Closed dependabot-preview[bot] closed 5 years ago
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version
or @dependabot ignore this minor version
.
If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps loopback from 3.20.0 to 3.25.0. This update includes security fixes.
Vulnerabilities fixed
*Sourced from [The npm Advisory Database](https://npmjs.com/advisories/771).* > **Improper Authorization** > Vulnerable versions of `loopback` may allow attackers to create Authentication Tokens on behalf of other users due to Improper Authorization. If the AccessToken model is publicly exposed, an attacker can create Authorization Tokens for any user as long as they know the target's `userId`. This will allow the attacker to access the user's data and their privileges. > > Affected versions: <=2.39.2; >=3.0.0 <=3.21.0Changelog
*Sourced from [loopback's changelog](https://github.com/strongloop/loopback/blob/master/CHANGES.md).* > 2019-02-05, Version 3.25.0 > ========================== > > * Support middleware injected by AppDynamics. (Mike Li) > > > 2019-01-11, Version 3.24.2 > ========================== > > * Fix crash when modifying an unknown user (Matheus Horstmann) > > > 2019-01-08, Version 3.24.1 > ========================== > > * Update underscore.string to 3.3.5 (Francois) > > * Fix: treat empty access token string as undefined (andrey-abramow) > > > 2018-11-15, Version 3.24.0 > ========================== > > * Set juggler options for remote calls (Raymond Feng) > > * Speed up ACL tests by reducing saltWorkFactor (Miroslav Bajtoš) > > > 2018-10-25, Version 3.23.2 > ========================== > > * Fix ACL check to support model wildcard (Moshe Malka) > > > 2018-10-18, Version 3.23.1 > ========================== > > * README: highlight Active LTS at the top (Miroslav Bajtoš) > > > 2018-10-09, Version 3.23.0 > ========================== > > * Clear handler cache when a method is added/removed (Mohammed Essehemy) > > * Add `options.preserveAccessTokens` (lchaglla) > > * Update LB3 to be active LTS (Diana Lau) > > * Fix ACL tests to wait until all assertions finish (Moshe Malka) > ... (truncated)Commits
- [`1e33ec5`](https://github.com/strongloop/loopback/commit/1e33ec596fdb0da89c0af6839a61b700eb49cd9c) 3.25.0 - [`c38900b`](https://github.com/strongloop/loopback/commit/c38900b785c3ed03dee23c6ee3a188f463d63838) Merge pull request [#4119](https://github-redirect.dependabot.com/strongloop/loopback/issues/4119) from studykik/fix/appdynamics-proxy - [`edb8dbc`](https://github.com/strongloop/loopback/commit/edb8dbc517818baf10fb8e41cd57b061775c0ff1) Support middleware injected by AppDynamics. - [`b77907f`](https://github.com/strongloop/loopback/commit/b77907ffa59c7031fcb3bb6dbff96894bc597ba4) 3.24.2 - [`242c20f`](https://github.com/strongloop/loopback/commit/242c20fecfff95d0cf758eced22662a4c8ade8b9) Merge pull request [#4108](https://github-redirect.dependabot.com/strongloop/loopback/issues/4108) from horstmannmat/fix_4105 - [`2532b0b`](https://github.com/strongloop/loopback/commit/2532b0b67e9f809d0268604f48097d0c6bc31ac9) Fix crash when modifying an unknown user - [`0bb8c23`](https://github.com/strongloop/loopback/commit/0bb8c23e2d6740ced342a41cdb82402629e2a60c) 3.24.1 - [`6eb8c0e`](https://github.com/strongloop/loopback/commit/6eb8c0ed3a4c776f11847f1b3e0130703104bc42) Merge pull request [#4107](https://github-redirect.dependabot.com/strongloop/loopback/issues/4107) from 3z3qu13l/master - [`6b74874`](https://github.com/strongloop/loopback/commit/6b748748bdf8d77330212e11d770bc1d22f79e20) Update underscore.string to 3.3.5 - [`da2b8d8`](https://github.com/strongloop/loopback/commit/da2b8d8676dbac039b3e009fc4966cb341cd4ec6) Merge pull request [#4083](https://github-redirect.dependabot.com/strongloop/loopback/issues/4083) from andrey-abramow/master - Additional commits viewable in [compare view](https://github.com/strongloop/loopback/compare/v3.20.0...v3.25.0)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot.