chore(deps): update dependency lodash to v4.17.21 [security] - abandoned#151
chore(deps): update dependency lodash to v4.17.21 [security] - abandoned#151renovate[bot] wants to merge 1 commit intomasterfrom
Conversation
renovate
bot
force-pushed
the
renovate/npm-lodash-vulnerability
branch
from
4486fa8 to
dd2a9ce
Compare
Codecov Report
@@ Coverage Diff @@
## master #151 +/- ##
=======================================
Coverage 84.84% 84.84%
=======================================
Files 3 3
Lines 132 132
Branches 35 35
=======================================
Hits 112 112
Misses 20 20 Continue to review full report at Codecov.
|
renovate
bot
force-pushed
the
renovate/npm-lodash-vulnerability
branch
26 times, most recently
from
9a566bd to
f6c42f7
Compare
renovate
bot
force-pushed
the
renovate/npm-lodash-vulnerability
branch
26 times, most recently
from
d2fed98 to
7a18a57
Compare
Codecov Report
@@ Coverage Diff @@
## master #151 +/- ##
=======================================
Coverage 84.84% 84.84%
=======================================
Files 3 3
Lines 132 132
Branches 35 35
=======================================
Hits 112 112
Misses 20 20 Continue to review full report at Codecov.
|
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. |
Autoclosing SkippedThis PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error. |
3 participants
This PR contains the following updates:
4.17.11->4.17.21Test plan: CI should pass with updated dependencies. No review required: this is an automated dependency update PR.
GitHub Vulnerability Alerts
CVE-2020-28500
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)
CVE-2020-8203
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
Release Notes
lodash/lodash
v4.17.21Compare Source
v4.17.20Compare Source
v4.17.16Compare Source
v4.17.15Compare Source
v4.17.14Compare Source
v4.17.13Compare Source
v4.17.12Compare Source
Configuration
📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.