Commit a0a31ad
[Security] Bump sshpk from 1.13.1 to 1.15.1 (#63)
Bumps [sshpk](https://github.com/joyent/node-sshpk) from 1.13.1 to 1.15.1. **This update includes security fixes.**
<details>
<summary>Vulnerabilities fixed</summary>
*Sourced from [The Sonatype OSS Index](https://ossindex.sonatype.org/vuln/fc393f9f-282f-4bc9-953b-d7e4b48352e9).*
> **CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')**
> The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
>
> Affected versions: <1.14.1
*Sourced from The GitHub Vulnerability Alert Database.*
> **CVE-2018-3737**
> See https://nvd.nist.gov/vuln/detail/CVE-2018-3737.
>
> Affected versions: < 1.13.2
*Sourced from [The Node Security Working Group](https://github.com/nodejs/security-wg/blob/master/vuln/npm/401.json).*
> **Denial of Service**
> `sshpk` is vulnerable to ReDoS when parsing crafted invalid public keys
>
> Affected versions: <=1.13.1
</details>
<details>
<summary>Release notes</summary>
*Sourced from [sshpk's releases](https://github.com/joyent/node-sshpk/releases).*
> ## v1.14.1
> * Remove all remaining usage of jodid25519 (abandoned dep)
> * Add support for DNSSEC key format
> * Add support for Ed25519 keys in PEM format (according to draft-curdle-pkix)
> * Fixes for X.509 encoding issues (asn.1 NULLs in RSA certs, cert string type mangling)
> * Performance issues parsing long SSH public keys
</details>
<details>
<summary>Commits</summary>
- [`2ab4f2a`](TritonDataCenter/node-sshpk@2ab4f2a) TritonDataCenter/node-sshpk#56 md5 fingerprints not quite right
- [`026ef47`](TritonDataCenter/node-sshpk@026ef47) TritonDataCenter/node-sshpk#53 stop using optional deps to fix webpack
- [`53e23fe`](TritonDataCenter/node-sshpk@53e23fe) TritonDataCenter/node-sshpk#50 Support PKCS#5 AES-256-CBC encrypted private keys
- [`6b68d49`](TritonDataCenter/node-sshpk@6b68d49) TritonDataCenter/node-sshpk#54 want API for accessing x509 extensions
- [`1088992`](TritonDataCenter/node-sshpk@1088992) TritonDataCenter/node-sshpk#52 Buffer no longer performs length check for hex strings i...
- [`6ec6f9d`](TritonDataCenter/node-sshpk@6ec6f9d) TritonDataCenter/node-sshpk#38 want support for more obscure DN OIDs
- [`1cc4c99`](TritonDataCenter/node-sshpk@1cc4c99) TritonDataCenter/node-sshpk#51 package.json repository does not point to Joyent
- [`175758a`](TritonDataCenter/node-sshpk@175758a) TritonDataCenter/node-sshpk#46 Use Buffer.(from|alloc) instead of deprecated Buffer API
- [`6edb37c`](TritonDataCenter/node-sshpk@6edb37c) Release 1.14.0
- [`46065d3`](TritonDataCenter/node-sshpk@46065d3) TritonDataCenter/node-sshpk#44 Performance issues parsing long SSH public keys
- Additional commits viewable in [compare view](TritonDataCenter/node-sshpk@v1.13.1...v1.15.1)
</details>
<br />
[Dependabot compatibility score](https://dependabot.com/compatibility-score.html?dependency-name=sshpk&package-manager=npm_and_yarn&previous-version=1.13.1&new-version=1.15.1)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot will **not** automatically merge this PR because it includes a minor update to a production dependency.
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Finally, you can contact us by mentioning @dependabot.
</details>

1 parent 9c0aaa9 commit a0a31ad
1 file changed: +6 −6 lines changed (hunks around lines 2731–2737 and 2913–2929 of the changed file; the diff body itself is not shown on this page)
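The three advisories quoted in the PR body carry three different upper bounds (<1.14.1, <1.13.2, <=1.13.1), and sshpk normally enters a project as a transitive dependency, so a top-level bump to 1.15.1 can still leave an older nested copy in the lockfile. The script below is an added example, not code from this PR or from sshpk: it walks a package-lock.json v1 dependency tree and reports every sshpk entry together with the advisory ranges it still falls inside. The lockfile it reads is constructed inline for the example, and the `request > http-signature > sshpk` path is an assumed typical dependency chain, not something the PR states.

```javascript
// Added example: find every copy of sshpk in a lockfile v1 tree and check each
// version against the affected ranges quoted in the Dependabot PR body.

// Ranges exactly as the three advisory sources on the PR state them.
const AFFECTED_RANGES = [
  { source: 'Sonatype OSS Index (CWE-400)', op: '<', version: '1.14.1' },
  { source: 'GitHub advisory (CVE-2018-3737)', op: '<', version: '1.13.2' },
  { source: 'Node Security WG #401 (ReDoS)', op: '<=', version: '1.13.1' },
];

// Minimal semver parse: major.minor.patch, ignoring prerelease/build tags.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

function matchesRange(version, range) {
  const c = compareSemver(version, range.version);
  return range.op === '<' ? c < 0 : c <= 0;
}

// Names of the advisory sources whose affected range still covers `version`.
function affectedBy(version) {
  return AFFECTED_RANGES.filter((r) => matchesRange(version, r)).map((r) => r.source);
}

// Lockfile v1 nests deduplicated-away copies under the parent's "dependencies",
// so every level has to be visited, not just the top-level map.
function findPackage(deps, name, path = [], out = []) {
  for (const [depName, entry] of Object.entries(deps || {})) {
    const here = [...path, depName];
    if (depName === name) out.push({ path: here.join(' > '), version: entry.version });
    findPackage(entry.dependencies, name, here, out);
  }
  return out;
}

function auditSshpk(lockfile) {
  return findPackage(lockfile.dependencies, 'sshpk').map((hit) => ({
    ...hit,
    advisories: affectedBy(hit.version),
  }));
}

// Constructed lockfile (assumption): a top-level sshpk already bumped to 1.15.1
// and a nested, unbumped 1.13.1 under request > http-signature.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    sshpk: { version: '1.15.1' },
    request: {
      version: '2.81.0',
      dependencies: {
        'http-signature': {
          version: '1.1.1',
          dependencies: { sshpk: { version: '1.13.1' } },
        },
      },
    },
  },
};

function report(lockfile) {
  return auditSshpk(lockfile).map((hit) => {
    const status = hit.advisories.length ? `VULNERABLE (${hit.advisories.join('; ')})` : 'ok';
    return `${hit.path}@${hit.version}: ${status}`;
  });
}

for (const line of report(SAMPLE_LOCK)) console.log(line);
```

On a real repository, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any line marked VULNERABLE means the bump in this PR did not reach that copy and the parent dependency needs updating or deduplicating as well.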