Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency codecov to v3.7.1 [security] #44

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): update dependency codecov to v3.7.1 [security] #44

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jul 20, 2020
edited

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
codecov 3.7.0 -> 3.7.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2020-15123

Impact

The upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

A similar CVE was issued: CVE-2020-7597, but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer.

We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the codecov-node project here.

Patches

This has been patched in version 3.7.1

Workarounds

None, however, the attack surface is low in this case. Particularly in the standard use of codecov, where the module is used directly in a build pipeline, not built against as a library in another application that may supply malicious input and perform command injection.

References

For more information

If you have any questions or comments about this advisory:

Release Notes

codecov/codecov-node (codecov)

v3.7.1

Compare Source

  • Move to execFileSync and security fixes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 959a5c9 to 15d9976 Compare July 22, 2020 02:30
@codecov
Copy link

codecov bot commented Jul 22, 2020
edited

Codecov Report

Merging #44 (807b922) into master (e3fee16) will increase coverage by 0.09%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master      #44      +/-   ##
==========================================
+ Coverage   98.80%   98.90%   +0.09%     
==========================================
  Files          14       14              
  Lines          84       91       +7     
  Branches       14       14              
==========================================
+ Hits           83       90       +7     
  Misses          1        1

see 6 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 15d9976 to 6873af0 Compare October 28, 2020 16:52
@renovate renovate bot changed the title Update dependency codecov to v3.7.1 [SECURITY] chore(deps): update dependency codecov to v3.7.1 [security] Oct 28, 2020
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 6873af0 to 55b2675 Compare November 27, 2020 13:00
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 55b2675 to 819077f Compare December 10, 2020 06:55
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 819077f to a42e393 Compare April 26, 2021 14:00
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from a42e393 to a38cff4 Compare May 9, 2021 22:57
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from a38cff4 to 931258d Compare March 7, 2022 17:27
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 931258d to b831d68 Compare March 26, 2022 12:40
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from b831d68 to 27ba33b Compare April 24, 2022 22:08
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 27ba33b to 66a510c Compare June 18, 2022 19:46
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 66a510c to 1f6333f Compare March 16, 2023 07:28
@renovate
Copy link
Contributor Author

renovate bot commented Mar 24, 2023

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
Error response from daemon: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit

@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 1f6333f to 807b922 Compare March 24, 2023 23:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
0 participants