Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency superjson to v1.8.1 [security] #63

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update dependency superjson to v1.8.1 [security] #63

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Feb 10, 2022
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
superjson 1.8.0 -> 1.8.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-23631

Impact

This is critical vulnerability, as it allows to run arbitrary code on any server using superjson input, including a Blitz.js server, without prior authentication or knowledge. Attackers gain full control over the server so they could steal and manipulate data or attack further systems. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. In the case of Blitz.js, it would be at least one RPC call.

Patches

This has been patched in superjson 1.8.1 and Blitz.js 0.45.3.

If you are unable to upgrade to Blitz.js 0.45.3 in a timely manner, you can instead upgrade only superjson to version 1.8.1 using yarn resolutions are similar. Blitz versions < 0.45.3 are only affected because they used superjson versions < 1.8.1.

Workarounds

None

For more information

If you have any questions or comments about this advisory:

References

Release Notes

blitz-js/superjson (superjson)

v1.8.1

Compare Source

Fix a critical security vulnerability. See CVE-2022-23631 for more details.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the renovate label Feb 10, 2022
@vercel
Copy link

vercel bot commented Feb 10, 2022
edited
Loading

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/prisma/ama-prisma/6Ac3V3USKFvrLEU4CFbtPKG53uPJ
✅ Preview: Failed

@renovate renovate bot force-pushed the renovate/npm-superjson-vulnerability branch from 14e1019 to cf7a212 Compare August 3, 2022 15:57
@renovate
Copy link
Author

renovate bot commented Aug 3, 2022

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: @next-auth/prisma-adapter@0.5.2-next.15
npm ERR! Found: next-auth@4.0.0-next.26
npm ERR! node_modules/next-auth
npm ERR!   next-auth@"4.0.0-next.26" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer next-auth@">=4" from @next-auth/prisma-adapter@0.5.2-next.15
npm ERR! node_modules/@next-auth/prisma-adapter
npm ERR!   @next-auth/prisma-adapter@"0.5.2-next.15" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: next-auth@4.10.3
npm ERR! node_modules/next-auth
npm ERR!   peer next-auth@">=4" from @next-auth/prisma-adapter@0.5.2-next.15
npm ERR!   node_modules/@next-auth/prisma-adapter
npm ERR!     @next-auth/prisma-adapter@"0.5.2-next.15" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /tmp/renovate-cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate-cache/others/npm/_logs/2022-08-03T15_57_19_435Z-debug-0.log

@vercel
Copy link

vercel bot commented Aug 3, 2022
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Updated
ama-prisma ✅ Ready (Inspect) Visit Preview Aug 3, 2022 at 4:04PM (UTC)

@renovate renovate bot changed the title chore(deps): update dependency superjson to 1.8.1 [security] fix(deps): update dependency superjson to v1.8.1 [security] Mar 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
renovate
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants