cypress-io / add-cypress-custom-command-in-typescript

Testing how new Cypress commands are added in TypeScript
87 stars 30 forks source link

chore(deps): update dependency ini to version 1.3.6 🌟 #130

Closed renovate[bot] closed 3 years ago

renovate[bot] commented 3 years ago

WhiteSource Renovate

This PR contains the following updates:

Package Change
ini 1.3.5 -> 1.3.6

GitHub Vulnerability Alerts

CVE-2020-7788

Overview

The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6

Steps to reproduce

payload.ini

[__proto__]
polluted = "polluted"

poc.js:

var fs = require('fs')
var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)
> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted

Configuration

📅 Schedule: "" in timezone America/New_York.

🚦 Automerge: Enabled.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by WhiteSource Renovate. View repository job log here.