celo-org / celo-monorepo

Official repository for core projects comprising the Celo platform
https://celo.org
Apache License 2.0
684 stars, 360 forks

chore(deps): update dependency object-path to v0.11.8 [security] (release/core-contracts/6) - autoclosed #11063

Closed renovate[bot] closed 2 weeks ago

renovate[bot] commented 2 weeks ago

Mend Renovate

This PR contains the following updates:

| Package | Change |
|---|---|
| object-path | `0.11.5` -> `0.11.8` |

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Prototype Pollution in object-path

CVE-2021-23434 / GHSA-v39p-96qg-c8rf / SNYK-JAVA-ORGWEBJARSNPM-1570423 / SNYK-JS-OBJECTPATH-1569453

More information

#### Details

This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition `currentPath === '__proto__'` returns false if `currentPath` is `['__proto__']`. This is because the `===` operator always returns false when the operands are of different types.

#### Severity

- CVSS Score: 5.6 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2021-23434](https://nvd.nist.gov/vuln/detail/CVE-2021-23434)
- [https://github.com/mariocasciaro/object-path/commit/7bdf4abefd102d16c163d633e8994ef154cab9eb](https://togithub.com/mariocasciaro/object-path/commit/7bdf4abefd102d16c163d633e8994ef154cab9eb)
- [https://github.com/mariocasciaro/object-path](https://togithub.com/mariocasciaro/object-path)
- [https://github.com/mariocasciaro/object-path#0116](https://togithub.com/mariocasciaro/object-path#0116)
- [https://github.com/mariocasciaro/object-path%230116](https://togithub.com/mariocasciaro/object-path%230116)
- [https://lists.debian.org/debian-lts-announce/2023/01/msg00031.html](https://lists.debian.org/debian-lts-announce/2023/01/msg00031.html)
- [https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1570423](https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1570423)
- [https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453](https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-v39p-96qg-c8rf) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).

Prototype Pollution in object-path

CVE-2021-3805 / GHSA-8v63-cqqc-6r2c

More information

#### Details

object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The `del()` function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like `toString` on all objects.

#### Severity

- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2021-3805](https://nvd.nist.gov/vuln/detail/CVE-2021-3805)
- [https://github.com/mariocasciaro/object-path/commit/4f0903fd7c832d12ccbe0d9c3d7e25d985e9e884](https://togithub.com/mariocasciaro/object-path/commit/4f0903fd7c832d12ccbe0d9c3d7e25d985e9e884)
- [https://github.com/mariocasciaro/object-path](https://togithub.com/mariocasciaro/object-path)
- [https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053](https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053)
- [https://lists.debian.org/debian-lts-announce/2023/01/msg00031.html](https://lists.debian.org/debian-lts-announce/2023/01/msg00031.html)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8v63-cqqc-6r2c) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).

Release Notes

mariocasciaro/object-path (object-path)

### [`v0.11.8`](https://togithub.com/mariocasciaro/object-path/compare/v0.11.7...v0.11.8)

[Compare Source](https://togithub.com/mariocasciaro/object-path/compare/v0.11.7...v0.11.8)

### [`v0.11.7`](https://togithub.com/mariocasciaro/object-path/compare/v0.11.6...v0.11.7)

[Compare Source](https://togithub.com/mariocasciaro/object-path/compare/v0.11.6...v0.11.7)

### [`v0.11.6`](https://togithub.com/mariocasciaro/object-path/compare/63324602658f0860a25bde311b0087625dfee439...v0.11.6)

[Compare Source](https://togithub.com/mariocasciaro/object-path/compare/63324602658f0860a25bde311b0087625dfee439...v0.11.6)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
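The two flaws the advisories above describe, shown as an added example that is not object-path's code and not part of this PR: a constructed minimal dotted/array path setter and deleter that reproduce the `currentPath === '__proto__'` type-confusion bypass (CVE-2021-23434) and the unvalidated `del()` walk (CVE-2021-3805), beside hardened versions that normalise every path component to a string, reject `__proto__`/`constructor`/`prototype`, and only descend into own properties. All function names and inputs are assumptions made for this demo.

```javascript
'use strict';
// Added example (not object-path's code): minimal path set/del helpers that
// reproduce the two advisories, next to hardened versions. Inputs below are
// constructed for the demo.

// --- Vulnerable variants ---------------------------------------------------

// Mirrors the guard described for CVE-2021-23434: a strict string comparison
// that can never match a component that is itself an array. Property access
// coerces ['__proto__'] to the string '__proto__', so the guard is bypassed.
function vulnerableSet(obj, path, value) {
  const parts = Array.isArray(path) ? path : String(path).split('.');
  let cur = obj;
  for (let i = 0; i < parts.length; i++) {
    const key = parts[i];
    if (key === '__proto__') return obj; // false when key is ['__proto__']
    if (i === parts.length - 1) {
      cur[key] = value;
    } else {
      if (cur[key] === undefined || cur[key] === null) cur[key] = {};
      cur = cur[key];
    }
  }
  return obj;
}

// Mirrors CVE-2021-3805: del() walks the path with no key validation at all,
// so '__proto__' leads straight to Object.prototype.
function vulnerableDel(obj, path) {
  const parts = Array.isArray(path) ? path : String(path).split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    cur = cur[parts[i]];
    if (cur === undefined || cur === null) return obj;
  }
  delete cur[parts[parts.length - 1]];
  return obj;
}

// --- Hardened variants -----------------------------------------------------

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Reject non-primitive components outright, then compare the normalised
// string, so an array such as ['__proto__'] cannot slip past the check.
function safeKey(part) {
  if (typeof part !== 'string' && typeof part !== 'number') {
    throw new TypeError('path components must be strings or numbers');
  }
  const key = String(part);
  if (FORBIDDEN_KEYS.has(key)) {
    throw new TypeError(`refusing to traverse reserved key '${key}'`);
  }
  return key;
}

function hardenedSet(obj, path, value) {
  const parts = (Array.isArray(path) ? path : String(path).split('.')).map(safeKey);
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    // Descend only into own, plain-object properties; never into inherited ones.
    if (!Object.prototype.hasOwnProperty.call(cur, key) ||
        typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

function hardenedDel(obj, path) {
  const parts = (Array.isArray(path) ? path : String(path).split('.')).map(safeKey);
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (!Object.prototype.hasOwnProperty.call(cur, key)) return obj;
    cur = cur[key];
    if (cur === null || typeof cur !== 'object') return obj;
  }
  delete cur[parts[parts.length - 1]];
  return obj;
}

// --- Demonstration ---------------------------------------------------------

function throwsTypeError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

// Runs both bypasses against fresh objects and reports whether each variant
// reached Object.prototype (observed through an unrelated object). Cleans up
// afterwards so the process is not left polluted.
function demonstrate() {
  const victim = {};
  const results = {};

  // CVE-2021-23434: an array component slips past `=== '__proto__'`.
  vulnerableSet({}, [['__proto__'], 'polluted'], 'yes');
  results.vulnerableSetPolluted = victim.polluted === 'yes';

  // CVE-2021-3805: del() walks into the prototype and removes a key there.
  const before = 'polluted' in victim;
  vulnerableDel({}, ['__proto__', 'polluted']);
  results.vulnerableDelReachedPrototype = before && !('polluted' in victim);

  // Hardened versions refuse all three shapes of the attack path.
  results.hardenedSetThrows = throwsTypeError(() => hardenedSet({}, [['__proto__'], 'polluted'], 'yes'));
  results.hardenedSetStringPathThrows = throwsTypeError(() => hardenedSet({}, '__proto__.polluted', 'yes'));
  results.hardenedDelThrows = throwsTypeError(() => hardenedDel({}, ['__proto__', 'toString']));

  // Ordinary use still works.
  const cfg = hardenedSet({}, 'db.host', 'localhost');
  results.normalSetWorks = cfg.db.host === 'localhost';
  hardenedDel(cfg, 'db.host');
  results.normalDelWorks = !('host' in cfg.db);

  delete Object.prototype.polluted; // safety net; should already be gone
  return results;
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

The hardened `safeKey` check is what the `0.11.6` fix is reaching for: compare the *string form* of a component, not the raw value, and treat `constructor`/`prototype` the same way, since `constructor.prototype.x` reaches `Object.prototype` just as `__proto__.x` does.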

socket-security[bot] commented 2 weeks ago

New and removed dependencies detected.

| Package | New capabilities | Transitives | Size | Publisher |
|---|---|---|---|---|
| npm/object-path@0.11.8 | None | 0 | 60.9 kB | mariocasciaro |

🚮 Removed packages: npm/object-path@0.11.5
