fix(deps): update github vulnerability alerts [security] #227

renovate · 2024-09-30T22:02:36Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
body-parser	`1.20.2` -> `1.20.3`
cookie-parser	`1.4.6` -> `1.4.7`
eslint-plugin-import	`2.29.1` -> `2.31.0`
eslint-plugin-jsx-a11y	`6.9.0` -> `6.10.0`
eslint-plugin-react	`7.34.3` -> `7.37.1`
express (source)	`4.19.2` -> `4.20.0`
http-proxy-middleware	`2.0.6` -> `2.0.7`
pg (source)	`8.12.0` -> `8.13.0`

GitHub Vulnerability Alerts

CVE-2024-45590

Impact

body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.

Patches

this issue is patched in 1.20.3

References

CVE-2024-43796

Impact

In express <4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code

Patches

this issue is patched in express 4.20.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

The attacker MUST control the input to response.redirect()
express MUST NOT redirect before the template appears
the browser MUST NOT complete redirection before:
the user MUST click on the link in the template

Release Notes

expressjs/body-parser (body-parser)

`v1.20.3`

Compare Source

===================

deps: [email protected]
add depth option to customize the depth level in the parser
IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

expressjs/cookie-parser (cookie-parser)

`v1.4.7`

Compare Source

==========

deps: [email protected]
- Fix object assignment of hasOwnProperty
deps: [email protected]
- Allow leading dot for domain
  - Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
- Add fast path for serialize without options, use obj.hasOwnProperty when parsing
deps: [email protected]
- perf: parse cookies ~10% faster
- fix: narrow the validation of cookies to match RFC6265
- fix: add main to package.json for rspack
deps: [email protected]
- Add partitioned option
deps: [email protected]
- Add priority option
- Fix expires option to reject invalid dates
- pref: improve default decode speed
- pref: remove slow string split in parse
deps: [email protected]
- pref: read value only when assigning in parse
- pref: remove unnecessary regexp in parse

import-js/eslint-plugin-import (eslint-plugin-import)

`v2.31.0`

Compare Source

Added

support eslint v9 ([#2996], thanks [@G-Rath] [@michaelfaith])
[order]: allow validating named imports ([#3043], thanks [@manuth])
[extensions]: add the checkTypeImports option ([#2817], thanks [@phryneas])

Fixed

ExportMap / flat config: include languageOptions in context ([#3052], thanks [@michaelfaith])
[no-named-as-default]: Allow using an identifier if the export is both a named and a default export ([#3032], thanks [@akwodkiewicz])
[export]: False positive for exported overloaded functions in TS ([#3065], thanks [@liuxingbaoyu])
exportMap: export map cache is tainted by unreliable parse results ([#3062], thanks [@michaelfaith])
exportMap: improve cacheKey when using flat config ([#3072], thanks [@michaelfaith])
adjust "is source type module" checks for flat config ([#2996], thanks [@G-Rath])

Changed

[Docs] [no-relative-packages]: fix typo ([#3066], thanks [@joshuaobrien])
[Performance] [no-cycle]: dont scc for each linted file ([#3068], thanks [@soryy708])
[Docs] [no-cycle]: add disableScc to docs ([#3070], thanks [@soryy708])
[Tests] use re-exported RuleTester ([#3071], thanks [@G-Rath])
[Docs] [no-restricted-paths]: fix grammar ([#3073], thanks [@unbeauvoyage])
[Tests] [no-default-export], [no-named-export]: add test case (thanks [@G-Rath])

`v2.30.0`

Compare Source

Added

[dynamic-import-chunkname]: add allowEmpty option to allow empty leading comments ([#2942], thanks [@JiangWeixian])
[dynamic-import-chunkname]: Allow empty chunk name when webpackMode: 'eager' is set; add suggestions to remove name in eager mode ([#3004], thanks [@amsardesai])
[no-unused-modules]: Add ignoreUnusedTypeExports option ([#3011], thanks [@silverwind])
add support for Flat Config ([#3018], thanks [@michaelfaith])

Fixed

[no-extraneous-dependencies]: allow wrong path ([#3012], thanks [@chabb])
[no-cycle]: use scc algorithm to optimize ([#2998], thanks [@soryy708])
[no-duplicates]: Removing duplicates breaks in TypeScript ([#3033], thanks [@yesl-kim])
[newline-after-import]: fix considerComments option when require ([#2952], thanks [@developer-bandi])
[order]: do not compare first path segment for relative paths ([#2682]) ([#2885], thanks [@mihkeleidast])

Changed

[Docs] no-extraneous-dependencies: Make glob pattern description more explicit ([#2944], thanks [@mulztob])
[no-unused-modules]: add console message to help debug [#2866]
[Refactor] ExportMap: make procedures static instead of monkeypatching exportmap ([#2982], thanks [@soryy708])
[Refactor] ExportMap: separate ExportMap instance from its builder logic ([#2985], thanks [@soryy708])
[Docs] order: Add a quick note on how unbound imports and --fix ([#2640], thanks [@minervabot])
[Tests] appveyor -> GHA (run tests on Windows in both pwsh and WSL + Ubuntu) ([#2987], thanks [@joeyguerra])
[actions] migrate OSX tests to GHA ([ljharb#37], thanks [@aks-])
[Refactor] exportMapBuilder: avoid hoisting ([#2989], thanks [@soryy708])
[Refactor] ExportMap: extract "builder" logic to separate files ([#2991], thanks [@soryy708])
[Docs] [order]: update the description of the pathGroupsExcludedImportTypes option ([#3036], thanks [@liby])
[readme] Clarify how to install the plugin ([#2993], thanks [@jwbth])

jsx-eslint/eslint-plugin-jsx-a11y (eslint-plugin-jsx-a11y)

