New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

⬆️ Update dependency immer to v8 [SECURITY] #652

Closed

renovate wants to merge 1 commit into release-candidate from renovate/npm-immer-vulnerability

Contributor

renovate bot commented Jan 21, 2021

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
immer	`7.0.9` -> `8.0.1`

⚠️ MAJOR MAJOR MAJOR ⚠️

GitHub Vulnerability Alerts

CVE-2020-28477

Overview

Affected versions of immer are vulnerable to Prototype Pollution.

Proof of exploit

const {applyPatches, enablePatches} = require("immer");
enablePatches();
let obj = {};
console.log("Before : " + obj.polluted);
applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]);
// applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]);
console.log("After : " + obj.polluted);

Remediation

Version 8.0.1 contains a fix for this vulnerability, updating is recommended.

Release Notes

immerjs/immer

`v8.0.1`

Bug Fixes

Fixed security issue #738: prototype pollution possible when applying patches CVE-2020-28477 (da2bd4f)

`v8.0.0`

feature

Always freeze by default (#702) (a406c8f)

BREAKING CHANGES

always freeze by default, even in production mode. Use setAutoFreeze(process.env.NODE_ENV !== 'production') for the old behavior. See #687 (comment) for the rationale. Fixes #649, #681, #687

`v7.0.15`

Bug Fixes

make plugin loading idempotent, fixes #692 (754331b)

`v7.0.14`

Bug Fixes

build issue. Fixes #685 (?) (9007be0)

`v7.0.13`

Bug Fixes

reconcile if the original value is assigned after creating a draft. Fixes #659 (c0e6749)

`v7.0.12`

Bug Fixes

undraftable values should not be cloned for patches, fixes #676 (1b70ad5)

`v7.0.11`

Bug Fixes

skip ReadonlyMap and ReadonlySet types when not available (#653). Fixes #624 (12f4cf8)

`v7.0.10`

Bug Fixes

Clearing empty Set&Map should be noop (#682). Fixes #680 (33a305b)

Renovate configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by WhiteSource Renovate. View repository job log here.


          ⬆️ Update dependency immer to v8 [SECURITY]

7b14686

renovate bot assigned tjoskar

renovate bot requested a review from tjoskar

January 21, 2021 04:27

tjoskar closed this

renovate bot deleted the renovate/npm-immer-vulnerability branch

October 1, 2024 11:19

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet