New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency simple-git to v3 [security] - abandoned #206

Open

renovate wants to merge 1 commit into master from renovate/npm-simple-git-vulnerability

Contributor

renovate bot commented Mar 26, 2022 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
simple-git	`^2.4.0` -> `^3.0.0`

GitHub Vulnerability Alerts

CVE-2022-24433

The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options, it was possible to get arbitrary command execution.

CVE-2022-24066

simple-git (maintained as git-js named repository on GitHub) is a light weight interface for running git commands in any node.js application.The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover. A fix was released in [email protected].

CVE-2022-25912

The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of CVE-2022-24066.

CVE-2022-25860

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.

Release Notes

steveukx/git-js

`v3.16.0`

Minor Changes

97fde2c: Support the use of -B in place of the default -b in checkout methods
0a623e5: Adds vulnerability detection to prevent use of --upload-pack and --receive-pack without explicitly opting in.

Patch Changes

ec97a39: Include restricting the use of git push --exec with other allowUnsafePack exclusions, thanks to @stsewd for the suggestion.

`v3.15.1`

Patch Changes

de570ac: Resolves an issue whereby non-strings can be passed into the config switch detector.

`v3.15.0`

Minor Changes

7746480: Disables the use of inline configuration arguments to prevent unitentionally allowing non-standard remote protocols without explicitly opting in to this practice with the new allowUnsafeProtocolOverride property having been enabled.

Patch Changes

7746480: - Upgrade repo dependencies - lerna and jest
- Include node@19 in the test matrix

`v3.14.1`

Patch Changes

5a2e7e4: Add version parsing support for non-numeric patches (including "built from source" style 1.11.GIT)

`v3.14.0`

Minor Changes

19029fc: Create the abort plugin to allow cancelling all pending and future tasks.
4259b26: Add .version to return git version information, including whether the git binary is installed.

`v3.13.0`

Minor Changes

87b0d75: Increase the level of deprecation notices for use of simple-git/promise, which will be fully removed in the next major
d0dceda: Allow supplying just one of to/from in the options supplied to git.log

Patch Changes

6b3e05c: Use shared test utilities bundle in simple-git tests, to enable consistent testing across packages in the future

`v3.12.0`

Minor Changes

bfd652b: Add a new configuration option to enable trimming white-space from the response to git.raw

`v3.11.0`

Minor Changes

80d54bd: Added fields updated + deleted branch info to fetch response, closes #823

Patch Changes

75dfcb4: Add prettier configuration and apply formatting throughout.

`v3.10.0`

Minor Changes

2f021e7: Support for importing as an ES module with TypeScript moduleResolution node16 or newer by adding
simpleGit as a named export.

`v3.9.0`

Minor Changes

a0d4eb8: Branches that have been checked out as a linked work tree will now be included in the BranchSummary output, with a linkedWorkTree property set to true in the BranchSummaryBranch.

`v3.8.0`

Minor Changes

25230cb: Support for additional log formats in diffSummary / log / stashList.

Adds support for the --numstat, --name-only and --name-stat in addition to the existing --stat option.

Patch Changes

2cfc16f: Update CI environments to run build and test in node v18, drop node v12 now out of life.
13197f1: Update debug dependency to latest 4.x

`v3.7.1`

Patch Changes

adb4346: Resolves issue whereby renamed files no longer appear correctly in the response to git.status.

`v3.7.0`

Minor Changes

fa2c7f7: Enable the use of types when loading with module-resolution

Patch Changes

3805f6b: Timeout plugin no longer keeps short lived processes alive until timeout is hit

`v3.6.0`

Minor Changes

f2fc5c9: Show full commit hash in a CommitResult, prior to this change git.commit would result in a partial hash in the commit property if core.abbrev is unset or has a value under 40. Following this change the commit property will contain the full commit hash.

Patch Changes

c4a2a13: chore(deps): bump minimist from 1.2.5 to 1.2.6

`v3.5.0`

Minor Changes

2040de6: Resolves potential command injection vulnerability by preventing use of --upload-pack in git.clone

`v3.4.0`

Minor Changes

ed412ef: Use null separators in git.status to allow for non-ascii file names

`v3.3.0`

Minor Changes

d119ec4: Resolves potential command injection vulnerability by preventing use of --upload-pack in git.fetch

`v3.2.6`

Patch Changes

80651d5: Resolve issue in prePublish script

`v3.2.4`

Patch Changes

d35987b: Release with changesets

`v3.1.1`

`v3.1.0`

Features

optionally include ignored files in StatusResult (70e6767), closes #718

3.0.4 (2022-01-23)

Bug Fixes

support parsing empty responses (91eb7fb), closes #713

3.0.3 (2022-01-20)

Bug Fixes

allow branches without labels (07a1388)
implement v3 deprecations (ed6d18e)
publish v3 as latest (5db4434)

3.0.2 (2022-01-18)

Bug Fixes

Backward compatibility - permit loading simple-git/promise with deprecation notice until mid-2022. (4413c47)

3.0.1 (2022-01-18)

Bug Fixes

Documentation update (4e000f6)

`v3.0.4`

`v3.0.3`

`v3.0.2`

`v3.0.1`

`v2.48.0`

Features

StatusResult returned by git.status() should include detached state of the working copy. (#695) (f464ebe)

Bug Fixes

Add example for empty commit message in git.commit() (61089cb)

2.47.1 (2021-11-29)

Bug Fixes

Add support for node@17 in unit tests (0d3bf47)
Add support for node@17 in unit tests (0d3bf47)

`v2.47.1`

`v2.47.0`

Features

git-grep (653065e)

`v2.46.0`

Features

completion plugin (#684) (ecb7bd6)
completion plugin to allow configuring when simple-git determines the git tasks to be complete. (ecb7bd6)

2.45.1 (2021-09-04)

Bug Fixes

support progress events in locales other than western european character sets. (8cc42f8)

`v2.45.1`

`v2.45.0`

Features

Use author email field that respects mailmap (589d624)

Bug Fixes

getConfig always returns null despite values being present in configuration (9fd483a)

`v2.44.0`

Features

add support for getting the current value of a git configuration setting based on its name. (1d09204)

`v2.43.0`

Features

task callback types defined as single function type (b0a832c)

`v2.42.0`

Features

move log task to separate task builder (0712f86)
support scope argument in listConfig to return a specific scope's configuration (0685a8b)

2.41.2 (2021-07-29)

Bug Fixes

use literal true and false in DiffResultTextFile | DiffResultBinaryFile to aid type assertions. (8059099)

2.41.1 (2021-07-11)

Bug Fixes

Commit parsing should cater for file names with square brackets (ae81134)

`v2.41.2`

`v2.41.1`

`v2.41.0`

Features

allow setting the scope of git config add to work on the local, global or system configuration. (c7164e7)
allow setting the scope of git config add to work on the local, global or system configuration. (00ada06)

`v2.40.0`

Features

create the spawnOptions plugin to allow setting uid / gid owner for the spawned git child processes. (cc70220)

2.39.1 (2021-06-09)

Bug Fixes

add types and tests for the documented .exec api (#631) (c9207da)
add types and tests for the documented .exec api (c9207da)
updates the documentation for mergeFromTo to more closely represent its functionality (see #50 for the original requirement). (dd2244e)

`v2.39.1`

`v2.39.0`

Features

git.cwd can now be configured to affect just the chain rather than root instance. (4110662)

2.38.1 (2021-05-09)

Bug Fixes

Export GitPluginError from the main package. (2aa7e55), closes #616

`v2.38.1`

`v2.38.0`

Features

Support enabling / disabling debug logs programmatically. (#610) (c901b9c)

`v2.37.0`

Features

errorDetectionPlugin to handle creating error messages when tasks fail. (c65a419)

