chore(deps): update devdependency codecov to v3.7.1 [security] by renovate[bot] · Pull Request #45 · Developmint/vue-link

renovate · 2020-02-22T13:00:09Z

This PR contains the following updates:

Package	Change	Age	Confidence
codecov	`3.2.0` → `3.7.1`

codecov NPM module allows remote attackers to execute arbitrary commands

CVE-2020-7597 / GHSA-5q88-cjfq-g2mh

More information

Details

codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596.

Severity

CVSS Score: 8.8 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Command injection in codecov (npm package)

CVE-2020-15123 / GHSA-xp63-6vf5-xf3v

More information

Details

Impact

The upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

A similar CVE was issued: CVE-2020-7597, but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer.

We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the codecov-node project here.

Patches

This has been patched in version 3.7.1

Workarounds

None, however, the attack surface is low in this case. Particularly in the standard use of codecov, where the module is used directly in a build pipeline, not built against as a library in another application that may supply malicious input and perform command injection.

References

CVE-2020-7597

For more information

If you have any questions or comments about this advisory:

Contact us via our Security Email

Severity

CVSS Score: 9.3 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Improper Neutralization of Special Elements in Output Used by a Downstream Component in Codecov

CVE-2020-7596 / GHSA-mh2h-6j8q-x246

More information

Details

Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument.

Severity

CVSS Score: 8.8 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

codecov/codecov-node (codecov)

`v3.7.1`

Compare Source

Move to execFileSync and security fixes

`v3.7.0`

Compare Source

Remove the X-Amz-Acl: public-read header

`v3.6.5`

Compare Source

`v3.6.4`

Compare Source

Fix Cirrus CI

`v3.6.3`

Compare Source

Fix for AWS Codebuild & package updates

`v3.6.2`

Compare Source

Command line args sanitized fix

`v3.6.1`

Compare Source

Fix for Semaphore

`v3.6.0`

Compare Source

Added AWS CodeBuild and Semaphore2

`v3.5.0`

Compare Source

Added TeamCity support

`v3.4.0`

Compare Source

Added Heroku CI support

`v3.3.0`

Compare Source

Added pipe with --pipe, -l

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

codecov-io · 2020-04-28T00:02:18Z

Codecov Report

Merging #45 into master will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff            @@
##            master       #45   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            1         1           
  Lines           27        27           
  Branches        11        11           
=========================================
  Hits            27        27

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update bffdda5...7904258. Read the comment docs.

codecov-commenter · 2020-08-24T23:58:32Z

Codecov Report

Merging #45 into master will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff            @@
##            master       #45   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            1         1           
  Lines           27        27           
  Branches        11        11           
=========================================
  Hits            27        27

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update bffdda5...227b30c. Read the comment docs.

codecov-io · 2020-11-28T12:01:12Z

Codecov Report

Merging #45 (5a0d19d) into master (0b335a8) will increase coverage by 100.00%.
The diff coverage is n/a.

@@              Coverage Diff              @@
##           master       #45        +/-   ##
=============================================
+ Coverage        0   100.00%   +100.00%     
=============================================
  Files           0         1         +1     
  Lines           0        28        +28     
  Branches        0        11        +11     
=============================================
+ Hits            0        28        +28

Impacted Files	Coverage Δ
lib/index.js	`100.00% <0.00%> (ø)`

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0b335a8...5a0d19d. Read the comment docs.

codecov-commenter · 2021-05-09T20:37:42Z

Codecov Report

Merging #45 (ea17f4e) into master (0b335a8) will increase coverage by 100.00%.
The diff coverage is n/a.

