ngx-duration-picker
ngx-duration-picker copied to clipboard
FrancescoBorzi
chore(deps): update dependency log4js to 6.4.0 [security] - abandoned
This PR contains the following updates:
| Package | Change |
|---|---|
| log4js | 6.3.0 -> 6.4.0 |
GitHub Vulnerability Alerts
CVE-2022-21704
Impact
Default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.
Patches
Fixed by:
- https://github.com/log4js-node/log4js-node/pull/1141
- https://github.com/log4js-node/streamroller/pull/87
Released to NPM in [email protected]
Workarounds
Every version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.
References
Thanks to ranjit-git for raising the issue, and to @lamweili for fixing the problem.
For more information
If you have any questions or comments about this advisory:
- Open an issue in logj4s-node
- Ask a question in the slack channel
- Email us at [email protected]
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}
Autoclosing Skipped
This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.