chore(deps-dev): Bump nuxt from 3.17.7 to 3.21.7#21606
Conversation
dependabot
Bot
added
dependencies
dependabot
Bot
requested review from
chargome and
nicohrubec
and removed request for
a team
dependabot
Bot
added
dependencies
![semgrep-code-getsentry[bot]](https://avatars.githubusercontent.com/in/1153895?s=60&v=4){kind=small}
| @@ -30101,7 +31360,7 @@ vite@^5.0.0, vite@^5.4.11, vite@^5.4.21: | |||
| optionalDependencies: | |||
| fsevents "~2.3.3" | |||
|
|
|||
| "vite@^5.0.0 || ^6.0.0 || ^7.0.0-0", vite@^6.3.5, vite@^6.4.1, vite@^6.4.2: | |||
| "vite@^5.0.0 || ^6.0.0 || ^7.0.0-0", vite@^6.4.1, vite@^6.4.2: | |||
There was a problem hiding this comment.
Risk: Affected versions of vite and vite-plus are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor / Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). Vite's server.fs.deny blocklist—which protects sensitive files such as .env and certificate files from being served—can be bypassed on Windows using alternate path representations (NTFS Alternate Data Stream syntax like /.env::$DATA?raw, or 8.3 short filenames), allowing an attacker to read otherwise-denied files when the dev server is exposed to the network.
Manual Review Advice: A vulnerability from this advisory is reachable if you expose the Vite dev server or vite-plus to the network by configuring a non-loopback address using the --host CLI flag on Windows
Fix: Upgrade this library to at least version 6.4.3 at sentry-javascript/yarn.lock:31298.
Reference(s): GHSA-fx2h-pf6j-xcff
🥳 Fixed in commit 51ff96c 🥳
| @@ -16104,6 +17005,38 @@ esbuild@^0.25.0, esbuild@^0.25.3, esbuild@^0.25.6: | |||
| "@esbuild/win32-ia32" "0.25.12" | |||
| "@esbuild/win32-x64" "0.25.12" | |||
|
|
|||
| esbuild@^0.27.0: | |||
There was a problem hiding this comment.
Risk: Affected versions of esbuild are vulnerable to Download of Code Without Integrity Check / Untrusted Search Path. esbuild's Deno distribution module (lib/deno/mod.ts) contains an import.meta.main CLI entrypoint that calls install() directly when the module is run as a script (deno run https://deno.land/x/esbuild@vX/mod.js). This download path has no SHA-256 integrity verification: if NPM_CONFIG_REGISTRY resolves to an attacker-controlled registry, the fetched binary is executed immediately, yielding arbitrary code execution without any API call in user code.
Manual Review Advice: A vulnerability from this advisory is reachable if you invoke the esbuild Deno module directly as a CLI tool (e.g. deno run https://deno.land/x/esbuild@vX/mod.js) and the NPM_CONFIG_REGISTRY environment variable resolves the binary download to an untrusted registry
Fix: Upgrade this library to at least version 0.28.1 at sentry-javascript/yarn.lock:17066.
Reference(s): GHSA-gv7w-rqvm-qjhr
🌟 Fixed in commit e073e16 🌟
| @@ -16072,7 +16973,7 @@ esbuild@^0.23.0: | |||
| "@esbuild/win32-ia32" "0.23.1" | |||
| "@esbuild/win32-x64" "0.23.1" | |||
|
|
|||
| esbuild@^0.25.0, esbuild@^0.25.3, esbuild@^0.25.6: | |||
| esbuild@^0.25.0, esbuild@^0.25.3: | |||
There was a problem hiding this comment.
Risk: Affected versions of esbuild are vulnerable to Download of Code Without Integrity Check / Untrusted Search Path. esbuild's Deno distribution module (lib/deno/mod.ts) contains an import.meta.main CLI entrypoint that calls install() directly when the module is run as a script (deno run https://deno.land/x/esbuild@vX/mod.js). This download path has no SHA-256 integrity verification: if NPM_CONFIG_REGISTRY resolves to an attacker-controlled registry, the fetched binary is executed immediately, yielding arbitrary code execution without any API call in user code.
Manual Review Advice: A vulnerability from this advisory is reachable if you invoke the esbuild Deno module directly as a CLI tool (e.g. deno run https://deno.land/x/esbuild@vX/mod.js) and the NPM_CONFIG_REGISTRY environment variable resolves the binary download to an untrusted registry
Fix: Upgrade this library to at least version 0.28.1 at sentry-javascript/yarn.lock:16976.
Reference(s): GHSA-gv7w-rqvm-qjhr
✨ Fixed in commit 9a26941 ✨
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
|
@dependabot recreate |
dependabot
Bot
force-pushed
the
dependabot/npm_and_yarn/nuxt-3.21.7
branch
2 times, most recently
from
66edd12 to
9a26941
Compare
| @@ -16194,6 +17095,38 @@ esbuild@^0.25.0, esbuild@^0.25.3, esbuild@^0.25.6: | |||
| "@esbuild/win32-ia32" "0.25.12" | |||
| "@esbuild/win32-x64" "0.25.12" | |||
|
|
|||
| esbuild@^0.27.0: | |||
There was a problem hiding this comment.
