Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

chore(deps): [security] bump eslint-utils from 1.3.1 to 1.4.3 #102

Merged
merged 1 commit into from
Nov 18, 2019
Merged

chore(deps): [security] bump eslint-utils from 1.3.1 to 1.4.3 #102

merged 1 commit into from
Nov 18, 2019

Conversation

dependabot-preview[bot]
Copy link

Bumps eslint-utils from 1.3.1 to 1.4.3. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Critical severity vulnerability that affects eslint-utils

'getStaticValue' function can execute arbitrary code

Impact

getStaticValue function can execute arbitrary code.

Patches

This problem has been patched in 1.4.1. Please update eslint-utils.

Workarounds

Don't use getStaticValue function, getStringIfConstant function, and getPropertyName function.

For more information

If you have any questions or comments about this advisory:

Affected versions: >= 1.2.0 < 1.4.1

Sourced from The GitHub Security Advisory Database.

Critical severity vulnerability that affects eslint-utils

'getStaticValue' function can execute arbitrary code

Impact

getStaticValue function can execute arbitrary code.

Patches

This problem has been patched in 1.4.1. Please update eslint-utils.

Workarounds

Don't use getStaticValue function, getStringIfConstant function, and getPropertyName function.

For more information

If you have any questions or comments about this advisory:

Affected versions: >= 1.2.0 < 1.4.1

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

@dependabot-preview
chore(deps): [security] bump eslint-utils from 1.3.1 to 1.4.3
670348c 
Bumps [eslint-utils](https://github.com/mysticatea/eslint-utils) from 1.3.1 to 1.4.3. **This update includes security fixes.**
- [Release notes](https://github.com/mysticatea/eslint-utils/releases)
- [Commits](mysticatea/eslint-utils@v1.3.1...v1.4.3)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Oct 21, 2019
@dependabot-preview dependabot-preview bot mentioned this pull request Oct 21, 2019
Closed
@rjchow rjchow merged commit e8982ed into master Nov 18, 2019
@rjchow rjchow deleted the dependabot/npm_and_yarn/eslint-utils-1.4.3 branch November 18, 2019 09:58
rjchow pushed a commit that referenced this pull request Dec 5, 2019
@semantic-release-bot
release(version): Release 1.6.0 [skip ci]
87372e5 
# [1.6.0](v1.5.0...v1.6.0) (2019-12-05)

### Chores

* **deps:** [security] bump eslint-utils from 1.3.1 to 1.4.3 ([#102](#102)) ([e8982ed](e8982ed))
* **deps:** [security] bump mixin-deep from 1.3.1 to 1.3.2 ([#79](#79)) ([1da45f7](1da45f7))
* **deps:** [security] bump tar from 2.2.1 to 2.2.2 ([#68](#68)) ([f5b1123](f5b1123))
* **deps-dev:** bump @babel/core from 7.4.5 to 7.7.2 ([#112](#112)) ([f0e8e28](f0e8e28))
* **deps-dev:** bump @babel/preset-env from 7.4.5 to 7.7.1 ([#110](#110)) ([4ef4bbe](4ef4bbe))
* **deps-dev:** bump @types/jest from 24.0.15 to 24.0.23 ([#115](#115)) ([686f2f2](686f2f2))
* **deps-dev:** bump eslint from 6.0.0 to 6.6.0 ([39be3df](39be3df))
* **deps-dev:** bump eslint from 6.0.0 to 6.6.0 ([f379f3f](f379f3f))
* **deps-dev:** bump eslint-plugin-import from 2.17.3 to 2.18.2 ([#58](#58)) ([cf990fa](cf990fa))
* **deps-dev:** bump husky from 2.4.1 to 3.1.0 ([#118](#118)) ([4d8abce](4d8abce))
* **deps-dev:** bump lint-staged from 9.2.0 to 9.4.3 ([a35c989](a35c989))
* **deps-dev:** bump lint-staged from 9.2.0 to 9.4.3 ([fc12f18](fc12f18))
* **deps-dev:** bump semantic-release from 15.13.18 to 15.13.31 ([2b55c94](2b55c94))
* **deps-dev:** bump semantic-release from 15.13.18 to 15.13.31 ([264472e](264472e))
* **dev-deps:** npm audit ([a5a7dfc](a5a7dfc))

### Features

* 🎸 Added semantic release configuration for npm release ([#131](#131)) ([cee2d64](cee2d64))
@rjchow
Copy link
Owner

rjchow commented Dec 5, 2019

🎉 This PR is included in version 1.6.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@rjchow rjchow added the released label Dec 5, 2019
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file released security Pull requests that address a security vulnerability
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@rjchow