@@              Coverage Diff              @@
##           master       #45        +/-   ##
=============================================
+ Coverage        0   100.00%   +100.00%     
=============================================
  Files           0         1         +1     
  Lines           0        36        +36     
  Branches        0        18        +18     
=============================================
+ Hits            0        36        +36

Impacted Files	Coverage Δ
lib/index.js	`100.00% <0.00%> (ø)`

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0b335a8...ea17f4e. Read the comment docs.

renovate · 2023-03-24T23:07:07Z

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

Error response from daemon: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from dbca704 to 7904258 Compare April 28, 2020 00:00

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from 7904258 to 20eba6a Compare June 30, 2020 17:58

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from 20eba6a to 9d53bb1 Compare July 10, 2020 09:52

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from 9d53bb1 to 227b30c Compare August 24, 2020 23:56

renovate Bot changed the title ~~chore(deps): update devdependency codecov to v3.6.5 [security]~~ chore(deps): update devdependency codecov to v3.7.1 [security] Aug 24, 2020

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from 227b30c to 621cff5 Compare October 28, 2020 09:58

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from 621cff5 to cbbefe6 Compare November 28, 2020 11:59

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from cbbefe6 to 5a0d19d Compare December 9, 2020 17:00

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from 5a0d19d to 0668d08 Compare April 26, 2021 17:52

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from 0668d08 to ea17f4e Compare May 9, 2021 20:36

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from ea17f4e to f401e56 Compare March 7, 2022 07:39

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from f401e56 to 26280a4 Compare March 26, 2022 12:04

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from 26280a4 to fa6868c Compare April 24, 2022 19:12

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from fa6868c to 0dab2ad Compare June 18, 2022 20:07

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from 0dab2ad to 781fe60 Compare March 18, 2023 09:56

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from 781fe60 to 73f3a16 Compare March 24, 2023 23:07

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from 73f3a16 to 2bd7da0 Compare January 14, 2025 20:51

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from 2bd7da0 to 87d5556 Compare January 23, 2025 22:48

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from 87d5556 to 4f03fd2 Compare May 19, 2025 16:33

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from 4f03fd2 to ea0a704 Compare June 22, 2025 14:54

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from ea0a704 to 7c68d1e Compare September 25, 2025 16:45

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch from 7c68d1e to 8335987 Compare March 5, 2026 19:40

renovate Bot changed the title ~~chore(deps): update devdependency codecov to v3.7.1 [security]~~ chore(deps): update devdependency codecov to v3.7.1 [security] - autoclosed Mar 27, 2026

renovate Bot closed this Mar 27, 2026

renovate Bot deleted the renovate/npm-codecov-vulnerability branch March 27, 2026 01:32

chore(deps): update devdependency codecov to v3.7.1 [security]

9b8cb15

renovate Bot changed the title ~~chore(deps): update devdependency codecov to v3.7.1 [security] - autoclosed~~ chore(deps): update devdependency codecov to v3.7.1 [security] Mar 30, 2026

renovate Bot reopened this Mar 30, 2026

renovate Bot force-pushed the renovate/npm-codecov-vulnerability branch 2 times, most recently from 8335987 to 9b8cb15 Compare March 30, 2026 17:42

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update devdependency codecov to v3.7.1 [security]#45

chore(deps): update devdependency codecov to v3.7.1 [security]#45
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-codecov-vulnerability

renovate Bot commented Feb 22, 2020 •

edited

Loading

Uh oh!

codecov-io commented Apr 28, 2020 •

edited

Loading

Uh oh!

codecov-commenter commented Aug 24, 2020

Uh oh!

codecov-io commented Nov 28, 2020 •

edited

Loading

Uh oh!

codecov-commenter commented May 9, 2021 •

edited

Loading

Uh oh!

renovate Bot commented Mar 24, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

renovate Bot commented Feb 22, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

codecov NPM module allows remote attackers to execute arbitrary commands

Details

Severity

References

Command injection in codecov (npm package)

Details

Impact

Patches

Workarounds

References

For more information

Severity

References

Improper Neutralization of Special Elements in Output Used by a Downstream Component in Codecov

Details

Severity

References

Release Notes

Configuration

Uh oh!

codecov-io commented Apr 28, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

codecov-commenter commented Aug 24, 2020

Codecov Report

Uh oh!

codecov-io commented Nov 28, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

codecov-commenter commented May 9, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

renovate Bot commented Mar 24, 2023

⚠ Artifact update problem

File name: yarn.lock

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

renovate Bot commented Feb 22, 2020 •

edited

Loading

codecov-io commented Apr 28, 2020 •

edited

Loading

codecov-io commented Nov 28, 2020 •

edited

Loading

codecov-commenter commented May 9, 2021 •

edited

Loading