
Update dependency class-validator to ^0.14.0 [SECURITY] #419

Status: Open. Wants to merge 1 commit into base branch main.

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Nov 8, 2024

This PR contains the following updates:

| Package | Change |
| --- | --- |
| class-validator | ^0.13.1 -> ^0.14.0 |

(The Age, Adoption, Passing and Confidence columns were badge images and are not reproduced here.)

GitHub Vulnerability Alerts

CVE-2019-18413

In TypeStack class-validator, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input.

The default setting for forbidUnknownValues has been changed to true in 0.14.0.

NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.
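To make the advisory concrete, here is an added, self-contained model of the unknown-value bypass and of what the 0.14.0 default changes; it is not class-validator's own code, and the per-class metadata lookup, the `unknownValue` error shape and the `CreateUserDto` class are assumptions for illustration.

```javascript
// Simplified model of the behaviour behind CVE-2019-18413. Constructed for
// illustration; this is NOT class-validator's own code. It assumes, like the
// real library, that validation metadata is looked up by the object's class.
const registry = new Map(); // class -> array of rules for its properties

function registerRule(cls, property, name, check, message) {
  if (!registry.has(cls)) registry.set(cls, []);
  registry.get(cls).push({ property, name, check, message });
}

// Mirrors the library's contract: returns an array of errors, empty when valid.
function validate(obj, options = {}) {
  const forbidUnknownValues = options.forbidUnknownValues ?? false; // pre-0.14 default
  const rules = obj !== null && typeof obj === 'object' ? registry.get(obj.constructor) : undefined;
  if (!rules) {
    // No metadata for this object's class: it is an "unknown value".
    // With the old default there is nothing to check, so it passes silently.
    if (!forbidUnknownValues) return [];
    return [{ property: undefined, constraints: { unknownValue: 'an unknown value was passed to the validate function' } }];
  }
  const errors = [];
  for (const rule of rules) {
    if (!rule.check(obj[rule.property])) {
      errors.push({ property: rule.property, constraints: { [rule.name]: rule.message } });
    }
  }
  return errors;
}

// Hypothetical DTO with one rule: name must be purely alphabetic.
class CreateUserDto {}
registerRule(CreateUserDto, 'name', 'isAlpha', (v) => typeof v === 'string' && /^[A-Za-z]+$/.test(v), 'name must contain only letters');

// Constructed request body, as a web framework hands it over: a plain JSON
// object, not an instance of CreateUserDto, and it violates the rule.
const body = JSON.parse('{"name":"bob_42"}');

// 1. Vulnerable configuration (class-validator < 0.14 default): zero errors, input accepted.
function errorsWithLegacyDefault() { return validate(body).length; }
// 2. Hardened configuration (the 0.14.0 default): the unknown value is rejected.
function errorsWithForbidUnknownValues() { return validate(body, { forbidUnknownValues: true }).length; }
// 3. Correct usage: turn the body into the DTO class first, so the real rules apply.
function errorsAfterTransform() { return validate(Object.assign(new CreateUserDto(), body)).length; }
// Clean input through the same path passes.
function errorsForValidInput() { return validate(Object.assign(new CreateUserDto(), { name: 'alice' })).length; }
```

Note that the hardened default only reports that the value was unknown; the real fix is still to transform the incoming body into the decorated class before validating, so the declared rules run.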


Release Notes

typestack/class-validator (class-validator)

v0.14.0



Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.

@manuelblum manuelblum requested review from manuelblum and removed request for manuelblum November 8, 2024 10:22
@thomasdax98
Member

thomasdax98 commented Nov 11, 2024

This is a major update and I think it can't be done until COMET is compatible (vivid-planet/comet#2414). Otherwise we might run into problems.

@renovate renovate bot force-pushed the renovate/npm-class-validator-vulnerability branch 5 times, most recently from b6a2ac5 to 2e6f1fe Compare November 14, 2024 12:49
@renovate renovate bot added the dependencies Pull requests that update a dependency file label Nov 15, 2024
@renovate renovate bot changed the title fix(deps): update dependency class-validator to ^0.14.0 [security] Update dependency class-validator to ^0.14.0 [SECURITY] Nov 15, 2024
@johnnyomair johnnyomair removed their request for review November 20, 2024 08:21
@renovate renovate bot force-pushed the renovate/npm-class-validator-vulnerability branch from 2e6f1fe to a1b5755 Compare December 1, 2024 07:50
Contributor Author

renovate bot commented Dec 1, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: api/package-lock.json
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @comet/[email protected]
npm error Found: [email protected]
npm error node_modules/class-validator
npm error   class-validator@"^0.14.0" from the root project
npm error   peerOptional class-validator@"*" from @nestjs/[email protected]
npm error   node_modules/@nestjs/common
npm error     @nestjs/common@"^9.4.3" from the root project
npm error     peer @nestjs/common@"^9.0.0" from @comet/[email protected]
npm error     node_modules/@comet/blocks-api
npm error       @comet/blocks-api@"^7.10.0" from the root project
npm error       1 more (@comet/cms-api)
npm error     12 more (@comet/cms-api, @golevelup/nestjs-discovery, ...)
npm error   2 more (@nestjs/graphql, @nestjs/mapped-types)
npm error
npm error Could not resolve dependency:
npm error peer class-validator@"^0.11.1 || ^0.12.0 || ^0.13.0" from @comet/[email protected]
npm error node_modules/@comet/blocks-api
npm error   @comet/blocks-api@"^7.10.0" from the root project
npm error   @comet/blocks-api@"^7.10.0" from @comet/[email protected]
npm error   node_modules/@comet/cms-api
npm error     @comet/cms-api@"^7.10.0" from the root project
npm error
npm error Conflicting peer dependency: [email protected]
npm error node_modules/class-validator
npm error   peer class-validator@"^0.11.1 || ^0.12.0 || ^0.13.0" from @comet/[email protected]
npm error   node_modules/@comet/blocks-api
npm error     @comet/blocks-api@"^7.10.0" from the root project
npm error     @comet/blocks-api@"^7.10.0" from @comet/[email protected]
npm error     node_modules/@comet/cms-api
npm error       @comet/cms-api@"^7.10.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /tmp/renovate/cache/others/npm/_logs/2024-12-20T08_26_12_677Z-eresolve-report.txt
npm error A complete log of this run can be found in: /tmp/renovate/cache/others/npm/_logs/2024-12-20T08_26_12_677Z-debug-0.log

@renovate renovate bot force-pushed the renovate/npm-class-validator-vulnerability branch 2 times, most recently from 6ce1032 to 13801ec Compare December 3, 2024 05:55
@renovate renovate bot force-pushed the renovate/npm-class-validator-vulnerability branch from 13801ec to a9ea5ff Compare December 20, 2024 08:26