Bump lodash-es from 4.17.4 to 4.17.23 in /PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux #16
Conversation
Bumps [lodash-es](https://github.com/lodash/lodash) from 4.17.4 to 4.17.23. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.4...4.17.23) --- updated-dependencies: - dependency-name: lodash-es dependency-version: 4.17.23 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
dependencies
|
|
|
Semgrep found 1
Risk: Affected versions of webpack-dev-server are vulnerable to Improper Input Validation. Missing origin validation on webpack-dev-server's Hot Module Replacement websocket allows any webpage to connect to the dev server's socket, access in‐memory compiled assets and source code, and exfiltrate a developer's source files. Manual Review Advice: A vulnerability from this advisory is reachable if you are using Fix: Upgrade this library to at least version 3.1.11 at WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json:12860. Reference(s): GHSA-cf66-xwfp-gvc4, CVE-2018-14732 Semgrep found 1
Risk: Affected versions of http-proxy are vulnerable to Incomplete List of Disallowed Inputs / Protection Mechanism Failure. A denial-of-service exists in node-http-proxy when using Manual Review Advice: A vulnerability from this advisory is reachable if you set headers on the proxy request using the proxyReq.setHeader function in a standalone proxy server implemented using the http-proxy package Fix: Upgrade this library to at least version 1.18.1 at WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json:6292. Reference(s): GHSA-6x33-pw7p-hmpq Semgrep found 1
Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. UAParser.js uses a vulnerable regular expression to parse User-Agent headers. A malicious header can trigger catastrophic backtracking in the regex, resulting in prolonged processing times and potential denial of service. Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli Fix: Upgrade this library to at least version 0.7.24 at WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json:12441. Reference(s): GHSA-78cj-fxph-m83p, CVE-2021-27292 Semgrep found 1
Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. A specially crafted user agent string can trigger catastrophic backtracking in the regex designed for Redmi Phones and Mi Pad Tablets. This may result in a Regular Expression Denial of Service, causing resource exhaustion when ua-parser-js attempts to parse the malicious input. Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli Fix: Upgrade this library to at least version 0.7.22 at WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json:12441. Reference(s): GHSA-662x-fhqg-9p8v, CVE-2020-7733 Semgrep found 1
Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. UAParser.js is vulnerable to Regular Expression Denial of Service (ReDoS) attacks. Maliciously crafted user agent strings can trigger inefficient regex patterns, leading to excessive backtracking and high CPU consumption, which may ultimately cause service degradation or a denial of service. Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli Fix: Upgrade this library to at least version 0.7.23 at WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json:12441. Reference(s): GHSA-394c-5j6w-4xmx, CVE-2020-7793 Semgrep found 1
Risk: tmpl versions before 1.0.5 are vulnerable to Uncontrolled Resource Consumption when formatting a string. Fix: Upgrade this library to at least version 1.0.5 at WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json:12311. Reference(s): GHSA-jgrx-mgxx-jf9v, CVE-2021-3777 Semgrep found 1
Risk: This specific version of fsevents contains malicious code. Upgrade to the safe version immediately. Fix: Upgrade this library to at least version 1.2.11 at WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json:4441. Reference(s): https://osv.dev/vulnerability/MAL-2023-462 Semgrep found 1
Risk: Affected version of deep-extend is vulnerable to Prototype Pollution. Malicious input passed to deep-extend allows an attacker to overwrite the prototype of Fix: Upgrade this library to at least version 0.5.1 at WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json:2886. Reference(s): GHSA-hr2v-3952-633q, CVE-2018-3750 Semgrep found 1
Risk: Affected versions of @babel/traverse, babel-traverse, @babel/plugin-transform-runtime, @babel/preset-env, @babel/helper-define-polyfill-provider, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-corejs3, babel-plugin-polyfill-es-shims, and babel-plugin-polyfill-regenerator are vulnerable to Incomplete List Of Disallowed Inputs. An attacker can exploit a vulnerability in the internal Babel methods Manual Review Advice: A vulnerability from this advisory is reachable if you use Babel to compile untrusted JavaScript Fix: There are no safe versions of this library available for upgrade. Library included at WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json:1432. Reference(s): GHSA-67hx-6x53-jw92, CVE-2023-45133 Semgrep found 1
Risk: Affected versions of fsevents are vulnerable to Improper Control Of Generation Of Code ('Code Injection'). fsevents depends on the Fix: Upgrade this library to at least version 1.2.11 at WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json:4441. Reference(s): GHSA-8r6j-v8pm-fqw3, CVE-2023-45311 |
Bumps lodash-es from 4.17.4 to 4.17.23.
Commits
dec55b7Bump main to v4.17.23 (#6088)19c9251fix: setCacheHas JSDoc return type should be boolean (#6071)b5e6729jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)edadd45Prevent prototype pollution on baseUnset function4879a7adoc: fix autoLink function, conversion of source links (#6056)9648f69chore: removeyarn.lockfile (#6053)dfa407dci: remove legacy configuration files (#6052)156e196feat: add renovate setup (#6039)933e106ci: add pipeline for Bun (#6023)072a807docs: update links related to Open JS Foundation (#5968)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.