Skip to content

Commit

Permalink
chore(deps): update dependency grunt to ~1.5.3 [security] (#1204)
Browse files Browse the repository at this point in the history
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [grunt](https://gruntjs.com/)
([source](https://redirect.github.com/gruntjs/grunt)) | [`~1.1.0` ->
`~1.5.3`](https://renovatebot.com/diffs/npm/grunt/1.1.0/1.5.3) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/grunt/1.5.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/grunt/1.5.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/grunt/1.1.0/1.5.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/grunt/1.1.0/1.5.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

#### [CVE-2020-7729](https://nvd.nist.gov/vuln/detail/CVE-2020-7729)

The package grunt before 1.3.0 are vulnerable to Arbitrary Code
Execution due to the default usage of the function load() instead of its
secure replacement safeLoad() of the package js-yaml inside
grunt.file.readYAML.

#### [CVE-2022-0436](https://nvd.nist.gov/vuln/detail/CVE-2022-0436)

Grunt prior to version 1.5.2 is vulnerable to path traversal.

#### [CVE-2022-1537](https://nvd.nist.gov/vuln/detail/CVE-2022-1537)

file.copy operations in GruntJS are vulnerable to a TOCTOU race
condition leading to arbitrary file write in GitHub repository
gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary
file writes which can lead to local privilege escalation to the GruntJS
user if a lower-privileged user has write access to both source and
destination directories as the lower-privileged user can create a
symlink to the GruntJS user's .bashrc file or replace /etc/shadow file
if the GruntJS user is root.

---

### Release Notes

<details>
<summary>gruntjs/grunt (grunt)</summary>

###
[`v1.5.3`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.5.3)

[Compare
Source](https://redirect.github.com/gruntjs/grunt/compare/v1.5.2...v1.5.3)

- Merge pull request
[#&#8203;1745](https://redirect.github.com/gruntjs/grunt/issues/1745)
from gruntjs/fix-copy-op
[`572d79b`](https://redirect.github.com/gruntjs/grunt/commit/572d79b)
- Patch up race condition in symlink copying.
[`58016ff`](https://redirect.github.com/gruntjs/grunt/commit/58016ff)
- Merge pull request
[#&#8203;1746](https://redirect.github.com/gruntjs/grunt/issues/1746)
from JamieSlome/patch-1
[`0749e1d`](https://redirect.github.com/gruntjs/grunt/commit/0749e1d)
- Create SECURITY.md
[`69b7c50`](https://redirect.github.com/gruntjs/grunt/commit/69b7c50)

###
[`v1.5.2`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.5.2)

[Compare
Source](https://redirect.github.com/gruntjs/grunt/compare/v1.5.1...v1.5.2)

- Update Changelog
[`7f15fd5`](https://redirect.github.com/gruntjs/grunt/commit/7f15fd5)
- Merge pull request
[#&#8203;1743](https://redirect.github.com/gruntjs/grunt/issues/1743)
from gruntjs/cleanup-link
[`b0ec6e1`](https://redirect.github.com/gruntjs/grunt/commit/b0ec6e1)
- Clean up link handling
[`433f91b`](https://redirect.github.com/gruntjs/grunt/commit/433f91b)

###
[`v1.5.1`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.5.1)

[Compare
Source](https://redirect.github.com/gruntjs/grunt/compare/v1.5.0...v1.5.1)

- Merge pull request
[#&#8203;1742](https://redirect.github.com/gruntjs/grunt/issues/1742)
from gruntjs/update-symlink-test
[`ad22608`](https://redirect.github.com/gruntjs/grunt/commit/ad22608)
- Fix symlink test
[`0652305`](https://redirect.github.com/gruntjs/grunt/commit/0652305)

###
[`v1.5.0`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.5.0)

[Compare
Source](https://redirect.github.com/gruntjs/grunt/compare/v1.4.1...v1.5.0)

- Updated changelog
[`b2b2c2b`](https://redirect.github.com/gruntjs/grunt/commit/b2b2c2b)
- Merge pull request
[#&#8203;1740](https://redirect.github.com/gruntjs/grunt/issues/1740)
from gruntjs/update-deps-22-10
[`3eda6ae`](https://redirect.github.com/gruntjs/grunt/commit/3eda6ae)
- Update testing matrix
[`47d32de`](https://redirect.github.com/gruntjs/grunt/commit/47d32de)
- More updates
[`2e9161c`](https://redirect.github.com/gruntjs/grunt/commit/2e9161c)
- Remove console log
[`04b960e`](https://redirect.github.com/gruntjs/grunt/commit/04b960e)
- Update dependencies, tests...
[`aad3d45`](https://redirect.github.com/gruntjs/grunt/commit/aad3d45)
- Merge pull request
[#&#8203;1736](https://redirect.github.com/gruntjs/grunt/issues/1736)
from justlep/main
[`fdc7056`](https://redirect.github.com/gruntjs/grunt/commit/fdc7056)
- support .cjs extension
[`e35fe54`](https://redirect.github.com/gruntjs/grunt/commit/e35fe54)

###
[`v1.4.1`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.4.1)

[Compare
Source](https://redirect.github.com/gruntjs/grunt/compare/v1.4.0...v1.4.1)

