[Security] Bump dottie from 2.0.2 to 2.0.6 (!101) · Merge requests · tools / chat

Dependabot requested to merge dependabot-npm_and_yarn-dottie-2.0.6 into master Jun 13, 2023

Bumps dottie from 2.0.2 to 2.0.6. This update includes a security fix.

Vulnerabilities fixed

dottie vulnerable to Prototype Pollution Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file.

Patched versions: 2.0.4 Affected versions: < 2.0.4

Release notes

Sourced from dottie's releases.

v2.0.3

null values can now be overriden thanks to @slavivanov (mickhansen/dottie.js#37)

Commits

03d7ee7 2.0.6
0371a92 Bump minimatch and mocha (#38)
0715d4c 2.0.5
10e4b14 remove preventExtensions in transform()
0edfecf Bump pathval from 1.1.0 to 1.1.1 (#36)
f840241 add maintenance notice
b183fff remove mention of preventExtensions
e0c8bae 2.0.4
7d3aee1 rudimentary proto guarding
b48e227 add github action to run tests
Additional commits viewable in compare view

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

$dependabot rebase will rebase this MR
$dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

[Security] Bump dottie from 2.0.2 to 2.0.6

v2.0.3

Merge request reports