LotusJS is a framework for developing HTML5 applications using web components and TypeScript. It uses a functional style and leverages ramda for composition and currying. Lotus is opinionated about two things: A functional style and separating presentation for code.
Other
12
stars
3
forks
source link
chore(deps): update dependency grunt to v1.5.3 [security] #244
file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.
Release Notes
gruntjs/grunt (grunt)
### [`v1.5.3`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.5.3)
[Compare Source](https://redirect.github.com/gruntjs/grunt/compare/v1.5.2...v1.5.3)
- Merge pull request [#1745](https://redirect.github.com/gruntjs/grunt/issues/1745) from gruntjs/fix-copy-op [`572d79b`](https://redirect.github.com/gruntjs/grunt/commit/572d79b)
- Patch up race condition in symlink copying. [`58016ff`](https://redirect.github.com/gruntjs/grunt/commit/58016ff)
- Merge pull request [#1746](https://redirect.github.com/gruntjs/grunt/issues/1746) from JamieSlome/patch-1 [`0749e1d`](https://redirect.github.com/gruntjs/grunt/commit/0749e1d)
- Create SECURITY.md [`69b7c50`](https://redirect.github.com/gruntjs/grunt/commit/69b7c50)
### [`v1.5.2`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.5.2)
[Compare Source](https://redirect.github.com/gruntjs/grunt/compare/v1.5.1...v1.5.2)
- Update Changelog [`7f15fd5`](https://redirect.github.com/gruntjs/grunt/commit/7f15fd5)
- Merge pull request [#1743](https://redirect.github.com/gruntjs/grunt/issues/1743) from gruntjs/cleanup-link [`b0ec6e1`](https://redirect.github.com/gruntjs/grunt/commit/b0ec6e1)
- Clean up link handling [`433f91b`](https://redirect.github.com/gruntjs/grunt/commit/433f91b)
### [`v1.5.1`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.5.1)
[Compare Source](https://redirect.github.com/gruntjs/grunt/compare/v1.5.0...v1.5.1)
- Merge pull request [#1742](https://redirect.github.com/gruntjs/grunt/issues/1742) from gruntjs/update-symlink-test [`ad22608`](https://redirect.github.com/gruntjs/grunt/commit/ad22608)
- Fix symlink test [`0652305`](https://redirect.github.com/gruntjs/grunt/commit/0652305)
### [`v1.5.0`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.5.0)
[Compare Source](https://redirect.github.com/gruntjs/grunt/compare/v1.4.1...v1.5.0)
- Updated changelog [`b2b2c2b`](https://redirect.github.com/gruntjs/grunt/commit/b2b2c2b)
- Merge pull request [#1740](https://redirect.github.com/gruntjs/grunt/issues/1740) from gruntjs/update-deps-22-10 [`3eda6ae`](https://redirect.github.com/gruntjs/grunt/commit/3eda6ae)
- Update testing matrix [`47d32de`](https://redirect.github.com/gruntjs/grunt/commit/47d32de)
- More updates [`2e9161c`](https://redirect.github.com/gruntjs/grunt/commit/2e9161c)
- Remove console log [`04b960e`](https://redirect.github.com/gruntjs/grunt/commit/04b960e)
- Update dependencies, tests... [`aad3d45`](https://redirect.github.com/gruntjs/grunt/commit/aad3d45)
- Merge pull request [#1736](https://redirect.github.com/gruntjs/grunt/issues/1736) from justlep/main [`fdc7056`](https://redirect.github.com/gruntjs/grunt/commit/fdc7056)
- support .cjs extension [`e35fe54`](https://redirect.github.com/gruntjs/grunt/commit/e35fe54)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
â™» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
1.4.1->1.5.3GitHub Vulnerability Alerts
CVE-2022-0436
Grunt prior to version 1.5.2 is vulnerable to path traversal.
CVE-2022-1537
file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.
Release Notes
gruntjs/grunt (grunt)
### [`v1.5.3`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.5.3) [Compare Source](https://redirect.github.com/gruntjs/grunt/compare/v1.5.2...v1.5.3) - Merge pull request [#1745](https://redirect.github.com/gruntjs/grunt/issues/1745) from gruntjs/fix-copy-op [`572d79b`](https://redirect.github.com/gruntjs/grunt/commit/572d79b) - Patch up race condition in symlink copying. [`58016ff`](https://redirect.github.com/gruntjs/grunt/commit/58016ff) - Merge pull request [#1746](https://redirect.github.com/gruntjs/grunt/issues/1746) from JamieSlome/patch-1 [`0749e1d`](https://redirect.github.com/gruntjs/grunt/commit/0749e1d) - Create SECURITY.md [`69b7c50`](https://redirect.github.com/gruntjs/grunt/commit/69b7c50) ### [`v1.5.2`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.5.2) [Compare Source](https://redirect.github.com/gruntjs/grunt/compare/v1.5.1...v1.5.2) - Update Changelog [`7f15fd5`](https://redirect.github.com/gruntjs/grunt/commit/7f15fd5) - Merge pull request [#1743](https://redirect.github.com/gruntjs/grunt/issues/1743) from gruntjs/cleanup-link [`b0ec6e1`](https://redirect.github.com/gruntjs/grunt/commit/b0ec6e1) - Clean up link handling [`433f91b`](https://redirect.github.com/gruntjs/grunt/commit/433f91b) ### [`v1.5.1`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.5.1) [Compare Source](https://redirect.github.com/gruntjs/grunt/compare/v1.5.0...v1.5.1) - Merge pull request [#1742](https://redirect.github.com/gruntjs/grunt/issues/1742) from gruntjs/update-symlink-test [`ad22608`](https://redirect.github.com/gruntjs/grunt/commit/ad22608) - Fix symlink test [`0652305`](https://redirect.github.com/gruntjs/grunt/commit/0652305) ### [`v1.5.0`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.5.0) [Compare Source](https://redirect.github.com/gruntjs/grunt/compare/v1.4.1...v1.5.0) - Updated changelog [`b2b2c2b`](https://redirect.github.com/gruntjs/grunt/commit/b2b2c2b) - Merge pull request [#1740](https://redirect.github.com/gruntjs/grunt/issues/1740) from gruntjs/update-deps-22-10 [`3eda6ae`](https://redirect.github.com/gruntjs/grunt/commit/3eda6ae) - Update testing matrix [`47d32de`](https://redirect.github.com/gruntjs/grunt/commit/47d32de) - More updates [`2e9161c`](https://redirect.github.com/gruntjs/grunt/commit/2e9161c) - Remove console log [`04b960e`](https://redirect.github.com/gruntjs/grunt/commit/04b960e) - Update dependencies, tests... [`aad3d45`](https://redirect.github.com/gruntjs/grunt/commit/aad3d45) - Merge pull request [#1736](https://redirect.github.com/gruntjs/grunt/issues/1736) from justlep/main [`fdc7056`](https://redirect.github.com/gruntjs/grunt/commit/fdc7056) - support .cjs extension [`e35fe54`](https://redirect.github.com/gruntjs/grunt/commit/e35fe54)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
â™» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.