ExpeditionRPG / expedition

Expedition: The Cards & App RPG
https://ExpeditionGame.com

Update dependency nconf to ^0.11.0 [SECURITY] - abandoned #890

Open renovate[bot] opened 2 years ago

renovate[bot] commented 2 years ago

Mend Renovate

This PR contains the following updates:

Package: nconf
Change: ^0.10.0 -> ^0.11.0

GitHub Vulnerability Alerts

CVE-2022-21803

In nconf before 0.11.4, when using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, which is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By providing a crafted property, it is possible to modify the properties on the Object.prototype.


Release Notes

flatiron/nconf

[`v0.11.4`](https://togithub.com/indexzero/nconf/releases/tag/v0.11.4) [Compare Source](https://togithub.com/flatiron/nconf/compare/v0.11.3...v0.11.4)

Fixes:
- Prevent improper usage of the memory store from polluting the object prototype ([#397](https://togithub.com/flatiron/nconf/issues/397)) ([@mhamann](https://togithub.com/mhamann))

[`v0.11.3`](https://togithub.com/indexzero/nconf/releases/tag/v0.11.3) [Compare Source](https://togithub.com/flatiron/nconf/compare/v0.11.2...v0.11.3)

Fixes:
- Handle case where parsed config object doesn't have a prototype ([#365](https://togithub.com/flatiron/nconf/issues/365)) ([@ilkkao](https://togithub.com/ilkkao))

[`v0.11.2`](https://togithub.com/indexzero/nconf/releases/tag/v0.11.2) [Compare Source](https://togithub.com/flatiron/nconf/compare/v0.11.1...v0.11.2)

This release resolves several security vulnerabilities by upgrading underlying packages.

[`v0.11.1`](https://togithub.com/indexzero/nconf/releases/tag/v0.11.1) [Compare Source](https://togithub.com/flatiron/nconf/compare/v0.11.0...v0.11.1)

This release resolves several security vulnerabilities by upgrading underlying packages.

[`v0.11.0`](https://togithub.com/indexzero/nconf/releases/tag/v0.11.0) [Compare Source](https://togithub.com/flatiron/nconf/compare/0.10.0...v0.11.0)

This release resolves several security vulnerabilities by upgrading underlying packages.

**WARNING:** Due to upstream package updates, this may cause issues with older Node.js versions (e.g. Node.js v8.x). Those older Node releases are out of support anyway, so you shouldn't use them, but be aware of this possibility.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
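
The advisory quoted in the PR body names the bug class but not the mechanism. The following is an added example, not nconf's code and not part of this PR: a constructed in-memory store whose set() walks a colon-separated key path the way a nested memory store does, shown first in the form that lets a `__proto__` segment reach Object.prototype, then in a hardened form. The store, the function names (unsafeSet, safeSet, createStore, isPolluted) and the `__proto__:isAdmin` key used as attacker input are all assumptions made for illustration; the hardened variant is one reasonable fix, not a reproduction of the nconf v0.11.4 patch.

```javascript
// Added example (not nconf's own code): a minimal in-memory config store
// whose set() walks a "a:b:c" key path like a naive nested store, first in
// the form open to prototype pollution, then hardened.

const SEPARATOR = ':'; // constructed store; the separator mirrors nconf's default

// Vulnerable variant: every path segment is used as a property name without
// checking whether it names an inherited property. target["__proto__"]
// resolves to Object.prototype, so the final assignment lands on every
// plain object in the process.
function unsafeSet(store, key, value) {
  const path = key.split(SEPARATOR);
  let target = store;
  for (let i = 0; i < path.length - 1; i++) {
    const part = path[i];
    if (typeof target[part] !== 'object' || target[part] === null) {
      target[part] = {};
    }
    target = target[part];
  }
  target[path[path.length - 1]] = value;
  return store;
}

// Hardened variant: reject segments that can reach a prototype, only descend
// into own properties, and keep the store itself prototype-less.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

function createStore() {
  return Object.create(null); // no Object.prototype behind the root
}

function safeSet(store, key, value) {
  const path = key.split(SEPARATOR);
  if (path.some((part) => RESERVED.has(part))) {
    throw new Error(`refusing to set key with reserved segment: ${key}`);
  }
  let target = store;
  for (let i = 0; i < path.length - 1; i++) {
    const part = path[i];
    const own = Object.prototype.hasOwnProperty.call(target, part);
    if (!own || typeof target[part] !== 'object' || target[part] === null) {
      target[part] = Object.create(null);
    }
    target = target[part];
  }
  target[path[path.length - 1]] = value;
  return store;
}

// Observable symptom of prototype pollution: Object.prototype itself now
// carries the property, so every fresh {} inherits it.
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Run the constructed attacker key against unsafeSet, record whether it
// reached Object.prototype, then undo the damage for the rest of the process.
function demonstrateUnsafe() {
  const store = {};
  unsafeSet(store, '__proto__:isAdmin', true);
  const polluted = isPolluted('isAdmin') && ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // clean up
  return polluted; // true: the write landed on Object.prototype
}

// Same key against safeSet: it must throw and leave Object.prototype alone.
function demonstrateSafe() {
  const store = createStore();
  let rejected = false;
  try {
    safeSet(store, '__proto__:isAdmin', true);
  } catch (err) {
    rejected = true;
  }
  return rejected && !isPolluted('isAdmin') && ({}).isAdmin === undefined;
}

// Ordinary nested keys still work in the hardened store.
function demonstrateNormalUse() {
  const store = createStore();
  safeSet(store, 'database:host', 'localhost');
  safeSet(store, 'database:port', 5432);
  return store.database.host === 'localhost' && store.database.port === 5432;
}

console.log('unsafeSet polluted Object.prototype:', demonstrateUnsafe());
console.log('safeSet rejected the key:', demonstrateSafe());
console.log('safeSet handles normal keys:', demonstrateNormalUse());
```

One caveat for whoever merges this: the range in the PR title is ^0.11.0, but the prototype-pollution fix landed in v0.11.4, so the upgrade only closes CVE-2022-21803 if the lockfile actually resolves to 0.11.4 or later. After merging, `npm ls nconf` should report a version at or above 0.11.4; if it does not, refresh the lockfile.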

renovate[bot] commented 1 year ago

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

renovate[bot] commented 4 months ago

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.