Skip to content

build(deps): [security] bump url-parse from 1.4.7 to 1.5.3 #333

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Open
wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

build(deps): [security] bump url-parse from 1.4.7 to 1.5.3 #333

wants to merge 1 commit into from

Conversation

dependabot-preview[bot]
Copy link
Contributor

Bumps url-parse from 1.4.7 to 1.5.3. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Path reaversal in url-parse url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

Affected versions: < 1.5.0

Commits
  • ad44493 [dist] 1.5.3
  • c798461 [fix] Fix host parsing for file URLs (#210)
  • 201034b [dist] 1.5.2
  • 2d9ac2c [fix] Sanitize only special URLs (#209)
  • fb128af [fix] Use 'null' as origin for non special URLs
  • fed6d9e [fix] Add a leading slash only if the URL is special
  • 94872e7 [fix] Do not incorrectly set the slashes property to true
  • 81ab967 [fix] Ignore slashes after the protocol for special URLs
  • ee22050 [ci] Use GitHub Actions
  • d2979b5 [fix] Special case the file: protocol (#204)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

@dependabot-preview
build(deps): [security] bump url-parse from 1.4.7 to 1.5.3
b8d9bdb 
Bumps [url-parse](https://github.com/unshiftio/url-parse) from 1.4.7 to 1.5.3. **This update includes a security fix.**
- [Release notes](https://github.com/unshiftio/url-parse/releases)
- [Commits](unshiftio/url-parse@1.4.7...1.5.3)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Aug 1, 2021
@dependabot-preview dependabot-preview bot requested a review from u3u August 1, 2021 19:17
@dependabot-preview dependabot-preview bot mentioned this pull request Aug 1, 2021
Closed
@codecov
Copy link

codecov bot commented Aug 1, 2021
edited
Loading

Codecov Report

Merging #333 (b8d9bdb) into dev (721dfff) will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff           @@
##              dev     #333   +/-   ##
=======================================
  Coverage   99.18%   99.18%           
=======================================
  Files          15       15           
  Lines         123      123           
  Branches       17       17           
=======================================
  Hits          122      122           
  Misses          1        1

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 721dfff...b8d9bdb. Read the comment docs.

@netlify
Copy link

netlify bot commented Aug 1, 2021

✔️ Deploy Preview for vue-hooks ready!

🔨 Explore the source changes: b8d9bdb

🔍 Inspect the deploy log: https://app.netlify.com/sites/vue-hooks/deploys/6106f351d5b8d2000851f232

😎 Browse the preview: https://deploy-preview-333--vue-hooks.netlify.app

# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@u3u u3u Awaiting requested review from u3u

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants