Open renovate[bot] opened 1 year ago
A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks.
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.
You can manually request rebase by checking the rebase/retry box above.
⚠️ Warning: custom changes will be lost.
This PR contains the following updates:
axios: `0.21.1` -> `0.21.2`
GitHub Vulnerability Alerts
CVE-2021-3749
axios before v0.21.2 is vulnerable to Inefficient Regular Expression Complexity.
Release Notes
axios/axios (axios)
### [`v0.21.2`](https://togithub.com/axios/axios/releases/tag/v0.21.2)

[Compare Source](https://togithub.com/axios/axios/compare/v0.21.1...v0.21.2)

##### Fixes and Functionality:

- Updating axios requests to be delayed by pre-emptive promise creation ([#2702](https://togithub.com/axios/axios/pull/2702))
- Adding "synchronous" and "runWhen" options to interceptors api ([#2702](https://togithub.com/axios/axios/pull/2702))
- Updating of transformResponse ([#3377](https://togithub.com/axios/axios/pull/3377))
- Adding ability to omit User-Agent header ([#3703](https://togithub.com/axios/axios/pull/3703))
- Adding multiple JSON improvements ([#3688](https://togithub.com/axios/axios/pull/3688), [#3763](https://togithub.com/axios/axios/pull/3763))
- Fixing quadratic runtime and extra memory usage when setting a maxContentLength ([#3738](https://togithub.com/axios/axios/pull/3738))
- Adding parseInt to config.timeout ([#3781](https://togithub.com/axios/axios/pull/3781))
- Adding custom return type support to interceptor ([#3783](https://togithub.com/axios/axios/pull/3783))
- Adding security fix for ReDoS vulnerability ([#3980](https://togithub.com/axios/axios/pull/3980))

##### Internal and Tests:

- Updating build dev dependencies ([#3401](https://togithub.com/axios/axios/pull/3401))
- Fixing builds running on Travis CI ([#3538](https://togithub.com/axios/axios/pull/3538))
- Updating follow redirect version ([#3694](https://togithub.com/axios/axios/pull/3694), [#3771](https://togithub.com/axios/axios/pull/3771))
- Updating karma sauce launcher to fix failing sauce tests ([#3712](https://togithub.com/axios/axios/pull/3712), [#3717](https://togithub.com/axios/axios/pull/3717))
- Updating content-type header for application/json to not contain charset field, according to RFC 8259 ([#2154](https://togithub.com/axios/axios/pull/2154))
- Fixing tests by bumping karma-sauce-launcher version ([#3813](https://togithub.com/axios/axios/pull/3813))
- Changing testing process from Travis CI to GitHub Actions ([#3938](https://togithub.com/axios/axios/pull/3938))

##### Documentation:

- Updating documentation around the use of `AUTH_TOKEN` with multiple domain endpoints ([#3539](https://togithub.com/axios/axios/pull/3539))
- Remove duplication of item in changelog ([#3523](https://togithub.com/axios/axios/pull/3523))
- Fixing grammatical errors ([#2642](https://togithub.com/axios/axios/pull/2642))
- Fixing spelling error ([#3567](https://togithub.com/axios/axios/pull/3567))
- Moving gitpod mention ([#2637](https://togithub.com/axios/axios/pull/2637))
- Adding new axios documentation website link ([#3681](https://togithub.com/axios/axios/pull/3681), [#3707](https://togithub.com/axios/axios/pull/3707))
- Updating documentation around dispatching requests ([#3772](https://togithub.com/axios/axios/pull/3772))
- Adding documentation for the type guard isAxiosError ([#3767](https://togithub.com/axios/axios/pull/3767))
- Adding explanation of cancel token ([#3803](https://togithub.com/axios/axios/pull/3803))
- Updating CI status badge ([#3953](https://togithub.com/axios/axios/pull/3953))
- Fixing errors with JSON documentation ([#3936](https://togithub.com/axios/axios/pull/3936))
- Fixing README typo under Request Config ([#3825](https://togithub.com/axios/axios/pull/3825))
- Adding axios-multi-api to the ecosystem file ([#3817](https://togithub.com/axios/axios/pull/3817))
- Adding SECURITY.md to properly disclose security vulnerabilities ([#3981](https://togithub.com/axios/axios/pull/3981))

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

- [Sasha Korotkov](https://togithub.com/SashaKoro)
- [Daniel Lopretto](https://togithub.com/timemachine3030)
- [Mike Bishop](https://togithub.com/MikeBishop)
- [Dmitriy Mozgovoy](https://togithub.com/DigitalBrainJS)
- [Mark](https://togithub.com/bimbiltu)
- [Philipe Gouveia Paixão](https://togithub.com/piiih)
- [hippo](https://togithub.com/hippo2cat)
- [ready-research](https://togithub.com/ready-research)
- [Xianming Zhong](https://togithub.com/chinesedfan)
- [Christopher Chrapka](https://togithub.com/OJezu)
- [Brian Anglin](https://togithub.com/anglinb)
- [Kohta Ito](https://togithub.com/koh110)
- [Ali Clark](https://togithub.com/aliclark)
- [caikan](https://togithub.com/caikan)
- [Elina Gorshkova](https://togithub.com/elinagorshkova)
- [Ryota Ikezawa](https://togithub.com/paveg)
- [Nisar Hassan Naqvi](https://togithub.com/nisarhassan12)
- [Jake](https://togithub.com/codemaster138)
- [TagawaHirotaka](https://togithub.com/wafuwafu13)
- [Johannes Jarbratt](https://togithub.com/johachi)
- [Mo Sattler](https://togithub.com/MoSattler)
- [Sam Carlton](https://togithub.com/ThatGuySam)
- [Matt Czapliński](https://togithub.com/MattCCC)
- [Ziding Zhang](https://togithub.com/zidingz)

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.