Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update devdependency codecov to v3.7.1 [security] #51

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): update devdependency codecov to v3.7.1 [security] #51

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 14, 2020
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
codecov 3.5.0 -> 3.7.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2020-7597

codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596.

CVE-2020-15123

Impact

The upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

A similar CVE was issued: CVE-2020-7597, but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer.

We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the codecov-node project here.

Patches

This has been patched in version 3.7.1

Workarounds

None, however, the attack surface is low in this case. Particularly in the standard use of codecov, where the module is used directly in a build pipeline, not built against as a library in another application that may supply malicious input and perform command injection.

References

For more information

If you have any questions or comments about this advisory:

CVE-2020-7596

Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument.

Release Notes

codecov/codecov-node (codecov)

v3.7.1

Compare Source

  • Move to execFileSync and security fixes

v3.7.0

Compare Source

  • Remove the X-Amz-Acl: public-read header

v3.6.5

Compare Source

v3.6.4

Compare Source

  • Fix Cirrus CI

v3.6.3

Compare Source

  • Fix for AWS Codebuild & package updates

v3.6.2

Compare Source

  • Command line args sanitized fix

v3.6.1

Compare Source

  • Fix for Semaphore

v3.6.0

Compare Source

  • Added AWS CodeBuild and Semaphore2

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@codecov
Copy link

codecov bot commented Mar 14, 2020
edited
Loading

Codecov Report

Merging #51 (6d04d29) into master (34f27b1) will not change coverage.
The diff coverage is n/a.

❗ Current head 6d04d29 differs from pull request most recent head e90c099. Consider uploading reports for the commit e90c099 to get more accurate results

@@            Coverage Diff            @@
##            master       #51   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           18        18           
  Lines          347       365   +18     
  Branches        97       110   +13     
=========================================
+ Hits           347       365   +18

see 9 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 263d950 to 99422a8 Compare May 7, 2020 17:58
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch 2 times, most recently from a9d2840 to 2b47e71 Compare July 5, 2020 04:59
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 2b47e71 to af3f65f Compare August 26, 2020 00:58
@renovate renovate bot changed the title chore(deps): update devdependency codecov to v3.6.5 [security] chore(deps): update devdependency codecov to v3.7.1 [security] Aug 26, 2020
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from af3f65f to 48a0956 Compare October 28, 2020 15:59
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 48a0956 to f30d58c Compare November 25, 2020 23:00
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from f30d58c to d56e123 Compare December 11, 2020 02:53
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from d56e123 to d4a3d41 Compare April 26, 2021 17:12
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from d4a3d41 to 6d04d29 Compare May 9, 2021 21:02
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 6d04d29 to 058b2e7 Compare March 7, 2022 14:11
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 058b2e7 to a072bb1 Compare March 26, 2022 12:03
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from a072bb1 to 53f840d Compare April 25, 2022 00:20
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 53f840d to 1e5a446 Compare June 18, 2022 20:08
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 1e5a446 to 83b559e Compare March 18, 2023 17:55
@renovate
Copy link
Contributor Author

renovate bot commented Mar 24, 2023

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
Error response from daemon: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit

@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 83b559e to e90c099 Compare March 24, 2023 22:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants