[Security] Bump dottie from 2.0.2 to 2.0.4 (!113) · Merge requests · school / jaar2 / billy

Dependabot requested to merge dependabot-npm_and_yarn-dottie-2.0.4 into master Jun 13, 2023

Bumps dottie from 2.0.2 to 2.0.4. This update includes a security fix.

Vulnerabilities fixed

dottie vulnerable to Prototype Pollution Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file.

Patched versions: 2.0.4 Affected versions: < 2.0.4

Release notes

Sourced from dottie's releases.

v2.0.3

null values can now be overriden thanks to @slavivanov (mickhansen/dottie.js#37)

Commits

e0c8bae 2.0.4
7d3aee1 rudimentary proto guarding
b48e227 add github action to run tests
001ca40 2.0.3
dbf26a6 Setting a null value should convert it to object (#37)
b581120 added power support arch ppc64le on yml file. (#35)
See full diff in compare view

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

$dependabot rebase will rebase this MR
$dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

[Security] Bump dottie from 2.0.2 to 2.0.4

v2.0.3

Merge request reports