github-actions[bot]
commented
1 week ago :mag: Vulnerabilities of ghcr.io/uniget-org/tools/n8n:1.47.3
:package: Image Reference ghcr.io/uniget-org/tools/n8n:1.47.3
| digest | sha256:3affce5c73f42a24dd4a4abb089cfb371cc518791517c5177719ee5c0b456c70 |
| vulnerabilities |     |
| platform | linux/amd64 |
| size | 138 MB |
| packages | 1343 |
pkg:npm/pdfjs-dist@2.16.105
Description### Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. ### Patches The patch removes the use of `eval`: https://github.com/mozilla/pdf.js/pull/18015 ### Workarounds Set the option `isEvalSupported` to `false`. ### References https://bugzilla.mozilla.org/show_bug.cgi?id=1893645 | ||||||||
pkg:npm/lodash.set@4.3.2 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
DescriptionVersions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep` allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances. | ||||||||
pkg:npm/%40azure/identity@3.4.2 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
DescriptionAzure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability. | ||||||||
pkg:npm/semver@5.3.0 Inefficient Regular Expression Complexity
DescriptionVersions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. |
pdfjs-dist 
This PR contains the following updates:
1.47.2->1.47.3Release Notes
n8n-io/n8n (n8n)
### [`v1.47.3`](https://togithub.com/n8n-io/n8n/releases/tag/n8n%401.47.3) [Compare Source](https://togithub.com/n8n-io/n8n/compare/n8n@1.47.2...n8n@1.47.3) ##### Bug Fixes - **core:** Fix AddActivatedAtUserSetting migration on MariaDB ([#9910](https://togithub.com/n8n-io/n8n/issues/9910)) ([e8510c2](https://togithub.com/n8n-io/n8n/commit/e8510c21edb7dbc54905abd40a72829c7183a274)) - **core:** Fix worker logs relay ([#9919](https://togithub.com/n8n-io/n8n/issues/9919)) ([7495136](https://togithub.com/n8n-io/n8n/commit/7495136ccf548d43e8bace44e6d8cf506840ff55)) - **core:** Throw on adding execution without execution data ([#9903](https://togithub.com/n8n-io/n8n/issues/9903)) ([ada1adb](https://togithub.com/n8n-io/n8n/commit/ada1adbaa18a6c62118a8922f05f71957c110641)) - **editor:** Fix frontend project roles ([#9901](https://togithub.com/n8n-io/n8n/issues/9901)) ([82703d6](https://togithub.com/n8n-io/n8n/commit/82703d6af8354617a576ac043908ae6e21ccde5f))Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.