fix(deps): update dependency qs to v6.9.7 [security] #22

Open
wants to merge 1 commit into
base: master
renovate[bot]

@renovate renovate bot commented May 28, 2023

This PR contains the following updates:

Package | Change
qs | 6.9.4 -> 6.9.7

GitHub Vulnerability Alerts

CVE-2022-24999

qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.


Release Notes

ljharb/qs (qs)

v6.9.7

  • [Fix] parse: ignore __proto__ keys (#428)
  • [Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#424)
  • [Robustness] stringify: avoid relying on a global undefined (#427)
  • [readme] remove travis badge; add github actions/codecov badges; update URLs
  • [Docs] add note and links for coercing primitive values (#408)
  • [Tests] clean up stringify tests slightly
  • [meta] fix README.md (#399)
  • Revert "[meta] ignore eclint transitive audit warning"
  • [actions] backport actions from main
  • [Dev Deps] backport updates from main

v6.9.6

  • [Fix] restore dist dir; mistakenly removed in d4f6c32

v6.9.5

  • [Fix] stringify: do not encode parens for RFC1738
  • [Fix] stringify: fix arrayFormat comma with empty array/objects (#350)
  • [Refactor] format: remove util.assign call
  • [meta] add "Allow Edits" workflow; update rebase workflow
  • [actions] switch Automatic Rebase workflow to pull_request_target event
  • [Tests] stringify: add tests for #378
  • [Tests] migrate tests to Github Actions
  • [Tests] run nyc on all tests; use tape runner
  • [Dev Deps] update eslint, @ljharb/eslint-config, browserify, mkdirp, object-inspect, tape; add aud

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
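
Added example, not part of the Renovate comment or the qs project: qs is usually pulled in transitively, so bumping the top-level entry can leave older nested copies in place. The sketch below walks a `package-lock.json` `packages` map and classifies every `qs` copy against the fixed versions listed in the advisory above; the sample lockfile, its paths and the `qs-lite` name are constructed for illustration.

```javascript
// Added example: flag qs copies in a package-lock.json (lockfileVersion 2/3)
// that predate the CVE-2022-24999 fix, using the versions the advisory lists.

// First patched release on each 6.x minor line (6.10.3 plus the backports).
const FIXED_PATCH = { 2: 4, 3: 3, 4: 1, 5: 3, 6: 1, 7: 3, 8: 3, 9: 7, 10: 3 };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error('unparseable version: ' + v);
  return m.slice(1).map(Number);
}

// true = contains the fix, false = affected.
function isPatched(version) {
  const [major, minor, patch] = parseVersion(version);
  if (major !== 6) return major > 6;   // assumption: any later major keeps the fix
  if (minor > 10) return true;         // 6.11+ is after 6.10.3
  const fixed = FIXED_PATCH[minor];    // undefined for 6.0/6.1: no backport listed
  return fixed !== undefined && patch >= fixed;
}

// Walk every installed copy, including ones nested under other packages.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/qs$/.test(path)) continue;
    findings.push({ path, version: meta.version, patched: isPatched(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile; paths and versions are illustrative only.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/qs': { version: '6.9.4' },
    'node_modules/express/node_modules/qs': { version: '6.7.0' },
    'node_modules/body-parser/node_modules/qs': { version: '6.9.7' },
    'node_modules/request/node_modules/qs': { version: '6.5.3' },
    'node_modules/qs-lite': { version: '1.0.0' }, // hypothetical name; must not match
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.patched ? 'ok      ' : 'AFFECTED'} qs@${f.version}  ${f.path}`);
}
```

To audit a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLock` instead of the sample object.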

@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch 2 times, most recently from 8d0e7ac to 87efe40 Compare October 15, 2023 09:40
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 87efe40 to 6929896 Compare October 23, 2023 18:07
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 6929896 to 0932137 Compare January 24, 2024 07:30
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 0932137 to f7b8eea Compare February 4, 2024 09:37
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch 2 times, most recently from ad99ab8 to 51e1c07 Compare February 25, 2024 09:49
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 51e1c07 to 9a1c571 Compare March 12, 2024 09:32
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 9a1c571 to 8ce91dd Compare April 14, 2024 11:36
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 8ce91dd to ebf105a Compare July 21, 2024 11:34
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from ebf105a to a7ac5ca Compare August 6, 2024 07:31
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from a7ac5ca to 4236d06 Compare December 2, 2024 12:18
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 4236d06 to f511494 Compare December 10, 2024 09:01
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from f511494 to 94e0ee7 Compare January 23, 2025 22:50
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 94e0ee7 to 9c13f3d Compare February 9, 2025 13:59