secure-code-warrior-for-github[bot]
commented
5 months ago Micro-Learning Topic: Information disclosure (Detected by phrase)
Matched on "Information Exposure"
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Try a challenge in Secure Code Warrior
Micro-Learning Topic: Prototype pollution (Detected by phrase)
Matched on "Prototype Pollution"
By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).
vercel[bot]
sonarcloud[bot]
No data about Coverage
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ @nestjs/common (8.2.3 → 10.3.5) · Repo · Changelog
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
✳️ @nestjs/core (8.2.3 → 10.3.5) · Repo · Changelog
Security Advisories 🚨
🚨 @nestjs/core vulnerable to Information Exposure via StreamableFile pipe
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
✳️ @nestjs/platform-express (8.2.3 → 10.3.5) · Repo · Changelog
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ accepts (indirect, 1.3.7 → 1.3.8) · Repo · Changelog
Release Notes
1.3.8
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 28 commits:
1.3.8build: mocha@9.2.0build: support Node.js 17.xbuild: Node.js@14.19build: eslint-plugin-markdown@2.2.1build: mocha@8.4.0deps: negotiator@0.6.3deps: mime-types@~2.1.34build: support Node.js 16.xbuild: support Node.js 15.xtests: fix deep equal checksbuild: eslint@7.32.0lint: apply standard 14 stylebuild: eslint-plugin-standard@4.1.0build: eslint-plugin-import@2.25.4build: mocha@7.2.0build: nyc@15.1.0build: eslint-plugin-markdown@1.0.2lint: apply standard 13 stylebuild: nyc@14.1.1build: mocha@6.2.3build: support Node.js 14.xbuild: support Node.js 13.xbuild: Node.js@12.22build: Node.js@11.15build: Node.js@10.24build: Node.js@8.17build: use GitHub Actions instead of Travis CI↗️ busboy (indirect, 0.2.14 → 1.6.0) · Repo
Commits
See the full diff on Github. The new version differs by 31 commits:
package: bump version to v1.6.0multipart: ignore remaining data instead of forcefully endingpackage: bump version to v1.5.0multipart: handle empty data from streamsearchreadme: fix deprecated os.tmpDir in examplelib: add support for default param charset for non-extended paramspackage: bump version to v1.4.0lib: make the module easier to bundle againreadme: fix README `mimeType` parameter inconsistencypackage: bump version to v1.3.0multipart: fully reset state on successful header parsepackage: bump version to v1.2.0multipart: only skip parts with bad headerspackage: bump version to v1.1.0test: fix lint issuemultipart: fix file stream stalling with lookbehind datareadme: fix markdown renderingreadme: fix examplereadme: add link to v1.0.0 changespackage: bump version to v1.0.0lib,test: rewrite implementationci: add node v12lib: don't decode params with encodings twicebump versionreadme: fix node version to match package.jsonlib: simplify basename()bump versionci: update node brancheslib,test: remove readable-stream, use new Buffer APImultipart: fix hang when upstream stops readingreadme: remove pledgie link↗️ content-type (indirect, 1.0.4 → 1.0.5) · Repo · Changelog
Release Notes
1.0.5
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 74 commits:
1.0.5build: Node.js@10.24build: add version script for npm version releasesbuild: mocha@10.2.0build: eslint@8.32.0lint: apply standard 15 styleperf: skip value escaping when unnecessarytests: fix deep-equal assertionslint: remove deprecated String.prototype.substrbuild: support Node.js 19.xbuild: mocha@9.2.2build: eslint-plugin-promise@5.2.0build: eslint@7.32.0lint: apply standard 14 stylebuild: nyc@15.1.0build: Node.js@8.17build: Node.js@10.23build: mocha@8.4.0build: support Node.js 18.xbuild: support Node.js 17.xlint: apply standard 13 stylebuild: eslint-plugin-standard@4.1.0build: eslint-plugin-promise@4.2.1build: eslint-plugin-import@2.27.5build: support Node.js 16.xbuild: support Node.js 15.xbuild: mocha@7.2.0build: eslint@6.8.0build: nyc@14.1.1build: support Node.js 14.xbuild: support Node.js 13.xbuild: support Node.js 12.xbuild: eslint-plugin-import@2.26.0build: support Node.js 11.xbuild: eslint@5.16.0build: mocha@6.2.3build: use GitHub Actions instead of Travis CIbuild: use nyc for coverage testingbuild: speed up logic in Travis CI build stepsbuild: eslint-plugin-node@8.0.1build: eslint-plugin-import@2.16.0build: Node.js@10.15build: Node.js@8.15build: Node.js@6.16build: eslint-plugin-import@2.15.0build: eslint@5.12.1build: mocha@5.2.0build: restructure Travis CI build stepsbuild: migrate to Travis CI trusty imagebuild: Node.js@10.13build: Node.js@8.12lint: apply standard 12 styletests: use strict equalitytests: replace deprecated assert.deepEqual with deep-equaldocs: switch badges to badgenbuild: support Node.js 10.xbuild: Node.js@9.11build: eslint-plugin-standard@3.1.0build: eslint-plugin-import@2.14.0build: Node.js@8.11build: Node.js@6.14build: Node.js@4.9build: eslint-plugin-promise@3.8.0build: eslint-plugin-import@2.13.0build: eslint@4.19.1build: use yaml eslint configurationbuild: Node.js@9.9build: Node.js@8.10build: Node.js@6.13doc: fix some formattinglint: apply standard 10 stylebuild: support Node.js 9.xbuild: Node.js@8.9build: Node.js@6.12↗️ mime-db (indirect, 1.50.0 → 1.52.0) · Repo · Changelog
