Update dependency minimist to v1.2.8 [SECURITY] - autoclosed #55
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.2.7
->1.2.8
GitHub Vulnerability Alerts
CVE-2020-7598
Affected versions of
minimist
are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype ofObject
, causing the addition or modification of an existing property that will exist on all objects.Parsing the argument
--__proto__.y=Polluted
adds ay
property with valuePolluted
to all objects. The argument--__proto__=Polluted
raises and uncaught error and crashes the application.This is exploitable if attackers have control over the arguments being passed to
minimist
.Recommendation
Upgrade to versions 0.2.1, 1.2.3 or later.
CVE-2021-44906
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file
index.js
, functionsetKey()
(lines 69-95).Release Notes
minimistjs/minimist (minimist)
v1.2.8
Compare Source
Merged
#17
#12
#10
Fixed
#15
#8
#15
#9
#5
#8
#9
Commits
a026794
5368ca4
e5f5067
62fde7d
36ac5d0
auto-changelog
73923d2
d80727d
48bc06a
34b0f1c
5df0fe4
covert
tonyc
a48b128
covert
,tape
; remove unnecessarytap
f0fb958
funding
in package.json3639e0c
npmignore
to autogenerate an npmignore filebe2e038
282b570
ef9153f
@ljharb/eslint-config
,aud
098873c
@ljharb/eslint-config
,aud
3124ed3
safe-publish-latest
4b927de
aud
inposttest
b32d9bd
f9fdfc0
ba92fe6
tape
950eaa7
npmignore
dev dep3226afa
980d7ac
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.