Closed renovate[bot] closed 1 year ago
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
The artifact failure details are included below:
ERROR: npm v10.1.0 is known not to run on Node.js v12.22.12. This version of npm supports the following node versions: `^18.17.0 || >=20.5.0`. You can find the latest version at https://nodejs.org/.
ERROR:
/opt/containerbase/tools/npm/10.1.0/node_modules/npm/lib/utils/exit-handler.js:19
const hasLoadedNpm = npm?.config.loaded
^
SyntaxError: Unexpected token '.'
at wrapSafe (internal/modules/cjs/loader.js:915:16)
at Module._compile (internal/modules/cjs/loader.js:963:27)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1027:10)
at Module.load (internal/modules/cjs/loader.js:863:32)
at Function.Module._load (internal/modules/cjs/loader.js:708:14)
at Module.require (internal/modules/cjs/loader.js:887:19)
at require (internal/modules/cjs/helpers.js:74:18)
at module.exports (/opt/containerbase/tools/npm/10.1.0/node_modules/npm/lib/cli-entry.js:15:23)
at module.exports (/opt/containerbase/tools/npm/10.1.0/node_modules/npm/lib/es6/validate-engines.js:39:10)
at module.exports (/opt/containerbase/tools/npm/10.1.0/node_modules/npm/lib/cli.js:4:31)
Because you closed this PR without merging, Renovate will ignore this update (^3.2.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.
If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
This PR contains the following updates:

| Package | Change |
|---|---|
| nunjucks | `3.2.3` -> `3.2.4` |
### GitHub Vulnerability Alerts

#### CVE-2023-2142

##### Impact

In Nunjucks versions prior to 3.2.4, it was possible to bypass the restrictions provided by the autoescape functionality. If two user-controlled parameters are used on the same line in a view, it was possible to inject cross-site scripting payloads using the backslash (`\`) character.

##### Example

If the user-controlled parameters were used in the views similar to the following:

It is possible to inject an XSS payload using the below parameters:

##### Patches

The issue was patched in version 3.2.4.

##### References
### Release Notes

mozilla/nunjucks (nunjucks)

### [`v3.2.4`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#324-Apr-13-2023) [Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.2.3...v3.2.4)

- HTML encode backslashes when expressions are passed through the escape filter (including when this is done automatically with autoescape). Merge of [#1437](https://togithub.com/mozilla/nunjucks/pull/1437).

### Configuration
📅 Schedule: Branch creation - "" in timezone America/Montreal, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.