New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency pubnub to v7 [SECURITY] #28

Open

renovate wants to merge 1 commit into master from renovate/npm-pubnub-vulnerability

renovate bot commented Dec 7, 2023

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
pubnub	`^4.21.6` -> `^7.0.0`

GitHub Vulnerability Alerts

CVE-2023-26154

Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub before 7.3.0; versions of the package pubnub/pubnub before 6.1.0; versions of the package pubnub before 5.3.0; versions of the package pubnub before 0.4.0; versions of the package pubnub/c-core before 4.5.0; versions of the package com.pubnub:pubnub-kotlin before 7.7.0; versions of the package pubnub/swift before 6.2.0; versions of the package pubnub before 5.2.0; versions of the package pubnub before 4.3.0 are vulnerable to Insufficient Entropy via the getKey function, due to inefficient implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file.

Note:

In order to exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the encryption.

Release Notes

pubnub/javascript (pubnub)

`v7.4.0`

October 16 2023

Added

Add crypto module that allows configure SDK to encrypt and decrypt messages.

Fixed

Improved security of crypto implementation by adding enhanced AES-CBC cryptor.

`v7.3.3`

September 11 2023

Fixed

Fixes issue of getting misleading error message when sendFile fails.

`v7.3.2`

August 31 2023

Fixed

Fixes issue of having deprecated superagent version. Fixed the following issues reported by @wimZ: #317.

`v7.3.1`

August 21 2023

Fixed

Fixes issue of missing get and set methods for userId field of PubNub configuration.

`v7.3.0`

July 26 2023

Fixed

Fixes issue of severe vulnerability warnings for vm2 usage.

`v7.2.3`

June 19 2023

Added

Added optional param withHeartbeat to set state through heartbeat endpoint.

`v7.2.2`

December 12 2022

Fixed

Fixes a case in React Native with using an error interface in superagent.
Fixes issue of getFileUrl not setting auth value as token string when token is set. Fixed the following issues reported by @abdalla-nayer: #302.

`v7.2.1`

November 10 2022

Fixed

Removes remains of Buffer from the crypto module.

`v7.2.0`

July 01 2022

Added

Allows to specify users and spaces in grantToken method.
Allows to use userId instead of uuid in configuration.

`v7.1.2`

June 22 2022

Fixed

Fixes parseToken issues on Web and React Native.

`v7.1.1`

June 14 2022

Added

Added user and space memberships related methods.
Added type and status fields in User and Space. status field in memberships.

`v7.0.1`

May 24 2022

`v7.0.0`

May 24 2022

Modified

BREAKING CHANGES: Removed objects v1 methods support.

`v5.0.1`

March 02 2022

Fixed

Unsubscribe fix unsubscribe from channel group presence.

`v5.0.0`

January 12 2022

Modified

BREAKING CHANGES: uuid is required parameter in PubNub constructor.

`v4.37.0`

December 16 2021

Added

Add revoke token feature.

`v4.36.0`

December 09 2021

Fixed

Remove isomorphic-webcrypto polyfill for web Add buffer polyfill to react native. Fixed the following issues reported by @JakeOrel: #233.

`v4.35.0`

December 02 2021

Added

Allows to specify multiple origins in the config, which enables domain sharding for custom origins.

`v4.34.2`

December 01 2021

Fixed

Fix listener callback is invoked multiple times. Fixed the following issues reported by @puopg: #230.

`v4.34.1`

November 19 2021

Fixed

Update .npmignore and excluded resources from from NPM package. Fixed the following issues reported by @ElridgeDMello: #228.

`v4.34.0`

November 19 2021

Added

Upgrade superagent.

`v4.33.1`

October-18-2021

🐛 Fixes issue of performing file publish message retry according to fileUploadPublishRetryLimit setting of PubNub instance.

`v4.33.0`

August-31-2021

🌟️ Added support for Objects v2 in PAM v3 api.
🐛 Fixes issue related to file decryption when cipherkey is provided in method.

`v4.32.1`

May-26-2021

🐛 Fixes issue of signature does not match error with getAllUUIDMetadata call.
🐛 Error handling with global hereNow call to provide detailed error message when feature not enabled.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          Update dependency pubnub to v7 [SECURITY]

375e8e7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment