search

dalen / puppetexplorer

Puppet web interface written in CoffeeScript using AngularJS
demo.puppetexplorer.io
Other
412 stars 43 forks source link

[Security] Bump safer-eval from 1.2.3 to 1.3.5 #616

Closed dependabot-preview[bot] closed 4 years ago

dependabot-preview[bot] commented 5 years ago

Bumps safer-eval from 1.2.3 to 1.3.5. This update includes a security fix.

Vulnerabilities fixed *Sourced from The GitHub Security Advisory Database.* > **Moderate severity vulnerability that affects safer-eval** > safer-eval before 1.3.2 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code. > > Affected versions: < 1.3.2
Commits - [`6d5ed4b`](https://github.com/commenthol/safer-eval/commit/6d5ed4b90d676a10776b818dee84014dcd41e632) 1.3.5 - [`fbbc623`](https://github.com/commenthol/safer-eval/commit/fbbc623b7a6f6b9176dfed3f1c3d12ccc848f7b8) Merge pull request [#7](https://github-redirect.dependabot.com/commenthol/safer-eval/issues/7) from commenthol/strict-mode-recommendation - [`1a87237`](https://github.com/commenthol/safer-eval/commit/1a8723704b30ac43c3c300223c6132e27b48fc21) fix: use strict mode recommendation - [`b81dab9`](https://github.com/commenthol/safer-eval/commit/b81dab9c7ef88345e5e9a4490426ac171a489add) 1.3.4 - [`073267a`](https://github.com/commenthol/safer-eval/commit/073267ac30e67d3e5c1762c5d0373444ead61660) Merge pull request [#6](https://github-redirect.dependabot.com/commenthol/safer-eval/issues/6) from commenthol/fix-breakout-console - [`25c3048`](https://github.com/commenthol/safer-eval/commit/25c304828b7fbfe228fbc9055f6004b181dd2c38) docu: Update tested browsers/ node versions - [`25fbbe5`](https://github.com/commenthol/safer-eval/commit/25fbbe53e46c54d10b4c583b8f5c659933400ccb) fix: sandbox breakout with console.constructor... - [`1ff9411`](https://github.com/commenthol/safer-eval/commit/1ff9411b4099e71798cfd822d5b0a536b39f31d5) chore: bump dependencies - [`d3167c8`](https://github.com/commenthol/safer-eval/commit/d3167c8cb863dbd373381a563a9045c2a07c6799) 1.3.3 - [`ba69286`](https://github.com/commenthol/safer-eval/commit/ba692863fe7062085b62669525d405257a16f486) Merge pull request [#5](https://github-redirect.dependabot.com/commenthol/safer-eval/issues/5) from commenthol/warning - Additional commits viewable in [compare view](https://github.com/commenthol/safer-eval/compare/v1.2.3...v1.3.5)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will not automatically merge this PR because it includes a minor update to a production dependency.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)
dependabot-preview[bot] commented 4 years ago

Superseded by #628.