search

Thierry-Chain / Library-Management-App

Updated Library management system
https://smart-library-rw.herokuapp.com
2 stars 1 forks source link

Update dependency ini to 1.3.6 [SECURITY] #28

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

Package Change
ini 1.3.5 -> 1.3.6

GitHub Vulnerability Alerts

CVE-2020-7788

Overview

The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6.

Steps to reproduce

payload.ini

[__proto__]
polluted = "polluted"

poc.js:

var fs = require('fs')
var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)
> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

renovate[bot] commented 1 year ago

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

The artifact failure details are included below:

File name: package-lock.json
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@~2.3.2 (node_modules/tailwindcss/node_modules/chokidar/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN @pmmmwh/react-refresh-webpack-plugin@0.5.10 requires a peer of webpack@>=4.43.0 <6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN css-minimizer-webpack-plugin@3.4.1 requires a peer of webpack@^5.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN source-map-loader@3.0.2 requires a peer of webpack@^5.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN eslint-webpack-plugin@3.2.0 requires a peer of eslint@^7.0.0 || ^8.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN eslint-webpack-plugin@3.2.0 requires a peer of webpack@^5.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN tailwindcss@3.2.6 requires a peer of postcss@^8.0.9 but none is installed. You must install peer dependencies yourself.
npm WARN update-browserslist-db@1.0.10 requires a peer of browserslist@>= 4.21.0 but none is installed. You must install peer dependencies yourself.
npm WARN cssnano-utils@3.1.0 requires a peer of postcss@^8.2.15 but none is installed. You must install peer dependencies yourself.
npm WARN postcss-import@14.1.0 requires a peer of postcss@^8.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN postcss-nested@6.0.0 requires a peer of postcss@^8.2.14 but none is installed. You must install peer dependencies yourself.
npm WARN postcss-js@4.0.1 requires a peer of postcss@^8.4.21 but none is installed. You must install peer dependencies yourself.

npm ERR! code EBADPLATFORM
npm ERR! notsup Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm ERR! notsup Valid OS:    darwin
npm ERR! notsup Valid Arch:  any
npm ERR! notsup Actual OS:   linux
npm ERR! notsup Actual Arch: x64

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate-cache/others/npm/_logs/2023-02-11T22_23_31_611Z-debug.log
vercel[bot] commented 1 year ago

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated
manage-library ❌ Failed (Inspect) Feb 11, 2023 at 10:25PM (UTC)
vercel[bot] commented 1 year ago

Deployment failed with the following error:

Resource is limited - try again in 8 hours (more than 100, code: "api-deployments-free-per-day").
vercel[bot] commented 1 year ago

Deployment failed with the following error:

Resource is limited - try again in 3 hours (more than 100, code: "api-deployments-free-per-day").
vercel[bot] commented 1 year ago

Deployment failed with the following error:

Resource is limited - try again in 19 minutes (more than 100, code: "api-deployments-free-per-day").
renovate[bot] commented 1 year ago

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (1.3.6). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.