ericelliott
Update dependency grunt to v1 [SECURITY]
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| grunt (source) | 0.4.5 → 1.5.3 |
GitHub Vulnerability Alerts
CVE-2020-7729
The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.
CVE-2022-0436
Grunt prior to version 1.5.2 is vulnerable to path traversal.
CVE-2022-1537
file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.
Release Notes
gruntjs/grunt (grunt)
v1.5.3
- Merge pull request #1745 from gruntjs/fix-copy-op
572d79b - Patch up race condition in symlink copying.
58016ff - Merge pull request #1746 from JamieSlome/patch-1
0749e1d - Create SECURITY.md
69b7c50
v1.5.2
- Update Changelog
7f15fd5 - Merge pull request #1743 from gruntjs/cleanup-link
b0ec6e1 - Clean up link handling
433f91b
v1.5.1
v1.5.0
- Updated changelog
b2b2c2b - Merge pull request #1740 from gruntjs/update-deps-22-10
3eda6ae - Update testing matrix
47d32de - More updates
2e9161c - Remove console log
04b960e - Update dependencies, tests...
aad3d45 - Merge pull request #1736 from justlep/main
fdc7056 - support .cjs extension
e35fe54
v1.4.1
- Update Changelog
e7625e5 - Merge pull request #1731 from gruntjs/update-options
5d67e34 - Fix ci install
d13bf88 - Switch to Actions
08896ae - Update grunt-known-options
eee0673 - Add note about a breaking change
1b6e288
v1.4.0
- Merge pull request #1728 from gruntjs/update-deps-changelog
63b2e89 - Update changelog and util dep
106ed17 - Merge pull request #1727 from gruntjs/update-deps-apr
49de70b - Update CLI and nodeunit
47cf8b6 - Merge pull request #1722 from gruntjs/update-through
e86db1c - Update deps
4952368
v1.3.0
- Merge pull request #1720 from gruntjs/update-changelog-deps
faab6be - Update Changelog and legacy-util dependency
520fedb - Merge pull request #1719 from gruntjs/yaml-refactor
7e669ac - Switch to use
safeLoadfor loading YML files viafile.readYAML.e350cea - Merge pull request #1718 from gruntjs/legacy-log-bumo
7125f49 - Bump legacy-log
00d5907
v1.2.1
- Changelog update
ae11839 - Merge pull request #1715 from sibiraj-s/remove-path-is-absolute
9d23cb6 - Remove path-is-absolute dependency
e789b1f
v1.2.0
- Allow usage of grunt plugins that are located in any location that is visible to Node.js and NPM, instead of node_modules directly inside package that have a dev dependency to these plugins. (PR: #1677)
- Removed coffeescript from dependencies. To ease transition, if coffeescript is still around, Grunt will attempt to load it. If it is not, and the user loads a CoffeeScript file, Grunt will print a useful error indicating that the coffeescript package should be installed as a dev dependency. This is considerably more user-friendly than dropping the require entirely, but doing so is feasible with the latest grunt-cli as users may simply use grunt --require coffeescript/register. (PR: #1675)
- Exposes Grunt Option keys for ease of use. (PR: #1570)
- Avoiding infinite loop on very long command names. (PR: #1697)
v1.1.0
- Update to mkdirp ~1.0.3
- Only support versions of Node >= 8
v1.0.4
v1.0.3
v1.0.2
v1.0.1
v1.0.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}