Status: Closed (renovate[bot] closed this PR 6 months ago)

Code analysis summary: 0 new issues, 0 accepted issues, 0 security hotspots, no coverage data, 0.0% duplication on new code.
Descriptor | Linter | Files | Fixed | Errors | Elapsed time |
---|---|---|---|---|---|
❌ ACTION | actionlint | 4 | | 9 | 0.09s |
⚠️ BASH | bash-exec | 16 | | 7 | 0.06s |
❌ BASH | shellcheck | 16 | | 64 | 0.42s |
✅ BASH | shfmt | 16 | 11 | 0 | 0.65s |
❌ COPYPASTE | jscpd | yes | | 738 | 32.54s |
❌ CSS | stylelint | 10 | 5 | 1 | 4.04s |
❌ DOCKERFILE | hadolint | 1 | | 1 | 0.13s |
❌ HTML | djlint | 23 | | 5077 | 196.04s |
❌ HTML | htmlhint | 23 | | 37 | 0.68s |
❌ JAVASCRIPT | standard | 61 | 61 | 1 | 22.56s |
❌ JSON | eslint-plugin-jsonc | 55 | 0 | 1 | 6.32s |
❌ JSON | jsonlint | 55 | | 1 | 0.26s |
⚠️ JSON | prettier | 55 | 43 | 1 | 6.31s |
✅ JSON | v8r | 55 | | 0 | 82.36s |
⚠️ MARKDOWN | markdownlint | 273 | 237 | 721 | 11.25s |
❌ MARKDOWN | markdown-link-check | 273 | | 98 | 84.08s |
✅ MARKDOWN | markdown-table-formatter | 273 | 239 | 0 | 1.96s |
❌ REPOSITORY | checkov | yes | | 6 | 68.04s |
❌ REPOSITORY | gitleaks | yes | | 2 | 63.56s |
✅ REPOSITORY | git_diff | yes | | no | 1.37s |
❌ REPOSITORY | grype | yes | | 1 | 49.17s |
✅ REPOSITORY | secretlint | yes | | no | 36.21s |
❌ REPOSITORY | trivy | yes | | 1 | 15.13s |
✅ REPOSITORY | trivy-sbom | yes | | no | 1.77s |
✅ REPOSITORY | trufflehog | yes | | no | 13.43s |
❌ SPELL | cspell | 2561 | | 59501 | 1289.03s |
❌ SPELL | lychee | 1077 | | 146 | 90.25s |
✅ YAML | prettier | 705 | 695 | 0 | 23.81s |
❌ YAML | v8r | 705 | | 1 | 617.87s |
❌ YAML | yamllint | 705 | | 1 | 48.34s |
See detailed report in MegaLinter reports
This PR contains the following updates:

Package | Change |
---|---|
nunjucks | `3.0.1` -> `3.2.4` |
GitHub Vulnerability Alerts

CVE-2023-2142

Impact

In Nunjucks versions prior to 3.2.4, it was possible to bypass the restrictions provided by the autoescape functionality. If two user-controlled parameters are used on the same line in a view, a cross-site scripting payload can be injected using the backslash (`\`) character.

Example

If the user-controlled parameters were used in the views similar to the following:

It is possible to inject an XSS payload using the below parameters:
Patches
The issue was patched in version 3.2.4.
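As an added worked model of the bypass the advisory describes (example code written for this page, not nunjucks' own code and not the advisory's snippet): the two escape maps mirror the relevant part of the nunjucks `escape` filter before and after the 3.2.4 "HTML encode backslashes" change, while the template renderer, the JS tokenizer stand-in, the `TEMPLATE` string and the `ATTACK` values are all constructed for the demonstration and are assumptions, not taken from the page.

```javascript
'use strict';

// Escape map of the `escape` filter before 3.2.4 (as modelled here): the
// backslash is absent, so it passes through untouched.
const ESCAPE_PRE_324 = {
  '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;',
};
// 3.2.4 adds a backslash entry (the "HTML encode backslashes" change, #1437).
const ESCAPE_324 = { ...ESCAPE_PRE_324, '\\': '&#92;' };

function escapePre324(value) {
  return String(value).replace(/[&"'<>]/g, (ch) => ESCAPE_PRE_324[ch]);
}

function escape324(value) {
  return String(value).replace(/[&"'<>\\]/g, (ch) => ESCAPE_324[ch]);
}

// Stand-in for an autoescaping template engine (not nunjucks itself): every
// `{{ name }}` is replaced by the escaped context value.
function render(template, ctx, escapeFn) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) =>
    escapeFn(ctx[name] === undefined ? '' : ctx[name]));
}

// Skip a single-quoted JS string literal starting at its opening quote,
// honouring backslash escapes the way a JS tokenizer does. Returns the
// index just past the closing quote.
function skipSingleQuotedLiteral(src, start) {
  let i = start + 1;
  while (i < src.length) {
    if (src[i] === '\\') { i += 2; continue; }   // escaped char, including \'
    if (src[i] === "'") return i + 1;
    i += 1;
  }
  throw new Error('unterminated string literal');
}

// Return only the text a JS parser would treat as executable code: string
// literal contents and `//` line comments are dropped.
function executableCode(scriptBody) {
  let out = '';
  let i = 0;
  while (i < scriptBody.length) {
    if (scriptBody[i] === "'") {
      i = skipSingleQuotedLiteral(scriptBody, i);
    } else if (scriptBody.startsWith('//', i)) {
      const nl = scriptBody.indexOf('\n', i);
      i = nl === -1 ? scriptBody.length : nl;
    } else {
      out += scriptBody[i];
      i += 1;
    }
  }
  return out;
}

// Constructed template: two user-controlled values on the same line, each
// inside a JS string literal. This is the pattern the advisory warns about.
const TEMPLATE = "<script>var a = '{{ a }}'; var b = '{{ b }}';</script>";

// Constructed attacker input: the backslash in `a` turns `a`'s closing quote
// into an escaped character, so the literal runs on until the quote that
// opens `b`, and `b`'s value is then parsed as code.
const ATTACK = { a: '\\', b: ';alert(1)//' };

// Render the template with the given escaper and report whether attacker
// text ended up outside every string literal, i.e. in executable position.
function bypassSucceeds(escapeFn) {
  const html = render(TEMPLATE, ATTACK, escapeFn);
  const body = html.slice('<script>'.length, html.indexOf('</script>'));
  return executableCode(body).includes('alert(1)');
}

console.log('pre-3.2.4:', render(TEMPLATE, ATTACK, escapePre324),
  '-> bypass:', bypassSucceeds(escapePre324));
console.log('3.2.4    :', render(TEMPLATE, ATTACK, escape324),
  '-> bypass:', bypassSucceeds(escape324));
```

With the old map the rendered script reads `var a = '\'; var b = ';alert(1)//';`, so the first literal swallows `'; var b = '` and `;alert(1)` runs. With the 3.2.4 map the value becomes `&#92;`, which a browser leaves undecoded inside `<script>`, so the literal closes where the template author intended (the string value is then the five characters `&#92;`, which is the documented side effect of the fix). Upgrading closes this bypass, but interpolating user data into JS string literals remains fragile; placing it in a data attribute or serializing it with the `dump` filter into a JSON context is the safer pattern.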
References
Release Notes
mozilla/nunjucks (nunjucks)

### [`v3.2.4`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#324-Apr-13-2023)

[Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.2.3...v3.2.4)

- HTML encode backslashes when expressions are passed through the escape filter (including when this is done automatically with autoescape). Merge of [#1437](https://togithub.com/mozilla/nunjucks/pull/1437).

### [`v3.2.3`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#323-Feb-15-2021)

[Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.2.2...v3.2.3)

- Add support for nested attributes on [`sort` filter](https://mozilla.github.io/nunjucks/templating.html#sort-arr-reverse-casesens-attr); respect `throwOnUndefined` if sort attribute is undefined.
- Add `base` arg to [`int` filter](https://mozilla.github.io/nunjucks/templating.html#int).
- Move `chokidar` to `peerDependencies` and mark it `optional` in `peerDependenciesMeta`.
- Fix prototype pollution issue for template variables. Merge of [#1330](https://togithub.com/mozilla/nunjucks/pull/1330); fixes [#1331](https://togithub.com/mozilla/nunjucks/issues/1331). Thanks [ChenKS12138](https://togithub.com/ChenKS12138)!

### [`v3.2.2`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#322-Jul-20-2020)

[Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.2.1...v3.2.2)

- Add [`select`](https://mozilla.github.io/nunjucks/templating.html#select) and [`reject`](https://mozilla.github.io/nunjucks/templating.html#reject) filters. Merge of [#1278](https://togithub.com/mozilla/nunjucks/pull/1278) and [#1279](https://togithub.com/mozilla/nunjucks/pull/1279); fixes [#282](https://togithub.com/mozilla/nunjucks/issues/282). Thanks [ogonkov](https://togithub.com/ogonkovv)!
- Fix precompile binary script `TypeError: name.replace is not a function`. Fixes [#1295](https://togithub.com/mozilla/nunjucks/issues/1295).
- Add support for nested attributes on [`groupby` filter](https://mozilla.github.io/nunjucks/templating.html#groupby); respect `throwOnUndefined` option, if the groupby attribute is undefined. Merge of [#1276](https://togithub.com/mozilla/nunjucks/pull/1276); fixes [#1198](https://togithub.com/mozilla/nunjucks/issues/1198). Thanks [ogonkov](https://togithub.com/ogonkovv)!
- Fix bug that prevented errors in included templates from being raised when rendering templates synchronously. Fixes [#1272](https://togithub.com/mozilla/nunjucks/issues/1272).
- The `indent` filter no longer appends an additional newline. Fixes [#1231](https://togithub.com/mozilla/nunjucks/issues/1231).

### [`v3.2.1`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#321-Mar-17-2020)

[Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.2.0...v3.2.1)

- Replace yargs with commander to reduce number of dependencies. Merge of [#1253](https://togithub.com/mozilla/nunjucks/pull/1253). Thanks [AlynxZhou](@AlynxZhou).
- Update optional dependency chokidar from `^2.0.0` to `^3.3.0`. Merge of [#1254](https://togithub.com/mozilla/nunjucks/pull/1254). Thanks [eklingen](@eklingen).
- Prevent optional dependency Chokidar from loading when not watching. Merge of [#1250](https://togithub.com/mozilla/nunjucks/pull/1250). Thanks [eklingen](@eklingen).

### [`v3.2.0`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#320-Mar-5-2019)

[Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.1.7...v3.2.0)

- Adds [`NodeResolveLoader`](http://mozilla.github.io/nunjucks/api.html#noderesolveloader), a Loader that loads templates using node's [`require.resolve`](https://nodejs.org/api/modules.html#modules_all_together). Fixes [#1175](https://togithub.com/mozilla/nunjucks/issues/1175).
- Emit 'load' events on `Environment` instances, to allow runtime dependency tracking. Fixes [#1153](https://togithub.com/mozilla/nunjucks/issues/1153).

### [`v3.1.7`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#317-Jan-12-2019)

[Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.1.6...v3.1.7)

- Fix bug where exceptions were silently swallowed with synchronous render. Fixes [#678](https://togithub.com/mozilla/nunjucks/issues/678), [#1116](https://togithub.com/mozilla/nunjucks/issues/1116), [#1127](https://togithub.com/mozilla/nunjucks/issues/1127), and [#1164](https://togithub.com/mozilla/nunjucks/issues/1164).
- Removes deprecated postinstall-build package in favor of [npm prepare](https://docs.npmjs.com/misc/scripts#prepublish-and-prepare). Merge of [#1172](https://togithub.com/mozilla/nunjucks/pull/1172). Fixes [#1167](https://togithub.com/mozilla/nunjucks/issues/1167).
  - Note: this means that npm@5 or later is required to install nunjucks directly from github.

### [`v3.1.6`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#316-Dec-13-2018)

[Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.1.4...v3.1.6)

No code changes; fixed npm packaging issue.

### [`v3.1.4`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#314-Nov-9-2018)

[Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.1.3...v3.1.4)

- Fix engine version for Node v11.1.0.
- Fix "Unexpected token" error for U+2028 unicode newline. Fixes [#126](https://togithub.com/mozilla/nunjucks/issues/126) and [#736](https://togithub.com/mozilla/nunjucks/issues/736).

### [`v3.1.3`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#313-May-19-2018)

[Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.1.2...v3.1.3)

- Add `forceescape` filter. Fixes [#782](https://togithub.com/mozilla/nunjucks/issues/782).
- Fix regression that prevented template errors from reporting line and column number. Fixes [#1087](https://togithub.com/mozilla/nunjucks/issues/1087) and [#1095](https://togithub.com/mozilla/nunjucks/issues/1095).
- Fix "Invalid type: Is" error for `{% if value is defined %}`. Fixes [#1110](https://togithub.com/mozilla/nunjucks/issues/1110).
- Formally drop support for node v4 (the upgrade to babel 7 in 3.1.0 made the build process incompatible with node < 6.9.0).

### [`v3.1.2`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#312-Feb-23-2018)

[Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.1.0...v3.1.2)

- Fix regression to make `chokidar` an optional dependency again. Fixes [#1073](https://togithub.com/mozilla/nunjucks/issues/1073).
- Fix issue when running `npm install nunjucks` with the `--no-bin-links` flag.
- Fix regression that broke template caching. Fixes [#1074](https://togithub.com/mozilla/nunjucks/issues/1074).

### [`v3.1.0`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#310-Feb-19-2018)

[Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.0.1...v3.1.0)

- Support nunjucks.installJinjaCompat() with slim build. Fixes [#1019](https://togithub.com/mozilla/nunjucks/issues/1019).
- Fix calling render callback twice when a conditional import throws an error. Solves [#1029](https://togithub.com/mozilla/nunjucks/issues/1029).
- Support objects created with Object.create(null). Fixes [#468](https://togithub.com/mozilla/nunjucks/issues/468).
- Support ESNext iterators, using Array.from. Merge of [#1058](https://togithub.com/mozilla/nunjucks/pull/1058).

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.