Update dependency vm2 to v3.9.6 [SECURITY] #452
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.7.0->3.9.6GitHub Vulnerability Alerts
CVE-2021-23449
This affects the package vm2 before 3.9.4. Prototype Pollution attack vector can lead to sandbox escape and execution of arbitrary code on the host machine.
CVE-2021-23555
The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktraces, which can lead to execution of arbitrary code on the host machine.
Release Notes
patriksimek/vm2
v3.9.6Compare Source
[fix] Security fixes (XmiliaH)
v3.9.5Compare Source
[new] Editor config (aubelsb2)
[fix] Fix for Promise.then breaking
[fix] Fix for missing properties on CallSite
v3.9.4Compare Source
[new] Added strict option
[fix] Security fixes (XmiliaH)
[fix] Fixed bound function causes TypeError (XmiliaH)
[fix] Allow extending of frozen objects
v3.9.3Compare Source
[fix] Security fixes
[fix] Fixed problems when Promise object is deleted (XmiliaH)
[fix] Fixed oversight that write ability can change on non configurable properties (XmiliaH)
[fix] Support shebang as node does (XmiliaH)
[fix] Property typos (Shigma)
v3.9.2Compare Source
[new] Added NodeVM options to pass argv & env to process object (XmiliaH)
[fix] Fixed breakouts in NodeVM (XmiliaH)
[fix] Made async check more robust (XmiliaH)
v3.9.1Compare Source
[fix] Require helpers statically in main (XmiliaH)
[fix] Fix for non-configurable property access (XmiliaH)
v3.9.0Compare Source
[new] Added vm.Script
lineOffsetandcolumnOffsetoptions (azu)[new] Allow to specify a compiler per VMScript (XmiliaH)
[new] Add option to disable async (XmiliaH)
[new] Added allot of jsdoc (XmiliaH)
[fix] Fix access to frozen or unconfigurable properties (XmiliaH)
[fix] Double wrap Objects to prevent breakout via inspect (XmiliaH)
[fix] Compile now compiles VM code (XmiliaH)
v3.8.4Compare Source
[fix] Do not allow precompiling VMScript (XmiliaH)
[fix] Security fixes (XmiliaH)
v3.8.3Compare Source
[fix] Security fixes
v3.8.2Compare Source
[fix] toString() on builtin objects
v3.8.1Compare Source
[fix] Module resolver fixes
[fix] require('events') works correctly in Node 12
[fix] SyntaxError not being instanceOf Error
v3.8.0Compare Source
[new] Allow prohibiting access to eval/wasm in sandbox context
[new] Allow transitive external dependencies in sandbox context (Idan Attias)
[new] Allow using wildcards in module-names passed using the external attribute (Harel Moshe)
[fix] Default to index.js when specified "main" does not exist (Harel Moshe)
[fix] Security fixes
Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.