dequelabs / axe-webdriverjs

Provides a chainable axe API for Selenium's WebDriverJS and automatically injects into all frames.
Mozilla Public License 2.0
130 stars 46 forks source link

build(deps-dev): [security] bump standard-version from 7.0.0 to 8.0.1 #154

Closed dependabot-preview[bot] closed 4 years ago

dependabot-preview[bot] commented 4 years ago

Bumps standard-version from 7.0.0 to 8.0.1. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Command Injection in standard-version

GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2020-111

The GitHub Security Lab team has identified a potential security vulnerability in standard-version.

Summary

The standardVersion function has a command injection vulnerability. Clients of the standard-version library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

Product

Standard Version

Tested Version

Commit 2f04ac8

Details

Issue 1: Command injection in standardVersion

The following proof-of-concept illustrates the vulnerability. First install Standard Version and create an empty git repo to run the PoC in:

Affected versions: < 8.0.1

Release notes

Sourced from standard-version's releases.

standard-version v8.0.1

Bug Fixes

  • deps: update dependency conventional-changelog to v3.1.21 (#586) (fd456c9)
  • deps: update dependency conventional-changelog-conventionalcommits to v4.3.0 (#587) (b3b5eed)
  • deps: update dependency conventional-recommended-bump to v6.0.9 (#588) (d4d2ac2)
  • deps: update dependency git-semver-tags to v4 (#589) (a0f0e81)
  • Vulnerability Report GHSL-2020-11101 (9d978ac)

standard-version v8.0.0

⚠ BREAKING CHANGES

  • composer.json and composer.lock will no longer be read from or bumped by default. If you need to obtain a version or write a version to these files, please use bumpFiles and/or packageFiles options accordingly.

Bug Fixes

  • composer.json and composer.lock have been removed from default package and bump files. (c934f3a), closes #495 #394
  • deps: update dependency conventional-changelog to v3.1.18 (#510) (e6aeb77)
  • deps: update dependency yargs to v15.1.0 (#518) (8f36f9e)
  • deps: update dependency yargs to v15.3.1 (#559) (d98cd46)
Changelog

Sourced from standard-version's changelog.

8.0.1 (2020-07-12)

Bug Fixes

  • deps: update dependency conventional-changelog to v3.1.21 (#586) (fd456c9)
  • deps: update dependency conventional-changelog-conventionalcommits to v4.3.0 (#587) (b3b5eed)
  • deps: update dependency conventional-recommended-bump to v6.0.9 (#588) (d4d2ac2)
  • deps: update dependency git-semver-tags to v4 (#589) (a0f0e81)
  • Vulnerability Report GHSL-2020-11101 (9d978ac)

8.0.0 (2020-05-06)

⚠ BREAKING CHANGES

  • composer.json and composer.lock will no longer be read from or bumped by default. If you need to obtain a version or write a version to these files, please use bumpFiles and/or packageFiles options accordingly.

Bug Fixes

  • composer.json and composer.lock have been removed from default package and bump files. (c934f3a), closes #495 #394
  • deps: update dependency conventional-changelog to v3.1.18 (#510) (e6aeb77)
  • deps: update dependency yargs to v15.1.0 (#518) (8f36f9e)
  • deps: update dependency yargs to v15.3.1 (#559) (d98cd46)

7.1.0 (2019-12-08)

Features

  • Adds support for header (--header) configuration based on the spec. (#364) (ba80a0c)
  • custom 'bumpFiles' and 'packageFiles' support (#372) (564d948)

Bug Fixes

  • deps: update dependency conventional-changelog to v3.1.15 (#479) (492e721)
  • deps: update dependency conventional-changelog-conventionalcommits to v4.2.3 (#496) (bc606f8)
  • deps: update dependency conventional-recommended-bump to v6.0.5 (#480) (1e1e215)
  • deps: update dependency yargs to v15 (#484) (35b90c3)
  • use require.resolve for the default preset (#465) (d557372)
  • deps: update dependency detect-newline to v3.1.0 (#482) (04ab36a)
  • deps: update dependency figures to v3.1.0 (#468) (63300a9)
  • deps: update dependency git-semver-tags to v3.0.1 (#485) (9cc188c)
  • deps: update dependency yargs to v14.2.1 (#483) (dc1fa61)
  • deps: update dependency yargs to v14.2.2 (#488) (ecf26b6)

7.0.1 (2019-11-07)

Commits
  • 57e4e25 chore: release 8.0.1 (#611)
  • 58105e1 chore: Adds basic issue templates (#613)
  • 9d978ac fix: Vulnerability Report GHSL-2020-11101
  • 267d78d chore: stop pinning deps (#615)
  • da84ec4 test(windows): skip mock-git tests for Windows (#616)
  • 871201f Merge pull request from GHSA-7xcx-6wjh-7xp2
  • a0f0e81 fix(deps): update dependency git-semver-tags to v4 (#589)
  • fd456c9 fix(deps): update dependency conventional-changelog to v3.1.21 (#586)
  • b3b5eed fix(deps): update dependency conventional-changelog-conventionalcommits to v4...
  • d4d2ac2 fix(deps): update dependency conventional-recommended-bump to v6.0.9 (#588)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by oss-bot, a new releaser for standard-version since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)
WilcoFiers commented 4 years ago

Reviewed for security.