search

1024pix / pix

Service public d'évaluation et de certification des compétences numériques pour tous.
https://pix.fr
GNU Affero General Public License v3.0
231 stars 52 forks source link

[BUMP] Update dependency micromatch to v4.0.8 [SECURITY] #9939

Closed renovate[bot] closed 1 week ago

renovate[bot] commented 2 weeks ago

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
micromatch 4.0.7 -> 4.0.8 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-4067

The NPM package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

Release Notes

micromatch/micromatch (micromatch) ### [`v4.0.8`](https://togithub.com/micromatch/micromatch/compare/4.0.7...4.0.8) [Compare Source](https://togithub.com/micromatch/micromatch/compare/4.0.7...4.0.8)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.

pix-bot-github commented 2 weeks ago

Une fois les applications déployées, elles seront accessibles via les liens suivants :

Les variables d'environnement seront accessibles via les liens suivants :