
fix(deps): update dependency qs to v6.7.3 [security] #96

Status: Open. Wants to merge 1 commit into master from renovate/npm-qs-vulnerability.

Conversation

renovate[bot] (Contributor) commented May 28, 2023

This PR contains the following updates:

Package | Change
qs | 6.7.0 -> 6.7.3

GitHub Vulnerability Alerts

CVE-2022-24999

qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.


Release Notes

ljharb/qs (qs)

v6.7.3

Compare Source

  • [Fix] parse: ignore __proto__ keys (#428)
  • [Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#424)
  • [Robustness] stringify: avoid relying on a global undefined (#427)
  • [readme] remove travis badge; add github actions/codecov badges; update URLs
  • [Docs] add note and links for coercing primitive values (#​408)
  • [meta] fix README.md (#​399)
  • [meta] do not publish workflow files
  • [actions] backport actions from main
  • [Dev Deps] backport updates from main
  • [Tests] use nyc for coverage
  • [Tests] clean up stringify tests slightly

v6.7.2

Compare Source

  • [Fix] proper comma parsing of URL-encoded commas (#361)
  • [Fix] parses comma delimited array while having percent-encoded comma treated as normal text (#336)

v6.7.1

Compare Source

  • [Fix] parse: Fix parsing array from object with comma true (#359)
  • [Fix] parse: with comma true, handle field that holds an array of arrays (#335)
  • [fix] parse: with comma true, do not split non-string values (#334)
  • [Fix] parse: throw a TypeError instead of an Error for bad charset (#349)
  • [Fix] fix for an impossible situation: when the formatter is called with a non-string value
  • [Refactor] formats: tiny bit of cleanup.
  • readme: add security note
  • [meta] add tidelift marketing copy
  • [meta] add funding field
  • [meta] add FUNDING.yml
  • [meta] Clean up license text so it’s properly detected as BSD-3-Clause
  • [Dev Deps] update eslint, @ljharb/eslint-config, tape, safe-publish-latest, evalmd, iconv-lite, mkdirp, object-inspect, browserify
  • [Tests] parse: add passing arrayFormat tests
  • [Tests] use shared travis-ci configs
  • [Tests] Buffer.from in node v5.0-v5.9 and v4.0-v4.4 requires a TypedArray
  • [Tests] add tests for depth=0 and depth=false behavior, both current and intuitive/intended
  • [Tests] use eclint instead of editorconfig-tools
  • [actions] add automatic rebasing / merge commit blocking

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate.
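The advisory quoted in the bot's comment names a payload but not the mechanism. As an added example (not qs's own code, and not part of the original PR), the block below is a small bracket-notation query parser that models the pre-6.7.3 behaviour and the 6.7.3 fix ("ignore __proto__ keys"): writing `obj["__proto__"] = leaf` on an ordinary object is a [[Prototype]] assignment, so when `leaf` is an array (the two `a[__proto__]` pairs combine into one) the parsed `a` inherits Array.prototype, satisfies `instanceof Array`, and carries the attacker-chosen `length`; any consumer that then loops to `.length` spins for 100000000 iterations. Function names (`parseQuery`, `inspectA`, `iterationsIfTreatedAsArray`) and the `ignoreProto` option are this example's own, and the loop is capped so the example terminates instead of hanging.

```javascript
// Added example, not qs's own code: a minimal bracket-notation query parser that
// models the CVE-2022-24999 behaviour (an unfiltered "__proto__" segment rewrites
// the [[Prototype]] of the object being built) and the guard added in qs 6.7.3.
'use strict';

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// "a[b][c]" -> ["a", "b", "c"]; returns null for keys this model does not handle.
function splitKey(key) {
  const open = key.indexOf('[');
  if (open <= 0) return open === -1 ? [key] : null;
  const segs = [key.slice(0, open)];
  const re = /\[([^[\]]*)\]/g;
  re.lastIndex = open;
  let m;
  while ((m = re.exec(key)) !== null) segs.push(m[1]);
  return segs;
}

// Deep-merge own enumerable keys of source into target.
function merge(target, source) {
  for (const key of Object.keys(source)) {
    if (hasOwn(target, key) && isPlainObject(target[key]) && isPlainObject(source[key])) {
      merge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Parse a query string into nested objects. ignoreProto=false reproduces the
// pre-6.7.3 behaviour; ignoreProto=true (default) models the fix.
function parseQuery(query, { ignoreProto = true } = {}) {
  // Pass 1: raw key/value pairs; a repeated key collects its values into an array.
  // A null-prototype table so a literal "__proto__" key cannot touch it.
  const pairs = Object.create(null);
  for (const part of query.split('&')) {
    if (part === '') continue;
    const eq = part.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? part : part.slice(0, eq));
    const val = eq === -1 ? '' : decodeURIComponent(part.slice(eq + 1));
    pairs[key] = key in pairs ? [].concat(pairs[key], val) : val;
  }
  // Pass 2: expand each bracket key from the leaf upward, then merge into the result.
  const result = {};
  for (const key of Object.keys(pairs)) {
    const segs = splitKey(key);
    if (segs === null) continue;
    let leaf = pairs[key];
    for (let i = segs.length - 1; i >= 0; i--) {
      const obj = {};
      if (segs[i] === '__proto__' && ignoreProto) {
        // Fixed behaviour: the segment is dropped and an empty container is kept.
      } else {
        // Vulnerable behaviour: with segs[i] === "__proto__" this is not a property
        // write but a [[Prototype]] assignment, so obj now inherits from `leaf`.
        obj[segs[i]] = leaf;
      }
      leaf = obj;
    }
    merge(result, leaf);
  }
  return result;
}

// The payload quoted in the advisory.
const PAYLOAD = 'a[__proto__]=b&a[__proto__]&a[length]=100000000';

// What a downstream consumer sees for parsed.a.
function inspectA(parsed) {
  const a = parsed.a;
  return {
    isArray: Array.isArray(a),
    instanceOfArray: a instanceof Array,
    protoIsArray: Array.isArray(Object.getPrototypeOf(a)),
    ownKeys: Object.keys(a),
    length: a.length,
  };
}

// A consumer that trusts `instanceof Array` and loops to .length. Returns how many
// iterations it would run, capped so this example terminates instead of hanging.
function iterationsIfTreatedAsArray(value, cap = 1e6) {
  if (!(value instanceof Array)) return 0;
  let n = 0;
  for (let i = 0; i < value.length && n < cap; i++) n++;
  return n;
}

console.log('vulnerable:', inspectA(parseQuery(PAYLOAD, { ignoreProto: false })));
console.log('fixed:     ', inspectA(parseQuery(PAYLOAD)));
```

Run with `node` and compare the two lines: in vulnerable mode `a` is not an array by `Array.isArray` but is one by `instanceof`, with `length` set to the attacker's "100000000"; with the guard, `a` is a plain object whose only own key is `length`, which is the shape the qs 6.7.3 test suite expects. Note that the fixed parser still accepts an attacker-supplied `length` string; the fix removes the inherited Array behaviour, not the key itself.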

renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 193c20d to 2f319d2 on October 15, 2023 17:05
renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 2f319d2 to 7190cc8 on October 23, 2023 17:57
renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 7190cc8 to a58bf91 on January 15, 2024 10:05
renovate bot force-pushed the renovate/npm-qs-vulnerability branch from a58bf91 to eac8eff on February 4, 2024 09:34
renovate bot force-pushed the renovate/npm-qs-vulnerability branch from eac8eff to 4df3610 on February 25, 2024 11:18
renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 4df3610 to 3e9393f on March 12, 2024 12:44
renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 3e9393f to a4cc519 on April 14, 2024 08:34
renovate bot force-pushed the renovate/npm-qs-vulnerability branch from a4cc519 to 0ce4633 on July 21, 2024 14:32
renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 0ce4633 to 933b40b on August 6, 2024 06:50
renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 933b40b to 45b365c on December 2, 2024 10:24
renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 45b365c to 3276ef6 on January 23, 2025 21:12
Labels: None yet
Projects: None yet
0 participants