2.36.2 (2021-03-11)

Bug Fixes

Export missing SimpleGitProgressEvent (038870e), closes #601

2.36.1 (2021-03-06)

Bug Fixes

Documentation update for outputHandler (775d81e)
Support parsing git.branch where branches have carriage returns in the commit detail. (5b71012)

`v2.36.2`

`v2.36.1`

`v2.36.0`

Features

Timeout Plugin (59f3d98)

Bug Fixes

Fix broken link in no-response auto-generated comment (16fe73f)

2.35.2 (2021-02-23)

Bug Fixes

Progress plugin should request progress events for fetch as well as other common long running tasks. (ea68857)
upgrade debug from 4.3.1 to 4.3.2 (4b6eda8)
While use of the ListLogSummary type is deprecated in favour of the new LogResult, the alias type should also support the default generic DefaultLogFields to allow downstream consumers to upgrade to newer 2.x versions without the need to specify a generic. (508e602), closes #586

2.35.1 (2021-02-19)

Bug Fixes

Update documentation for configuring SimpleGit - options should be a Partial<SimpleGitOptions> to allow for supplying just some of its properties. (30523df), closes #580

`v2.35.2`

`v2.35.1`

`v2.35.0`

Features

Progress Handler (5508bd4)

2.34.2 (2021-02-07)

Bug Fixes

fix npm publish token definition (fb066c3)

2.34.1 (2021-02-07)

Bug Fixes

auto-release with release-please (0ed2d96)

`v2.34.2`

`v2.32.0`

Supports passing configuration arguments to the git binary (via its -c argument as a prefix to any other
arguments). Eg: to supply some custom http proxy to a git pull command, use
simpleGit('/some/path', { config: ['http.proxy=someproxy'] }).pull()
Add deprecation notice to git.silent
Internal Updates:
- switch from run to runTask in git core
- finish converting all mocks to TypeScript

`v2.31.0`

Adds a root: boolean property to the CommitResult interface representing whether the commit was a 'root' commit
(which is a commit that has no parent, most commonly the first commit in a repo).

`v2.30.0`

Reinstates native support for node.js v10 by removing use of ES6 constructs

`v2.29.0`

Update type definition for git.mergeFromTo to be the MergeResult returned
when using the more generic git.merge method.
Thanks to @ofirelias for the pull request.

`v2.28.0`

Adds support for git.applyPatch to apply patches generated in a git diff to the working index,
TypeScript consumers can make use of the ApplyOptions type definition to make use of strong types
for the supported options. Thanks to @andreterron for the pull request.
Integration tests converted to TypeScript to ensure type safety across all tests.

`v2.27.0`

Update the git.status parser to account for staged deleted/modified files and staged files with subsequent
modifications meaning a status of:
- RM old -> new will now appear in renamed and new will also appear in modified
- D file will now appear in both deleted and staged where D file would only appear in deleted

`v2.26.0`

Resolves an issue whereby using git.log with a callback (or awaiting the promise created from the now deprecated
simple-git/promise import) would fail to return the response to the caller.

`v2.25.0`

See Legacy Node Versions for details of how to use simple-git with node.js
versions 11 and below.
To help keep the TypeScript definitions in line with functionality, unit tests are now written in TypeScript.
When using git.commit, the first argument must be a string or array of strings. Passing another data type has long
been considered an error, but now a deprecation warning will be shown in the log and will be switched to an error
in version 3.
Fixes an issue in git.commit whereby a commit that included only deleted lines would be parsed as though the
deletions were inclusions.

`v2.24.0`

pull, push and pushTags parameter types updated to match new functionality and tests switched to TypeScript to ensure they are kept in sync

`v2.23.0`

Upgrade debug dependency and remove use of now deprecated debug().destroy()
Renames the default source branch from master to main

`v2.22.0`

Adds support for git hash-object FILE and git hash-object -w FILE
with new interface git.hashObject(...), with thanks to @MiOnim

`v2.21.0`

Adds string[] to the set of types supported as options for git.log
Fix readme typos

`v2.20.1`

LogOptions should be intersection rather than union types

`v2.20.0`

`v2.19.0`

move the command/task option processing function to TypeScript

`v2.18.0`

git.clone and git.mirror rewritten to fit the TypeScript tasks style.
resolves issue whereby git.clone didn't accept an object of options despite being documented as supporting.

