search

openMF / digital-bank-ui

Digital Bank user interface for staff on top of Fineract CN
Mozilla Public License 2.0
18 stars 28 forks source link

chore(deps): update dependency lodash [security] - autoclosed #101

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

Package Change
lodash 4.17.15 -> 4.17.21
lodash 4.17.11 -> 4.17.12
lodash 3.10.1 -> 4.17.5

GitHub Vulnerability Alerts

CVE-2021-23337

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

CVE-2020-8203

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

CVE-2019-10744

Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.12 or later.

CVE-2018-3721

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.5 or later.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

This PR has been generated by Mend Renovate. View repository job log here.

renovate[bot] commented 1 year ago

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

The artifact failure details are included below:

File name: package-lock.json
npm notice 
npm notice New major version of npm available! 8.19.4 -> 9.6.6
npm notice Changelog: <https://github.com/npm/cli/releases/tag/v9.6.6>
npm notice Run `npm install -g npm@9.6.6` to update!
npm notice 
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: @ngrx/core@1.2.0
npm ERR! Found: rxjs@6.5.4
npm ERR! node_modules/rxjs
npm ERR!   rxjs@"6.5.4" from the root project
npm ERR!   rxjs@"6.5.4" from @angular-devkit/schematics@9.1.7
npm ERR!   node_modules/@angular-devkit/schematics
npm ERR!     @angular-devkit/schematics@"9.1.7" from @angular/cli@9.1.7
npm ERR!     node_modules/@angular/cli
npm ERR!       dev @angular/cli@"^9.0.4" from the root project
npm ERR!     @angular-devkit/schematics@"9.1.7" from @schematics/angular@9.1.7
npm ERR!     node_modules/@schematics/angular
npm ERR!       @schematics/angular@"9.1.7" from @angular/cli@9.1.7
npm ERR!       node_modules/@angular/cli
npm ERR!         dev @angular/cli@"^9.0.4" from the root project
npm ERR!     1 more (@schematics/update)
npm ERR!   20 more (@angular-devkit/core, @angular-devkit/architect, ...)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer rxjs@"^5.0.0-beta.12" from @ngrx/core@1.2.0
npm ERR! node_modules/@ngrx/core
npm ERR!   @ngrx/core@"^1.2.0" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: rxjs@5.5.12
npm ERR! node_modules/rxjs
npm ERR!   peer rxjs@"^5.0.0-beta.12" from @ngrx/core@1.2.0
npm ERR!   node_modules/@ngrx/core
npm ERR!     @ngrx/core@"^1.2.0" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /tmp/renovate-cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate-cache/others/npm/_logs/2023-05-08T16_07_18_145Z-debug-0.log