Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295). This has been backported to v1. (#298)
Fix: Properties with the name __proto__ are added to objects and arrays.
(#199) This also fixes a prototype pollution vulnerability reported by
Jonathan Gregson! (#295).
By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).
To trigger a single review, invoke the @coderabbitai review command.
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?
Share
- [X](https://twitter.com/intent/tweet?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A&url=https%3A//coderabbit.ai)
- [Mastodon](https://mastodon.social/share?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A%20https%3A%2F%2Fcoderabbit.ai)
- [Reddit](https://www.reddit.com/submit?title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&text=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code.%20Check%20it%20out%3A%20https%3A//coderabbit.ai)
- [LinkedIn](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fcoderabbit.ai&mini=true&title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&summary=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code)
Tips
### Chat
There are 3 ways to chat with CodeRabbit:
- Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- `I pushed a fix in commit .`
- `Generate unit-tests for this file.`
- Files and specific lines of code (under the "Files changed" tab): Tag `@coderabbitai` in a new review comment at the desired location with your query. Examples:
- `@coderabbitai generate unit tests for this file.`
- `@coderabbitai modularize this function.`
- PR comments: Tag `@coderabbitai` in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- `@coderabbitai generate interesting stats about this repository from git and render them as a table.`
- `@coderabbitai show all the console.log statements in this repository.`
- `@coderabbitai read src/utils.ts and generate unit tests.`
- `@coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.`
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.
### CodeRabbit Commands (invoked as PR comments)
- `@coderabbitai pause` to pause the reviews on a PR.
- `@coderabbitai resume` to resume the paused reviews.
- `@coderabbitai review` to trigger a review. This is useful when automatic reviews are disabled for the repository.
- `@coderabbitai resolve` resolve all the CodeRabbit review comments.
- `@coderabbitai help` to get help.
Additionally, you can add `@coderabbitai ignore` anywhere in the PR description to prevent this PR from being reviewed.
### CodeRabbit Configration File (`.coderabbit.yaml`)
- You can programmatically configure CodeRabbit by adding a `.coderabbit.yaml` file to the root of your repository.
- The JSON schema for the configuration file is available [here](https://coderabbit.ai/integrations/coderabbit-overrides.v2.json).
- If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: `# yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json`
### CodeRabbit Discord Community
Join our [Discord Community](https://discord.com/invite/GsXnASn26c) to get help, request features, and share feedback.
:warning: We detected 2 security issues in this pull request:
Vulnerable Libraries (2)
Severity | Details
:-: | :--
High | [pkg:npm/@docusaurus/preset-classic@3.1.1](https://github.com/2lambda123/zeebe-io-zeebe-chaos/blob/df13768485e6f6ef5c27727546c7ecd1aa2cafc7/chaos-days/package.json#L18) upgrade to: *> 3.1.1*
High | [pkg:npm/@docusaurus/core@3.1.1](https://github.com/2lambda123/zeebe-io-zeebe-chaos/blob/df13768485e6f6ef5c27727546c7ecd1aa2cafc7/chaos-days/package.json#L17) upgrade to: *> 3.1.1*
More info on how to fix Vulnerable Libraries in [JavaScript](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/using_vulnerable_libraries.html?utm_source=ghpr).
Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.
Bumps the npm_and_yarn group with 9 updates in the /chaos-days directory:
5.7.15.7.27.17.37.23.91.0.11.0.23.0.03.0.10.21.42.0.0-beta.63.1.12.0.0-beta.63.1.11.0.22.1.15.5.08.1.0Updates
semverfrom 5.7.1 to 5.7.2Release notes
Sourced from semver's releases.
Changelog
Sourced from semver's changelog.
Commits
f8cc313chore: release 5.7.22f8fd41fix: better handling of whitespace (#585)deb5ad5chore:@npmcli/template-oss@4.16.0Maintainer changes
This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.
Updates
@babel/traversefrom 7.17.3 to 7.23.9Release notes
Sourced from
@babel/traverse's releases.... (truncated)
Changelog
Sourced from
@babel/traverse's changelog.... (truncated)
Commits
a0dd614v7.23.91200542fix: Don't throw ingetTypeAnnotationwhen using TS+inference (#15383)e428a6dv7.23.7d292822fix: Crash when removing withoutProgram(#16191)d02c1f7v7.23.6cce807fBump debug to ^4.3.1 (#16164)8479012v7.23.5da7dc40Do not remove bindings when removing assignment expression path (#16131)fadc081fix: Unexpected duplication of comments (#16110)13a5c83v7.23.4Updates
json5from 1.0.1 to 1.0.2Release notes
Sourced from json5's releases.
Changelog
Sourced from json5's changelog.