Release Notes
1.52.0
1.51.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 31 commits:
1.52.0build: raw-body@2.5.0build: mocha@9.2.1Add new upstream MIME typesAdd extensions from IANA for more image/* typesdocs: update licenseAdd extension .asc to application/pgp-keystests: improve mime type validation in testsAdd extensions to various XML typesbuild: Node.js@17.4docs: clarify descriptionbuild: mocha@9.2.0Add new upstream MIME typesbuild: Node.js@17.3Add new upstream MIME typesbuild: raw-body@2.4.2build: eslint-plugin-import@2.25.4Add new upstream MIME types1.51.0Mark image/vnd.ms-dds as compressiblebuild: eslint-plugin-import@2.25.2build: support Node.js 17.xbuild: Node.js@16.13build: eslint-plugin-promise@5.1.1build: mocha@9.1.3Mark image/vnd.microsoft.icon as compressibleAdd new upstream MIME typesbuild: update CI for npm TLS upgradebuild: Node.js@14.18build: Node.js@16.10Add new upstream MIME types↗️ mime-types (indirect, 2.1.33 → 2.1.35) · Repo · Changelog
Release Notes
2.1.35
2.1.34
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 25 commits:
2.1.35docs: update link to CIbuild: fix run names in Github Actionsbuild: Node.js@17.7build: mocha@9.2.2deps: mime-db@1.52.0build: Node.js@17.5build: Node.js@16.14build: mocha@9.2.0build: Node.js@17.4build: Node.js@14.19build: eslint-plugin-import@2.25.4build: mocha@9.1.4build: Node.js@17.3build: eslint-plugin-import@2.25.3build: eslint-plugin-promise@5.2.02.1.34build: eslint-plugin-import@2.25.2deps: mime-db@1.51.0docs: remove non-relevant entries from historybuild: support Node.js 17.xbuild: Node.js@16.13build: eslint-plugin-promise@5.1.1build: mocha@9.1.3build: update CI for npm TLS upgrade↗️ minimist (indirect, 1.2.5 → 1.2.8) · Repo · Changelog
Security Advisories 🚨
🚨 Prototype Pollution in minimist
Release Notes
1.2.8 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 52 commits:
v1.2.8Merge tag 'v0.2.3'v0.2.3[Fix] Fix long option followed by single dash (#17)[Tests] Remove duplicate test (#12)[eslint] fix indentation[Dev Deps] add missing `npmignore` dev dep[Dev Deps] update `@ljharb/eslint-config`, `aud`[Fix] Fix long option followed by single dash[actions] Avoid 0.6 tests due to build failures[Dev Deps] update `tape`[Fix] opt.string works with multiple aliases (#10)[Fix] Fix handling of short option with non-trivial equals[Dev Deps] update `@ljharb/eslint-config`, `aud`[Tests] Remove duplicate test[Fix] opt.string works with multiple aliases[eslint] more cleanup[eslint] fix indentation and whitespaceMerge tag 'v0.2.2'v0.2.2v1.2.7[meta] add `auto-changelog`[meta] add `auto-changelog`[actions] add reusable workflows[meta] add `safe-publish-latest`[eslint] add eslint; rules to enable later are warnings[Tests] add `aud` in `posttest`[readme] rename and add badges[actions] add reusable workflows[meta] add `safe-publish-latest`[eslint] add eslint; rules to enable later are warnings[Tests] add `aud` in `posttest`[readme] rename and add badges[Dev Deps] switch from `covert` to `nyc`[Dev Deps] switch from `covert` to `nyc`[Dev Deps] update `covert`, `tape`; remove unnecessary `tap`[Dev Deps] update `covert`, `tape`; remove unnecessary `tap`[meta] create FUNDING.yml; add `funding` in package.json[meta] use `npmignore` to autogenerate an npmignore file[meta] create FUNDING.yml; add `funding` in package.json[meta] use `npmignore` to autogenerate an npmignore file[meta] update repo URLs[meta] update repo URLsOnly apps should have lockfilesOnly apps should have lockfiles1.2.6security notice for additional prototype pollution issueisConstructorOrProto adapted from PR[eslint] more cleanup[eslint] fix indentation and whitespaceisConstructorOrProto adapted from PRtest from prototype pollution PR↗️ multer (indirect, 1.4.3 → 1.4.4-lts.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 10 commits:
version: 1.4.4-lts.1history: 1.4.4-lts.1fix(cve): bump busboy to fix CVE-2022-24434version: 1.4.4history: 1.4.4Handle missing field names (#913)Fix spelling misstakes in README-es.mdMerge pull request #803 from khacpv/masterMerge branch 'master' into masterMerge pull request #948 from Collabos/master↗️ negotiator (indirect, 0.6.2 → 0.6.3) · Repo · Changelog
Release Notes
0.6.3 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
🆕 @lukeed/csprng (added, 1.1.0)
🆕 uid (added, 2.0.2)
🗑️ aws-sdk (removed)
🗑️ jmespath (removed)
🗑️ xml2js (removed)
🗑️ xmlbuilder (removed)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands