Skip to content

Update dependency serve to v10.1.2 [SECURITY]#119

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-serve-vulnerability
Open

Update dependency serve to v10.1.2 [SECURITY]#119
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-serve-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Mar 24, 2023
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
serve 10.0.0 -> 10.1.2 age adoption passing confidence

GitHub Vulnerability Alerts

GHSA-xw79-hhv6-578c

Versions of serve prior to 10.0.2 are vulnerable to Cross-Site Scripting (XSS). The package does not encode output, allowing attackers to execute arbitrary JavaScript in the victim's browser if user-supplied input is rendered.

Recommendation

Upgrade to version 10.0.2 or later.

GHSA-48gc-5j93-5cfq

Versions of serve prior to 10.1.2 are vulnerable to Path Traversal. Explicitly ignored folders can be accessed through relative paths, which allows attackers to access hidden folders and files.

Recommendation

Upgrade to version 10.1.2 or later.

GHSA-cpgr-wmr9-qxv4

Versions of serve prior to 10.0.2 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code.

Recommendation

Upgrade to version 10.0.2 or later.

Release Notes

vercel/serve (serve)

v10.1.2

Compare Source

Patches
  • Use os.networkInterfaces() to detect network address: #​492
  • Bumped serve-handler to latest version: #​505
Credits

Huge thanks to @​saintwinkle for helping!

v10.1.1

Compare Source

Patches
  • Properly encode redirect responses: #​491

v10.1.0

Compare Source

Minor Changes
  • Added support for compression: #​487
  • Added NO_UPDATE_CHECK environment flag: #​457
  • Brought back support for ephemeral port switching: #​490
Patches
  • Bumped serve-handler to the latest version: #​488
  • Deprecate support for now.json and package.json: #​489
Credits

Huge thanks to @​leeyeh for helping!

v10.0.2

Compare Source

Patches
  • Bumped serve-handler to the latest version: #​480

v10.0.1

Compare Source

Patches
  • Bumped @zeit/schemas to the latest version: #​475

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate
Copy link
Contributor Author

renovate bot commented Mar 24, 2023

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
Error response from daemon: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies vulnerability

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants