Skip to content

chore(deps): update dependency minimist to v1.2.6 [security]#72

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-minimist-vulnerability
Open

chore(deps): update dependency minimist to v1.2.6 [security]#72
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-minimist-vulnerability

Conversation

@renovate
Copy link
Copy Markdown

@renovate renovate bot commented Aug 6, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
minimist 1.2.51.2.6 age confidence

GitHub Vulnerability Alerts

CVE-2020-7598

Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises and uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.

Recommendation

Upgrade to versions 0.2.1, 1.2.3 or later.

CVE-2021-44906

Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Release Notes

minimistjs/minimist (minimist)

v1.2.6

Compare Source

Commits
  • test from prototype pollution PR bc8ecee
  • isConstructorOrProto adapted from PR c2b9819
  • security notice for additional prototype pollution issue ef88b93

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the security label Aug 6, 2024
@renovate renovate bot changed the title fix(deps): update dependency minimist to v1.2.6 [security] fix(deps): update dependency minimist to v1.2.6 [security] - autoclosed Dec 8, 2024
@renovate renovate bot closed this Dec 8, 2024
@renovate renovate bot deleted the renovate/npm-minimist-vulnerability branch December 8, 2024 18:43
@renovate renovate bot changed the title fix(deps): update dependency minimist to v1.2.6 [security] - autoclosed fix(deps): update dependency minimist to v1.2.6 [security] Dec 8, 2024
@renovate renovate bot reopened this Dec 8, 2024
@renovate renovate bot force-pushed the renovate/npm-minimist-vulnerability branch from d5766bf to 25af370 Compare December 8, 2024 21:46
@renovate renovate bot changed the title fix(deps): update dependency minimist to v1.2.6 [security] chore(deps): update dependency minimist to v1.2.6 [security] Sep 25, 2025
@renovate renovate bot changed the title chore(deps): update dependency minimist to v1.2.6 [security] chore(deps): update dependency minimist to v1.2.6 [security] - autoclosed Mar 27, 2026
@renovate renovate bot closed this Mar 27, 2026
@renovate renovate bot changed the title chore(deps): update dependency minimist to v1.2.6 [security] - autoclosed chore(deps): update dependency minimist to v1.2.6 [security] Mar 30, 2026
@renovate renovate bot reopened this Mar 30, 2026
@renovate renovate bot force-pushed the renovate/npm-minimist-vulnerability branch 2 times, most recently from 25af370 to 652e81e Compare March 30, 2026 21:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@TiagoDanin TiagoDanin

Labels

security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TiagoDanin