Update dependency grunt to v1.5.3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
grunt (source)	1.4.1 → 1.5.3

---

Path Traversal in Grunt

CVE-2022-0436 / GHSA-j383-35pm-c5h4

More information

Details

Grunt prior to version 1.5.2 is vulnerable to path traversal.

Severity

• CVSS Score: 5.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-0436
• https://github.com/gruntjs/grunt/commit/aad3d4521c3098fb255fb2db8f2e1d691a033665
• https://huntr.dev/bounties/f55315e9-9f6d-4dbb-8c40-bae50c1ae92b
• https://github.com/gruntjs/grunt/pull/1743
• https://github.com/gruntjs/grunt/commit/b0ec6e12426fc8d5720dee1702f6a67455c5986c
• https://lists.debian.org/debian-lts-announce/2023/04/msg00008.html
• https://github.com/advisories/GHSA-j383-35pm-c5h4

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Race Condition in Grunt

CVE-2022-1537 / GHSA-rm36-94g8-835r

More information

Details

file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.

Severity

• CVSS Score: 7.0 / 10 (High)
• Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-1537
• https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae
• https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d
• https://lists.debian.org/debian-lts-announce/2023/04/msg00006.html
• https://github.com/advisories/GHSA-rm36-94g8-835r

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

gruntjs/grunt (grunt)

v1.5.3

Compare Source

• Merge pull request #​1745 from gruntjs/fix-copy-op 572d79b
• Patch up race condition in symlink copying. 58016ff
• Merge pull request #​1746 from JamieSlome/patch-1 0749e1d
• Create SECURITY.md 69b7c50

v1.5.2

Compare Source

• Update Changelog 7f15fd5
• Merge pull request #​1743 from gruntjs/cleanup-link b0ec6e1
• Clean up link handling 433f91b

v1.5.1

Compare Source

• Merge pull request #​1742 from gruntjs/update-symlink-test ad22608
• Fix symlink test 0652305

v1.5.0

Compare Source

• Updated changelog b2b2c2b
• Merge pull request #​1740 from gruntjs/update-deps-22-10 3eda6ae
• Update testing matrix 47d32de
• More updates 2e9161c
• Remove console log 04b960e
• Update dependencies, tests... aad3d45
• Merge pull request #​1736 from justlep/main fdc7056
• support .cjs extension e35fe54

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.