Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pin dependency grunt to 0.4.5 [SECURITY] #3

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Pin dependency grunt to 0.4.5 [SECURITY] #3

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Feb 28, 2024
edited
Loading

This PR contains the following updates:

Package Type Update Change
grunt (source) devDependencies pin ~0.4.0 -> 0.4.5

GitHub Vulnerability Alerts

CVE-2020-7729

The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

CVE-2022-0436

Grunt prior to version 1.5.2 is vulnerable to path traversal.

CVE-2022-1537

file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.

Add the preset :preserveSemverRanges to your config if you don't want to pin your dependencies.

Configuration

📅 Schedule: Branch creation - "" in timezone America/Vancouver, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 4 times, most recently from d2e50ee to 95cee04 Compare March 1, 2024 08:47
@renovate renovate bot changed the title Pin dependency grunt to 0.4.5 [SECURITY] Update dependency grunt to v1 [SECURITY] Mar 1, 2024
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch from 95cee04 to 4da68df Compare March 13, 2024 02:56
@renovate renovate bot changed the title Update dependency grunt to v1 [SECURITY] Pin dependency grunt to 0.4.5 [SECURITY] Mar 13, 2024
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch from 4da68df to b5a4afb Compare March 16, 2024 05:35
@renovate renovate bot changed the title Pin dependency grunt to 0.4.5 [SECURITY] Update dependency grunt to v1 [SECURITY] Mar 16, 2024
@renovate renovate bot changed the title Update dependency grunt to v1 [SECURITY] Pin dependency grunt to 0.4.5 [SECURITY] Mar 21, 2024
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from 30cb81d to a909e19 Compare March 23, 2024 08:52
@renovate renovate bot changed the title Pin dependency grunt to 0.4.5 [SECURITY] Update dependency grunt to v1 [SECURITY] Mar 23, 2024
@renovate renovate bot changed the title Update dependency grunt to v1 [SECURITY] Pin dependency grunt to 0.4.5 [SECURITY] Mar 25, 2024
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from efc46fc to 12c7329 Compare March 27, 2024 23:49
@renovate renovate bot changed the title Pin dependency grunt to 0.4.5 [SECURITY] Update dependency grunt to v1 [SECURITY] Mar 27, 2024
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch from 12c7329 to 1c9ced5 Compare April 14, 2024 23:44
@renovate renovate bot changed the title Update dependency grunt to v1 [SECURITY] Pin dependency grunt to 0.4.5 [SECURITY] Apr 14, 2024
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch from 1c9ced5 to 072dae3 Compare April 16, 2024 23:52
@renovate renovate bot changed the title Pin dependency grunt to 0.4.5 [SECURITY] Update dependency grunt to v1 [SECURITY] Apr 16, 2024
@renovate renovate bot changed the title Update dependency grunt to v1 [SECURITY] Pin dependency grunt to 0.4.5 [SECURITY] Apr 23, 2024
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from 7ed9244 to c339159 Compare April 24, 2024 23:23
@renovate renovate bot changed the title Pin dependency grunt to 0.4.5 [SECURITY] Update dependency grunt to v1 [SECURITY] Apr 24, 2024
@renovate renovate bot changed the title Update dependency grunt to v1 [SECURITY] Pin dependency grunt to 0.4.5 [SECURITY] Apr 27, 2024
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from a06a3c9 to 3c6004d Compare April 28, 2024 11:57
@renovate renovate bot changed the title Pin dependency grunt to 0.4.5 [SECURITY] Update dependency grunt to v1 [SECURITY] Apr 28, 2024
@renovate renovate bot changed the title Update dependency grunt to v1 [SECURITY] Pin dependency grunt to 0.4.5 [SECURITY] May 1, 2024
@renovate renovate bot changed the title Pin dependency grunt to 0.4.5 [SECURITY] Update dependency grunt to v1 [SECURITY] Oct 13, 2024
@renovate renovate bot changed the title Update dependency grunt to v1 [SECURITY] Pin dependency grunt to 0.4.5 [SECURITY] Oct 20, 2024
