Update dependency nunjucks to v3.2.4 [SECURITY] - autoclosed

renovate[bot] commented 4 months ago

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
nunjucks	`3.0.1` -> `3.2.4`

[!WARNING] Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-2142

Impact

In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character.

Example

If the user-controlled parameters were used in the views similar to the following:

<script>
let testObject = { lang: '', place: '' };
</script>

It is possible to inject XSS payload using the below parameters:

https://<application-url>/?lang=jp\&place=};alert(document.domain)//

Patches

The issue was patched in version 3.2.4.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1825980

Release Notes

mozilla/nunjucks (nunjucks)

### [`v3.2.4`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#324-Apr-13-2023) [Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.2.3...v3.2.4) - HTML encode backslashes when expressions are passed through the escape filter (including when this is done automatically with autoescape). Merge of [#1437](https://togithub.com/mozilla/nunjucks/pull/1437). ### [`v3.2.3`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#323-Feb-15-2021) [Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.2.2...v3.2.3) - Add support for nested attributes on [`sort` filter](https://mozilla.github.io/nunjucks/templating.html#sort-arr-reverse-casesens-attr); respect `throwOnUndefined` if sort attribute is undefined. - Add `base` arg to [`int` filter](https://mozilla.github.io/nunjucks/templating.html#int). - Move `chokidar` to `peerDependencies` and mark it `optional` in `peerDependenciesMeta`. - Fix prototype pollution issue for template variables. Merge of [#1330](https://togithub.com/mozilla/nunjucks/pull/1330); fixes [#1331](https://togithub.com/mozilla/nunjucks/issues/1331). Thanks [ChenKS12138](https://togithub.com/ChenKS12138)! ### [`v3.2.2`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#322-Jul-20-2020) [Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.2.1...v3.2.2) - Add [`select`](https://mozilla.github.io/nunjucks/templating.html#select) and [`reject`](https://mozilla.github.io/nunjucks/templating.html#reject) filters. Merge of [#1278](https://togithub.com/mozilla/nunjucks/pull/1278) and [#1279](https://togithub.com/mozilla/nunjucks/pull/1279); fixes [#282](https://togithub.com/mozilla/nunjucks/issues/282). Thanks [ogonkov](https://togithub.com/ogonkovv)! - Fix precompile binary script `TypeError: name.replace is not a function`. Fixes [#1295](https://togithub.com/mozilla/nunjucks/issues/1295). - Add support for nested attributes on [`groupby` filter](https://mozilla.github.io/nunjucks/templating.html#groupby); respect `throwOnUndefined` option, if the groupby attribute is undefined. Merge of [#1276](https://togithub.com/mozilla/nunjucks/pull/1276); fixes [#1198](https://togithub.com/mozilla/nunjucks/issues/1198). Thanks [ogonkov](https://togithub.com/ogonkovv)! - Fix bug that prevented errors in included templates from being raised when rendering templates synchronously. Fixes [#1272](https://togithub.com/mozilla/nunjucks/issues/1272). - The `indent` filter no longer appends an additional newline. Fixes [#1231](https://togithub.com/mozilla/nunjucks/issues/1231). ### [`v3.2.1`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#321-Mar-17-2020) [Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.2.0...v3.2.1) - Replace yargs with commander to reduce number of dependencies. Merge of [#1253](https://togithub.com/mozilla/nunjucks/pull/1253). Thanks [AlynxZhou](@AlynxZhou). - Update optional dependency chokidar from `^2.0.0` to `^3.3.0`. Merge of [#1254](https://togithub.com/mozilla/nunjucks/pull/1254). Thanks [eklingen](@eklingen). - Prevent optional dependency Chokidar from loading when not watching. Merge of [#1250](https://togithub.com/mozilla/nunjucks/pull/1250). Thanks [eklingen](@eklingen). ### [`v3.2.0`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#320-Mar-5-2019) [Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.1.7...v3.2.0) - Adds [`NodeResolveLoader`](http://mozilla.github.io/nunjucks/api.html#noderesolveloader), a Loader that loads templates using node's [`require.resolve`](https://nodejs.org/api/modules.html#modules_all_together). Fixes [#1175](https://togithub.com/mozilla/nunjucks/issues/1175). - Emit 'load' events on `Environment` instances, to allow runtime dependency tracking. Fixes [#1153](https://togithub.com/mozilla/nunjucks/issues/1153). ### [`v3.1.7`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#317-Jan-12-2019) [Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.1.6...v3.1.7) - Fix bug where exceptions were silently swallowed with synchronous render. Fixes [#678](https://togithub.com/mozilla/nunjucks/issues/678), [#1116](https://togithub.com/mozilla/nunjucks/issues/1116), [#1127](https://togithub.com/mozilla/nunjucks/issues/1127), and [#1164](https://togithub.com/mozilla/nunjucks/issues/1164) - Removes deprecated postinstall-build package in favor of [npm prepare](https://docs.npmjs.com/misc/scripts#prepublish-and-prepare). Merge of [#1172](https://togithub.com/mozilla/nunjucks/pull/1172). Fixes [#1167](https://togithub.com/mozilla/nunjucks/issues/1167). - Note: this means that npm@5 or later is required to install nunjucks directly from github. ### [`v3.1.6`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#316-Dec-13-2018) [Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.1.4...v3.1.6) No code changes; fixed npm packaging issue. ### [`v3.1.4`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#314-Nov-9-2018) [Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.1.3...v3.1.4) - Fix engine version for Node v11.1.0 - Fix "Unexpected token" error for U+2028 unicode newline. Fixes [#126](https://togithub.com/mozilla/nunjucks/issues/126) and [#736](https://togithub.com/mozilla/nunjucks/issues/736) ### [`v3.1.3`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#313-May-19-2018) [Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.1.2...v3.1.3) - Add `forceescape` filter. Fixes [#782](https://togithub.com/mozilla/nunjucks/issues/782) - Fix regression that prevented template errors from reporting line and column number. Fixes [#1087](https://togithub.com/mozilla/nunjucks/issues/1087) and [#1095](https://togithub.com/mozilla/nunjucks/issues/1095). - Fix "Invalid type: Is" error for `{% if value is defined %}`. Fixes [#1110](https://togithub.com/mozilla/nunjucks/issues/1110) - Formally drop support for node v4 (the upgrade to babel 7 in 3.1.0 made the build process incompatible with node < 6.9.0). ### [`v3.1.2`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#312-Feb-23-2018) [Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.1.0...v3.1.2) - Fix regression to make `chokidar` an optional dependency again. Fixes [#1073](https://togithub.com/mozilla/nunjucks/issues/1073) - Fix issue when running `npm install nunjucks` with the `--no-bin-links` flag - Fix regression that broke template caching. Fixes [#1074](https://togithub.com/mozilla/nunjucks/issues/1074) ### [`v3.1.0`](https://togithub.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#310-Feb-19-2018) [Compare Source](https://togithub.com/mozilla/nunjucks/compare/v3.0.1...v3.1.0) - Support nunjucks.installJinjaCompat() with slim build. Fixes [#1019](https://togithub.com/mozilla/nunjucks/issues/1019) - Fix calling render callback twice when a conditional import throws an error. Solves [#1029](https://togithub.com/mozilla/nunjucks/issues/1029) - Support objects created with Object.create(null). fixes [#468](https://togithub.com/mozilla/nunjucks/issues/468) - Support ESNext iterators, using Array.from. Merge of [#1058](https://togithub.com/mozilla/nunjucks/pull/1058)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

