Skip to content

chore(deps): update devdependency codecov to v3.7.1 [security] #33

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): update devdependency codecov to v3.7.1 [security] #33

wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Feb 19, 2020
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
codecov 3.4.0 -> 3.7.1 age confidence

GitHub Vulnerability Alerts

CVE-2020-7597

codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596.

CVE-2020-15123

Impact

The upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

A similar CVE was issued: CVE-2020-7597, but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer.

We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the codecov-node project here.

Patches

This has been patched in version 3.7.1

Workarounds

None, however, the attack surface is low in this case. Particularly in the standard use of codecov, where the module is used directly in a build pipeline, not built against as a library in another application that may supply malicious input and perform command injection.

References

For more information

If you have any questions or comments about this advisory:

CVE-2020-7596

Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument.

Release Notes

codecov/codecov-node (codecov)

v3.7.1

Compare Source

  • Move to execFileSync and security fixes

v3.7.0

Compare Source

  • Remove the X-Amz-Acl: public-read header

v3.6.5

Compare Source

v3.6.4

Compare Source

  • Fix Cirrus CI

v3.6.3

Compare Source

  • Fix for AWS Codebuild & package updates

v3.6.2

Compare Source

  • Command line args sanitized fix

v3.6.1

Compare Source

  • Fix for Semaphore

v3.6.0

Compare Source

  • Added AWS CodeBuild and Semaphore2

v3.5.0

Compare Source

  • Added TeamCity support

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@codecov
Copy link

codecov bot commented Feb 19, 2020
edited
Loading

Codecov Report

Merging #33 (996065e) into master (eb2f838) will decrease coverage by 3.79%.
The diff coverage is n/a.

❗ Current head 996065e differs from pull request most recent head edfc2e9. Consider uploading reports for the commit edfc2e9 to get more accurate results

@@            Coverage Diff             @@
##           master      #33      +/-   ##
==========================================
- Coverage   95.45%   91.66%   -3.79%     
==========================================
  Files           1        1              
  Lines          22       24       +2     
  Branches        3        4       +1     
==========================================
+ Hits           21       22       +1     
- Misses          1        2       +1

see 1 file with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 30eab7c to 6929b5c Compare May 3, 2020 13:00
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 6929b5c to e7abcb8 Compare July 1, 2020 12:49
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from e7abcb8 to a1087bd Compare July 10, 2020 12:51
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from a1087bd to 5852b9f Compare August 22, 2020 01:54
@renovate renovate bot changed the title chore(deps): update devdependency codecov to v3.6.5 [security] chore(deps): update devdependency codecov to v3.7.1 [security] Aug 22, 2020
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 5852b9f to b13e558 Compare October 25, 2020 23:54
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from b13e558 to e539b4b Compare November 26, 2020 23:55
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from e539b4b to ac5b79d Compare December 9, 2020 04:59
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from ac5b79d to b7694c8 Compare April 26, 2021 14:25
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from b7694c8 to 996065e Compare May 9, 2021 22:43
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 996065e to da58629 Compare March 7, 2022 09:14
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from da58629 to f12771a Compare March 26, 2022 12:11
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from f12771a to bf4562d Compare April 24, 2022 22:14
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from bf4562d to eebc9d3 Compare June 18, 2022 15:59
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from eebc9d3 to 335f337 Compare March 16, 2023 15:34
@renovate
Copy link
Contributor Author

renovate bot commented Mar 24, 2023

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
Error response from daemon: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit

@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 335f337 to edfc2e9 Compare March 24, 2023 19:48
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch 2 times, most recently from c73cbc6 to bf9a76f Compare January 30, 2025 14:46
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from bf9a76f to acb9c73 Compare May 19, 2025 17:33
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from acb9c73 to 7cfda6e Compare June 22, 2025 12:37
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 7cfda6e to c0dcaff Compare September 25, 2025 16:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants