Skip to content

Update dependency simple-git to v3.15.0 [SECURITY] #6863

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 20, 2022
Merged

Update dependency simple-git to v3.15.0 [SECURITY] #6863

merged 1 commit into from
Dec 20, 2022

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Dec 7, 2022

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
simple-git 3.7.1 -> 3.15.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-25912

The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of CVE-2022-24066.

Release Notes

steveukx/git-js

v3.15.0

Compare Source

Minor Changes
  • 7746480: Disables the use of inline configuration arguments to prevent unitentionally allowing non-standard remote protocols without explicitly opting in to this practice with the new allowUnsafeProtocolOverride property having been enabled.
Patch Changes
  • 7746480: - Upgrade repo dependencies - lerna and jest
    • Include node@19 in the test matrix

v3.14.1

Compare Source

Patch Changes
  • 5a2e7e4: Add version parsing support for non-numeric patches (including "built from source" style 1.11.GIT)

v3.14.0

Compare Source

Minor Changes
  • 19029fc: Create the abort plugin to allow cancelling all pending and future tasks.
  • 4259b26: Add .version to return git version information, including whether the git binary is installed.

v3.13.0

Compare Source

Minor Changes
  • 87b0d75: Increase the level of deprecation notices for use of simple-git/promise, which will be fully removed in the next major
  • d0dceda: Allow supplying just one of to/from in the options supplied to git.log
Patch Changes
  • 6b3e05c: Use shared test utilities bundle in simple-git tests, to enable consistent testing across packages in the future

v3.12.0

Compare Source

Minor Changes
  • bfd652b: Add a new configuration option to enable trimming white-space from the response to git.raw

v3.11.0

Compare Source

Minor Changes
  • 80d54bd: Added fields updated + deleted branch info to fetch response, closes #​823
Patch Changes
  • 75dfcb4: Add prettier configuration and apply formatting throughout.

v3.10.0

Compare Source

Minor Changes
  • 2f021e7: Support for importing as an ES module with TypeScript moduleResolution node16 or newer by adding
    simpleGit as a named export.

v3.9.0

Compare Source

Minor Changes
  • a0d4eb8: Branches that have been checked out as a linked work tree will now be included in the BranchSummary output, with a linkedWorkTree property set to true in the BranchSummaryBranch.

v3.8.0

Compare Source

Minor Changes

  • 25230cb: Support for additional log formats in diffSummary / log / stashList.

    Adds support for the --numstat, --name-only and --name-stat in addition to the existing --stat option.

Patch Changes
  • 2cfc16f: Update CI environments to run build and test in node v18, drop node v12 now out of life.
  • 13197f1: Update debug dependency to latest 4.x

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@changeset-bot
Copy link

changeset-bot bot commented Dec 7, 2022

⚠️ No Changeset found

Latest commit: 4450e1d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@google-oss-bot
Copy link
Contributor

Size Report 1

Affected Products

No changes between base commit (649e7f3) and merge commit (543cf88).

Test Logs

  1. https://storage.googleapis.com/firebase-sdk-metric-reports/ULAtDpxrAD.html

@google-oss-bot
Copy link
Contributor

Size Analysis Report 1

Affected Products

No changes between base commit (649e7f3) and merge commit (543cf88).

Test Logs

  1. https://storage.googleapis.com/firebase-sdk-metric-reports/HhnaBKrgM0.html

@hsubox76 hsubox76 merged commit 9d2757a into master Dec 20, 2022
@hsubox76 hsubox76 deleted the renovate/npm-simple-git-vulnerability branch December 20, 2022 19:46
@firebase firebase locked and limited conversation to collaborators Jan 20, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@hsubox76 hsubox76 hsubox76 approved these changes

@dwyfrequency dwyfrequency Awaiting requested review from dwyfrequency

Assignees

@hsubox76 hsubox76

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@google-oss-bot @hsubox76