Closed renovate[bot] closed 2 weeks ago
This PR contains the following updates:

| Package | Change |
| --- | --- |
| minimist | `1.2.5` -> `1.2.6` |

Prototype Pollution in minimist: CVE-2021-44906 / GHSA-xvch-5gv4-984h

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.
### Prototype Pollution in minimist

CVE-2021-44906 / GHSA-xvch-5gv4-984h
#### Details

Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file `index.js`, function `setKey()` (lines 69-95).

#### Severity

- CVSS Score: 9.8 / 10 (Critical)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2021-44906](https://nvd.nist.gov/vuln/detail/CVE-2021-44906)
- [https://github.com/minimistjs/minimist/issues/11](https://togithub.com/minimistjs/minimist/issues/11)
- [https://github.com/substack/minimist/issues/164](https://togithub.com/substack/minimist/issues/164)
- [https://github.com/minimistjs/minimist/pull/24](https://togithub.com/minimistjs/minimist/pull/24)
- [https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703](https://togithub.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703)
- [https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb](https://togithub.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb)
- [https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d](https://togithub.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d)
- [https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11](https://togithub.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11)
- [https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip](https://togithub.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip)
- [https://github.com/minimistjs/minimist/commits/v0.2.4](https://togithub.com/minimistjs/minimist/commits/v0.2.4)
- [https://github.com/substack/minimist](https://togithub.com/substack/minimist)
- [https://github.com/substack/minimist/blob/master/index.js#L69](https://togithub.com/substack/minimist/blob/master/index.js#L69)
- [https://snyk.io/vuln/SNYK-JS-MINIMIST-559764](https://snyk.io/vuln/SNYK-JS-MINIMIST-559764)
- [https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068](https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-xvch-5gv4-984h) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
### Release Notes

**minimistjs/minimist (minimist)**

#### [`v1.2.6`](https://togithub.com/minimistjs/minimist/blob/HEAD/CHANGELOG.md#v126---2022-03-21)

[Compare Source](https://togithub.com/minimistjs/minimist/compare/v1.2.5...v1.2.6)

##### Commits

- test from prototype pollution PR [`bc8ecee`](https://togithub.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb)
- isConstructorOrProto adapted from PR [`c2b9819`](https://togithub.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d)
- security notice for additional prototype pollution issue [`ef88b93`](https://togithub.com/minimistjs/minimist/commit/ef88b9325f77b5ee643ccfc97e2ebda577e4c4e2)