Skip to content
This repository was archived by the owner on Aug 4, 2022. It is now read-only.

[Security] Bump csv-parse from 4.4.5 to 4.6.5 #11

Closed
dependabot-preview wants to merge 1 commit into from
Closed

[Security] Bump csv-parse from 4.4.5 to 4.6.5 #11

dependabot-preview wants to merge 1 commit into from

Conversation

@dependabot-preview
Copy link

@dependabot-preview dependabot-preview bot commented Oct 22, 2019

Bumps csv-parse from 4.4.5 to 4.6.5. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Low severity vulnerability that affects csv-parse
The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option.

Affected versions: < 4.4.6

Changelog

Sourced from csv-parse's changelog.

Version 4.6.5

  • context: column is null when cast force the context creation, fix #260

Version 4.6.4

  • errors: don't stringify/parse undefined and null values
  • errors: expose CSV_NON_TRIMABLE_CHAR_AFTER_CLOSING_QUOTE
  • errors: expose CSV_MAX_RECORD_SIZE

Version 4.6.3

  • lint: integrate eslint

Version 4.6.2

  • context: null column when columns number inferieur to record length

Version 4.6.1

  • src: set const in for loop

Version 4.6.0

  • skip_lines_with_empty_values: handle non string value
  • errors: add context information
  • tests: new error assertion framework
  • buffer: serialize to json as string
  • errors: expose INVALID_OPENING_QUOTE

Version 4.5.0

  • errors: start normalizing errors with unique codes and context
  • errors: expose CSV_INVALID_CLOSING_QUOTE
  • errors: expose CSV_QUOTE_NOT_CLOSED
  • errors: expose CSV_INVALID_RECORD_LENGTH_DONT_PREVIOUS_RECORDS
  • errors: expose CSV_INVALID_RECORD_LENGTH_DONT_MATCH_COLUMNS
  • errors: expose CSV_INVALID_COLUMN_MAPPING

Version 4.4.7

  • travis: remove node.js 8 and add 12
  • destroy: test inside readable event

Version 4.4.6

  • security: remove regexp vulnerable to DOS in cast option, npm report 69742
Commits
  • 1d56f41 Bump to version 4.6.5
  • 14686c9 context: column is null when cast force the context creation, fix #260
  • 90cbd5d Bump to version 4.6.4
  • 1f7c5f3 errors: don't stringify/parse undefined and null values, fix #262
  • ad65f3c error: new error CSV_NON_TRIMABLE_CHAR_AFTER_CLOSING_QUOTE
  • abc889b error: new error CSV_MAX_RECORD_SIZE code
  • 6704eab sample: refactor async iterator
  • f134854 Bump to version 4.6.3
  • 6136fd9 lint: integrate eslint
  • 4959359 Bump to version 4.6.2
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

@dependabot-preview
[Security] Bump csv-parse from 4.4.5 to 4.6.5
99eaf3b 
Bumps [csv-parse](https://github.com/wdavidw/node-csv-parse) from 4.4.5 to 4.6.5. **This update includes a security fix.**
- [Release notes](https://github.com/wdavidw/node-csv-parse/releases)
- [Changelog](https://github.com/adaltas/node-csv-parse/blob/master/CHANGELOG.md)
- [Commits](adaltas/node-csv-parse@v4.4.5...v4.6.5)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Oct 22, 2019
@dependabot-preview dependabot-preview bot mentioned this pull request Oct 22, 2019
Closed
@dependabot-preview
Copy link
Author

dependabot-preview bot commented Nov 15, 2019

Superseded by #22.

@dependabot-preview dependabot-preview bot deleted the dependabot/npm_and_yarn/develop/csv-parse-4.6.5 branch November 15, 2019 06:44
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant