search

badges / shields

Concise, consistent, and legible badges in SVG and raster format
https://shields.io
Creative Commons Zero v1.0 Universal
23.91k stars 5.51k forks source link

chore(deps): bump jsonpath-plus from 10.0.0 to 10.0.6; test [dynamic] #10620

Closed dependabot[bot] closed 1 month ago

dependabot[bot] commented 1 month ago

Bumps jsonpath-plus from 10.0.0 to 10.0.6.

Changelog

Sourced from jsonpath-plus's changelog.

10.0.6

  • fix(security): prevent call/apply invocation of Function

10.0.5

  • fix: remove overly aggressive disabling of native functions but disallow __proto__

10.0.4

  • fix(security): further prevent binding of Function calls which may evade detection

10.0.3

  • fix(security): prevent binding of Function calls which may evade detection

10.0.2

  • fix(security): prevent Function calls outside of member expressions

10.0.1

  • fix(security): prohibit Function in "safe" vm
Commits


Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
socket-security[bot] commented 1 month ago

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@actions/core@1.11.1 Transitive: environment, filesystem, network, shell, unsafe +6 1.56 MB bryanmacfarlane, chrispat, cschleiden, ...2 more
npm/@actions/github@6.0.0 environment, filesystem Transitive: network, unsafe +20 8.09 MB thboop

View full report↗︎

github-actions[bot] commented 1 month ago

🚀 Updated review app: https://pr-10620-badges-shields.fly.dev

chris48s commented 1 month ago

merging a release of this with security related fixes reassures me we went the right way on this :)