This PR contains the following updates:
- grunt: `~0.4.5` -> `~1.3.0` (:warning: MAJOR MAJOR MAJOR :warning:)
GitHub Vulnerability Alerts
CVE-2020-7729
The package grunt before 1.3.0 is vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.
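Two defender-side checks a practitioner would want alongside this advisory, written as an added example for this page (it is not code from grunt, js-yaml or Renovate): first, walk a `package-lock.json` object and report every resolved `grunt` version below the fixed release 1.3.0; second, a guard that refuses to hand YAML text to a parser when it carries js-yaml's JavaScript-specific `!!js/` tags, which is the class of input that distinguishes `load()` from `safeLoad()`. The lockfile shape handled (`dependencies` tree for lockfileVersion 1, `packages` map for lockfileVersion 2/3) is the standard npm layout; the sample lockfile and function names are constructed for the example.

```javascript
// Added example for CVE-2020-7729 (not from grunt, js-yaml or the Renovate PR).
// No third-party dependencies; runs under plain Node.js.

// Fixed version taken from the advisory text above.
const FIXED_GRUNT_VERSION = '1.3.0';

// Numeric comparison of dotted version strings: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Strip the leading range operator of a package.json spec such as "~0.4.5"
// or "^1.2.0" to get the lowest version the range admits.
function minimumVersionOfRange(range) {
  return range.replace(/^[~^>=\s]+/, '');
}

// True when this resolved grunt version is affected by CVE-2020-7729.
function isVulnerableGruntVersion(version) {
  return compareVersions(version, FIXED_GRUNT_VERSION) < 0;
}

// Collect every resolved grunt version in a parsed package-lock.json object.
// Handles the lockfileVersion 1 "dependencies" tree and the lockfileVersion
// 2/3 "packages" map (keys are paths like "node_modules/grunt").
function findGruntVersions(lock) {
  const found = new Set();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/grunt' || path.endsWith('/node_modules/grunt')) {
      found.add(meta.version);
    }
  }
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === 'grunt') found.add(meta.version);
      walk(meta.dependencies); // nested (deduplicated-away) copies live here
    }
  };
  walk(lock.dependencies);
  return [...found];
}

// Report only the resolved grunt versions that are below the fixed release.
function vulnerableGruntVersions(lock) {
  return findGruntVersions(lock).filter(isVulnerableGruntVersion);
}

// Guard for YAML text destined for a parser: js-yaml's "!!js/..." tags are the
// JavaScript-specific types that only the unsafe load() honours, so a config
// loader has no legitimate reason to accept them. Throws instead of parsing.
const JS_YAML_TYPE_TAG = /!!js\//;
function rejectJsYamlTypeTags(yamlText) {
  if (JS_YAML_TYPE_TAG.test(yamlText)) {
    throw new Error('YAML document contains !!js/ tags; refusing to parse it');
  }
  return yamlText;
}

// Constructed sample lockfile (lockfileVersion 1 shape), not a real project's:
// the top-level grunt is 0.4.5, a plugin has its own nested grunt 1.3.0.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    grunt: { version: '0.4.5', dependencies: { 'js-yaml': { version: '2.0.5' } } },
    'some-grunt-plugin': { version: '1.0.0', dependencies: { grunt: { version: '1.3.0' } } },
  },
};

// Stand-alone run: prints ["0.4.5"], the one resolved version still affected.
console.log('vulnerable grunt versions:', JSON.stringify(vulnerableGruntVersions(SAMPLE_LOCK)));
```

To use it against a real project, `JSON.parse` the contents of `package-lock.json` and pass the object to `vulnerableGruntVersions`; `minimumVersionOfRange` covers the `package.json` side, where the `~0.4.5` spec in this PR resolves to a minimum of 0.4.5 and is therefore affected. The YAML guard is a belt-and-braces check for code that still calls an older js-yaml `load()`; upgrading to grunt 1.3.0, which switches `file.readYAML` to `safeLoad`, is the actual fix.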
Release Notes
gruntjs/grunt
### [`v1.3.0`](https://togithub.com/gruntjs/grunt/releases/v1.3.0)
[Compare Source](https://togithub.com/gruntjs/grunt/compare/v1.2.1...v1.3.0)
- Merge pull request [#1720](https://togithub.com/gruntjs/grunt/issues/1720) from gruntjs/update-changelog-deps [`faab6be`](https://togithub.com/gruntjs/grunt/commit/faab6be)
- Update Changelog and legacy-util dependency [`520fedb`](https://togithub.com/gruntjs/grunt/commit/520fedb)
- Merge pull request [#1719](https://togithub.com/gruntjs/grunt/issues/1719) from gruntjs/yaml-refactor [`7e669ac`](https://togithub.com/gruntjs/grunt/commit/7e669ac)
- Switch to use `safeLoad` for loading YML files via `file.readYAML`. [`e350cea`](https://togithub.com/gruntjs/grunt/commit/e350cea)
- Merge pull request [#1718](https://togithub.com/gruntjs/grunt/issues/1718) from gruntjs/legacy-log-bumo [`7125f49`](https://togithub.com/gruntjs/grunt/commit/7125f49)
- Bump legacy-log [`00d5907`](https://togithub.com/gruntjs/grunt/commit/00d5907)
### [`v1.2.1`](https://togithub.com/gruntjs/grunt/releases/v1.2.1)
[Compare Source](https://togithub.com/gruntjs/grunt/compare/v1.2.0...v1.2.1)
- Changelog update [`ae11839`](https://togithub.com/gruntjs/grunt/commit/ae11839)
- Merge pull request [#1715](https://togithub.com/gruntjs/grunt/issues/1715) from sibiraj-s/remove-path-is-absolute [`9d23cb6`](https://togithub.com/gruntjs/grunt/commit/9d23cb6)
- Remove path-is-absolute dependency [`e789b1f`](https://togithub.com/gruntjs/grunt/commit/e789b1f)
### [`v1.2.0`](https://togithub.com/gruntjs/grunt/releases/v1.2.0)
[Compare Source](https://togithub.com/gruntjs/grunt/compare/v1.1.0...v1.2.0)
- Allow usage of grunt plugins that are located in any location that is visible to Node.js and NPM, instead of only node_modules directly inside the package that has a dev dependency on these plugins ([https://github.com/gruntjs/grunt/pull/1677](https://togithub.com/gruntjs/grunt/pull/1677))
- Removed coffeescript from dependencies. To ease transition, if coffeescript is still around, Grunt will attempt to load it. If it is not, and the user loads a CoffeeScript file, Grunt will print a useful error indicating that the coffeescript package should be installed as a dev dependency. This is considerably more user-friendly than dropping the require entirely, but doing so is feasible with the latest grunt-cli as users may simply use `grunt --require` ([https://github.com/gruntjs/grunt/pull/1675](https://togithub.com/gruntjs/grunt/pull/1675))
- Exposes Grunt Option keys for ease of use. ([https://github.com/gruntjs/grunt/pull/1570](https://togithub.com/gruntjs/grunt/pull/1570))
- Avoiding infinite loop on very long command names. ([https://github.com/gruntjs/grunt/pull/1697](https://togithub.com/gruntjs/grunt/pull/1697))
### [`v1.1.0`](https://togithub.com/gruntjs/grunt/releases/v1.1.0)
[Compare Source](https://togithub.com/gruntjs/grunt/compare/v1.0.4...v1.1.0)
- Update to mkdirp ~1.0.3
- Only support versions of Node >= 8
### [`v1.0.4`](https://togithub.com/gruntjs/grunt/compare/v1.0.3...v1.0.4)
[Compare Source](https://togithub.com/gruntjs/grunt/compare/v1.0.3...v1.0.4)
### [`v1.0.3`](https://togithub.com/gruntjs/grunt/compare/v1.0.2...v1.0.3)
[Compare Source](https://togithub.com/gruntjs/grunt/compare/v1.0.2...v1.0.3)
### [`v1.0.2`](https://togithub.com/gruntjs/grunt/compare/v1.0.1...v1.0.2)
[Compare Source](https://togithub.com/gruntjs/grunt/compare/v1.0.1...v1.0.2)
### [`v1.0.1`](https://togithub.com/gruntjs/grunt/compare/v1.0.0...v1.0.1)
[Compare Source](https://togithub.com/gruntjs/grunt/compare/v1.0.0...v1.0.1)
### [`v1.0.0`](https://togithub.com/gruntjs/grunt/compare/v0.4.5...v1.0.0)
[Compare Source](https://togithub.com/gruntjs/grunt/compare/v0.4.5...v1.0.0)
Configuration
📅 Schedule: "" in timezone America/Lima.
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.