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from 18638c3 to 22075e4 Compare October 21, 2024 05:01
@renovate renovate bot changed the title Pin dependency grunt to 0.4.5 [SECURITY] Update dependency grunt to v1 [SECURITY] Oct 21, 2024
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch from 22075e4 to b95b560 Compare October 30, 2024 20:38
@renovate renovate bot changed the title Update dependency grunt to v1 [SECURITY] Pin dependency grunt to 0.4.5 [SECURITY] Oct 30, 2024
@renovate renovate bot changed the title Pin dependency grunt to 0.4.5 [SECURITY] Update dependency grunt to v1 [SECURITY] Nov 1, 2024
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch from b95b560 to 4efa60b Compare November 1, 2024 05:16
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch from 4efa60b to 69cad2a Compare December 5, 2024 05:41
@renovate renovate bot changed the title Update dependency grunt to v1 [SECURITY] Pin dependency grunt to 0.4.5 [SECURITY] Dec 5, 2024
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch from 69cad2a to a2104c3 Compare December 7, 2024 02:35
@renovate renovate bot changed the title Pin dependency grunt to 0.4.5 [SECURITY] Update dependency grunt to v1 [SECURITY] Dec 7, 2024
@renovate renovate bot changed the title Update dependency grunt to v1 [SECURITY] Pin dependency grunt to 0.4.5 [SECURITY] Dec 21, 2024
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from cf9635b to 75695ac Compare December 23, 2024 14:55
@renovate renovate bot changed the title Pin dependency grunt to 0.4.5 [SECURITY] Update dependency grunt to v1 [SECURITY] Dec 23, 2024
@renovate renovate bot changed the title Update dependency grunt to v1 [SECURITY] Pin dependency grunt to 0.4.5 [SECURITY] Jan 2, 2025
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from b1dd13d to c87ca9a Compare January 3, 2025 02:24
@renovate renovate bot changed the title Pin dependency grunt to 0.4.5 [SECURITY] Update dependency grunt to v1 [SECURITY] Jan 3, 2025
@renovate renovate bot changed the title Update dependency grunt to v1 [SECURITY] Pin dependency grunt to 0.4.5 [SECURITY] Jan 15, 2025
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from 55087dd to 955ed29 Compare January 17, 2025 19:16
@renovate renovate bot changed the title Pin dependency grunt to 0.4.5 [SECURITY] Update dependency grunt to v1 [SECURITY] Jan 17, 2025
@renovate renovate bot changed the title Update dependency grunt to v1 [SECURITY] Pin dependency grunt to 0.4.5 [SECURITY] Jan 24, 2025
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch from 955ed29 to 573668b Compare January 24, 2025 04:15
@socket-security Socket Security
Copy link

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@11ty/[email protected] filesystem Transitive: environment, network +14 891 kB zachleat
npm/@11ty/[email protected] Transitive: network, unsafe +12 2.26 MB zachleat
npm/@11ty/[email protected] environment, filesystem, unsafe Transitive: eval, network, shell +67 8.8 MB zachleat
npm/@tailwindcss/[email protected] None +5 362 kB thecrypticace
npm/[email protected] environment Transitive: filesystem +4 2.6 MB ai
npm/[email protected] None +4 4.01 MB saadeghi
npm/[email protected] None 0 4.33 MB icambron
npm/[email protected] Transitive: environment, filesystem +7 992 kB valeriangalliat
npm/[email protected] Transitive: environment, filesystem +4 2.21 MB solution-loisir

🚮 Removed packages: npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

@socket-security Socket Security
Copy link

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert Package NoteSourceCI
License Policy Violation npm/[email protected]
  • License: -- - No known license was found
 ⚠︎
License Policy Violation npm/[email protected]
  • License: CC-BY-4.0 - Not allowed by license policy (npm metadata, package/LICENSE, package/package.json)
 ⚠︎

View full report↗︎

Next steps

What is a license policy violation?

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants