search

ChickenKyiv / loopback-tutor-intern-8

https://loopback-react-account.herokuapp.com/
https://groceristar.netlify.com/
GNU General Public License v3.0
0 stars 1 forks source link

[Security] Bump loopback-connector-mongodb from 3.4.4 to 3.8.0 #117

Closed dependabot-preview[bot] closed 5 years ago

dependabot-preview[bot] commented 5 years ago

Bumps loopback-connector-mongodb from 3.4.4 to 3.8.0.

Changelog *Sourced from [loopback-connector-mongodb's changelog](https://github.com/strongloop/loopback-connector-mongodb/blob/master/CHANGES.md).* > 2018-09-19, Version 3.8.0 > ========================= > > * fix performance issues on count [#464](https://github-redirect.dependabot.com/strongloop/loopback-connector-mongodb/issues/464) (Clément) > > * feat: allow methods to pass strictObjectIDCoercion (virkt25) > > > 2018-09-14, Version 3.7.1 > ========================= > > * fix: map new names to old for connector hooks (virkt25) > > > 2018-09-12, Version 3.7.0 > ========================= > > * update deprecated mongo driver commands (Hugo Da Roit) > > * Remove hard dependency of memwatch-next (Raymond Feng) > > * Add support for protocol to be 'monogodb+srv' (Raymond Feng) > > > 2018-08-15, Version 3.6.0 > ========================= > > * docs: update with security consideration section (virkt25) > > * fix: sanitize query by default (virkt25) > > * change `count` to `countDocuments` (Rahmat Nugraha) > > * add `useNewUrlParser` on validOptionNames (Rahmat Nugraha) > > * Dedicated Model for testing disableDefaultSort (HugoPoi) > > * Add disableDefaultSort in README (HugoPoi) > > * Add settings disableDefaultSort for find method (HugoPoi) > > > 2018-07-23, Version 3.5.0 > ========================= > > * chore: drop node 4 and update deps (Taranveer Virk) > > * [WebFM] cs/pl/ru translation (candytangnb)
Commits - [`077241e`](https://github.com/strongloop/loopback-connector-mongodb/commit/077241eae3d611643a3b8343150944a45e59d061) 3.8.0 - [`c893722`](https://github.com/strongloop/loopback-connector-mongodb/commit/c8937223fc7781dc5660d36563f4f8a83845a352) fix performance issues on count [#464](https://github-redirect.dependabot.com/strongloop/loopback-connector-mongodb/issues/464) - [`b30a28e`](https://github.com/strongloop/loopback-connector-mongodb/commit/b30a28e7a13e9547ea0435bc5e388c55c761d26b) feat: allow methods to pass strictObjectIDCoercion - [`e2c6b03`](https://github.com/strongloop/loopback-connector-mongodb/commit/e2c6b03de56334f3c73624baa4256d416b32717e) 3.7.1 - [`1782868`](https://github.com/strongloop/loopback-connector-mongodb/commit/1782868c2fe7d6f6f9261142684a0e9b47c0267d) fix: map new names to old for connector hooks - [`6fe634c`](https://github.com/strongloop/loopback-connector-mongodb/commit/6fe634cf590f346fefd14eacf0c48f7b51ef2343) 3.7.0 - [`b87e617`](https://github.com/strongloop/loopback-connector-mongodb/commit/b87e617bbef2bb6b400754cef8d70809af10883c) update deprecated mongo driver commands - [`2615c4d`](https://github.com/strongloop/loopback-connector-mongodb/commit/2615c4d522e72c6f11725661cbf9e67ae46fab2c) Merge pull request [#458](https://github-redirect.dependabot.com/strongloop/loopback-connector-mongodb/issues/458) from strongloop/allow-mongodb-srv-protocol - [`46720c5`](https://github.com/strongloop/loopback-connector-mongodb/commit/46720c5adcda086bc3485ae68cef274ffcd83606) Remove hard dependency of memwatch-next - [`695bb20`](https://github.com/strongloop/loopback-connector-mongodb/commit/695bb2040e0020c0f5f8dffeca5a40d181b20c6e) Add support for protocol to be 'monogodb+srv' - Additional commits viewable in [compare view](https://github.com/strongloop/loopback-connector-mongodb/compare/v3.4.4...v3.8.0)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot.
dependabot-preview[bot] commented 5 years ago

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

dependabot-preview[bot] commented 5 years ago

We've just been alerted that this update fixes a security vulnerability:

Sourced from The npm Advisory Database.

NoSQL Injection Versions of loopback-connector-mongodb before 3.6.0 are vulnerable to NoSQL injection.

MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where property to be passed to the MongoDB Driver. The Driver allows the special $where property in a filter to execute JavaScript (client can pass in a malicious script) on the database Driver. This is an intended feature of MongoDB unless disabled (instructions here).

A proof of concept malicious query:

GET /POST filter={"where": {"$where": "function(){sleep(5000); return this.title.contains('Hello');}"}}

... (truncated)

Patched versions: [">=3.6.0"] Affected versions: ["<=3.5.0"]