fix(deps): update dependency simple-git to v3 [security] #90
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
force-pushed
the
renovate/npm-simple-git-vulnerability
branch
from
1c3d729 to
05110ae
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/npm-simple-git-vulnerability
branch
from
05110ae to
c384e6c
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/npm-simple-git-vulnerability
branch
from
c384e6c to
c700a81
Compare
renovate
bot
changed the title
renovate
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^2.38.0->^3.0.0GitHub Vulnerability Alerts
CVE-2022-24433
The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options, it was possible to get arbitrary command execution.
CVE-2022-24066
simple-git(maintained as git-js named repository on GitHub) is a light weight interface for running git commands in any node.js application.The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover. A fix was released in [email protected].CVE-2022-25912
The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when enabling the
exttransport protocol, which makes it exploitable viaclone()method. This vulnerability exists due to an incomplete fix of CVE-2022-24066.CVE-2022-25860
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.
Release Notes
steveukx/git-js (simple-git)
v3.16.0Compare Source
Minor Changes
97fde2c: Support the use of-Bin place of the default-bin checkout methods0a623e5: Adds vulnerability detection to prevent use of--upload-packand--receive-packwithout explicitly opting in.Patch Changes
ec97a39: Include restricting the use of git push --exec with other allowUnsafePack exclusions, thanks to @stsewd for the suggestion.v3.15.1Compare Source
Patch Changes
de570ac: Resolves an issue whereby non-strings can be passed into the config switch detector.v3.15.0Compare Source
Minor Changes
7746480: Disables the use of inline configuration arguments to prevent unitentionally allowing non-standard remote protocols without explicitly opting in to this practice with the newallowUnsafeProtocolOverrideproperty having been enabled.Patch Changes
7746480: - Upgrade repo dependencies - lerna and jestv3.14.1Compare Source
Patch Changes
5a2e7e4: Add version parsing support for non-numeric patches (including "built from source" style1.11.GIT)v3.14.0Compare Source
Minor Changes
19029fc: Create the abort plugin to allow cancelling all pending and future tasks.4259b26: Add.versionto return git version information, including whether the git binary is installed.v3.13.0Compare Source
Minor Changes
87b0d75: Increase the level of deprecation notices for use ofsimple-git/promise, which will be fully removed in the next majord0dceda: Allow supplying just one of to/from in the options supplied to git.logPatch Changes
6b3e05c: Use shared test utilities bundle in simple-git tests, to enable consistent testing across packages in the futurev3.12.0Compare Source
Minor Changes
bfd652b: Add a new configuration option to enable trimming white-space from the response togit.rawv3.11.0Compare Source
Minor Changes
80d54bd: Added fields updated + deleted branch info to fetch response, closes #823Patch Changes
75dfcb4: Add prettier configuration and apply formatting throughout.v3.10.0Compare Source
Minor Changes
2f021e7: Support for importing as an ES module with TypeScript moduleResolutionnode16or newer by addingsimpleGitas a named export.v3.9.0Compare Source
Minor Changes
a0d4eb8: Branches that have been checked out as a linked work tree will now be included in theBranchSummaryoutput, with alinkedWorkTreeproperty set totruein theBranchSummaryBranch.v3.8.0Compare Source
Minor Changes
25230cb: Support for additional log formats in diffSummary / log / stashList.Adds support for the
--numstat,--name-onlyand--name-statin addition to the existing--statoption.Patch Changes
2cfc16f: Update CI environments to run build and test in node v18, drop node v12 now out of life.13197f1: Updatedebugdependency to latest4.xv3.7.1Compare Source
Patch Changes
adb4346: Resolves issue whereby renamed files no longer appear correctly in the response togit.status.v3.7.0Compare Source
Minor Changes
fa2c7f7: Enable the use of types when loading with module-resolutionPatch Changes
3805f6b: Timeout plugin no longer keeps short lived processes alive until timeout is hitv3.6.0Compare Source
Minor Changes
f2fc5c9: Show full commit hash in aCommitResult, prior to this changegit.commitwould result in a partial hash in thecommitproperty ifcore.abbrevis unset or has a value under40. Following this change thecommitproperty will contain the full commit hash.Patch Changes
c4a2a13: chore(deps): bump minimist from 1.2.5 to 1.2.6v3.5.0Compare Source
Minor Changes
2040de6: Resolves potential command injection vulnerability by preventing use of--upload-packingit.clonev3.4.0Compare Source
Minor Changes
ed412ef: Use null separators in git.status to allow for non-ascii file namesv3.3.0Compare Source
Minor Changes
d119ec4: Resolves potential command injection vulnerability by preventing use of--upload-packingit.fetchv3.2.6Compare Source
Patch Changes
80651d5: Resolve issue in prePublish scriptv3.2.4Compare Source
Patch Changes
d35987b: Release with changesetsv3.1.1Compare Source
v3.1.0Compare Source
Features
StatusResult(70e6767), closes #7183.0.4 (2022-01-23)
Bug Fixes
3.0.3 (2022-01-20)
Bug Fixes
latest(5db4434)3.0.2 (2022-01-18)
Bug Fixes
simple-git/promisewith deprecation notice until mid-2022. (4413c47)3.0.1 (2022-01-18)
Bug Fixes
v3.0.4Compare Source
v3.0.3Compare Source
v3.0.2Compare Source
v3.0.1Compare Source
v2.48.0Compare Source
Features
StatusResultreturned bygit.status()should includedetachedstate of the working copy. (#695) (f464ebe)Bug Fixes
git.commit()(61089cb)2.47.1 (2021-11-29)
Bug Fixes
v2.47.1Compare Source
v2.47.0Compare Source
Features
v2.46.0Compare Source
Features
completionplugin (#684) (ecb7bd6)completionplugin to allow configuring whensimple-gitdetermines thegittasks to be complete. (ecb7bd6)2.45.1 (2021-09-04)
Bug Fixes
v2.45.1Compare Source
v2.45.0Compare Source
Features
Bug Fixes
nulldespite values being present in configuration (9fd483a)v2.44.0Compare Source
Features
v2.43.0Compare Source
Features
v2.42.0Compare Source
Features
logtask to separate task builder (0712f86)scopeargument inlistConfigto return a specific scope's configuration (0685a8b)2.41.2 (2021-07-29)
Bug Fixes
trueandfalseinDiffResultTextFile | DiffResultBinaryFileto aid type assertions. (8059099)2.41.1 (2021-07-11)
Bug Fixes
v2.41.2Compare Source
v2.41.1Compare Source
v2.41.0Compare Source
Features
git config addto work on thelocal,globalorsystemconfiguration. (c7164e7)local,globalorsystemconfiguration. (00ada06)v2.40.0Compare Source
Features
spawnOptionsplugin to allow settinguid/gidowner for the spawnedgitchild processes. (cc70220)2.39.1 (2021-06-09)
Bug Fixes
.execAPI (c9207da)mergeFromToto more closely represent its functionality (see #50 for the original requirement). (dd2244e)v2.39.1Compare Source
v2.39.0Compare Source
Features
git.cwdcan now be configured to affect just the chain rather than root instance. (4110662)2.38.1 (2021-05-09)
Bug Fixes
GitPluginErrorfrom the main package. (2aa7e55), closes #616v2.38.1Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.