[Security] Bump ssri from 6.0.1 to 6.0.2 in /assets (!193) · Merge requests · Up Learn / Admin Elf

Dependabot Zahir's Email requested to merge dependabot-npm_and_yarn-assets-ssri-6.0.2 into master Nov 20, 2023

Bumps ssri from 6.0.1 to 6.0.2. This update includes a security fix.

Vulnerabilities fixed

Regular Expression Denial of Service (ReDoS) npm ssri 5.2.2-6.0.1 and 7.0.0-8.0.0, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Patched versions: 6.0.2 Affected versions: >= 5.2.2, < 6.0.2

Changelog

Sourced from ssri's changelog.

6.0.2 (2021-04-07)

Bug Fixes

backport regex change from 8.0.1 (b30dfdb), closes #19

Commits

b7c8c7c chore(release): 6.0.2
b30dfdb fix: backport regex change from 8.0.1
See full diff in compare view

Maintainer changes

This version was pushed to npm by nlf, a new releaser for ssri since your current version.

[Security] Bump ssri from 6.0.1 to 6.0.2 in /assets

6.0.2 (2021-04-07)

Bug Fixes

Merge request reports