Update dependency ini to ~1.3.6 [SECURITY] by renovate[bot] · Pull Request #3 · nookala/first_app

renovate · 2025-01-09T16:03:35Z

This PR contains the following updates:

Package	Change	Age	Confidence
ini	`~1.0.5` → `~1.3.6`

GitHub Vulnerability Alerts

CVE-2020-7788

Overview

The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6.

Steps to reproduce

payload.ini

[__proto__]
polluted = "polluted"

poc.js:

var fs = require('fs')
var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)

> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted

Release Notes

npm/ini (ini)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from 6d179a4 to 54d695a Compare January 11, 2025 11:48

renovate bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Jan 11, 2025

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from 54d695a to 1a9a1bd Compare January 15, 2025 19:39

renovate bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Jan 15, 2025

renovate bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Jan 17, 2025

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from 1a9a1bd to 1748f4c Compare January 17, 2025 11:45

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from 1748f4c to e22c243 Compare January 25, 2025 11:49

renovate bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Jan 25, 2025

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from e22c243 to 946b185 Compare January 26, 2025 06:13

renovate bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Jan 26, 2025

renovate bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Jan 31, 2025

renovate bot force-pushed the renovate/npm-ini-vulnerability branch 2 times, most recently from b70e725 to a0ab166 Compare February 1, 2025 19:46

renovate bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Feb 1, 2025

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from a0ab166 to b9c4aab Compare February 9, 2025 11:30

renovate bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Feb 9, 2025

renovate bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Feb 12, 2025

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from b9c4aab to 68c8dba Compare February 12, 2025 07:53

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from 68c8dba to c945314 Compare March 5, 2025 03:43

renovate bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Mar 5, 2025

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from c945314 to cd5b3a9 Compare March 8, 2025 03:31

renovate bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Mar 8, 2025

renovate bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Mar 13, 2025

renovate bot force-pushed the renovate/npm-ini-vulnerability branch 2 times, most recently from df38326 to 441013a Compare March 15, 2025 11:17

renovate bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Mar 15, 2025

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from 441013a to 757dd73 Compare March 19, 2025 23:58

renovate bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Mar 19, 2025

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from 757dd73 to 610a988 Compare March 21, 2025 23:48

renovate bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Mar 21, 2025

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from 0f492c9 to 3197811 Compare November 20, 2025 08:13

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from 3197811 to e6a3dfa Compare December 5, 2025 07:43

renovate bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Dec 5, 2025

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from e6a3dfa to 54a719d Compare December 6, 2025 11:04

renovate bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Dec 6, 2025

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from 54a719d to 9d99705 Compare December 30, 2025 11:46

renovate bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Dec 30, 2025

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from 9d99705 to 602626d Compare January 2, 2026 07:38

renovate bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Jan 2, 2026

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from 602626d to 147cacc Compare January 10, 2026 07:27

renovate bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Jan 10, 2026

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from 147cacc to 6978cb4 Compare January 11, 2026 04:03

renovate bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Jan 11, 2026

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from 6978cb4 to 1582d55 Compare January 20, 2026 04:14

renovate bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Jan 20, 2026

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from 1582d55 to a65d663 Compare January 21, 2026 11:55

renovate bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Jan 21, 2026

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from a65d663 to e209546 Compare February 3, 2026 11:49

renovate bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Feb 3, 2026

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from e209546 to 10e6a3b Compare February 5, 2026 00:02

renovate bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Feb 5, 2026

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from 10e6a3b to 177ac39 Compare February 13, 2026 11:56

renovate bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Feb 13, 2026

renovate bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Feb 14, 2026

renovate bot force-pushed the renovate/npm-ini-vulnerability branch 2 times, most recently from bf84a97 to e6515d7 Compare February 17, 2026 07:02

renovate bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Feb 17, 2026

Update dependency ini to ~1.3.6 [SECURITY]

bb22c69

renovate bot force-pushed the renovate/npm-ini-vulnerability branch from e6515d7 to bb22c69 Compare February 20, 2026 12:09

renovate bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Feb 20, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency ini to ~1.3.6 [SECURITY]#3

Update dependency ini to ~1.3.6 [SECURITY]#3
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-ini-vulnerability

renovate bot commented Jan 9, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Comments

Conversation

renovate bot commented Jan 9, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Overview

Patches

Steps to reproduce

Release Notes

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Comments

renovate bot commented Jan 9, 2025 •

edited

Loading