Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency redis to v3 [SECURITY] #51

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented May 9, 2021

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
redis ^2.8.0 -> ^3.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2021-29469

Impact

When a client is in monitoring mode, the regex begin used to detected monitor messages could cause exponential backtracking on some strings. This issue could lead to a denial of service.

Patches

The problem was fixed in commit 2d11b6d and was released in version 3.1.1.

References

#​1569 (GHSL-2021-026)


Release Notes

redis/node-redis

v3.1.1

Compare Source

Enhancements
  • Upgrade node and dependencies
Fixes
  • Fix a potential exponential regex in monitor mode

v3.1.0

Compare Source

Enhancements
  • Upgrade node and dependencies and redis-commands to support Redis 6
  • Add support for Redis 6 auth pass [user]

v3.0.2

Compare Source

v3.0.1

Compare Source

v3.0.0

Compare Source

This version is mainly a release to distribute all the unreleased changes on master since 2017 and additionally removes
a lot of old deprecated features and old internals in preparation for an upcoming modernization refactor (v4).

Breaking Changes
  • Dropped support for Node.js < 6
  • Dropped support for hiredis (no longer required)
  • Removed previously deprecated drain event
  • Removed previously deprecated idle event
  • Removed previously deprecated parser option
  • Removed previously deprecated max_delay option
  • Removed previously deprecated max_attempts option
  • Removed previously deprecated socket_no_delay option
Bug Fixes
  • Removed development files from published package (#​1370)
  • Duplicate function now allows db param to be passed (#​1311)
Features
  • Upgraded to latest redis-commands package
  • Upgraded to latest redis-parser package, v3.0.0, which brings performance improvements
  • Replaced double-ended-queue with denque, which brings performance improvements
  • Add timestamps to debug traces
  • Add socket_initial_delay option for socket.setKeepAlive (#​1396)
  • Add support for rediss protocol in url (#​1282)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate
Copy link
Author

renovate bot commented Mar 24, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant