Update dependency redis to v3 [SECURITY]

Open renovate[bot] opened this issue 2 years ago • 0 comments

WhiteSource Renovate

This PR contains the following updates:

Package | Change
redis | 2.8.0 -> 3.1.1

GitHub Vulnerability Alerts

CVE-2021-29469

Impact

When a client is in monitoring mode, the regex being used to detect monitor messages could cause exponential backtracking on some strings. This issue could lead to a denial of service.

Patches

The problem was fixed in commit 2d11b6d and was released in version 3.1.1.

References

#1569 (GHSL-2021-026)


Release Notes

redis/node-redis

v3.1.1

Enhancements

  • Upgrade node and dependencies (#1578)

Fixes

  • Fix a potential exponential regex in monitor mode (#1595)

v3.1.0

Enhancements

  • Upgrade node and dependencies and redis-commands to support Redis 6 (#1578)
  • Add support for Redis 6 auth pass [user] (#1508)

v3.0.2

v3.0.1

v3.0.0

This version is mainly a release to distribute all the unreleased changes on master since 2017 and additionally removes a lot of old deprecated features and internals in preparation for an upcoming modernization refactor (v4).

Breaking Changes

  • Dropped support for Node.js < 6
  • Dropped support for hiredis (no longer required)
  • Removed previously deprecated drain event
  • Removed previously deprecated idle event
  • Removed previously deprecated parser option
  • Removed previously deprecated max_delay option
  • Removed previously deprecated max_attempts option
  • Removed previously deprecated socket_no_delay option

Bug Fixes

  • Removed development files from published package (#1370)
  • Duplicate function now allows db param to be passed (#1311)

Features

  • Upgraded to latest redis-commands package
  • Upgraded to latest redis-parser package, v3.0.0, which brings performance improvements
  • Replaced double-ended-queue with denque, which brings performance improvements
  • Add timestamps to debug traces
  • Add socket_initial_delay option for socket.setKeepAlive (#1396)
  • Add support for rediss protocol in url (#1282)

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • [ ] If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

renovate[bot], Nov 14 '21 04:11