neo-one
neo-one copied to clipboard

Published 20 hours ago •

Reame
Issues

fix(deps): update dependency immer to v9 [security] - abandoned

Open renovate[bot] opened this issue 3 years ago • 2 comments

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
immer	`^5.0.0` -> `^9.0.0`

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2020-28477

Overview

Affected versions of immer are vulnerable to Prototype Pollution.

Proof of exploit

const {applyPatches, enablePatches} = require("immer");
enablePatches();
let obj = {};
console.log("Before : " + obj.polluted);
applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]);
// applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]);
console.log("After : " + obj.polluted);

Remediation

Version 8.0.1 contains a fix for this vulnerability, updating is recommended.

CVE-2021-23436

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "proto" || p === "constructor") in applyPatches_ returns false if p is ['proto'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

CVE-2021-3757

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').

Release Notes

immerjs/immer

`v9.0.19`

Bug Fixes

don't freeze drafts returned from produce if they were passed in as draft (#917) (46867f8)
produce results should never be frozen when returned from nested produces, to prevent 'hiding' drafts. Fixes #935 (a810960)
release and publish from 'main' rather than 'master' branch (82acc40)
revert earlier fix (#990) for recursive types (#1014) (3eeb331)
Upgrade Github actions to Node 16 attempt 1 (9d4ea93)
Upgrade Github actions to Node 16 attempt 2 (082eecd)

`v9.0.18`

Bug Fixes

Preserve insertion order of Sets, fixes #819 (#976) (b3eeb69)
unnecessarily recursive Draft type (#990) (b9eae1d)

`v9.0.17`

Bug Fixes

special case NaN in setter (#912) (5721bb7)

`v9.0.16`

Bug Fixes

protect isDraftable against undefined constructor (#969) (ced4563)

`v9.0.15`

Bug Fixes

Add "types" to exports for TypeScript 4.7 (#946) (85ce6b7)

`v9.0.14`

Bug Fixes

Use .esm.js module for backwards compatibility with old build tools (#939) (d30d219)

`v9.0.13`

Bug Fixes

consistent recipe return type in produceWithPatches (#934) (220d61d)
incorrect return type for async produceWithPatches (#933) (9f7623d)

`v9.0.12`

Bug Fixes

produceWithPatches should not wrap result in Immutable, fixes #850, #881 (d8f2636)

`v9.0.11`

Bug Fixes

incorrect patches for delete on arrays. Fixes #879 (d91a659)

`v9.0.10`

Bug Fixes

No patches being generated for root primitive replacements. Fixes #888 (0f96270)

`v9.0.9`

Bug Fixes

make sure produceWithPatches accepts promises (d80e823)

`v9.0.8`

Bug Fixes

immerjs#876 Ensure empty patch set for atomic set+delete on Map (#878) (e140918)

`v9.0.7`

Bug Fixes

Append to array when key is "-" (#872) (2afdb1b)

`v9.0.6`

Bug Fixes

security: Follow up on CVE-2020-28477 where path: [["__proto__"], "x"] could still pollute the prototype (fa671e5)

`v9.0.5`

Bug Fixes

release missing dist/ folder (bfb8dec)

`v9.0.4`

Bug Fixes

#791 return 'nothing' should produce undefined patch (5412c9f)
#807 new undefined properties should end up in result object (dc3f66c)
Better applyPatches type (#810) (09ac097), closes #809

`v9.0.3`

Bug Fixes

isPlainObject: add quick comparison between input and Object to short-circuit taxing Function.toString invocations (#805) (07575f3)

`v9.0.2`

Bug Fixes

#785 fix type inference for produce incorrectly inferring promise (#786) (6555173)

`v9.0.1`

Bug Fixes

#768 immerable field being lost during patch value cloning (#771) (e0b7c01)

`v9.0.0`

feature

Improved typescript types (2c2f30e), closes #720

BREAKING CHANGES

It is no longer allowed to return nothing from a recipe if the target state doesn't accept undefined.
It is no longer allowed to return arbitrary things from a recipe. Recipes should either return nothing, or something that is assignable to the original state type. This will catch mistakes with accidental returns earlier.

`v8.0.4`

Bug Fixes

make sure isPlainObject checks support objects send accross frames. Fixes #766 / #405 (5ae3547)

`v8.0.3`

Bug Fixes

new Immer().produce now has the same type as produce. Fixes #749 (f8b77d1)

`v8.0.2`

Bug Fixes

Add a type-checking fast path for primitive types (#755) (d395efe)
Ignore equal reference assignments. Fixes #648 (3b4286d)

`v8.0.1`

Bug Fixes

Fixed security issue #738: prototype pollution possible when applying patches CVE-2020-28477 (da2bd4f)

`v8.0.0`

feature

Always freeze by default (#702) (a406c8f)

BREAKING CHANGES

always freeze by default, even in production mode. Use setAutoFreeze(process.env.NODE_ENV !== 'production') for the old behavior. See https://github.com/immerjs/immer/issues/687#issuecomment-728881754 for the rationale. Fixes #649, #681, #687

`v7.0.15`

Bug Fixes

make plugin loading idempotent, fixes #692 (754331b)

`v7.0.14`

Bug Fixes

build issue. Fixes #685 (?) (9007be0)

`v7.0.13`

Bug Fixes

reconcile if the original value is assigned after creating a draft. Fixes #659 (c0e6749)