... (truncated)
Commits
a62db1e1.0.2e0c23fedocs: update CHANGELOG for v1.0.262a6540fix: add proto to objects and arraysUpdates
@sideway/formulafrom 3.0.0 to 3.0.1Commits
5b44c1b3.0.19fbc20achore: better number regex41ae98eCleanupc59f35eMove to SidewayMaintainer changes
This version was pushed to npm by marsup, a new releaser for
@sideway/formulasince your current version.Removes
axiosUpdates
@docusaurus/corefrom 2.0.0-beta.6 to 3.1.1Release notes
Sourced from
@docusaurus/core's releases.... (truncated)
Changelog
Sourced from
@docusaurus/core's changelog.... (truncated)
Commits
8017f6av3.1.1cf5dc2cRevert "v3.1.1"dba0df5v3.1.1beb7f05Revert "v3.1.1"1b4ee0bv3.1.1e590dacRevert "v3.1.1"4649ebcv3.1.112fcfd9fix(core): broken links optimization behaves differently than non-optimized l...37ceeebfix(core): links with target "_blank" should no be checked by the broken link...43883f8perf(core): optimize broken links checker (#9778)Updates
@docusaurus/preset-classicfrom 2.0.0-beta.6 to 3.1.1Release notes
Sourced from
@docusaurus/preset-classic's releases.... (truncated)
Changelog
Sourced from
@docusaurus/preset-classic's changelog.... (truncated)
Commits
8017f6av3.1.1cf5dc2cRevert "v3.1.1"dba0df5v3.1.1beb7f05Revert "v3.1.1"1b4ee0bv3.1.1e590dacRevert "v3.1.1"4649ebcv3.1.17b1b890chore: release Docusaurus v3.1 (#9705)a2e05d2chore: release Docusaurus 3.0.1 (#9596)85e5e55chore: release Docusaurus 3.0.0 (#9478)Updates
etafrom 1.12.3 to 2.2.0Commits
e05fa5f2.2.0f7ed8f6fix RegExp leading to slow parsing w/out tags4be3cbe2.1.2cce5850rebuild34e7179Bump std from 0.97.0 to 0.186.0 (again) (#229)c328584docs: add info for integration with webpack (#219)904f0802.1.1023ef4bdocs: add note about parser options4b04ac42.1.009b52b1build: rebuildUpdates
follow-redirectsfrom 1.14.8 to 1.15.5Commits
b1677ceRelease version 1.15.5 of the npm package.d8914f7Preserve fragment in responseUrl.6585820Release version 1.15.4 of the npm package.7a6567eDisallow bracketed hostnames.05629afPrefer native URL instead of deprecated url.parse.1cba8e8Prefer native URL instead of legacy url.resolve.72bc2a4Simplify _processResponse error handling.3d42aecAdd bracket tests.bcbb096Do not directly set Error properties.192dbe7Release version 1.15.3 of the npm package.Updates
gotfrom 9.6.0 to 12.6.1Release notes
Sourced from got's releases.
... (truncated)
Commits
c405f5412.6.167d5039Fixget-streamimport statement (#2266)469a455Meta tweaks8f77e8dFix readme "axios bugs" urls (#2253)af928f6Fix type error on build (#2251)702ed35Meta tweakse4460f7Add failing tests for #2170 (#2171)13a68d312.6.088c88fbUpdate dependencies0ca0b7fDo not enforce newest URI rules on URLs (#2200)Updates
http-cache-semanticsfrom 4.1.0 to 4.1.1Commits
2449650Update mocha560b2d8Don't use regex to trim whitespaceb1bdb92Remove linting package zooc20dc7eCache 308Updates
immerfrom 8.0.1 to 9.0.21Release notes
Sourced from immer's releases.
... (truncated)
Commits
7c15339chore(deps): bump loader-utils from 2.0.0 to 2.0.4 in /website (#1026)f07ec9dchore(deps): bump@sideway/formulafrom 3.0.0 to 3.0.1 in /website (#1027)b6ccd0ffix: ensure type exports is first in package.json export declaration (#1018)385837dchore(deps): bump http-cache-semantics from 4.1.0 to 4.1.1 in /website (#1017)e1696b7chore(deps): bump webpack from 5.75.0 to 5.76.1 in /website (#1024)Seems you are using me but didn't get OPENAI_API_KEY seted in Variables/Secrets for this repo. you could follow readme for more information
Unable to locate .performanceTestingBot config file
Check out the playback for this Pull Request here.
Micro-Learning Topic: Prototype pollution (Detected by phrase)
Matched on "prototype pollution"
What is this? (2min video)
By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).
Try a challenge in Secure Code Warrior
Thanks @dependabot[bot] for opening this PR!
For COLLABORATOR only :
To add labels, comment on the issue
/label add label1,label2,label3To remove labels, comment on the issue
/label remove label1,label2,label3Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?
Share
- [X](https://twitter.com/intent/tweet?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A&url=https%3A//coderabbit.ai) - [Mastodon](https://mastodon.social/share?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A%20https%3A%2F%2Fcoderabbit.ai) - [Reddit](https://www.reddit.com/submit?title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&text=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code.%20Check%20it%20out%3A%20https%3A//coderabbit.ai) - [LinkedIn](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fcoderabbit.ai&mini=true&title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&summary=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code)Tips
### Chat There are 3 ways to chat with CodeRabbit: - Review comments: Directly reply to a review comment made by CodeRabbit. Example: - `I pushed a fix in commit:warning: We detected 2 security issues in this pull request:
Vulnerable Libraries (2)
Severity | Details :-: | :-- High | [pkg:npm/@docusaurus/preset-classic@3.1.1](https://github.com/2lambda123/zeebe-io-zeebe-chaos/blob/df13768485e6f6ef5c27727546c7ecd1aa2cafc7/chaos-days/package.json#L18) upgrade to: *> 3.1.1* High | [pkg:npm/@docusaurus/core@3.1.1](https://github.com/2lambda123/zeebe-io-zeebe-chaos/blob/df13768485e6f6ef5c27727546c7ecd1aa2cafc7/chaos-days/package.json#L17) upgrade to: *> 3.1.1* More info on how to fix Vulnerable Libraries in [JavaScript](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/using_vulnerable_libraries.html?utm_source=ghpr).
👉 Go to the dashboard for detailed results.
📥 Happy? Share your feedback with us.
Micro-Learning Topic: Vulnerable library (Detected by phrase)
Matched on "Vulnerable Libraries"
What is this? (2min video)
Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.
Try a challenge in Secure Code Warrior
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
+464+525+176🚮 Removed packages: npm/@docusaurus/core@2.0.0-beta.6, npm/@docusaurus/preset-classic@2.0.0-beta.6, npm/@svgr/webpack@5.5.0, npm/prism-react-renderer@1.3.1, npm/react@17.0.2
View full report↗︎