In AngularJS before 1.7.9 the function merge() could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
Release Notes
angular/angular.js
### [`v1.7.9`](https://togithub.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19)
[Compare Source](https://togithub.com/angular/angular.js/compare/v1.7.8...v1.7.9)
#### Bug Fixes
- **angular.merge:** do not merge **proto** property
([726f49](https://togithub.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a))
(Thanks to the [Snyk Security Research Team](https://snyk.io/blog/snyk-research-team-discovers-severe-prototype-pollution-security-vulnerabilities-affecting-all-versions-of-lodash/) for identifyng this issue.)
- **ngStyle:** correctly remove old style when new style value is invalid
([5edd25](https://togithub.com/angular/angular.js/commit/5edd25364f617083363dc2bd61f9230b38267578),
[#16860](https://togithub.com/angular/angular.js/issues/16860),
[#16868](https://togithub.com/angular/angular.js/issues/16868))
Renovate configuration
:date: Schedule: "" (UTC).
:vertical_traffic_light: Automerge: Enabled.
:recycle: Rebasing: Whenever PR is stale, or if you modify the PR title to begin with "rebase!".
:no_bell: Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
Newsflash: Renovate has joined WhiteSource, and is now free for all use. Learn more or view updated terms and privacy policies.
This PR contains the following updates:
1.7.8->1.7.9GitHub Vulnerability Alerts
CVE-2019-10768
In AngularJS before 1.7.9 the function
merge()could be tricked into adding or modifying properties ofObject.prototypeusing a__proto__payload.Release Notes
angular/angular.js
### [`v1.7.9`](https://togithub.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19) [Compare Source](https://togithub.com/angular/angular.js/compare/v1.7.8...v1.7.9) #### Bug Fixes - **angular.merge:** do not merge **proto** property ([726f49](https://togithub.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a))(Thanks to the [Snyk Security Research Team](https://snyk.io/blog/snyk-research-team-discovers-severe-prototype-pollution-security-vulnerabilities-affecting-all-versions-of-lodash/) for identifyng this issue.) - **ngStyle:** correctly remove old style when new style value is invalid ([5edd25](https://togithub.com/angular/angular.js/commit/5edd25364f617083363dc2bd61f9230b38267578), [#16860](https://togithub.com/angular/angular.js/issues/16860), [#16868](https://togithub.com/angular/angular.js/issues/16868))
Renovate configuration
:date: Schedule: "" (UTC).
:vertical_traffic_light: Automerge: Enabled.
:recycle: Rebasing: Whenever PR is stale, or if you modify the PR title to begin with "
rebase!".:no_bell: Ignore: Close this PR and you won't be reminded about this update again.
Newsflash: Renovate has joined WhiteSource, and is now free for all use. Learn more or view updated terms and privacy policies.