qs before 6.10.3 allows attackers to cause a Node process hang because an __ proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
This PR contains the following updates:
6.10.1->6.10.3GitHub Vulnerability Alerts
CVE-2022-24999
qs before 6.10.3 allows attackers to cause a Node process hang because an
__ proto__key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such asa[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.Release Notes
ljharb/qs
### [`v6.10.3`](https://togithub.com/ljharb/qs/blob/HEAD/CHANGELOG.md#6103) [Compare Source](https://togithub.com/ljharb/qs/compare/v6.10.2...v6.10.3) - \[Fix] `parse`: ignore `__proto__` keys ([#428](https://togithub.com/ljharb/qs/issues/428)) - \[Robustness] `stringify`: avoid relying on a global `undefined` ([#427](https://togithub.com/ljharb/qs/issues/427)) - \[actions] reuse common workflows - \[Dev Deps] update `eslint`, `@ljharb/eslint-config`, `object-inspect`, `tape` ### [`v6.10.2`](https://togithub.com/ljharb/qs/blob/HEAD/CHANGELOG.md#6102) [Compare Source](https://togithub.com/ljharb/qs/compare/v6.10.1...v6.10.2) - \[Fix] `stringify`: actually fix cyclic references ([#426](https://togithub.com/ljharb/qs/issues/426)) - \[Fix] `stringify`: avoid encoding arrayformat comma when `encodeValuesOnly = true` ([#424](https://togithub.com/ljharb/qs/issues/424)) - \[readme] remove travis badge; add github actions/codecov badges; update URLs - \[Docs] add note and links for coercing primitive values ([#408](https://togithub.com/ljharb/qs/issues/408)) - \[actions] update codecov uploader - \[actions] update workflows - \[Tests] clean up stringify tests slightly - \[Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `object-inspect`, `safe-publish-latest`, `tape`Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.