Skip to content

chore(deps): update dependency immer to v9.0.6 [security] - autoclosed#1192

Closed
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-immer-vulnerability
Closed

chore(deps): update dependency immer to v9.0.6 [security] - autoclosed#1192
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-immer-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Aug 13, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
immer 9.0.5 -> 9.0.6 age confidence

GitHub Vulnerability Alerts

CVE-2021-3757

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').

CVE-2021-23436

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

Release Notes

immerjs/immer (immer)

v9.0.6

Compare Source

Bug Fixes
  • security: Follow up on CVE-2020-28477 where path: [["__proto__"], "x"] could still pollute the prototype (fa671e5)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Aug 13, 2025
@netlify
Copy link

netlify bot commented Aug 13, 2025
edited
Loading

Deploy Preview for quirrel-docs canceled.

Name Link
🔨 Latest commit 23ad1ae
🔍 Latest deploy log https://app.netlify.com/projects/quirrel-docs/deploys/689cbfe16599840007799bdc

@netlify
Copy link

netlify bot commented Aug 13, 2025
edited
Loading

Deploy Preview for quirrel-development-ui ready!

Name Link
🔨 Latest commit 23ad1ae
🔍 Latest deploy log https://app.netlify.com/projects/quirrel-development-ui/deploys/689cbfe1a16be200085ae919
😎 Deploy Preview https://deploy-preview-1192--quirrel-development-ui.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@renovate renovate bot changed the title fix(deps): update dependency immer to v9.0.6 [security] chore(deps): update dependency immer to v9.0.6 [security] Sep 25, 2025
@renovate renovate bot changed the title chore(deps): update dependency immer to v9.0.6 [security] chore(deps): update dependency immer to v9.0.6 [security] - autoclosed Oct 16, 2025
@renovate renovate bot closed this Oct 16, 2025
@renovate renovate bot deleted the renovate/npm-immer-vulnerability branch October 16, 2025 01:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants

Comments