`v7.0.12`

Bug Fixes

undraftable values should not be cloned for patches, fixes #676 (1b70ad5)

`v7.0.11`

Bug Fixes

skip ReadonlyMap and ReadonlySet types when not available (#653). Fixes #624 (12f4cf8)

`v7.0.10`

Bug Fixes

Clearing empty Set&Map should be noop (#682). Fixes #680 (33a305b)

`v7.0.9`

Bug Fixes

clear map creates invalid patches, fixes #663 (bacc1e0)

`v7.0.8`

Bug Fixes

Use a named type for Draft object for smaller type declaration files (a1a0da0)
use Array.prototype.slice() for copying arrays. Fixes #650 (bf90358)
use Array.prototype.slice() for copying arrays. Fixes #650 (bb40c36)

`v7.0.7`

Bug Fixes

made NOTHING and IMMERABLE shared symbols. Fixes #632 (b1c6a8e)
make sure changing an undefined value to undefined is not picked up as change. Fixes #646 (5521527)
out of range assignments were broken in ES5 mode. Fixes #638 (0fe9132)
Set finalization can get stuck in a loop, fixes #628 (b12e5c9)
Trigger setters with the correct context, fixes #604 (2697430)

`v7.0.6`

Bug Fixes

flow: added types for produceWithPatches (b355838)

`v7.0.5`

Bug Fixes

Fixed regression in Object.frozen for IE11. Fixes #600 (6371d05)

`v7.0.4`

Bug Fixes

Flow: Add tests for Map and Set and fix base type (9022672)
new map keys were not added if value is undefined (4a1bd65)

`v7.0.3`

Bug Fixes

getOwnPropertyDescriptors is not available in Internet Explorer and Hermes. Fixes #626 (c7a47e2)

`v7.0.2`

Bug Fixes

Fixed #620: Symbolic properties were not drafted or finalized correctly (91915cf)

`v7.0.1`

Bug Fixes

Add missing type current for pre-TS 3.7 types (7d6b57b)

`v7.0.0`

Introduced current, which takes a snapshot of the current state of a draft and finalizes it (but without freezing). Current is a great utility to print the current state during debugging (no Proxies in the way), and the output of current can also be safely leaked outside the producer. Implements #441, #591
[BREAKING CHANGE] getters and setters are now handled consistently: own getters and setters will always by copied into fields (like Object.assign does), inherited getters and setters will be left as-is. This should allow using Immer directly on objects that trap their fields, like done in Vue or MobX. Fixes #584, #439, #593, #558
[BREAKING CHANGE] produce no longer accepts non-draftable objects as first argument
[BREAKING CHANGE] original can only be called on drafts and will throw otherwise (fixes #605)
[BREAKING CHANGE] non-enumerable and symbolic fields will never be frozen
[BREAKING CHANGE] the patches for arrays are now computed differently to fix some scenarios in which they were incorrect. In some cases they will be more optimal now, in other cases less. Especially splicing / unshifting items into an existing array might result in a lot of patches. Fixes #468
Improved documentation in several areas, there is now a page for typical update patterns and a separate page on how to work with classes. And additional performance tips have been included. Fixes #457, #115, #462
Fixed #462: All branches of the produced state should be frozen
Fixed #588: Inconsistent behavior with nested produce
Fixed #577: Immer might not work with polyfilled symbols
Fixed #514, #609: Explicitly calling useProxies(false) shouldn’t check for the presence of Proxy.

`v6.0.9`

Bug Fixes

typo in feature.md (sovled > solved) (3445168)

`v6.0.8`

Bug Fixes

Make sure Immer works correctly when Symbol is polyfilled, fixes #577 (2b40aec)

`v6.0.7`

Bug Fixes

fixed issue where new items in Set where not recorded after iterating. Fixes #586 (169db77)

`v6.0.6`

Bug Fixes

Object.isFrozen dies on non objects in Internet Explorer. Fixes #600 (974bd70)

`v6.0.5`

Bug Fixes

Don't recurse into non-enumerable members when freezing tree. Fixes #590 (497d1a0)
Don't recurse into non-enumerable members when freezing tree. Fixes #590 (d64c2bd)

`v6.0.4`

Bug Fixes

added flow typings for new API's introduced in v6. Fixes #570 (0ddddfc)
Ensure values in patches are never a draft, fixes #559 (33ecbd6)
improve flow types (427040c)

`v6.0.3`

Bug Fixes

copy flow types to where flow can find them (6247c03)
Flow failed to find the Immer typings (c2ae050)

`v6.0.2`

Bug Fixes

change Full error url (2778ce8)
fixed broken minimized error url (issue#550) (949960f)

`v6.0.1`

Bug Fixes

rename compat index.d.ts to immer.d.ts (ed6ba6d)

`v6.0.0`

Merge pull request #536 from immerjs/multi-bundle (0d87fc8), closes #536
Adding large data sets to a draft has been optimized (in case autofreeze is disabled)
Added compatibility typing support for TypeScript versions pre 3.7

BREAKING CHANGES

Support for ES5, patches and Map/Set collections has to be explicitly enable now: https://immerjs.github.io/immer/docs/installation
Custom serialization hooks are no longer supported

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

Dec 07 '21 23:12 renovate[bot]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.

Mar 24 '23 20:03 renovate[bot]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

Apr 04 '24 13:04 renovate[bot]