`v6.10.0`

Compare Source

Fixed

[New] label-has-associated-control: add additional error message #1005
[Fix] label-has-associated-control: ignore undetermined label text #966

Commits

[Tests] switch from jest to tape a284cbf
[New] add eslint 9 support deac4fd
[New] add attributes setting a1ee7f8
[New] allow polymorphic linting to be restricted 6cd1a70
[Tests] remove duplicate tests 74d5dec
[Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types 6eca235
[readme] remove deprecated travis ci badge; add github actions badge 0be7ea9
[Tests] use npm audit instead of aud 05a5e49
[Deps] update axobject-query 912e98c
[Deps] unpin axobject-query 75147aa
[Deps] update axe-core 27ff7cb
[readme] fix jsxA11y import name ce846e0
[readme] fix typo in shareable config section in readme cca288b

jsx-eslint/eslint-plugin-react (eslint-plugin-react)

`v7.37.1`

Compare Source

Fixed

[meta] do not npmignore d.ts files (#3836 @ljharb)

Changed

[readme] Fix shared settings link (#3834 @MgenGlder)

`v7.37.0`

Compare Source

Added

add type generation (#3830 @voxpelli)
[no-unescaped-entities]: add suggestions (#3831 @StyleShit)
[forbid-component-props]: add allowedForPatterns/disallowedForPatterns options (#3805 @Efimenko)
[no-unstable-nested-components]: add propNamePattern to support custom render prop naming conventions (#3826 @danreeves)

Changed

[readme] flat config example for react 17+ (#3824 @GabenGar)

`v7.36.1`

Compare Source

Fixed

[no-is-mounted]: fix logic in method name check (#3821 @Mathias-S)
[jsx-no-literals]: Avoid crashing on valueless boolean props (#3823 @reosarevok)

`v7.36.0`

Compare Source

Added

[no-string-refs]: allow this.refs in > 18.3.0 (#3807 @henryqdineen)
[jsx-no-literals] Add elementOverrides option and the ability to ignore this rule on specific elements (#3812 @Pearce-Ropion)
[forward-ref-uses-ref]: add rule for checking ref parameter is added ([#3667][] @NotWoods)

Fixed

[function-component-definition], [boolean-prop-naming], [jsx-first-prop-new-line], [jsx-props-no-multi-spaces], propTypes: use type args (#3629 @HenryBrown0)
JSX pragma: fail gracefully (#3632 @ljharb)
[jsx-props-no-spreading]: add explicitSpread option to schema (#3799 @ljharb)

Changed

[Tests] add @typescript-eslint/parser v6 (#3629 @HenryBrown0)
[Tests] add @typescript-eslint/parser v7 and v8 (#3629 @hampustagerud)
[Docs] [no-danger]: update broken link (#3817 @lucasrmendonca)
[types] add jsdoc type annotations (#3731 @y-hsgw)
[Tests] button-has-type: add test case with spread (#3731 @y-hsgw)

`v7.35.2`

Compare Source

Fixed

[jsx-curly-brace-presence]: avoid autofixing attributes with double quotes to a double quoted attribute ([#3814][] @ljharb)

Configuration

📅 Schedule: Branch creation - "every 3 months on the first day of the month" in timezone Europe/Stockholm, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions · 2024-09-30T22:04:10Z

Size Change: 0 B

Total Size: 142 kB

ℹ️ View Unchanged

Filename	Size
`./build/precache-4dc83f9d925941081ec346bcf91cc222.js`	786 B
`./build/service-worker.js`	684 B
`./build/static/css/main.chunk.css`	2.25 kB
`./build/static/js/2.chunk.js`	129 kB
`./build/static/js/main.chunk.js`	8.53 kB
`./build/static/js/runtime-main.js`	774 B

_{compressed-size-action}

github-actions · 2024-09-30T22:04:42Z

QA Test Environment

VictorWinberg-OneList--renovate-all-minor-patch

Environment has been created!
Please visit rome.

deploy 2024-10-01 00:03

redeploy 2024-10-01 17:04
redeploy 2024-10-03 09:18
redeploy 2024-10-03 12:58
redeploy 2024-10-06 20:25
redeploy 2024-10-08 12:20
redeploy 2024-10-08 23:17

renovate bot added the security label Sep 30, 2024

renovate bot force-pushed the renovate/all-minor-patch branch 5 times, most recently from 2e1c28d to 553e9a1 Compare October 8, 2024 10:19

fix(deps): update github vulnerability alerts [security]

3bdfe94

renovate bot force-pushed the renovate/all-minor-patch branch from 553e9a1 to 3bdfe94 Compare October 8, 2024 21:16

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update github vulnerability alerts [security] #227

fix(deps): update github vulnerability alerts [security] #227

renovate bot commented Sep 30, 2024 •

edited

Loading

github-actions bot commented Sep 30, 2024 •

edited

Loading

github-actions bot commented Sep 30, 2024 •

edited

Loading

fix(deps): update github vulnerability alerts [security] #227

Are you sure you want to change the base?

fix(deps): update github vulnerability alerts [security] #227

Conversation

renovate bot commented Sep 30, 2024 • edited Loading

GitHub Vulnerability Alerts

Impact

Patches

References

Impact

Patches

Workarounds

Details

Release Notes

Added

Fixed

Changed

Added

Fixed

Changed

Fixed

Commits

Fixed

Changed

Added

Changed

Fixed

Added

Fixed

Changed

Fixed

Configuration

github-actions bot commented Sep 30, 2024 • edited Loading

github-actions bot commented Sep 30, 2024 • edited Loading

QA Test Environment

renovate bot commented Sep 30, 2024 •

edited

Loading

github-actions bot commented Sep 30, 2024 •

edited

Loading

github-actions bot commented Sep 30, 2024 •

edited

Loading