
chore(deps): update dependency qs [security] #203

Merged
merged 1 commit into from Dec 22, 2022

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Dec 9, 2022

Mend Renovate

This PR contains the following updates:

Closed #212

Package Change
qs 6.5.2 -> 6.5.3
qs 6.7.0 -> 6.7.3

GitHub Vulnerability Alerts

CVE-2022-24999

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
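Added example, not code from this PR or from the qs project: a version check that says whether an installed qs release carries the CVE-2022-24999 fix, using the fixed-version list quoted in the advisory above, plus a small log/edge filter that flags query-string keys of the `a[__proto__]` form the advisory describes (extended, as an assumption, to the related `constructor` and `prototype` names).

```javascript
// Fixed-from patch level per 6.x minor line, taken from the advisory text:
// 6.10.3 is the mainline fix, the rest are backports. 6.0.x and 6.1.x got none.
const FIXED_PATCH_BY_MINOR = { 10: 3, 9: 7, 8: 3, 7: 3, 6: 1, 5: 3, 4: 1, 3: 3, 2: 4 };

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// true when `version` is at or above the fix for its own release line,
// e.g. the 6.5.2 -> 6.5.3 and 6.7.0 -> 6.7.3 bumps in this PR.
function qsHasCve202224999Fix(version) {
  const { major, minor, patch } = parseSemver(version);
  if (major !== 6) return major > 6;          // everything before 6.x predates the fix
  if (minor > 10) return true;                // later 6.x lines include the mainline fix
  const fixedPatch = FIXED_PATCH_BY_MINOR[minor];
  if (fixedPatch === undefined) return false; // 6.0.x / 6.1.x received no backport
  return patch >= fixedPatch;
}

// Detection helper (assumed names): report bracket keys that name a prototype
// property, whether they arrive URL-encoded or not, so requests can be logged
// or rejected before they reach the query parser.
const PROTO_KEY = /\[\s*(__proto__|constructor|prototype)\s*\]/i;

function findPrototypeKeys(queryString) {
  const hits = [];
  for (const pair of queryString.replace(/^\?/, '').split('&')) {
    const rawKey = pair.split('=')[0];
    let key = rawKey;
    try { key = decodeURIComponent(rawKey); } catch { /* keep undecodable key as-is */ }
    if (PROTO_KEY.test(key)) hits.push(key);
  }
  return hits;
}
```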


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Dec 9, 2022
@renovate renovate bot requested a review from TheKingTermux December 9, 2022 15:18
@renovate renovate bot changed the title chore(deps): update dependency qs to 6.7.3 [security] chore(deps): update dependency qs [security] Dec 13, 2022
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from b2710e3 to b4be8b8 Compare December 13, 2022 09:16
@renovate renovate bot changed the title chore(deps): update dependency qs [security] Update dependency qs [SECURITY] Dec 17, 2022
@renovate renovate bot changed the title Update dependency qs [SECURITY] chore(deps): update dependency qs [security] Dec 17, 2022
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from b4be8b8 to 3b58237 Compare December 22, 2022 01:09
@TheKingTermux TheKingTermux merged commit c7ec5ea into main Dec 22, 2022
@TheKingTermux TheKingTermux deleted the renovate/npm-qs-vulnerability branch December 22, 2022 11:42
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 24, 2022
Labels
dependencies Pull requests that update a dependency file
Development

Successfully merging this pull request may close these issues.

qs vulnerable to Prototype Pollution