Skip to content
This repository was archived by the owner on Aug 4, 2022. It is now read-only.

[Security] Bump csv-parse from 4.4.5 to 4.7.0 #22

Closed
dependabot-preview wants to merge 1 commit into from
Closed

[Security] Bump csv-parse from 4.4.5 to 4.7.0 #22

dependabot-preview wants to merge 1 commit into from

Conversation

@dependabot-preview
Copy link

@dependabot-preview dependabot-preview bot commented Nov 15, 2019

Bumps csv-parse from 4.4.5 to 4.7.0. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Low severity vulnerability that affects csv-parse
The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option.

Affected versions: < 4.4.6

Changelog

Sourced from csv-parse's changelog.

Version 4.7.0

New Feature:

  • on_record: user function to alter and filter records

Minor improvements:

  • test: ensure every sample is valid
  • from_line: honours inferred column names
  • from_line: new sample
  • errors: expose CSV_INVALID_ARGUMENT
  • errors: expose CSV_INVALID_COLUMN_DEFINITION
  • errors: expose CSV_OPTION_COLUMNS_MISSING_NAME
  • errors: expose CSV_INVALID_OPTION_BOM
  • errors: expose CSV_INVALID_OPTION_CAST
  • errors: expose CSV_INVALID_OPTION_CAST_DATE
  • errors: expose CSV_INVALID_OPTION_COLUMNS
  • errors: expose CSV_INVALID_OPTION_COMMENT
  • errors: expose CSV_INVALID_OPTION_DELIMITER
  • error: fix call to supper

Project management:

  • package: contributing
  • package: code of conduct

Version 4.6.5

  • context: column is null when cast force the context creation, fix #260

Version 4.6.4

  • errors: don't stringify/parse undefined and null values
  • errors: expose CSV_NON_TRIMABLE_CHAR_AFTER_CLOSING_QUOTE
  • errors: expose CSV_MAX_RECORD_SIZE

Version 4.6.3

  • lint: integrate eslint

Version 4.6.2

  • context: null column when columns number inferieur to record length

Version 4.6.1

  • src: set const in for loop

Version 4.6.0

  • skip_lines_with_empty_values: handle non string value
  • errors: add context information
... (truncated)
Commits
  • 584ac52 Bump to version 4.7.0
  • eb96ee0 on_record: user function to alter and filter records
  • 80bc8e0 test: ensure every sample is valid
  • de7bd43 errors: expose CSV_INVALID_OPTION_DELIMITER
  • 5d8be7f from_line: honor inferred column names #263
  • dda1382 from_line: new sample
  • b76d470 errors: expose CSV_OPTION_COLUMNS_MISSING_NAME
  • a37dd48 errors: expose CSV_INVALID_COLUMN_DEFINITION
  • 5e28586 errors: expose CSV_INVALID_OPTION_COLUMNS
  • cf97e36 errors: expose CSV_INVALID_ARGUMENT
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

@dependabot-preview
[Security] Bump csv-parse from 4.4.5 to 4.7.0
3d1c117 
Bumps [csv-parse](https://github.com/wdavidw/node-csv-parse) from 4.4.5 to 4.7.0. **This update includes a security fix.**
- [Release notes](https://github.com/wdavidw/node-csv-parse/releases)
- [Changelog](https://github.com/adaltas/node-csv-parse/blob/master/CHANGELOG.md)
- [Commits](adaltas/node-csv-parse@v4.4.5...v4.7.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Nov 15, 2019
@dependabot-preview dependabot-preview bot mentioned this pull request Nov 15, 2019
Closed
@dependabot-preview
Copy link
Author

dependabot-preview bot commented Nov 18, 2019

Superseded by #24.

@dependabot-preview dependabot-preview bot deleted the dependabot/npm_and_yarn/develop/csv-parse-4.7.0 branch November 18, 2019 06:51
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant