Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency grunt to v1 [security] #52

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): update dependency grunt to v1 [security] #52

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented May 9, 2021
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
grunt (source) ~0.4.0 -> ~1.5.3 age adoption passing confidence
grunt (source) ~0.4.5 -> ~1.5.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2020-7729

The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

CVE-2022-0436

Grunt prior to version 1.5.2 is vulnerable to path traversal.

CVE-2022-1537

file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.

Release Notes

gruntjs/grunt (grunt)

v1.5.3

Compare Source

v1.5.2

Compare Source

v1.5.1

Compare Source

v1.5.0

Compare Source

v1.4.1

Compare Source

v1.4.0

Compare Source

v1.3.0

Compare Source

  • Merge pull request #​1720 from gruntjs/update-changelog-deps faab6be
  • Update Changelog and legacy-util dependency 520fedb
  • Merge pull request #​1719 from gruntjs/yaml-refactor 7e669ac
  • Switch to use safeLoad for loading YML files via file.readYAML. e350cea
  • Merge pull request #​1718 from gruntjs/legacy-log-bumo 7125f49
  • Bump legacy-log 00d5907

v1.2.1

Compare Source

v1.2.0

Compare Source

v1.1.0

Compare Source

  • Update to mkdirp ~1.0.3
  • Only support versions of Node >= 8

v1.0.4

Compare Source

v1.0.3

Compare Source

v1.0.2

Compare Source

v1.0.1

Compare Source

v1.0.0

Compare Source

v0.4.5

Compare Source

v0.4.4

Compare Source

v0.4.3

Compare Source

v0.4.2

Compare Source

v0.4.1

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from moul as a code owner May 9, 2021 22:11
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch from cff2316 to a02310d Compare May 15, 2021 19:33
@renovate renovate bot changed the title chore(deps): pin dependency grunt to 0.4.5 [security] chore(deps): update dependency grunt to v1 [security] May 15, 2021
@renovate renovate bot changed the title chore(deps): update dependency grunt to v1 [security] chore(deps): pin dependency grunt to v0.4.5 [security] Jun 6, 2021
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch from a02310d to e751028 Compare June 6, 2021 21:47
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch from e751028 to 23f9f5a Compare February 14, 2022 00:52
@trafico-bot trafico-bot bot added the 🔍 Ready for Review Pull Request is not reviewed yet label Feb 14, 2022
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch from 23f9f5a to 043e3e4 Compare February 14, 2022 04:17
@renovate renovate bot changed the title chore(deps): pin dependency grunt to v0.4.5 [security] chore(deps): update dependency grunt to v1 [security] Feb 14, 2022
@renovate renovate bot changed the title chore(deps): update dependency grunt to v1 [security] chore(deps): pin dependency grunt to v0.4.5 [security] Feb 15, 2022
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from 9596298 to fad519e Compare February 15, 2022 14:51
@renovate renovate bot changed the title chore(deps): pin dependency grunt to v0.4.5 [security] chore(deps): update dependency grunt to v1 [security] Feb 15, 2022
@renovate renovate bot changed the title chore(deps): update dependency grunt to v1 [security] chore(deps): pin dependency grunt to v0.4.5 [security] Feb 16, 2022
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from a9530eb to 7a70a0e Compare February 16, 2022 12:50
@renovate renovate bot changed the title chore(deps): pin dependency grunt to v0.4.5 [security] chore(deps): update dependency grunt to v1 [security] Feb 16, 2022
@renovate renovate bot changed the title chore(deps): update dependency grunt to v1 [security] chore(deps): pin dependency grunt to v0.4.5 [security] Feb 17, 2022
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from 40e37a4 to f2ec296 Compare February 17, 2022 12:48
@renovate renovate bot changed the title chore(deps): pin dependency grunt to v0.4.5 [security] chore(deps): update dependency grunt to v1 [security] Feb 17, 2022
@renovate renovate bot changed the title chore(deps): update dependency grunt to v1 [security] chore(deps): pin dependency grunt to v0.4.5 [security] Feb 18, 2022
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from 53d5943 to 77ccfc9 Compare February 18, 2022 14:43
@renovate renovate bot changed the title chore(deps): pin dependency grunt to v0.4.5 [security] chore(deps): update dependency grunt to v1 [security] Feb 18, 2022
@renovate renovate bot changed the title chore(deps): update dependency grunt to v1 [security] chore(deps): pin dependency grunt to v0.4.5 [security] Feb 23, 2022
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch from 77ccfc9 to 1bf5ad0 Compare February 23, 2022 14:47
@renovate renovate bot changed the title chore(deps): pin dependency grunt to v0.4.5 [security] chore(deps): update dependency grunt to v1 [security] Feb 23, 2022
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch from 1bf5ad0 to c8ebea0 Compare February 23, 2022 17:02
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch from 878b6ce to cd692b3 Compare March 29, 2024 02:41
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from 82f63b7 to e56c9bc Compare April 16, 2024 23:38
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 4 times, most recently from b01dc12 to 2061c8c Compare April 27, 2024 08:43
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 3 times, most recently from 4ccd2d0 to 095a1a8 Compare May 9, 2024 08:56
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch from 095a1a8 to 89ba940 Compare May 10, 2024 23:43
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from 61fa2bb to dc1d1f6 Compare May 25, 2024 05:30
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from 5d3d624 to cb27317 Compare June 6, 2024 05:58
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from b2463f0 to e34c2ec Compare June 20, 2024 05:16
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from 185e5ef to 77f895f Compare June 29, 2024 08:42
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from 5878848 to ed68d1e Compare July 15, 2024 05:57
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from fc2c985 to 76e4743 Compare July 24, 2024 05:24
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from 64d4b5d to 5feda49 Compare July 31, 2024 11:31
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch 2 times, most recently from 934d284 to 6416684 Compare October 11, 2024 05:35
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch from 6416684 to bc8149f Compare October 28, 2024 20:50
@renovate renovate bot force-pushed the renovate/npm-grunt-vulnerability branch from bc8149f to df16a21 Compare October 30, 2024 20:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@moul moul Awaiting requested review from moul moul is a code owner

Assignees
No one assigned
Labels
dependencies 🔍 Ready for Review Pull Request is not reviewed yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants