Skip to content

Update dependency mpath to 0.8.4 [SECURITY]#46

Open
renovate[bot] wants to merge 1 commit intodevfrom
renovate/npm-mpath-vulnerability
Open

Update dependency mpath to 0.8.4 [SECURITY]#46
renovate[bot] wants to merge 1 commit intodevfrom
renovate/npm-mpath-vulnerability

Conversation

@renovate
Copy link

@renovate renovate bot commented Oct 20, 2021

WhiteSource Renovate

This PR contains the following updates:

Package Change
mpath 0.8.3 -> 0.8.4

GitHub Vulnerability Alerts

CVE-2021-23438

This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['proto']. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). They behave differently depending on the type of the input.

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@renovate-bot