search

serverless / serverless-plugin-typescript

Serverless plugin for zero-config Typescript support
MIT License
784 stars 225 forks source link

fix(deps): update dependency lodash to v4.17.13 [security] #160

Closed renovate[bot] closed 3 years ago

renovate[bot] commented 5 years ago

This PR contains the following updates:

Package Type Update Change
lodash (source) dependencies patch 4.17.11 -> 4.17.13
lodash (source) dependencies patch 4.17.4 -> 4.17.13

GitHub Vulnerability Alerts

CVE-2019-10744

Affected versions of lodash are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

CVE-2018-3721

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

CVE-2018-16487

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

CVE-2019-1010266

lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.

Release Notes

lodash/lodash ### [`v4.17.13`](https://togithub.com/lodash/lodash/compare/4.17.12...4.17.13) [Compare Source](https://togithub.com/lodash/lodash/compare/4.17.12...4.17.13) ### [`v4.17.12`](https://togithub.com/lodash/lodash/compare/4.17.11...4.17.12) [Compare Source](https://togithub.com/lodash/lodash/compare/4.17.11...4.17.12)

Renovate configuration

:date: Schedule: "" (UTC).

:vertical_traffic_light: Automerge: Disabled by config. Please merge this manually once you are satisfied.

:recycle: Rebasing: Whenever PR becomes conflicted, or if you modify the PR title to begin with "rebase!".

:no_bell: Ignore: Close this PR and you won't be reminded about these updates again.

This PR has been generated by Renovate Bot. View repository job log here.

medikoo commented 3 years ago

Closing, as PR is outdated and we handle upgrades with different flow