fix: update dependency simple-git to v3 [security] #156
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^2.23.0
->^3.0.0
GitHub Vulnerability Alerts
CVE-2022-24433
The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options, it was possible to get arbitrary command execution.
CVE-2022-24066
simple-git
(maintained as git-js named repository on GitHub) is a light weight interface for running git commands in any node.js application.The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover. A fix was released in [email protected].CVE-2022-25912
The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when enabling the
ext
transport protocol, which makes it exploitable viaclone()
method. This vulnerability exists due to an incomplete fix of CVE-2022-24066.CVE-2022-25860
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.
Release Notes
steveukx/git-js (simple-git)
v3.16.0
Compare Source
Minor Changes
97fde2c
: Support the use of-B
in place of the default-b
in checkout methods0a623e5
: Adds vulnerability detection to prevent use of--upload-pack
and--receive-pack
without explicitly opting in.Patch Changes
ec97a39
: Include restricting the use of git push --exec with other allowUnsafePack exclusions, thanks to @stsewd for the suggestion.v3.15.1
Compare Source
Patch Changes
de570ac
: Resolves an issue whereby non-strings can be passed into the config switch detector.v3.15.0
Compare Source
Minor Changes
7746480
: Disables the use of inline configuration arguments to prevent unitentionally allowing non-standard remote protocols without explicitly opting in to this practice with the newallowUnsafeProtocolOverride
property having been enabled.Patch Changes
7746480
: - Upgrade repo dependencies - lerna and jestv3.14.1
Compare Source
Patch Changes
5a2e7e4
: Add version parsing support for non-numeric patches (including "built from source" style1.11.GIT
)v3.14.0
Compare Source
Minor Changes
19029fc
: Create the abort plugin to allow cancelling all pending and future tasks.4259b26
: Add.version
to return git version information, including whether the git binary is installed.v3.13.0
Compare Source
Minor Changes
87b0d75
: Increase the level of deprecation notices for use ofsimple-git/promise
, which will be fully removed in the next majord0dceda
: Allow supplying just one of to/from in the options supplied to git.logPatch Changes
6b3e05c
: Use shared test utilities bundle in simple-git tests, to enable consistent testing across packages in the futurev3.12.0
Compare Source
Minor Changes
bfd652b
: Add a new configuration option to enable trimming white-space from the response togit.raw
v3.11.0
Compare Source
Minor Changes
80d54bd
: Added fields updated + deleted branch info to fetch response, closes #823Patch Changes
75dfcb4
: Add prettier configuration and apply formatting throughout.v3.10.0
Compare Source
Minor Changes
2f021e7
: Support for importing as an ES module with TypeScript moduleResolutionnode16
or newer by addingsimpleGit
as a named export.v3.9.0
Compare Source
Minor Changes
a0d4eb8
: Branches that have been checked out as a linked work tree will now be included in theBranchSummary
output, with alinkedWorkTree
property set totrue
in theBranchSummaryBranch
.v3.8.0
Compare Source
Minor Changes
25230cb
: Support for additional log formats in diffSummary / log / stashList.Adds support for the
--numstat
,--name-only
and--name-stat
in addition to the existing--stat
option.Patch Changes
2cfc16f
: Update CI environments to run build and test in node v18, drop node v12 now out of life.13197f1
: Updatedebug
dependency to latest4.x
v3.7.1
Compare Source
Patch Changes
adb4346
: Resolves issue whereby renamed files no longer appear correctly in the response togit.status
.v3.7.0
Compare Source
Minor Changes
fa2c7f7
: Enable the use of types when loading with module-resolutionPatch Changes
3805f6b
: Timeout plugin no longer keeps short lived processes alive until timeout is hitv3.6.0
Compare Source
Minor Changes
f2fc5c9
: Show full commit hash in aCommitResult
, prior to this changegit.commit
would result in a partial hash in thecommit
property ifcore.abbrev
is unset or has a value under40
. Following this change thecommit
property will contain the full commit hash.Patch Changes
c4a2a13
: chore(deps): bump minimist from 1.2.5 to 1.2.6v3.5.0
Compare Source
Minor Changes
2040de6
: Resolves potential command injection vulnerability by preventing use of--upload-pack
ingit.clone
v3.4.0
Compare Source
Minor Changes
ed412ef
: Use null separators in git.status to allow for non-ascii file namesv3.3.0
Compare Source
Minor Changes
d119ec4
: Resolves potential command injection vulnerability by preventing use of--upload-pack
ingit.fetch
v3.2.6
Compare Source
Patch Changes
80651d5
: Resolve issue in prePublish scriptv3.2.4
Compare Source
Patch Changes
d35987b
: Release with changesetsv3.1.1
Compare Source
v3.1.0
Compare Source
Features
StatusResult
(70e6767), closes #7183.0.4 (2022-01-23)
Bug Fixes
3.0.3 (2022-01-20)
Bug Fixes
latest
(5db4434)3.0.2 (2022-01-18)
Bug Fixes
simple-git/promise
with deprecation notice until mid-2022. (4413c47)3.0.1 (2022-01-18)
Bug Fixes
v3.0.4
Compare Source
v3.0.3
Compare Source
v3.0.2
Compare Source
v3.0.1
Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.