The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6

Steps to reproduce

payload.ini

[__proto__]
polluted = "polluted"

poc.js:

var fs = require('fs')

... (truncated)

Patched versions: 1.3.6 Affected versions: < 1.3.6

Commits
  • a2c5da8 1.3.8
  • af5c6bb Do not use Object.create(null)
  • 8b648a1 don't test where our devdeps don't even work
  • c74c8af 1.3.7
  • 024b8b5 update deps, add linting
  • 032fbaf Use Object.create(null) to avoid default object property hazards
  • 2da9039 1.3.6
  • cfea636 better git push script, before publish instead of after
  • 56d2805 do not allow invalid hazardous string as section name
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for ini since your current version.



Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
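The advisory quoted above describes the hazard in one sentence: a section named `__proto__` in an INI file becomes a key on a plain object, and writing to that key lands on `Object.prototype`. The following is an added example, not ini's code and not part of this merge request: a toy INI section parser in a naive and a hardened form, plus a regression check of the kind worth keeping in CI after a bump like this one. The hardened form mirrors the two approaches named in the commit list (`Object.create(null)` for result objects, and refusing hazardous section names); the names `parseIni`, `naiveParse`, `safeParse`, `isParserSafe` and `HAZARDOUS_SECTIONS` are my own, and the payload is a constructed copy of the advisory's `payload.ini`. It assumes Node.js.

```javascript
// Added example (not the ini project's code): a minimal INI section parser in a
// naive and a hardened variant, and a regression check that a parser does not
// pollute Object.prototype. Assumes Node.js.

// Constructed sample input: the same shape as the advisory's payload.ini.
const PAYLOAD_INI = '[__proto__]\npolluted = "polluted"\n';

// Section names that reach Object.prototype (or a constructor) when used as
// keys on a plain object. ini 1.3.6 refuses __proto__; constructor/prototype
// are the usual companions a hardened parser refuses as well (assumption).
const HAZARDOUS_SECTIONS = new Set(['__proto__', 'constructor', 'prototype']);

// Strip one pair of surrounding double quotes, as in the payload's value.
function unquote(v) {
  return v.length >= 2 && v[0] === '"' && v[v.length - 1] === '"' ? v.slice(1, -1) : v;
}

// Shared line walker. `newObject` builds section/result objects;
// `rejectHazardous` decides whether hazardous section names are discarded.
function parseIni(text, { newObject, rejectHazardous }) {
  const out = newObject();
  let current = out;
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line[0] === ';' || line[0] === '#') continue; // blank or comment
    const section = /^\[(.*)\]$/.exec(line);
    if (section) {
      const name = section[1].trim();
      if (rejectHazardous && HAZARDOUS_SECTIONS.has(name)) {
        current = newObject(); // sink: keys of a refused section go nowhere
        continue;
      }
      // On a plain object, out['__proto__'] is Object.prototype itself, so the
      // naive variant ends up writing every key of that section onto it.
      if (!out[name]) out[name] = newObject();
      current = out[name];
      continue;
    }
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    current[line.slice(0, eq).trim()] = unquote(line.slice(eq + 1).trim());
  }
  return out;
}

// Naive parser: plain objects, no name filtering. This is the hazard class the
// advisory describes, reproduced in a toy so the check below has a negative case.
function naiveParse(text) {
  return parseIni(text, { newObject: () => ({}), rejectHazardous: false });
}

// Hardened parser: prototype-less result objects (so no key can walk up to
// Object.prototype) and hazardous section names refused outright. Either
// measure alone closes the hole; both together cost nothing.
function safeParse(text) {
  return parseIni(text, { newObject: () => Object.create(null), rejectHazardous: true });
}

// Regression check: parse the hostile payload with the parser under test and
// report whether Object.prototype picked up the `polluted` key. Cleans up so a
// failing parser cannot poison later checks in the same process.
function isParserSafe(parse) {
  const probe = {}; // any pre-existing object would see a polluted prototype
  parse(PAYLOAD_INI);
  const polluted =
    Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted') ||
    probe.polluted !== undefined;
  delete Object.prototype.polluted;
  return !polluted;
}

console.log('naiveParse safe:', isParserSafe(naiveParse)); // false
console.log('safeParse safe:', isParserSafe(safeParse));   // true
```

`isParserSafe` is the piece to keep: wrap the real `ini.parse` in it and run it as a test, so a future downgrade or a different INI library with the same flaw fails the build rather than reaching production.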
argoyle commented 2022-05-02 06:56:57 +00:00 (Migrated from gitlab.com)

added 3 commits

  • 836945a5...d7e3b10e - 2 commits from branch main
  • 33ffd056 - chore(deps): [security] bump ini from 1.3.5 to 1.3.8

Compare with previous version

argoyle commented 2022-05-02 06:58:20 +00:00 (Migrated from gitlab.com)

added 3 commits

  • 33ffd056...cb31381b - 2 commits from branch main
  • 75ec899c - chore(deps): [security] bump ini from 1.3.5 to 1.3.8

Compare with previous version

argoyle commented 2022-05-02 06:59:59 +00:00 (Migrated from gitlab.com)

mentioned in commit a5653c8ea6

argoyle (Migrated from gitlab.com) merged commit a5653c8ea6 into main 2022-05-02 07:00:00 +00:00