Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency n8n to v1.47.3 #5680

Merged
merged 1 commit into from
Jul 3, 2024

Conversation

uniget-bot
Copy link

This PR contains the following updates:

Package Update Change
n8n (source) patch 1.47.2 -> 1.47.3

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

n8n-io/n8n (n8n)

v1.47.3

Compare Source

Bug Fixes

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Copy link

@nicholasdille-bot nicholasdille-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto-approved because label type/renovate is present.

Copy link

github-actions bot commented Jul 3, 2024

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/n8n:1.47.3

📦 Image Reference ghcr.io/uniget-org/tools/n8n:1.47.3
digestsha256:3affce5c73f42a24dd4a4abb089cfb371cc518791517c5177719ee5c0b456c70
vulnerabilitiescritical: 0 high: 2 medium: 2 low: 0
platformlinux/amd64
size138 MB
packages1343
critical: 0 high: 1 medium: 0 low: 0 pdfjs-dist 2.16.105 (npm)

pkg:npm/pdfjs-dist@2.16.105

high : CVE--2024--4367

Affected range<=4.1.392
Fixed version4.2.67
Description

Impact

If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

The patch removes the use of eval:
mozilla/pdf.js#18015

Workarounds

Set the option isEvalSupported to false.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

critical: 0 high: 1 medium: 0 low: 0 lodash.set 4.3.2 (npm)

pkg:npm/lodash.set@4.3.2

high 7.4: CVE--2020--8203 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Affected range>=3.7.0
<=4.3.2
Fixed versionNot Fixed
CVSS Score7.4
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Description

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

critical: 0 high: 0 medium: 1 low: 0 identity 3.4.2 (npm)

pkg:npm/%40azure/identity@3.4.2

medium 5.5: CVE--2024--35255 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Affected range<4.2.1
Fixed version4.2.1
CVSS Score5.5
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

critical: 0 high: 0 medium: 1 low: 0 semver 5.3.0 (npm)

pkg:npm/semver@5.3.0

medium 5.3: CVE--2022--25883 Inefficient Regular Expression Complexity

Affected range<5.7.2
Fixed version5.7.2
CVSS Score5.3
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Description

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Copy link

github-actions bot commented Jul 3, 2024

Copy link

github-actions bot commented Jul 3, 2024

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/9781672293.

@github-actions github-actions bot merged commit 5432c9c into main Jul 3, 2024
9 of 10 checks passed
@github-actions github-actions bot deleted the renovate/n8n-1.47.x branch July 3, 2024 16:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants