chore(deps): update dependency yargs-parser to 13.1.2 [security] #2402
Conversation
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
|
@travi any idea where the lint errors came from? I'd say we merge this PR and address them separately? Sorry I'm still super drowned by work + life right now, and I don't think it will ease much until mid may |
|
looks like since these updates don't impact consumers, i'm less concerned about getting priority to them when extra effort would be needed to clean up the resulting failures. |
|
Okay I'm gonna merge this first then, as this is a security update, and create a follow up issue to address the XO complaints |
|
🎉 This PR is included in version 19.0.3 🎉 The release is available on: Your semantic-release bot 📦🚀 |
…antic-release#2402) Co-authored-by: Renovate Bot <bot@renovateapp.com>
…antic-release#2402) Co-authored-by: Renovate Bot <bot@renovateapp.com>
This PR contains the following updates:
10.1.0->13.1.2GitHub Vulnerability Alerts
CVE-2020-7608
Affected versions of
yargs-parserare vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype ofObject, causing the addition or modification of an existing property that will exist on all objects.Parsing the argument
--foo.__proto__.bar baz'adds abarproperty with valuebazto all objects. This is only exploitable if attackers have control over the arguments being passed toyargs-parser.Recommendation
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.