
chore(deps): update dependency json to v10 [security] #327

Open: wants to merge 1 commit into develop from renovate/npm-json-vulnerability

Conversation

renovate[bot] (Contributor) commented Jul 21, 2021

This PR contains the following updates:

Package | Change
json    | ^9.0.4 -> ^10.0.0

GitHub Vulnerability Alerts

CVE-2020-7712

This affects the package json before 10.0.0. It is possible to inject arbitrary commands using the parseLookup function.


Release Notes

trentm/json (json)

v10.0.0

Compare Source

  • Backward incompatible and security-related change to parsing "lookup" strings.

    This version restricts the supported syntax for bracketed "lookup" strings
    to fix a possible vulnerability (CVE-2020-7712). With a carefully crafted
    lookup string, command injection was possible. See #144 for a repro. If you
    use json (the CLI or as a node.js module) and run arbitrary user-provided
    strings as a "lookup", then you should upgrade.

    For the json CLI, a "lookup" string is the 'foo' in:

      echo ...some json... | json foo
    

    which allows you to lookup fields on the given JSON, e.g.:

      $ echo '{"foo": {"bar": "baz"}}' | json foo.bar
      baz
    

    If one of the lookup fields isn't a valid JS identifier, then the JS array
    notation is supported:

      $ echo '{"https://example.com": "my-value"}' | json '["https://example.com"]'
      my-value
    

    Before this change, json would effectively exec the string between the
    brackets as JS code such that things like the following were possible:

      $ echo '{"foo3": "bar"}' | json '["foo" + 3]'
      bar
    

    This change limits supported bracket syntax in lookups to a simple quoted
    string:

      ["..."]
      ['...']
      [`...`]      # no variable interpolation
    

    Otherwise generating an error of the form:

      json: error: invalid bracketed lookup string: "[\"foo\" + 3]" (must be of the form ['...'], ["..."], or [`...`])
    

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.

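The release notes quoted in the PR body describe the behaviour of bracketed lookups before and after json v10 but show no parsing code. The following is an added example, not code from trentm/json or from this PR: a small model of both modes, where the pre-v10 mode evaluates the bracket contents as JavaScript (as the notes describe) and the v10 mode accepts only a single quoted string and raises the error form shown in the notes. The function names (splitLookup, evalBracketUnsafe, parseBracketStrict, lookupUnsafe, lookupStrict, demo) and the sample document are assumptions made for this illustration; the real CLI parser handles more cases than this sketch.

```javascript
// Added example, not trentm/json's own code. Models a bracketed "lookup"
// before json v10 (bracket contents evaluated as JavaScript) and after it
// (only a single quoted string is accepted). All names and sample data here
// are constructed for the illustration.

// Split a lookup such as 'foo.bar' or '["a.b"].c' into path segments. Text
// between '[' and ']' goes to bracketHandler, which decides how it is
// interpreted; that handler is the only difference between the two modes.
function splitLookup(lookup, bracketHandler) {
  const segments = [];
  let i = 0;
  while (i < lookup.length) {
    if (lookup[i] === ".") {
      i += 1;
    } else if (lookup[i] === "[") {
      const end = lookup.indexOf("]", i);
      if (end === -1) {
        throw new Error(`unterminated bracket in lookup: ${JSON.stringify(lookup)}`);
      }
      segments.push(bracketHandler(lookup.slice(i, end + 1)));
      i = end + 1;
    } else {
      let j = i;
      while (j < lookup.length && lookup[j] !== "." && lookup[j] !== "[") j += 1;
      segments.push(lookup.slice(i, j));
      i = j;
    }
  }
  return segments;
}

// Pre-v10 model: the text between the brackets is evaluated as a JavaScript
// expression, so '["foo" + 3]' yields "foo3" and any side effect in the
// expression runs as well. Deliberately unsafe; kept only for contrast.
function evalBracketUnsafe(bracketed) {
  const inner = bracketed.slice(1, -1);
  return String(new Function(`return (${inner});`)());
}

// v10 model: accept exactly one quoted string inside the brackets and nothing
// else. Backtick strings are taken literally, so `${...}` is not interpolated.
const BRACKET_RE = /^\[(?:"([^"]*)"|'([^']*)'|`([^`]*)`)\]$/;

function parseBracketStrict(bracketed) {
  const m = BRACKET_RE.exec(bracketed);
  if (m === null) {
    throw new Error(
      `invalid bracketed lookup string: ${JSON.stringify(bracketed)} ` +
        "(must be of the form ['...'], [\"...\"], or [`...`])"
    );
  }
  return m[1] ?? m[2] ?? m[3];
}

// Walk the parsed segments through a plain object; a missing key gives undefined.
function getPath(doc, segments) {
  let cur = doc;
  for (const seg of segments) {
    if (cur === null || typeof cur !== "object" ||
        !Object.prototype.hasOwnProperty.call(cur, seg)) {
      return undefined;
    }
    cur = cur[seg];
  }
  return cur;
}

function lookupUnsafe(doc, lookup) {
  return getPath(doc, splitLookup(lookup, evalBracketUnsafe));
}

function lookupStrict(doc, lookup) {
  return getPath(doc, splitLookup(lookup, parseBracketStrict));
}

// Constructed sample document mirroring the release-note examples.
const SAMPLE_DOC = { foo: { bar: "baz" }, "https://example.com": "my-value", foo3: "bar" };

// Run both modes over the same inputs and report what each one did.
function demo() {
  const results = {
    dotted: lookupStrict(SAMPLE_DOC, "foo.bar"),
    bracketed: lookupStrict(SAMPLE_DOC, '["https://example.com"]'),
    unsafeExpr: lookupUnsafe(SAMPLE_DOC, '["foo" + 3]'),
  };
  // The evaluated expression may do anything JavaScript can. Setting a global
  // flag stands in here for the command injection described in CVE-2020-7712.
  globalThis.__lookupSideEffect = false;
  lookupUnsafe(SAMPLE_DOC, '[(globalThis.__lookupSideEffect = true, "foo3")]');
  results.sideEffectRan = globalThis.__lookupSideEffect;
  try {
    lookupStrict(SAMPLE_DOC, '["foo" + 3]');
    results.strictError = null;
  } catch (err) {
    results.strictError = err.message;
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Running the file prints the results object: the strict mode resolves the dotted and quoted-bracket lookups, the unsafe mode resolves `["foo" + 3]` to the `foo3` key and also runs the side effect, and the strict mode rejects `["foo" + 3]` with the error text quoted in the release notes. The point of the contrast is that restricting the grammar to a literal string removes the evaluation step entirely, rather than trying to filter dangerous expressions.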
@renovate renovate bot added the security Pull requests that address a security vulnerability label Jul 21, 2021
@cwillisf cwillisf added the dependencies Pull requests that update a dependency file label Jul 21, 2021
@renovate renovate bot force-pushed the renovate/npm-json-vulnerability branch from b04d85c to 537bee4 on July 22, 2021 16:31
@renovate renovate bot force-pushed the renovate/npm-json-vulnerability branch 2 times, most recently from 68cb2e8 to 582990f on February 26, 2024 15:54
@renovate renovate bot changed the title chore(deps): update dependency json to v10 [security] chore(deps): update dependency json to v10 [security] - autoclosed Dec 8, 2024
@renovate renovate bot closed this Dec 8, 2024
@renovate renovate bot deleted the renovate/npm-json-vulnerability branch December 8, 2024 18:40
@github-actions github-actions bot locked and limited conversation to collaborators Dec 8, 2024
@renovate renovate bot changed the title chore(deps): update dependency json to v10 [security] - autoclosed chore(deps): update dependency json to v10 [security] Dec 8, 2024
@renovate renovate bot reopened this Dec 8, 2024
@renovate renovate bot force-pushed the renovate/npm-json-vulnerability branch from 796896c to 582990f on December 8, 2024 23:07
@renovate renovate bot force-pushed the renovate/npm-json-vulnerability branch from 582990f to 4593930 on February 11, 2025 12:11