sonarcloud[bot] commented 4 months ago

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

github-actions[bot] commented 4 months ago

🦙 MegaLinter status: ❌ ERROR

Descriptor	Linter	Files	Fixed	Errors	Elapsed time
❌ ACTION	actionlint	4		9	0.09s
⚠️ BASH	bash-exec	16		7	0.05s
❌ BASH	shellcheck	16		64	0.47s
✅ BASH	shfmt	16	11	0	0.89s
❌ COPYPASTE	jscpd	yes		738	31.83s
❌ CSS	stylelint	10	5	1	4.44s
❌ DOCKERFILE	hadolint	1		1	0.17s
❌ HTML	djlint	23		5077	189.47s
❌ HTML	htmlhint	23		37	0.67s
❌ JAVASCRIPT	standard	61	61	1	21.62s
❌ JSON	jsonlint	55		1	0.25s
⚠️ JSON	prettier	55	43	1	6.67s
✅ JSON	v8r	55		0	80.66s
⚠️ MARKDOWN	markdownlint	273	237	721	10.63s
❌ MARKDOWN	markdown-link-check	273		131	165.36s
✅ MARKDOWN	markdown-table-formatter	273	239	0	2.0s
❌ REPOSITORY	checkov	yes		5	61.63s
❌ REPOSITORY	gitleaks	yes		2	61.11s
✅ REPOSITORY	git_diff	yes		no	1.35s
❌ REPOSITORY	grype	yes		1	10.7s
✅ REPOSITORY	secretlint	yes		no	35.19s
❌ REPOSITORY	trivy	yes		1	9.91s
✅ REPOSITORY	trivy-sbom	yes		no	1.15s
✅ REPOSITORY	trufflehog	yes		no	8.33s
❌ SPELL	cspell	2561		59501	985.16s
❌ SPELL	lychee	1077		154	89.3s
✅ YAML	prettier	705	695	0	23.51s
❌ YAML	v8r	705		1	616.13s
❌ YAML	yamllint	705		1	46.78s

See detailed report in MegaLinter reports

_MegaLinter is graciously provided by _

sarvex / ParlAI