Update dependency ini to ~1.3.0 [SECURITY] by renovate[bot] · Pull Request #3 · nookala/first_app

renovate · 2025-01-09T16:03:35Z

This PR contains the following updates:

Package	Change	Age	Confidence
ini	`~1.0.5` → `~1.3.0`

GitHub Vulnerability Alerts

CVE-2020-7788

Overview

The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6.

Steps to reproduce

payload.ini

[__proto__]
polluted = "polluted"

poc.js:

var fs = require('fs')
var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)

> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted

Severity

CVSS Score: 7.3 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Release Notes

npm/ini (ini)

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from 6d179a4 to 54d695a Compare January 11, 2025 11:48

renovate Bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Jan 11, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from 54d695a to 1a9a1bd Compare January 15, 2025 19:39

renovate Bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Jan 15, 2025

renovate Bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Jan 17, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from 1a9a1bd to 1748f4c Compare January 17, 2025 11:45

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from 1748f4c to e22c243 Compare January 25, 2025 11:49

renovate Bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Jan 25, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from e22c243 to 946b185 Compare January 26, 2025 06:13

renovate Bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Jan 26, 2025

renovate Bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Jan 31, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch 2 times, most recently from b70e725 to a0ab166 Compare February 1, 2025 19:46

renovate Bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Feb 1, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from a0ab166 to b9c4aab Compare February 9, 2025 11:30

renovate Bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Feb 9, 2025

renovate Bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Feb 12, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from b9c4aab to 68c8dba Compare February 12, 2025 07:53

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from 68c8dba to c945314 Compare March 5, 2025 03:43

renovate Bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Mar 5, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from c945314 to cd5b3a9 Compare March 8, 2025 03:31

renovate Bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Mar 8, 2025

renovate Bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Mar 13, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch 2 times, most recently from df38326 to 441013a Compare March 15, 2025 11:17

renovate Bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Mar 15, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from 441013a to 757dd73 Compare March 19, 2025 23:58

renovate Bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Mar 19, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from 757dd73 to 610a988 Compare March 21, 2025 23:48

renovate Bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Mar 21, 2025

renovate Bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] May 10, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from 3bc9432 to 6dbb888 Compare May 17, 2025 04:01

renovate Bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] May 17, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from 6dbb888 to fab7300 Compare May 18, 2025 19:27

renovate Bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] May 18, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from fab7300 to 5930959 Compare May 24, 2025 11:32

renovate Bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] May 24, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from 5930959 to 6967aaf Compare May 25, 2025 11:37

renovate Bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] May 25, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from 6967aaf to 0204803 Compare May 31, 2025 12:11

renovate Bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] May 31, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from 0204803 to d99b1e8 Compare June 1, 2025 19:14

renovate Bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Jun 1, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from d99b1e8 to 71becd5 Compare June 6, 2025 18:22

renovate Bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Jun 6, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from 71becd5 to 4b61b6a Compare June 8, 2025 10:34

renovate Bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Jun 8, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from 4b61b6a to 996913d Compare June 21, 2025 12:02

renovate Bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Jun 21, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from 996913d to 269e2da Compare July 13, 2025 23:55

renovate Bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Jul 13, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from 269e2da to a046d70 Compare August 11, 2025 03:26

renovate Bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Aug 11, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from a046d70 to d477a2a Compare August 16, 2025 11:48

renovate Bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Aug 16, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from d477a2a to 9d9d9a8 Compare August 21, 2025 04:15

renovate Bot changed the title ~~Update dependency ini to ~1.3.6 [SECURITY]~~ Update dependency ini to ~1.3.0 [SECURITY] Aug 21, 2025

renovate Bot force-pushed the renovate/npm-ini-vulnerability branch from 9d9d9a8 to 1ad4f6c Compare August 24, 2025 04:11

renovate Bot changed the title ~~Update dependency ini to ~1.3.0 [SECURITY]~~ Update dependency ini to ~1.3.6 [SECURITY] Aug 24, 2025

Update dependency ini to ~1.3.0 [SECURITY]

3d3d26a

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency ini to ~1.3.0 [SECURITY]#3

Update dependency ini to ~1.3.0 [SECURITY]#3
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-ini-vulnerability

renovate Bot commented Jan 9, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Jan 9, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Overview

Patches

Steps to reproduce

Severity

Release Notes

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Jan 9, 2025 •

edited

Loading