renovate[bot]
commented
2 years ago β Artifact update problem
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
β» Renovate will retry this branch, including artifacts, only when one of the following happens:
- any of the package files in this branch needs updating, or
- the branch becomes conflicted, or
- you click the rebase/retry checkbox if found above, or
- you rename this PR's title to start with "rebase!" to trigger it manually
The artifact failure details are included below:
File name: package-lock.json
real 0m9.013s
user 0m7.671s
sys 0m1.154s
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! While resolving: @multei/web@0.1.0
npm ERR! Found: react@17.0.1
npm ERR! node_modules/react
npm ERR! react@"17.0.1" from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer react@"^16.4.2" from gatsby@2.24.85
npm ERR! node_modules/gatsby
npm ERR! gatsby@"2.24.85" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR!
npm ERR! See /tmp/renovate-cache/others/npm/eresolve-report.txt for a full report.
npm ERR! A complete log of this run can be found in:
npm ERR! /tmp/renovate-cache/others/npm/_logs/2022-06-18T23_41_28_157Z-debug-0.log
netlify[bot]
This PR contains the following updates:
0.25.4->0.30.5GitHub Vulnerability Alerts
CVE-2022-29256
There's a possible vulnerability in logic that is run only at
npm installtime when installing versions ofsharpprior to the latest v0.30.5.This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. However, out of an abundance of caution, I've created this advisory.
If an attacker has the ability to set the value of the
PKG_CONFIG_PATHenvironment variable in a build environment then they might be able to use this to inject an arbitrary command atnpm installtime.I've used the Common Vulnerability Scoring System (CVSS) calculator to determine the maximum possible impact, which suggests a "medium" score of 5.9, but for most people the real impact will be dealing with the noise from automated security tooling that this advisory will bring.
AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:R/MS:X/MC:X/MI:X/MA:XThis problem was fixed in commit a6aeef6 and published as part of
sharpv0.30.5.Thank you very much to @dwisiswant0 for the responsible disclosure.
Remember: if an attacker has control over environment variables in your build environment then you have a bigger problem to deal with than this issue.
Configuration
π Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.