- Update Changelog
[`e7625e5`](https://redirect.github.com/gruntjs/grunt/commit/e7625e5)
- Merge pull request
[#&#8203;1731](https://redirect.github.com/gruntjs/grunt/issues/1731)
from gruntjs/update-options
[`5d67e34`](https://redirect.github.com/gruntjs/grunt/commit/5d67e34)
- Fix ci install
[`d13bf88`](https://redirect.github.com/gruntjs/grunt/commit/d13bf88)
- Switch to Actions
[`08896ae`](https://redirect.github.com/gruntjs/grunt/commit/08896ae)
- Update grunt-known-options
[`eee0673`](https://redirect.github.com/gruntjs/grunt/commit/eee0673)
- Add note about a breaking change
[`1b6e288`](https://redirect.github.com/gruntjs/grunt/commit/1b6e288)

###
[`v1.4.0`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.4.0)

[Compare
Source](https://redirect.github.com/gruntjs/grunt/compare/v1.3.0...v1.4.0)

- Merge pull request
[#&#8203;1728](https://redirect.github.com/gruntjs/grunt/issues/1728)
from gruntjs/update-deps-changelog
[`63b2e89`](https://redirect.github.com/gruntjs/grunt/commit/63b2e89)
- Update changelog and util dep
[`106ed17`](https://redirect.github.com/gruntjs/grunt/commit/106ed17)
- Merge pull request
[#&#8203;1727](https://redirect.github.com/gruntjs/grunt/issues/1727)
from gruntjs/update-deps-apr
[`49de70b`](https://redirect.github.com/gruntjs/grunt/commit/49de70b)
- Update CLI and nodeunit
[`47cf8b6`](https://redirect.github.com/gruntjs/grunt/commit/47cf8b6)
- Merge pull request
[#&#8203;1722](https://redirect.github.com/gruntjs/grunt/issues/1722)
from gruntjs/update-through
[`e86db1c`](https://redirect.github.com/gruntjs/grunt/commit/e86db1c)
- Update deps
[`4952368`](https://redirect.github.com/gruntjs/grunt/commit/4952368)

###
[`v1.3.0`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.3.0)

[Compare
Source](https://redirect.github.com/gruntjs/grunt/compare/v1.2.1...v1.3.0)

- Merge pull request
[#&#8203;1720](https://redirect.github.com/gruntjs/grunt/issues/1720)
from gruntjs/update-changelog-deps
[`faab6be`](https://redirect.github.com/gruntjs/grunt/commit/faab6be)
- Update Changelog and legacy-util dependency
[`520fedb`](https://redirect.github.com/gruntjs/grunt/commit/520fedb)
- Merge pull request
[#&#8203;1719](https://redirect.github.com/gruntjs/grunt/issues/1719)
from gruntjs/yaml-refactor
[`7e669ac`](https://redirect.github.com/gruntjs/grunt/commit/7e669ac)
- Switch to use `safeLoad` for loading YML files via `file.readYAML`.
[`e350cea`](https://redirect.github.com/gruntjs/grunt/commit/e350cea)
- Merge pull request
[#&#8203;1718](https://redirect.github.com/gruntjs/grunt/issues/1718)
from gruntjs/legacy-log-bumo
[`7125f49`](https://redirect.github.com/gruntjs/grunt/commit/7125f49)
- Bump legacy-log
[`00d5907`](https://redirect.github.com/gruntjs/grunt/commit/00d5907)

###
[`v1.2.1`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.2.1)

[Compare
Source](https://redirect.github.com/gruntjs/grunt/compare/v1.2.0...v1.2.1)

- Changelog update
[`ae11839`](https://redirect.github.com/gruntjs/grunt/commit/ae11839)
- Merge pull request
[#&#8203;1715](https://redirect.github.com/gruntjs/grunt/issues/1715)
from sibiraj-s/remove-path-is-absolute
[`9d23cb6`](https://redirect.github.com/gruntjs/grunt/commit/9d23cb6)
- Remove path-is-absolute dependency
[`e789b1f`](https://redirect.github.com/gruntjs/grunt/commit/e789b1f)

###
[`v1.2.0`](https://redirect.github.com/gruntjs/grunt/releases/tag/v1.2.0)

[Compare
Source](https://redirect.github.com/gruntjs/grunt/compare/v1.1.0...v1.2.0)

-   Allow usage of grunt plugins that are located in any location that
    is visible to Node.js and NPM, instead of node_modules directly
inside package that have a dev dependency to these
plugin[https://github.com/gruntjs/grunt/pull/1677](https://redirect.github.com/gruntjs/grunt/pull/1677)nt/pull/1677)
-   Removed coffeescript from dependencies. To ease transition, if
    coffeescript is still around, Grunt will attempt to load it.
    If it is not, and the user loads a CoffeeScript file,
    Grunt will print a useful error indicating that the
    coffeescript package should be installed as a dev dependency.
This is considerably more user-friendly than dropping the require
entirely,
    but doing so is feasible with the latest grunt-cli as users
may simply use grunt --require
[https://github.com/gruntjs/grunt/pull/1675](https://redirect.github.com/gruntjs/grunt/pull/1675)thub.com/gruntjs/grunt/pull/1675)
-   Exposes Grunt Option keys for ease of use.

([https://github.com/gruntjs/grunt/pull/1570](https://redirect.github.com/gruntjs/grunt/pull/1570)1570)
-   Avoiding infinite loop on very long command names.

([https://github.com/gruntjs/grunt/pull/1697](https://redirect.github.com/gruntjs/grunt/pull/1697)1697)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Asia/Bangkok, Automerge
- "0 */6 * * *" in timezone Asia/Bangkok.

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/davidsneighbour/hugo-modules).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41OS4yIiwidXBkYXRlZEluVmVyIjoiMzguNTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
  • Loading branch information
renovate[bot] authored Sep 2, 2024
1 parent 87fb3e5 commit c121628
Showing 1 changed file with 1 addition and 1 deletion.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit c121628

Please sign in to comment.