AmadeusITGroup
OSS
@o3r/framework
Latest CI Pipeline Executions
Succeeded
main
e0e1bbdc fix(ama-styling): fix metadata formatter edge case when token name has 'value' fragment
by Rajat Gupta
Succeeded
main
e0e1bbdc chore(deps): bump postcss from 8.5.8 to 8.5.10 (#4185)
Bumps postcss (https://github.com/postcss/postcss) from 8.5.8 to 8.5.10.
Release notes (sourced from postcss's releases, https://github.com/postcss/postcss/releases):
  8.5.10
  - Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid, https://github.com/TharVid).
  8.5.9
  - Speed up source map encoding parsing in case of the error.
Changelog (sourced from postcss's changelog, https://github.com/postcss/postcss/blob/main/CHANGELOG.md):
  8.5.10
  - Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid, https://github.com/TharVid).
  8.5.9
  - Speed up source map encoding parsing in case of the error.
Commits:
  - 33b9790 Release 8.5.10 version (https://github.com/postcss/postcss/commit/33b9790263dc1562a46ce45d9532bd63e95b7986)
  - 536c79e Escape </style> in CSS output (#2074) (https://github.com/postcss/postcss/commit/536c79e4b01e58a3a56b09c3c0cf2323f4b9a28b)
  - afa96b2 Update dependencies (#2073) (https://github.com/postcss/postcss/commit/afa96b2a139ce625c4d27973313479c7c85f39d4)
  - effe88b Typo (#2072) (https://github.com/postcss/postcss/commit/effe88bb87cabdc1876e02adbdd30f392f19f40d)
  - 3ee79a2 Thread model (#2071) (https://github.com/postcss/postcss/commit/3ee79a2c4a11e41d52db50b444eebe38299495ad)
  - 2e0683d Create incident response docs (#2070) (https://github.com/postcss/postcss/commit/2e0683daca4dc2919211b03774f6b2d137136c01)
  - fe88ac2 Release 8.5.9 version (https://github.com/postcss/postcss/commit/fe88ac29c06b7b218be32994cdc6ca1525bdf2c9)
  - c551632 Avoid RegExp when we can use simple JS (https://github.com/postcss/postcss/commit/c551632496b87ab3f1965bfda5dc386b6c71963e)
  - 89a6b74 Move SECURITY.txt for docs folder to keep GitHub page cleaner (https://github.com/postcss/postcss/commit/89a6b744060eb8dee743351c785a9fbe37d4525a)
  - 6ceb8a4 Create SECURITY.md (https://github.com/postcss/postcss/commit/6ceb8a46af9f9de821faee98f861bdf84617347b)
  - Additional commits viewable in compare view: https://github.com/postcss/postcss/compare/8.5.8...8.5.10
by Kilian Panot
Succeeded
main
8734fd6f Merge branch 'main' of github:AmadeusITGroup/otter into cascading/14.3.0-rc-main
by Kilian Panot
Succeeded
main
8734fd6f [cascading] from release/14.3.0-rc to main (#4212)
Cascading from release/14.3.0-rc to main
:heavy_exclamation_mark: The pull request is conflicting with the target branch. You can fix the issue locally with the following commands:
Using gh CLI:
    gh pr checkout 4212
    git pull --ff origin main
  and update this Pull Request with
    gh pr push 4212
Using git only:
    git fetch origin
    git checkout origin/cascading/14.3.0-rc-main
    git pull --ff origin main
  and update this Pull Request with
    git push origin HEAD:cascading/14.3.0-rc-main
This Pull Request has been generated with :heart: by the Otter (https://github.com/AmadeusITGroup/otter) cascading tool.
by mrednic-1A
Succeeded
main
8734fd6f [cascading] from release/14.3.0-rc to main (#4212) <!-- {"currentBranch":"release/14.3.0-rc","targetBranch":"main","bypassReviewers":false,"isConflicting":false} --> ## Cascading from release/14.3.0-rc to main --- :heavy_exclamation_mark: The pull request is conflicting with the target branch. You can fix the issue locally with the following commands: <details open> <summary>Using <b>gh CLI</b></summary> ```shell gh pr checkout 4212 git pull --ff origin main ``` and update this Pull Request with ```shell gh pr push 4212 ``` </details> <details> <summary>Using <b>git</b> only</summary> ```shell git fetch origin git checkout origin/cascading/14.3.0-rc-main git pull --ff origin main ``` and update this Pull Request with ```shell git push origin HEAD:cascading/14.3.0-rc-main ``` </details> --- <small>This Pull Request has been generated with :heart: by the [Otter](https://github.com/AmadeusITGroup/otter) cascading tool.</small>
by mrednic-1A
m
Succeeded
main
8734fd6f [cascading] from release/14.3.0-rc to main (#4212) <!-- {"currentBranch":"release/14.3.0-rc","targetBranch":"main","bypassReviewers":false,"isConflicting":false} --> ## Cascading from release/14.3.0-rc to main --- :heavy_exclamation_mark: The pull request is conflicting with the target branch. You can fix the issue locally with the following commands: <details open> <summary>Using <b>gh CLI</b></summary> ```shell gh pr checkout 4212 git pull --ff origin main ``` and update this Pull Request with ```shell gh pr push 4212 ``` </details> <details> <summary>Using <b>git</b> only</summary> ```shell git fetch origin git checkout origin/cascading/14.3.0-rc-main git pull --ff origin main ``` and update this Pull Request with ```shell git push origin HEAD:cascading/14.3.0-rc-main ``` </details> --- <small>This Pull Request has been generated with :heart: by the [Otter](https://github.com/AmadeusITGroup/otter) cascading tool.</small>
by mrednic-1A
m
Succeeded
main
9da9712f chore(deps): bump vm2 from 3.11.2 to 3.11.3
Bumps vm2 (https://github.com/patriksimek/vm2) from 3.11.2 to 3.11.3.
- Release notes: https://github.com/patriksimek/vm2/releases
- Changelog: https://github.com/patriksimek/vm2/blob/main/CHANGELOG.md
- Commits: https://github.com/patriksimek/vm2/compare/v3.11.2...v3.11.3
---
updated-dependencies:
- dependency-name: vm2
  dependency-version: 3.11.3
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
by dependabot...
Failed
main
9da9712f chore(deps): bump vm2 from 3.11.2 to 3.11.3 (#4216)
Bumps vm2 (https://github.com/patriksimek/vm2) from 3.11.2 to 3.11.3.
Release notes (sourced from vm2's releases, https://github.com/patriksimek/vm2/releases):
  v3.11.3
  What's Changed
  Security fix
  - GHSA-248r-7h7q-cr24 — Async generator yield*-return thenable exception capture (RCE)
  Documentation
  - docs/ATTACKS.md (https://github.com/patriksimek/vm2/blob/main/docs/ATTACKS.md) updated through Category 29.
  Full Changelog: https://github.com/patriksimek/vm2/compare/v3.11.2...v3.11.3
Changelog (sourced from vm2's changelog, https://github.com/patriksimek/vm2/blob/main/CHANGELOG.md):
  [3.11.3]
  Single advisory closed. Patch release — no API changes.
  Security fix
  - GHSA-248r-7h7q-cr24 — async generator yield*-return thenable exception capture. Calling i.return(thenable) on an async generator delegating to a no-return inner iterator let V8's PromiseResolveThenableJob capture synchronous throws from the thenable's .then and surface them to sandbox code as iterator results — bypassing both the transformer's catch instrumentation and the globalPromise.prototype.then rejection sanitiser. Two-layer defense on %AsyncGeneratorPrototype%.next/.return/.throw in lib/setup-sandbox.js: every iterator-result promise routes value and rejection through handleException, and every thenable argument is replaced with a sandbox-realm wrapper whose .then is a fixed safeThen that sanitises sync throws and recursively re-wraps any nested thenable handed to resolve(...). When safeThen reads value.then and it is non-function, the wrapper always resolves with a {__proto__: null} shadow so V8's re-read of .then cannot observe attacker-controlled values — closing every counting/self-replacing-getter TOCTOU variant. Trade-off: identity is not preserved for non-thenable values passed to i.return(x). ATTACKS.md Category 29.
Commits:
  - 093494c fix(GHSA-248r-7h7q-cr24): close async generator yield*-return thenable except... (https://github.com/patriksimek/vm2/commit/093494c0c3ef2390d2e56909f9d56e290e6f18b0)
  - See full diff in compare view: https://github.com/patriksimek/vm2/compare/v3.11.2...v3.11.3
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options. You can trigger Dependabot actions by commenting on this PR:
  - `@dependabot rebase` will rebase this PR
  - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
  - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page (https://github.com/AmadeusITGroup/otter/network/alerts).
by Kilian Panot
Succeeded
main
9da9712f chore: fix sub dependency
by Kilian Panot
Succeeded
main
2c9ad4b8 chore: upgrade angular dependencies (#2729)
Proposed change
Related issues
- No issue associated -
by Florian PAUL
Succeeded
main
9da9712f Merge branch 'release/14.3.0-rc' into feature/ama-openapi/skill
by Kilian Panot
Failed
main
9da9712f chore(deps): bump vm2 from 3.11.2 to 3.11.3
Bumps vm2 (https://github.com/patriksimek/vm2) from 3.11.2 to 3.11.3.
- Release notes: https://github.com/patriksimek/vm2/releases
- Changelog: https://github.com/patriksimek/vm2/blob/main/CHANGELOG.md
- Commits: https://github.com/patriksimek/vm2/compare/v3.11.2...v3.11.3
---
updated-dependencies:
- dependency-name: vm2
  dependency-version: 3.11.3
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
by dependabot...
Succeeded
main
9da9712f chore(deps): bump vm2 from 3.11.2 to 3.11.3 (#4216)
Bumps vm2 (https://github.com/patriksimek/vm2) from 3.11.2 to 3.11.3.
Release notes (sourced from vm2's releases, https://github.com/patriksimek/vm2/releases):
  v3.11.3
  What's Changed
  Security fix
  - GHSA-248r-7h7q-cr24 — Async generator yield*-return thenable exception capture (RCE)
  Documentation
  - docs/ATTACKS.md (https://github.com/patriksimek/vm2/blob/main/docs/ATTACKS.md) updated through Category 29.
  Full Changelog: https://github.com/patriksimek/vm2/compare/v3.11.2...v3.11.3
Changelog (sourced from vm2's changelog, https://github.com/patriksimek/vm2/blob/main/CHANGELOG.md):
  [3.11.3]
  Single advisory closed. Patch release — no API changes.
  Security fix
  - GHSA-248r-7h7q-cr24 — async generator yield*-return thenable exception capture. Calling i.return(thenable) on an async generator delegating to a no-return inner iterator let V8's PromiseResolveThenableJob capture synchronous throws from the thenable's .then and surface them to sandbox code as iterator results — bypassing both the transformer's catch instrumentation and the globalPromise.prototype.then rejection sanitiser. Two-layer defense on %AsyncGeneratorPrototype%.next/.return/.throw in lib/setup-sandbox.js: every iterator-result promise routes value and rejection through handleException, and every thenable argument is replaced with a sandbox-realm wrapper whose .then is a fixed safeThen that sanitises sync throws and recursively re-wraps any nested thenable handed to resolve(...). When safeThen reads value.then and it is non-function, the wrapper always resolves with a {__proto__: null} shadow so V8's re-read of .then cannot observe attacker-controlled values — closing every counting/self-replacing-getter TOCTOU variant. Trade-off: identity is not preserved for non-thenable values passed to i.return(x). ATTACKS.md Category 29.
Commits:
  - 093494c fix(GHSA-248r-7h7q-cr24): close async generator yield*-return thenable except... (https://github.com/patriksimek/vm2/commit/093494c0c3ef2390d2e56909f9d56e290e6f18b0)
  - See full diff in compare view: https://github.com/patriksimek/vm2/compare/v3.11.2...v3.11.3
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options. You can trigger Dependabot actions by commenting on this PR:
  - `@dependabot rebase` will rebase this PR
  - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
  - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page (https://github.com/AmadeusITGroup/otter/network/alerts).
by Kilian Panot