Open renovate[bot] opened 3 years ago
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
:recycle: Renovate will retry this branch, including artifacts, only when one of the following happens:
The artifact failure details are included below:
This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.
This PR contains the following updates:
1.3.5
->1.3.6
GitHub Vulnerability Alerts
CVE-2020-7788
Overview
The
ini
npm package before version 1.3.6 has a Prototype Pollution vulnerability.If an attacker submits a malicious INI file to an application that parses it with
ini.parse
, they will pollute the prototype on the application. This can be exploited further depending on the context.Patches
This has been patched in 1.3.6.
Steps to reproduce
payload.ini
poc.js:
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.