Merge pull request #993 from github/dependabot/npm_and_yarn/minimist-1.2.6

Bump minimist from 1.2.5 to 1.2.6
Henry Mercer 2022-03-24 18:50:32 +00:00 committed by GitHub
commit df164705ad
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 36 additions and 10 deletions

node_modules/.package-lock.json generated vendored

@ -3593,8 +3593,9 @@
} }
}, },
"node_modules/minimist": { "node_modules/minimist": {
"version": "1.2.5", "version": "1.2.6",
"integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz",
"integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==",
"dev": true "dev": true
}, },
"node_modules/ms": { "node_modules/ms": {

node_modules/minimist/index.js generated vendored

@ -70,7 +70,7 @@ module.exports = function (args, opts) {
var o = obj; var o = obj;
for (var i = 0; i < keys.length-1; i++) { for (var i = 0; i < keys.length-1; i++) {
var key = keys[i]; var key = keys[i];
if (key === '__proto__') return; if (isConstructorOrProto(o, key)) return;
if (o[key] === undefined) o[key] = {}; if (o[key] === undefined) o[key] = {};
if (o[key] === Object.prototype || o[key] === Number.prototype if (o[key] === Object.prototype || o[key] === Number.prototype
|| o[key] === String.prototype) o[key] = {}; || o[key] === String.prototype) o[key] = {};
@ -79,7 +79,7 @@ module.exports = function (args, opts) {
} }
var key = keys[keys.length - 1]; var key = keys[keys.length - 1];
if (key === '__proto__') return; if (isConstructorOrProto(o, key)) return;
if (o === Object.prototype || o === Number.prototype if (o === Object.prototype || o === Number.prototype
|| o === String.prototype) o = {}; || o === String.prototype) o = {};
if (o === Array.prototype) o = []; if (o === Array.prototype) o = [];
@ -243,3 +243,7 @@ function isNumber (x) {
return /^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/.test(x); return /^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/.test(x);
} }
function isConstructorOrProto (obj, key) {
return key === 'constructor' && typeof obj[key] === 'function' || key === '__proto__';
}

node_modules/minimist/package.json generated vendored

@ -1,6 +1,6 @@
{ {
"name": "minimist", "name": "minimist",
"version": "1.2.5", "version": "1.2.6",
"description": "parse argument options", "description": "parse argument options",
"main": "index.js", "main": "index.js",
"devDependencies": { "devDependencies": {


@ -34,7 +34,10 @@ $ node example/parse.js -x 3 -y 4 -n5 -abc --beep=boop foo bar baz
Previous versions had a prototype pollution bug that could cause privilege Previous versions had a prototype pollution bug that could cause privilege
escalation in some circumstances when handling untrusted user input. escalation in some circumstances when handling untrusted user input.
Please use version 1.2.3 or later: https://snyk.io/vuln/SNYK-JS-MINIMIST-559764 Please use version 1.2.6 or later:
* https://security.snyk.io/vuln/SNYK-JS-MINIMIST-2429795 (version <=1.2.5)
* https://snyk.io/vuln/SNYK-JS-MINIMIST-559764 (version <=1.2.3)
# methods # methods

node_modules/minimist/test/proto.js generated vendored

@ -42,3 +42,19 @@ test('proto pollution (constructor)', function (t) {
t.equal(argv.y, undefined); t.equal(argv.y, undefined);
t.end(); t.end();
}); });
test('proto pollution (constructor function)', function (t) {
var argv = parse(['--_.concat.constructor.prototype.y', '123']);
function fnToBeTested() {}
t.equal(fnToBeTested.y, undefined);
t.equal(argv.y, undefined);
t.end();
});
// powered by snyk - https://github.com/backstage/backstage/issues/10343
test('proto pollution (constructor function) snyk', function (t) {
var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' '));
t.equal((function(){}).foo, undefined);
t.equal(argv.y, undefined);
t.end();
})

package-lock.json generated

@ -3646,8 +3646,9 @@
} }
}, },
"node_modules/minimist": { "node_modules/minimist": {
"version": "1.2.5", "version": "1.2.6",
"integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz",
"integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==",
"dev": true "dev": true
}, },
"node_modules/ms": { "node_modules/ms": {
@ -8003,8 +8004,9 @@
} }
}, },
"minimist": { "minimist": {
"version": "1.2.5", "version": "1.2.6",
"integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz",
"integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==",
"dev": true "dev": true
}, },
"ms": { "ms": {