
fix: address prototype pollution issue #108

Merged
merged 1 commit into from
Oct 25, 2020

Conversation

@bcoe (Member) commented Oct 25, 2020

@po6ix @joaogmauricio I appreciate the vulnerability report, I believe this addresses the problem (let me know if you can confirm). Also let me know if you can think of any additional regression tests.


@JamieSlome, @alromh87, I like the idea of huntr; I'd rather have a company submit a patch than simply notify me of a CVE. #107 was just not in line with how I've been addressing this issue elsewhere in the yargs codebase.

CC: @ljharb
Fixes: #96

@JamieSlome

@bcoe - that is great to hear - we'd love to work with you to get fixes into the repository in the future. Would you be available to discuss this further together?

@bcoe bcoe merged commit a9ac604 into master Oct 25, 2020
@bcoe bcoe deleted the fix-96 branch October 25, 2020 15:00
@bcoe (Member, Author) commented Oct 25, 2020

@JamieSlome happy to discuss more, email is a good place to start as I'm pretty full of meetings over the next few weeks.

@JamieSlome

@bcoe - I will shoot over an e-mail to you today!

@stof commented Nov 19, 2020

@bcoe will this be backported in the older major version?

  • webpack 4 depends on a version of cacache (through the terser-webpack-plugin) which uses y18n 4.x
  • webpack-dev-server and webpack-cli are using yargs 13 which uses y18n 4.x
  • gulp-cli is using yargs 7 which uses y18n 3.x

billyvg pushed a commit to getsentry/sentry that referenced this pull request Mar 30, 2021
Bumps [y18n](https://github.com/yargs/y18n) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/yargs/y18n/releases)
- [Changelog](https://github.com/yargs/y18n/blob/master/CHANGELOG.md)
- [Commits](https://github.com/yargs/y18n/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

There's no changelog entry for this version, but based on the publish date of `4.0.1`, I think the release addresses this issue: yargs/y18n#108
@fungiboletus fungiboletus mentioned this pull request Mar 31, 2021
Successfully merging this pull request may close these issues.

Prototype pollution