Risk: Affected versions of esbuild are vulnerable to Download of Code Without Integrity Check / Untrusted Search Path. esbuild's Deno distribution module (lib/deno/mod.ts) contains an import.meta.main CLI entrypoint that calls install() directly when the module is run as a script (deno run https://deno.land/x/esbuild@vX/mod.js). This download path has no SHA-256 integrity verification: if NPM_CONFIG_REGISTRY resolves to an attacker-controlled registry, the fetched binary is executed immediately, yielding arbitrary code execution without any API call in user code.
Manual Review Advice: A vulnerability from this advisory is reachable if you invoke the esbuild Deno module directly as a CLI tool (e.g. deno run https://deno.land/x/esbuild@vX/mod.js) and the NPM_CONFIG_REGISTRY environment variable resolves the binary download to an untrusted registry
Fix: Upgrade this library to at least version 0.28.1 at sentry-javascript/yarn.lock:17098.
Reference(s): GHSA-gv7w-rqvm-qjhr
🧼 Fixed in commit e073e16 🧼
dependabot
Bot
force-pushed
the
dependabot/npm_and_yarn/nuxt-3.21.7
branch
from
9a26941 to
e073e16
Compare
| @@ -16019,7 +16920,7 @@ esbuild@^0.23.0: | |||
| "@esbuild/win32-ia32" "0.23.1" | |||
| "@esbuild/win32-x64" "0.23.1" | |||
|
|
|||
| esbuild@^0.25.0, esbuild@^0.25.3, esbuild@^0.25.6: | |||
| esbuild@^0.25.0, esbuild@^0.25.3: | |||
There was a problem hiding this comment.
High severity vulnerability may affect your project—review required:
Line 16923 lists a dependency (esbuild) with a known High severity vulnerability.
ℹ️ Why this matters
Affected versions of esbuild are vulnerable to Download of Code Without Integrity Check / Untrusted Search Path. esbuild's Deno distribution module (lib/deno/mod.ts) contains an import.meta.main CLI entrypoint that calls install() directly when the module is run as a script (deno run https://deno.land/x/esbuild@vX/mod.js). This download path has no SHA-256 integrity verification: if NPM_CONFIG_REGISTRY resolves to an attacker-controlled registry, the fetched binary is executed immediately, yielding arbitrary code execution without any API call in user code.
References: GHSA
To resolve this comment:
Check if you invoke the esbuild Deno module directly as a CLI tool (e.g. deno run https://deno.land/x/esbuild@vX/mod.js) and the NPM_CONFIG_REGISTRY environment variable resolves the binary download to an untrusted registry.
- If you're affected, upgrade this dependency to at least version 0.28.1 at yarn.lock.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
|
@dependabot recreate |
Bumps [nuxt](https://github.com/nuxt/nuxt/tree/HEAD/packages/nuxt) from 3.17.7 to 3.21.7. - [Release notes](https://github.com/nuxt/nuxt/releases) - [Commits](https://github.com/nuxt/nuxt/commits/v3.21.7/packages/nuxt) --- updated-dependencies: - dependency-name: nuxt dependency-version: 3.21.7 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/npm_and_yarn/nuxt-3.21.7
branch
from
e073e16 to
51ff96c
Compare
| @@ -15875,7 +16776,7 @@ esbuild@^0.23.0: | |||
| "@esbuild/win32-ia32" "0.23.1" | |||
| "@esbuild/win32-x64" "0.23.1" | |||
|
|
|||
| esbuild@^0.25.0, esbuild@^0.25.3, esbuild@^0.25.6: | |||
| esbuild@^0.25.0, esbuild@^0.25.3: | |||
There was a problem hiding this comment.
High severity vulnerability may affect your project—review required:
Line 16779 lists a dependency (esbuild) with a known High severity vulnerability.
ℹ️ Why this matters
Affected versions of esbuild are vulnerable to Download of Code Without Integrity Check / Untrusted Search Path. esbuild's Deno distribution module (lib/deno/mod.ts) contains an import.meta.main CLI entrypoint that calls install() directly when the module is run as a script (deno run https://deno.land/x/esbuild@vX/mod.js). This download path has no SHA-256 integrity verification: if NPM_CONFIG_REGISTRY resolves to an attacker-controlled registry, the fetched binary is executed immediately, yielding arbitrary code execution without any API call in user code.
References: GHSA
To resolve this comment:
Check if you invoke the esbuild Deno module directly as a CLI tool (e.g. deno run https://deno.land/x/esbuild@vX/mod.js) and the NPM_CONFIG_REGISTRY environment variable resolves the binary download to an untrusted registry.
- If you're affected, upgrade this dependency to at least version 0.28.1 at yarn.lock.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
2 participants
Bumps nuxt from 3.17.7 to 3.21.7.
Release notes
Sourced from nuxt's releases.
... (truncated)
Commits
fd806bev3.21.7d11d7b1fix(nuxt): do not absolutely resolvedefu13e177efix(nuxt): clarify page and layout usage warnings (#35184)5328404fix(nuxt): reject script-capable protocols in\<NuxtLink>href6497d99fix(nuxt): reject cross-origin paths inreloadNuxtApp1f2dd5efix(nuxt): block path-normalization open redirect innavigateTo7fea9fdfix(nuxt): escape\<NoScript>slot content3f3e3fafix(nuxt): match route rules case-insensitively to mirrorvue-router40bedf0fix(nuxt): absolutely resolvedefuin app config template62fc32efix(nuxt): applyisScriptProtocolguard tonavigateToopen option (#35206)Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for nuxt since your current version.