chore(deps): [security] bump minimist from 1.2.0 to 1.2.6 #45

Merged
argoyle merged 1 commits from dependabot-npm_and_yarn-minimist-1.2.6 into main 2022-05-02 06:58:17 +00:00
argoyle commented 2022-05-02 06:52:50 +00:00 (Migrated from gitlab.com)

Bumps minimist from 1.2.0 to 1.2.6. This update includes security fixes.

Vulnerabilities fixed

Prototype Pollution in minimist

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Patched versions: 1.2.6
Affected versions: < 1.2.6

Prototype Pollution in minimist

Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.

Recommendation

Upgrade to versions 0.2.1, 1.2.3 or later.

Patched versions: 1.2.3
Affected versions: >= 1.0.0, < 1.2.3

Commits

  • 7efb22a 1.2.6 (https://github.com/substack/minimist/commit/7efb22a518b53b06f5b02a1038a88bd6290c2846)
  • ef88b93 security notice for additional prototype pollution issue (https://github.com/substack/minimist/commit/ef88b9325f77b5ee643ccfc97e2ebda577e4c4e2)
  • c2b9819 isConstructorOrProto adapted from PR (https://github.com/substack/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d)
  • bc8ecee test from prototype pollution PR (https://github.com/substack/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb)
  • aeb3e27 1.2.5 (https://github.com/substack/minimist/commit/aeb3e27dae0412de5c0494e9563a5f10c82cc7a9)
  • 278677b 1.2.4 (https://github.com/substack/minimist/commit/278677b171d956b46613a158c6c486c3ef979b20)
  • 4cf1354 security notice (https://github.com/substack/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f)
  • 1043d21 additional test for constructor prototype pollution (https://github.com/substack/minimist/commit/1043d212c3caaf871966e710f52cfdf02f9eea4b)
  • 6457d74 1.2.3 (https://github.com/substack/minimist/commit/6457d7440a47f329c12c4a5abfbce211c4235b93)
  • 38a4d1c even more aggressive checks for protocol pollution (https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)
  • Additional commits viewable in compare view: https://github.com/substack/minimist/compare/1.2.0...1.2.6

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
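Added example (editor's illustration, not minimist's code and not part of this merge request): a minimal argv parser that walks dotted option keys the way a small option parser does, with a guard that refuses to traverse or assign the prototype-sensitive keys `__proto__`, `constructor` and `prototype`. The guard follows the same idea as the `isConstructorOrProto` check named in the commit list above, but is a simplified re-implementation; the function names `parseArgs`, `setPath`, `isForbiddenKey` and `objectPrototypeIsClean` and the sample argv are this example's own. It shows why a dependency bump like this one matters: the advisory's own arguments are rejected and reported instead of landing on `Object.prototype`.

```javascript
'use strict';

// Keys that must never be used as a path segment when building a parsed object.
// (Simplified re-implementation of the upstream isConstructorOrProto idea; not
// the upstream function. Names in this file are the example's own.)
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isForbiddenKey(key) {
  return FORBIDDEN_KEYS.has(key);
}

// Assign `value` at dotted path `path` inside `target`, creating intermediate
// containers as needed. Returns false and assigns nothing if any segment is a
// forbidden key, so "--__proto__.y=..." never reaches Object.prototype.
function setPath(target, path, value) {
  const segments = path.split('.');
  if (segments.some(isForbiddenKey)) return false;
  let cursor = target;
  for (const seg of segments.slice(0, -1)) {
    if (cursor[seg] === null || typeof cursor[seg] !== 'object') {
      // Null-prototype containers: there is no inherited prototype to pollute.
      cursor[seg] = Object.create(null);
    }
    cursor = cursor[seg];
  }
  cursor[segments[segments.length - 1]] = value;
  return true;
}

// Parse "--key=value", "--key value" and bare "--flag" tokens into an object.
// Rejected keys are collected so a caller can log them rather than drop them silently.
function parseArgs(argv) {
  const result = Object.create(null);
  const rejected = [];
  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];
    if (!tok.startsWith('--')) continue;
    const body = tok.slice(2);
    const eq = body.indexOf('=');
    let key;
    let value;
    if (eq !== -1) {
      key = body.slice(0, eq);
      value = body.slice(eq + 1);
    } else {
      key = body;
      const next = argv[i + 1];
      if (next !== undefined && !next.startsWith('--')) {
        value = next;
        i++;
      } else {
        value = true;
      }
    }
    if (!setPath(result, key, value)) rejected.push(key);
  }
  return { result, rejected };
}

// Post-condition check suitable for a unit test or CI smoke test: did parsing
// leave a stray property on Object.prototype? (Checks the advisory's `y` and
// that a fresh object inherits nothing unexpected.)
function objectPrototypeIsClean() {
  return !Object.prototype.hasOwnProperty.call(Object.prototype, 'y') &&
         ({}).y === undefined;
}

// Constructed sample argv: the two arguments quoted in the advisory plus benign options.
const SAMPLE_ARGV = ['--name=demo', '--a.b=1', '--verbose', '--__proto__.y=Polluted', '--__proto__=Polluted'];
const parsed = parseArgs(SAMPLE_ARGV);
console.log(JSON.stringify(parsed), 'prototype clean:', objectPrototypeIsClean());
```

Running the block prints the parsed `name`, `a.b` and `verbose` options, lists both `__proto__` keys under `rejected`, and reports the prototype as clean. The two defensive choices worth copying into any home-grown parser are the allow-nothing rule for the three reserved keys and the use of null-prototype containers, which removes the inheritance chain an injected key would otherwise reach.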
argoyle commented 2022-05-02 06:56:55 +00:00 (Migrated from gitlab.com)

added 3 commits

  • b6ad563c...d7e3b10e - 2 commits from branch main
  • 9ee34431 - chore(deps): [security] bump minimist from 1.2.0 to 1.2.6

Compare with previous version: /unboundsoftware/auth0mock/-/merge_requests/40/diffs?diff_id=384847716&start_sha=b6ad563c529218e3d7b9325e729591755c032067
argoyle (Migrated from gitlab.com) scheduled this pull request to auto merge when all checks succeed 2022-05-02 06:57:38 +00:00
argoyle (Migrated from gitlab.com) merged commit cb31381be2 into main 2022-05-02 06:58:17 +00:00
argoyle commented 2022-05-02 06:58:18 +00:00 (Migrated from gitlab.com)

mentioned in commit cb31381be2