`v2.17.0`

git pull (and by extension git merge) adds remote message parsing to the PullResult type
Remote message parsing adds property remoteMessages.objects of type RemoteMessagesObjectEnumeration to capture the objects transferred in fetch and push.

`v2.16.0`

git.mv rewritten to fit the TypeScript tasks style.
set up github actions for CI

`v2.15.0`

adds the TaskParser type to describe a task's parser function and creates the LineParser utility to simplify line-by-line parsing of string responses.
renames some interfaces for consistency of naming, the original name remains as a type alias marked as @deprecated until version 3.x:
- BranchDeletionSummary > BranchSingleDeleteResult
- BranchDeletionBatchSummary > BranchMultiDeleteResult
- MergeSummary > MergeResult

`v2.14.0`

resolves an issue whereby the git.checkoutBranch method would not pass the branch detail through to the underlying child process.

`v2.13.2`

Further to 2.13.0 includes all (non-empty) remote: lines in the PushResult,
including remote: lines used for other parser results (ie: pullRequestUrl etc).

`v2.13.1`

Further to 2.13.0 adding support for parsing the reponse to git.push, adds support for the pull request message
used by gitlab.

`v2.13.0`

.push and .pushTags rewritten as v2 style tasks. The git response is now parsed and returned as a
PushResult
Pull and merge rewritten to fit the TypeScript tasks style.
Integration tests updated to run through jest directly without compiling from nodeunit

`v2.12.0`

resolves an issue whereby the git.tags method could not be chained or used as an async/promise.

`v2.11.0`

until now, simple-git reject all pending tasks in the queue when a task has failed. From 2.11.0, only
tasks chained from the failing one will be rejected, other tasks can continue to be processed as normal,
giving the developer more control over which tasks should be treated as atomic chains, and which can be
run in parallel.

To support this, and to prevent the issues seen when git is run concurrently in too many child processes,
simple-git will limit the number of tasks running in parallel at any one time to be at most 1 from each
chain (ie: chained tasks are still run in series) and at most 5 tasks across all chains (
configurable by passing {maxConcurrentProcesses: x} in the simpleGit constructor).
add support to git.status() for parsing the response of a repo that has no commits yet, previously
it wouldn't determine the branch name correctly.
resolved a flaw introduced in 2.9.0 whereby checkoutLocalBranch would silently fail and not check out the branch

`v2.10.0`

git.checkout now supports both object and array forms of supplying trailing options.

import simpleGit from 'simple-git';
await simpleGit().checkout('branch-name', ['--track', 'remote/branch']);
await simpleGit().checkout(['branch-name', '--track', 'remote/branch']);
await simpleGit().checkout({ 'branch-name': null });

git.init now supports both object and array forms of supplying trailing options and now
parses the response to return an InitResult;

import simpleGit, { InitResult } from 'simple-git';
const notSharedInit: InitResult = await simpleGit().init(false, ['--shared=false']);
const notSharedBareInit: InitResult = await simpleGit().init(['--bare', '--shared=false']);
const sharedInit: InitResult = await simpleGit().init(false, {
   '--shared': 'true',
});
const sharedBareInit: InitResult = await simpleGit().init({
   '--bare': null,
   '--shared': 'false',
});

git.status now supports both object and array forms of supplying trailing options.

import simpleGit, { StatusResult } from 'simple-git';
const repoStatus: StatusResult = await simpleGit().status();
const subDirStatus: StatusResult = await simpleGit().status(['--', 'sub-dir']);

git.reset upgraded to the new task style and exports an enum ResetMode with all supported
merge modes and now supports both object and array forms of supplying trailing options.

import simpleGit, { ResetMode } from 'simple-git';

// git reset --hard
await simpleGit().reset(ResetMode.HARD);

// git reset --soft -- sub-dir
await simpleGit().reset(ResetMode.SOFT, ['--', 'sub-dir']);

bug-fix: it should not be possible to await the simpleGit() task runner, only the tasks it returns.

expect(simpleGit().then).toBeUndefined();
expect(simpleGit().init().then).toBe(expect.any(Function));

`v2.9.0`

.checkIsRepo() updated to allow choosing the type of check to run, either by using the exported CheckRepoActions enum
or the text equivalents ('bare', 'root' or 'tree'):
- checkIsRepo(CheckRepoActions.BARE): Promise<boolean> determines whether the working directory represents a bare repo.
- checkIsRepo(CheckRepoActions.IS_REPO_ROOT): Promise<boolean> determines whether the working directory is at the root of a repo.
- checkIsRepo(CheckRepoActions.IN_TREE): Promise<boolean> determines whether the working directory is a descendent of a git root.
.revparse() converted to a new style task

`v2.8.0`

Enables support for using the default export of simple-git as an es module, in TypeScript it is no
longer necessary to enable the esModuleInterop flag in the tsconfig.json to consume the default
export.

2.7.2 - Bug Fix: Remove `promise.ts` source from `simple-git` published artifact

Closes #471, whereby the source for the promise wrapped runner would be included in the published artifact
due to sharing the same name as the explicitly included promise.js in the project root.

2.7.1 - Bug Fix: `await git.log` having imported from root `simple-git`

Fixes #464, whereby using await on git.log without having supplied a callback would ignore the leading options
object or options array.

`v2.7.2`

Closes #471, whereby the source for the promise wrapped runner would be included in the published artifact
due to sharing the same name as the explicitly included promise.js in the project root.

`v2.7.1`

Fixes #464, whereby using await on git.log without having supplied a callback would ignore the leading options
object or options array.

`v2.7.0`

Updated to the outputHandler type to add a trailing argument for the arguments passed into the child process.
All logging now uses the debug library. Enable logging by adding simple-git
to the DEBUG environment variable. git.silent(false) can still be used to explicitly enable logging and is
equivalent to calling require('debug').enable('simple-git').

`v2.6.0`

Native Promises

TL;DR - .then and .catch can now be called on the standard simpleGit chain to handle the promise
returned by the most recently added task... essentially, promises now just work the way you would expect
them to.
The main export from simple-git no longer shows the deprecation notice for using the
.then function, it now exposes the promise chain generated from the most recently run
task, allowing the combination of chain building and ad-hoc splitting off to a new promise chain.
- See the unit and integration tests.
- See the typescript consumer test.

TypeScript Importing

Promise / async interface and TypeScript types all available from the simple-git import rather than needing
simple-git/promise, see examples in the ReadMe or in the consumer tests.

Typed Errors

Tasks that previously validated their usage and rejected with a TypeError will now reject with a
TaskConfigurationError.
Tasks that previously rejected with a custom object (currently only git.merge when the auto-merge fails)
will now reject with a GitResponseError where previously it
was a modified Error.

Git Clean

git.clean(...) will now return a CleanSummary instead of the raw string data

Git Raw

git.raw(...) now accepts any number of leading string arguments as an alternative to the
single array of strings.

`v2.5.0`

all git.remote related functions converted to TypeScript

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          fix(deps): update dependency simple-git to v3 [security]

070f8c9

github-actions bot added the bug label

Contributor Author

renovate bot commented Mar 24, 2023 •

edited

Loading

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

renovate bot changed the title ~~fix(deps): update dependency simple-git to v3 [security]~~ fix(deps): update dependency simple-git to v3 [security] - abandoned

Contributor Author

renovate bot commented Feb 24, 2024

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug