projects / buildroot.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: aa8cf22) | patch
package/nodejs: security bump to version 12.14.0
authorPeter Korsgaard <peter@korsgaard.com>
Wed, 18 Dec 2019 12:57:07 +0000 (13:57 +0100)
committerPeter Korsgaard <peter@korsgaard.com>
Thu, 19 Dec 2019 13:44:08 +0000 (14:44 +0100)
commit65b89f393d274a558ac04715142422c1e134ac8e
tree229945e787cacb30e54f55323278225cf05e2f95tree
parentaa8cf22d7e94158a84cdd3235b83805468629784commit | diff
package/nodejs: security bump to version 12.14.0

Fixes the following security vulnerabilities (in npm):

- CVE-2019-16775: Versions of the npm CLI prior to 6.13.3 are vulnerable to
  an Arbitrary File Write.  It is possible for packages to create symlinks
  to files outside of thenode_modules folder through the bin field upon
  installation
  https://www.npmjs.com/advisories/1436

- CVE-2019-16776: Versions of the npm CLI prior to 6.13.3 are vulnerable to
  an Arbitrary File Write.  It fails to prevent access to folders outside of
  the intended node_modules folder through the bin field
  https://www.npmjs.com/advisories/1434

- CVE-2019-16777: Versions of the npm CLI prior to 6.13.4 are vulnerable to
  an Arbitrary File Overwrite.  It fails to prevent existing
  globally-installed binaries to be overwritten by other package
  installations
  https://www.npmjs.com/advisories/1437

For further details, see the upstream announcements:

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/nodejs/nodejs.hash diff | blob | history
package/nodejs/nodejs.mk diff | blob | history