matthewhudson / pxon

šŸ‘¾ A JavaScript module for importing, creating, manipulating, and exporting PXON schema.
https://matthewhudson.github.io/pxon/
26 stars 1 forks source link

chore(deps): update dependency log4js to 6.4.0 [security] - autoclosed #85

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 2 years ago

Mend Renovate

This PR contains the following updates:

Package Change
log4js 2.11.0 -> 6.4.0

GitHub Vulnerability Alerts

CVE-2022-21704

Impact

Default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.

Patches

Fixed by:

Released to NPM in log4js@6.4.0

Workarounds

Every version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.

References

Thanks to ranjit-git for raising the issue, and to @​lamweili for fixing the problem.

For more information

If you have any questions or comments about this advisory:


Configuration

šŸ“… Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

šŸš¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.

ā™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

šŸ”• Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.