Build(deps): [security] bump dset from 3.1.1 to 3.1.2 #382

Merged
argoyle merged 1 commit from dependabot-npm_and_yarn-dset-3.1.2 into master 2022-05-23 07:08:07 +00:00
argoyle commented 2022-05-21 04:41:40 +00:00 (Migrated from gitlab.com)

Bumps dset from 3.1.1 to 3.1.2. This update includes a security fix.

Vulnerabilities fixed

Prototype Pollution in dset

All versions of dset prior to 3.1.2 are vulnerable to Prototype Pollution via dset/merge mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, constructor or prototype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.

Patched versions: 3.1.2
Affected versions: < 3.1.2

Release notes

Sourced from dset's releases.

v3.1.2

Patches

  • (dset/merge): Prevent possible prototype pollution (#34): 2d156c7 Thank you @n1ru4l~!

Chores

  • (dset/merge): Add tests for "__proto__" key (#38): 845879b Thank you @fortiZde~!
  • Correct README example errors (#30): 56923fe Thank you @bgoscinski~!

Full Changelog: https://github.com/lukeed/dset/compare/v3.1.1...v3.1.2

Commits

  • 740b3ae 3.1.2
  • 845879b chore(merge): add tests for "__proto__" key (#38)
  • 2d156c7 fix(merge): prevent possible prototype pollution (#34)
  • 56923fe chore: readme example errors (#30)
  • See full diff in compare view: https://github.com/lukeed/dset/compare/v3.1.1...v3.1.2

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
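The advisory above describes a check that only inspects the top-level path, which a nested key inside the merged value slips past. The following is an added example, not dset's own code, of a merge helper that rejects `__proto__`, `constructor` and `prototype` at every depth of both the path and the value; the function names (`findDangerousKey`, `safeMerge`, `prototypeIsClean`) are assumptions for illustration.

```javascript
// Added example, not dset's own code: a merge helper that applies the check
// the advisory describes (reject __proto__, constructor, prototype) at every
// depth of the merged value, not only on the top-level path. Names are assumed.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Return the dotted location of the first dangerous own key at any depth of
// `value`, or null when it is clean. Only own keys are inspected, because
// only own keys are ever merged.
function findDangerousKey(value, trail = []) {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    if (DANGEROUS_KEYS.has(key)) return trail.concat(key).join('.');
    const hit = findDangerousKey(value[key], trail.concat(key));
    if (hit !== null) return hit;
  }
  return null;
}

// Plain recursive merge of own keys; arrays and primitives replace wholesale.
function deepMerge(base, patch) {
  if (patch === null || typeof patch !== 'object' || Array.isArray(patch)) return patch;
  const out = base !== null && typeof base === 'object' && !Array.isArray(base) ? base : {};
  for (const key of Object.keys(patch)) out[key] = deepMerge(out[key], patch[key]);
  return out;
}

// Hardened dset-style merge: validate both the path and the whole value
// before touching the target, and throw rather than silently dropping keys.
function safeMerge(target, path, value) {
  const segs = path.split('.');
  if (segs.some((k) => DANGEROUS_KEYS.has(k))) throw new Error('unsafe path: ' + path);
  const bad = findDangerousKey(value);
  if (bad !== null) throw new Error('unsafe key in value at: ' + bad);
  let node = target;
  for (const key of segs.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key) ? node[key] : undefined;
    if (own === null || typeof own !== 'object') node[key] = {};
    node = node[key];
  }
  const last = segs[segs.length - 1];
  node[last] = deepMerge(node[last], value);
  return target;
}

// Post-condition worth asserting in a test suite after any merge of untrusted
// input: Object.prototype has gained no enumerable properties.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}
```

Running `prototypeIsClean()` at the end of a test suite that feeds parsed JSON into merge helpers catches a regression of this class regardless of which library performed the merge.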
argoyle commented 2022-05-23 06:32:08 +00:00 (Migrated from gitlab.com)

added 2 commits

  • c536de8f - 1 commit from branch master
  • 121a8650 - Build(deps): [security] bump dset from 3.1.1 to 3.1.2

[Compare with previous version](/unboundsoftware/dancefinder/dancefinder-app/-/merge_requests/333/diffs?diff_id=399830064&start_sha=1837e3c274d5c6a8bcc4ecb1222065486cffb067)

argoyle commented 2022-05-23 06:41:09 +00:00 (Migrated from gitlab.com)

added 2 commits

  • 764d2d57 - 1 commit from branch master
  • 572abea5 - Build(deps): [security] bump dset from 3.1.1 to 3.1.2

[Compare with previous version](/unboundsoftware/dancefinder/dancefinder-app/-/merge_requests/333/diffs?diff_id=399835698&start_sha=121a8650a4b80267ade57ea5fec1bc7bd1eef623)

argoyle commented 2022-05-23 06:52:13 +00:00 (Migrated from gitlab.com)

added 2 commits

  • 5c35762e - 1 commit from branch master
  • 275d91b2 - Build(deps): [security] bump dset from 3.1.1 to 3.1.2

[Compare with previous version](/unboundsoftware/dancefinder/dancefinder-app/-/merge_requests/333/diffs?diff_id=399843389&start_sha=572abea5e6722572bb28453b0638390a88a133e8)

argoyle (Migrated from gitlab.com) scheduled this pull request to auto merge when all checks succeed 2022-05-23 06:55:23 +00:00
argoyle (Migrated from gitlab.com) merged commit into master 2022-05-23 07:08:07 +00:00