bip
bip copied to clipboard
chore(deps): update dependency set-value to 2.0.1 [security] - abandoned
This PR contains the following updates:
Package | Change |
---|---|
set-value | 0.4.3 -> 2.0.1 |
GitHub Vulnerability Alerts
CVE-2019-10747
Versions of set-value
prior to 3.0.1 or 2.0.1 are vulnerable to Prototype Pollution. The set
function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.
Recommendation
If you are using set-value
3.x, upgrade to version 3.0.1 or later.
If you are using set-value
2.x, upgrade to version 2.0.1 or later.
CVE-2021-23440
This affects the package set-value
before 2.0.1, and starting with 3.0.0 but prior to 4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.