New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency simple-git to v3 [security] #1882

Open

renovate wants to merge 1 commit into master from renovate/npm-simple-git-vulnerability

Contributor

renovate bot commented Mar 26, 2022 •

edited

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
simple-git	`^2.36.1` -> `^3.0.0`

GitHub Vulnerability Alerts

CVE-2022-24433

The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options, it was possible to get arbitrary command execution.

CVE-2022-24066

simple-git (maintained as git-js named repository on GitHub) is a light weight interface for running git commands in any node.js application.The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover. A fix was released in simple-git@3.5.0.

CVE-2022-25912

The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of CVE-2022-24066.

CVE-2022-25860

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.

Release Notes

steveukx/git-js

`v3.5.0`

Minor Changes

2040de6: Resolves potential command injection vulnerability by preventing use of --upload-pack in git.clone

`v3.4.0`

Minor Changes

ed412ef: Use null separators in git.status to allow for non-ascii file names

`v3.3.0`

Minor Changes

d119ec4: Resolves potential command injection vulnerability by preventing use of --upload-pack in git.fetch

`v3.2.6`

Patch Changes

80651d5: Resolve issue in prePublish script

`v3.2.4`

Patch Changes

d35987b: Release with changesets

`v3.1.1`

`v3.1.0`

Features

optionally include ignored files in StatusResult (70e6767), closes #718

3.0.4 (2022-01-23)

Bug Fixes

support parsing empty responses (91eb7fb), closes #713

3.0.3 (2022-01-20)

Bug Fixes

allow branches without labels (07a1388)
implement v3 deprecations (ed6d18e)
publish v3 as latest (5db4434)

3.0.2 (2022-01-18)

Bug Fixes

Backward compatibility - permit loading simple-git/promise with deprecation notice until mid-2022. (4413c47)

3.0.1 (2022-01-18)

Bug Fixes

Documentation update (4e000f6)

`v3.0.4`

`v3.0.3`

`v3.0.2`

`v3.0.1`

`v2.48.0`

Features

StatusResult returned by git.status() should include detached state of the working copy. (#695) (f464ebe)

Bug Fixes

Add example for empty commit message in git.commit() (61089cb)

2.47.1 (2021-11-29)

Bug Fixes

Add support for node@17 in unit tests (0d3bf47)
Add support for node@17 in unit tests (0d3bf47)

`v2.47.1`

`v2.47.0`

Features

git-grep (653065e)

`v2.46.0`

Features

completion plugin (#684) (ecb7bd6)
completion plugin to allow configuring when simple-git determines the git tasks to be complete. (ecb7bd6)

2.45.1 (2021-09-04)

Bug Fixes

support progress events in locales other than western european character sets. (8cc42f8)

`v2.45.1`

`v2.45.0`

Features

Use author email field that respects mailmap (589d624)

Bug Fixes

getConfig always returns null despite values being present in configuration (9fd483a)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          fix(deps): update dependency simple-git to v3 [security]

9df0b8a

renovate bot changed the title ~~fix(deps): update dependency simple-git to v3 [security]~~ fix(deps): update dependency simple-git to v3 [SECURITY]

renovate bot changed the title ~~fix(deps): update dependency simple-git to v3 [SECURITY]~~ fix(deps): update dependency simple-git to v3 [security]

Contributor Author

renovate bot commented Mar 24, 2023 •

edited

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment