search

balena-io-modules / scrutinizer

Extract a git repository's metadata relying on open source conventions
Apache License 2.0
8 stars 0 forks source link

Update dependency simple-git to 3.5.0 [SECURITY] #207

Open balena-ci opened 2 years ago

balena-ci commented 2 years ago

This PR contains the following updates:

Package Type Update Change
simple-git dependencies major ^2.47.0 -> ^3.0.0

GitHub Vulnerability Alerts

CVE-2022-24433

The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options, it was possible to get arbitrary command execution.

CVE-2022-24066

simple-git (maintained as git-js named repository on GitHub) is a light weight interface for running git commands in any node.js application.The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover. A fix was released in simple-git@3.5.0.

Release Notes

steveukx/git-js ### [`v3.5.0`](https://togithub.com/steveukx/git-js/blob/HEAD/simple-git/CHANGELOG.md#​350) [Compare Source](https://togithub.com/steveukx/git-js/compare/simple-git@3.4.0...simple-git@3.5.0) ##### Minor Changes - [`2040de6`](https://togithub.com/steveukx/git-js/commit/2040de6): Resolves potential command injection vulnerability by preventing use of `--upload-pack` in `git.clone` ### [`v3.4.0`](https://togithub.com/steveukx/git-js/blob/HEAD/simple-git/CHANGELOG.md#​340) [Compare Source](https://togithub.com/steveukx/git-js/compare/simple-git@3.3.0...simple-git@3.4.0) ##### Minor Changes - [`ed412ef`](https://togithub.com/steveukx/git-js/commit/ed412ef): Use null separators in git.status to allow for non-ascii file names ### [`v3.3.0`](https://togithub.com/steveukx/git-js/blob/HEAD/simple-git/CHANGELOG.md#​330) [Compare Source](https://togithub.com/steveukx/git-js/compare/simple-git@3.2.6...simple-git@3.3.0) ##### Minor Changes - [`d119ec4`](https://togithub.com/steveukx/git-js/commit/d119ec4): Resolves potential command injection vulnerability by preventing use of `--upload-pack` in `git.fetch` ### [`v3.2.6`](https://togithub.com/steveukx/git-js/blob/HEAD/simple-git/CHANGELOG.md#​326) [Compare Source](https://togithub.com/steveukx/git-js/compare/simple-git@3.2.4...simple-git@3.2.6) ##### Patch Changes - [`80651d5`](https://togithub.com/steveukx/git-js/commit/80651d5): Resolve issue in prePublish script ### [`v3.2.4`](https://togithub.com/steveukx/git-js/blob/HEAD/simple-git/CHANGELOG.md#​324) [Compare Source](https://togithub.com/steveukx/git-js/compare/simple-git-v3.1.1...simple-git@3.2.4) ##### Patch Changes - [`d35987b`](https://togithub.com/steveukx/git-js/commit/d35987b): Release with changesets ### [`v3.1.1`](https://togithub.com/steveukx/git-js/blob/HEAD/simple-git/CHANGELOG.md#​311-httpswwwgithubcomsteveukxgit-jscomparesimple-git-v310simple-git-v311-2022-01-26) [Compare Source](https://togithub.com/steveukx/git-js/compare/simple-git-v3.1.0...simple-git-v3.1.1) ### [`v3.1.0`](https://togithub.com/steveukx/git-js/blob/HEAD/simple-git/CHANGELOG.md#​310-httpswwwgithubcomsteveukxgit-jscomparesimple-git-v304simple-git-v310-2022-01-23) [Compare Source](https://togithub.com/steveukx/git-js/compare/simple-git-v3.0.4...simple-git-v3.1.0) ##### Features - optionally include ignored files in `StatusResult` ([70e6767](https://www.github.com/steveukx/git-js/commit/70e676759012d26ab644644e10f7957fba51ae2f)), closes [#​718](https://www.togithub.com/steveukx/git-js/issues/718) ##### [3.0.4](https://www.github.com/steveukx/git-js/compare/simple-git-v3.0.3...simple-git-v3.0.4) (2022-01-23) ##### Bug Fixes - support parsing empty responses ([91eb7fb](https://www.github.com/steveukx/git-js/commit/91eb7fb01fe466468537621cb94b9f932026506e)), closes [#​713](https://www.togithub.com/steveukx/git-js/issues/713) ##### [3.0.3](https://www.github.com/steveukx/git-js/compare/simple-git-v3.0.2...simple-git-v3.0.3) (2022-01-20) ##### Bug Fixes - allow branches without labels ([07a1388](https://www.github.com/steveukx/git-js/commit/07a138808fb0b78068da83030698a957e567541c)) - implement v3 deprecations ([ed6d18e](https://www.github.com/steveukx/git-js/commit/ed6d18e88a6a4f9fd18d4733a94b491e0e9e3ba1)) - publish v3 as `latest` ([5db4434](https://www.github.com/steveukx/git-js/commit/5db4434d00acba560fe2569c04f9813cde026468)) ##### [3.0.2](https://www.github.com/steveukx/git-js/compare/simple-git-v3.0.1...simple-git-v3.0.2) (2022-01-18) ##### Bug Fixes - Backward compatibility - permit loading `simple-git/promise` with deprecation notice until mid-2022. ([4413c47](https://www.github.com/steveukx/git-js/commit/4413c47fa3d9893734a5bb06075b962645f73cb9)) ##### [3.0.1](https://www.github.com/steveukx/git-js/compare/simple-git-v3.0.0...simple-git-v3.0.1) (2022-01-18) ##### Bug Fixes - Documentation update ([4e000f6](https://www.github.com/steveukx/git-js/commit/4e000f69aa876b3999ec98fe42e94186facd5790)) ### [`v3.0.4`](https://togithub.com/steveukx/git-js/blob/HEAD/simple-git/CHANGELOG.md#​304-httpswwwgithubcomsteveukxgit-jscomparesimple-git-v303simple-git-v304-2022-01-23) [Compare Source](https://togithub.com/steveukx/git-js/compare/simple-git-v3.0.3...simple-git-v3.0.4) ### [`v3.0.3`](https://togithub.com/steveukx/git-js/blob/HEAD/simple-git/CHANGELOG.md#​303-httpswwwgithubcomsteveukxgit-jscomparesimple-git-v302simple-git-v303-2022-01-20) [Compare Source](https://togithub.com/steveukx/git-js/compare/simple-git-v3.0.2...simple-git-v3.0.3) ### [`v3.0.2`](https://togithub.com/steveukx/git-js/blob/HEAD/simple-git/CHANGELOG.md#​302-httpswwwgithubcomsteveukxgit-jscomparesimple-git-v301simple-git-v302-2022-01-18) [Compare Source](https://togithub.com/steveukx/git-js/compare/simple-git-v3.0.1...simple-git-v3.0.2) ### [`v3.0.1`](https://togithub.com/steveukx/git-js/blob/HEAD/simple-git/CHANGELOG.md#​301-httpswwwgithubcomsteveukxgit-jscomparesimple-git-v300simple-git-v301-2022-01-18) [Compare Source](https://togithub.com/steveukx/git-js/compare/v2.48.0...simple-git-v3.0.1) ### [`v2.48.0`](https://togithub.com/steveukx/git-js/blob/HEAD/simple-git/CHANGELOG.md#​2480-httpswwwgithubcomsteveukxgit-jscomparev2471v2480-2021-12-01) [Compare Source](https://togithub.com/steveukx/git-js/compare/v2.47.1...v2.48.0) ##### Features - `StatusResult` returned by `git.status()` should include `detached` state of the working copy. ([#​695](https://www.togithub.com/steveukx/git-js/issues/695)) ([f464ebe](https://www.github.com/steveukx/git-js/commit/f464ebe567c6c5cd4e99fd7e6300d9efdd4cbb1b)) ##### Bug Fixes - Add example for empty commit message in `git.commit()` ([61089cb](https://www.github.com/steveukx/git-js/commit/61089cbcb791acf9dc596dcc903e7b9c6c76c0e1)) ##### [2.47.1](https://www.github.com/steveukx/git-js/compare/v2.47.0...v2.47.1) (2021-11-29) ##### Bug Fixes - Add support for node@17 in unit tests ([0d3bf47](https://www.github.com/steveukx/git-js/commit/0d3bf479dd52e68e3af502685568c8e376ba2af3)) - Add support for node@17 in unit tests ([0d3bf47](https://www.github.com/steveukx/git-js/commit/0d3bf479dd52e68e3af502685568c8e376ba2af3)) ### [`v2.47.1`](https://togithub.com/steveukx/git-js/blob/HEAD/simple-git/CHANGELOG.md#​2471-httpswwwgithubcomsteveukxgit-jscomparev2470v2471-2021-11-29) [Compare Source](https://togithub.com/steveukx/git-js/compare/v2.47.0...v2.47.1)

Configuration

πŸ“… Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

β™» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

πŸ”• Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Renovate Bot.