Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency dompurify to v2.5.4 [security] #597

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(deps): update dependency dompurify to v2.5.4 [security] #597

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 16, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
dompurify 2.3.8 -> 2.5.4 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-45801

It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.

This renders dompurify unable to avoid XSS attack.

Fixed by cure53/DOMPurify@1e52026 (3.x branch) and cure53/DOMPurify@26e1d69 (2.x branch).

CVE-2024-47875

DOMpurify was vulnerable to nesting-based mXSS

fixed by 0ef5e537 (2.x) and
merge 943

Backporter should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801) when cherry-picking

POC is avaible under test

CVE-2024-48910

dompurify was vulnerable to prototype pollution

Fixed by cure53/DOMPurify@d1dd037

Release Notes

cure53/DOMPurify (dompurify)

v2.5.4: DOMPurify 2.5.4

Compare Source

  • Fixed a bug with latest isNaN checks affecting MSIE, thanks @​tulach
  • Fixed the tests for MSIE and fixed related test-runner

v2.5.3: DOMPurify 2.5.3

Compare Source

  • Fixed several mXSS variations found by and thanks to @​kevin-mizu & @​Ry0taK
  • Added better configurability for comment scrubbing default behavior
  • Added better hardening against Prototype Pollution attacks, thanks @​kevin-mizu
  • Fixed some smaller issues in README and other documentation

v2.5.2: DOMPurify 2.5.2

Compare Source

  • Addressed and fixed a mXSS variation found by @​kevin-mizu
  • Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
  • Updated tests for older Safari and Chrome versions

v2.5.1: DOMPurify 2.5.1

Compare Source

  • Fixed an mXSS sanitizer bypass reported by @​icesfont
  • Added new code to track element nesting depth
  • Added new code to enforce a maximum nesting depth of 255
  • Added coverage tests and necessary clobbering protections

Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

v2.5.0: DOMPurify 2.5.0

Compare Source

  • Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
  • Updated the LICENSE file to show the accurate year number
  • Updated several build and test dependencies

v2.4.9: DOMPurify 2.4.9

Compare Source

  • Fixed another conditional bypass caused by Processing Instructions, thanks @​Ry0taK
  • Fixed the regex for HTML Custom Element detection, thanks @​AlekseySolovey3T

v2.4.8: DOMPurify 2.4.8

Compare Source

  • Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @​Slonser

v2.4.7: DOMPurify 2.4.7

Compare Source

v2.4.6: DOMPurify 2.4.6

Compare Source

  • Fixed a bypass in jsdom 22 in case the noframes element is permitted, thanks @​leeN

v2.4.5: DOMPurify 2.4.5

Compare Source

  • Fixed a problem with improper reset of custom HTML options, thanks @​ammaraskar

v2.4.4: DOMPurify 2.4.4

Compare Source

v2.4.3: DOMPurify 2.4.3

Compare Source

  • Final release that is compatible with MSIE10 & MSIE 11

v2.4.2: DOMPurify 2.4.2

Compare Source

  • Fixed a Trusted Types sink violation with empty input and NAMESPACE , thanks @​tosmolka
  • Fixed a Prototype Pollution issue discovered and reported by @​kevin-mizu

v2.4.1: DOMPurify 2.4.1

Compare Source

v2.4.0: DOMPurify 2.4.0

Compare Source

  • Removed bundled types again as they caused too much trouble

v2.3.12: DOMPurify 2.3.12

Compare Source

v2.3.11: DOMPurify 2.3.11

Compare Source

  • Added generated type definitions for better compatibility
  • Added SANITIZE_NAMED_PROPS config option, thanks @​SoheilKhodayari
  • Updated README and config documentation, thanks @​0xedward
  • Updated test suite with newer Node versions

v2.3.10: DOMPurify 2.3.10

Compare Source

  • Added support for sanitization of attributes requiring Trusted Types, thanks @​tosmolka

v2.3.9: DOMPurify 2.3.9

Compare Source

  • Made TAG and ATTR config options case-sensitive when parsing XHTML, thanks @​tosmolka
  • Bumped some dependencies, thanks @​is2ei
  • Included github-actions in the dependabot config, thanks @​nathannaveen

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate Renovate
Copy link
Contributor Author

renovate bot commented Sep 16, 2024
edited
Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @craco/craco@6.4.3
npm error Found: react-scripts@5.0.1
npm error node_modules/react-scripts
npm error   react-scripts@"5.0.1" from the root project
npm error   peer react-scripts@"^5" from craco-swc@0.5.1
npm error   node_modules/craco-swc
npm error     dev craco-swc@"0.5.1" from the root project
npm error
npm error Could not resolve dependency:
npm error peer react-scripts@"^4.0.0" from @craco/craco@6.4.3
npm error node_modules/@craco/craco
npm error   dev @craco/craco@"6.4.3" from the root project
npm error   peer @craco/craco@"^6 || ^7" from craco-swc@0.5.1
npm error   node_modules/craco-swc
npm error     dev craco-swc@"0.5.1" from the root project
npm error
npm error Conflicting peer dependency: react-scripts@4.0.3
npm error node_modules/react-scripts
npm error   peer react-scripts@"^4.0.0" from @craco/craco@6.4.3
npm error   node_modules/@craco/craco
npm error     dev @craco/craco@"6.4.3" from the root project
npm error     peer @craco/craco@"^6 || ^7" from craco-swc@0.5.1
npm error     node_modules/craco-swc
npm error       dev craco-swc@"0.5.1" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /tmp/renovate/cache/others/npm/_logs/2024-12-08T22_03_36_934Z-eresolve-report.txt
npm error A complete log of this run can be found in: /tmp/renovate/cache/others/npm/_logs/2024-12-08T22_03_36_934Z-debug-0.log

@netlify Netlify
Copy link

netlify bot commented Sep 16, 2024
edited
Loading

Deploy Preview for practical-hodgkin-4543e2 ready!

Name Link
🔨 Latest commit ef138da
🔍 Latest deploy log https://app.netlify.com/sites/practical-hodgkin-4543e2/deploys/66e8a87295e6f800085fb04f
😎 Deploy Preview https://deploy-preview-597--practical-hodgkin-4543e2.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@renovate renovate bot changed the title fix(deps): update dependency dompurify to v2.5.4 [security] fix(deps): update dependency dompurify to v2.5.4 [security] - autoclosed Dec 8, 2024
@renovate renovate bot closed this Dec 8, 2024
@renovate renovate bot deleted the renovate/npm-dompurify-vulnerability branch December 8, 2024 18:33
@renovate renovate bot changed the title fix(deps): update dependency dompurify to v2.5.4 [security] - autoclosed fix(deps): update dependency dompurify to v2.5.4 [security] Dec 8, 2024
@renovate renovate bot reopened this Dec 8, 2024
@sonarqubecloud SonarQubeCloud
Copy link

sonarqubecloud bot commented Dec 8, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants