Skip to content
This repository has been archived by the owner on Dec 16, 2023. It is now read-only.

Update dependencies to fix some vulnerabilities #1212

Open
wants to merge 9 commits into
base: master
Choose a base branch
from
Open

Update dependencies to fix some vulnerabilities #1212

wants to merge 9 commits into from

Conversation

striezel
Copy link

@striezel striezel commented Jun 1, 2021

These commits fix some vulnerabilities in several dependencies.

While this still does not fix all vulnerabilities that currently exist in dependencies, it should be a step in the right direction.

@striezel
update lodash to 4.17.21
467d2e2 
This fixes several vulnerabilities in lodash.

- several prototype pollution issues in lodash
  - see <https://www.npmjs.com/advisories/1065>
  - see <https://www.npmjs.com/advisories/1523>
- command injection vulnerability (CVE-2021-23337),
  see <https://www.npmjs.com/advisories/1673>
@striezel
update mixin-deep to 1.3.2
d381086 
This fixes a prototype pollution vulnerability in mixin-deep.
See <https://www.npmjs.com/advisories/1013> for more information.
@striezel
update union-value package to 1.0.1 + set-value to 2.0.1
5cb2700 
Fixes a prototype pollution vulnerability in set-value,
see <https://www.npmjs.com/advisories/1012> for more information.
@striezel
update acorn to 5.7.4
b2b7776 
Fixes a regular expression denial of service vulnerability,
see <https://www.npmjs.com/advisories/1488> for more info.
@striezel
update eslint-utils to 1.4.3
f456435 
This fixes an arbitrary code execution vulnerability,
see <https://www.npmjs.com/advisories/1118> for more info.
@striezel
update hosted-git-info to version 2.8.9 (CVE-2021-23362)
4d091ff 
Fixes a regular expression denial of service vulnerability,
see <https://www.npmjs.com/advisories/1677> for more info.
@striezel
update url-parse to 1.5.1 (CVE-2021-27515)
bd4ed4e 
Fixes a path traversal vulnerability in url-parse.
See <https://www.npmjs.com/advisories/1678> for more information.
@striezel
update y18n to 3.2.2 (CVE-2020-7774)
8d219a8 
This update fixes a prototype pollution vulnerability in y18n.
See <https://www.npmjs.com/advisories/1654> for more information.
@striezel
Copy link
Author

striezel commented Jun 1, 2021

@assaf Sorry if the force pushes make this PR a bit more complicated than necessary, but the previously pushed commits were missing some changes.

@striezel
update ini to 1.3.8
3dada46 
This fixes a prototype pollution vulnerability in ini.
See <https://www.npmjs.com/advisories/1589> for more information.
@striezel
Copy link
Author

striezel commented Jul 3, 2021

@assaf
Since there has been no response here for a month now: Is there anything wrong with this pull request? If that is the case, please let me know and I will try to fix it.

I've also added another update for ini, because why not? :)

@andress134
Copy link

@assaf
Since there has been no response here for a month now: Is there anything wrong with this pull request? If that is the case, please let me know and I will try to fix it.

I've also added another update for ini, because why not? :)

that lib look dead when try to get cookies, can u try to update it sir ?
thanks

@striezel
Copy link
Author

@assaf
Since there has been no response here for a month now: Is there anything wrong with this pull request? If that is the case, please let me know and I will try to fix it.
I've also added another update for ini, because why not? :)

that lib look dead when try to get cookies, can u try to update it sir ?
thanks

@andress134:
I do not understand the question. This pull request tries to get some of the project's dependencies updated. However, it has nothing to do with cookies and how they are handled, as far as I can tell.

And yes, the assaf/zombie project seems to be "dead" or at least the owner is very slow to respond, but I will keep this pull request open anyway. Maybe it will get merged later.

@andress134
Copy link

@assaf
Since there has been no response here for a month now: Is there anything wrong with this pull request? If that is the case, please let me know and I will try to fix it.
I've also added another update for ini, because why not? :)

that lib look dead when try to get cookies, can u try to update it sir ?
thanks

@andress134:
I do not understand the question. This pull request tries to get some of the project's dependencies updated. However, it has nothing to do with cookies and how they are handled, as far as I can tell.

And yes, the assaf/zombie project seems to be "dead" or at least the owner is very slow to respond, but I will keep this pull request open anyway. Maybe it will get merged later.

I'm try to bypass a cloudflare page but can't
My english is bad xD
I'm using zombie to generate a browser session open the target get the html page and extract cookies from here but it look dead

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@striezel @andress134