quirrel-dev / quirrel

The Task Queueing Solution for Serverless.
https://quirrel.dev
MIT License

fix(deps): update dependency immer to v9.0.6 [security] - autoclosed #1170

Closed renovate[bot] closed 1 month ago

renovate[bot] commented 4 months ago

Mend Renovate

This PR contains the following updates:

Package   Change
immer     9.0.5 -> 9.0.6

GitHub Vulnerability Alerts

CVE-2021-3757

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').

CVE-2021-23436

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different types.


Release Notes

immerjs/immer (immer)

[`v9.0.6`](https://togithub.com/immerjs/immer/releases/tag/v9.0.6) [Compare Source](https://togithub.com/immerjs/immer/compare/v9.0.5...v9.0.6)

Bug Fixes

- **security:** Follow up on CVE-2020-28477 where `path: [["__proto__"], "x"]` could still pollute the prototype ([fa671e5](https://togithub.com/immerjs/immer/commit/fa671e55ee9bd42ae08cc239102b665a23958237))

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
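As an added illustration of the bypass described in the advisory above (example code written for this page, not immer's code and not part of this PR): a minimal patch applier that reproduces the strict-equality guard quoted in CVE-2021-23436, placed next to a hardened variant. The `applyPatchVulnerable`, `applyPatchHardened` and `demo` names and the patch objects are constructed for the demonstration; the hardened version is one possible fix, not the upstream commit.

```javascript
// Added example (not immer's code): the guard shape from the advisory and a
// hardened alternative. All inputs are constructed for this demonstration.

// Vulnerable shape: compares the raw key with `===`. The array ['__proto__']
// is not === "__proto__", so the guard passes, yet `base[p]` converts the
// array to the string "__proto__" (ToPropertyKey) and walks into
// Object.prototype, so the final assignment pollutes every object.
function applyPatchVulnerable(root, patch) {
  const { path, value } = patch;
  let base = root;
  for (let i = 0; i < path.length - 1; i++) {
    const p = path[i];
    if (p === "__proto__" || p === "constructor") {
      throw new Error("Patching reserved attributes like __proto__ and constructor is not allowed");
    }
    base = base[p]; // ['__proto__'] -> base["__proto__"] -> Object.prototype
  }
  base[path[path.length - 1]] = value;
  return root;
}

// Hardened shape (written here, not the upstream fix): normalize every key
// the same way property access will, compare the normalized value, and only
// descend through own properties so inherited accessors are never traversed.
const RESERVED = new Set(["__proto__", "constructor", "prototype"]);

function applyPatchHardened(root, patch) {
  const { path, value } = patch;
  if (!Array.isArray(path) || path.length === 0) {
    throw new Error("patch path must be a non-empty array");
  }
  // String(["__proto__"]) === "__proto__", exactly what base[p] would use.
  const keys = path.map((k) => (typeof k === "number" ? k : String(k)));
  for (const k of keys) {
    if (RESERVED.has(k)) throw new Error(`refusing to patch reserved key "${k}"`);
  }
  let base = root;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(base, keys[i])) {
      throw new Error(`path segment "${keys[i]}" is not an own property`);
    }
    base = base[keys[i]];
    if (typeof base !== "object" || base === null) {
      throw new Error("patch path does not resolve to an object");
    }
  }
  base[keys[keys.length - 1]] = value;
  return root;
}

// Run the array-key bypass against both appliers and report what happened.
function demo() {
  // Constructed malicious patch: the first path element is an array.
  const poisoned = { op: "replace", path: [["__proto__"], "polluted"], value: "yes" };
  let vulnerableLeak;
  try {
    applyPatchVulnerable({}, poisoned);
    vulnerableLeak = ({}).polluted; // "yes": a fresh object now inherits it
  } finally {
    delete Object.prototype.polluted; // undo the pollution for the rest of the process
  }
  let hardenedRejected = false;
  try {
    applyPatchHardened({}, poisoned);
  } catch (e) {
    hardenedRejected = true;
  }
  return { vulnerableLeak, hardenedRejected, cleanAfter: ({}).polluted === undefined };
}
```

The hardened variant is stricter than immer in one respect: it refuses the key `prototype` everywhere rather than only when the parent is a function, which is simpler to reason about but will reject legitimate data that happens to use that property name. The own-property check on intermediate segments is a second line of defence: even if a new reserved name were missed, `__proto__` and `constructor` are inherited, not own, on a plain object, so traversal stops before reaching them.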

netlify[bot] commented 4 months ago

Deploy Preview for quirrel-docs canceled.

Name Link
Latest commit a6730766667d673dc7b90bc04506587086919816
Latest deploy log https://app.netlify.com/sites/quirrel-docs/deploys/662b2ff9ebc161000841bd23
netlify[bot] commented 4 months ago

Deploy Preview for quirrel-development-ui ready!

Name Link
Latest commit a6730766667d673dc7b90bc04506587086919816
Latest deploy log https://app.netlify.com/sites/quirrel-development-ui/deploys/662b2ff9faad3a000806664a
Deploy Preview https://deploy-preview-1170--quirrel-development-ui.netlify.app