fix(deps): update dependency cloudinary to v2 [security] #265

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

renovate wants to merge 1 commit into master from renovate/npm-cloudinary-vulnerability

Contributor

renovate bot commented Nov 13, 2025 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
cloudinary (source)	`^1.14.0` -> `^2.0.0`

GitHub Vulnerability Alerts

CVE-2025-12613

Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand. An attacker can inject additional, unintended parameters. This could lead to a variety of malicious outcomes, such as bypassing security checks, altering data, or manipulating the application's behavior.

Note:
Following our established security policy, we attempted to contact the maintainer regarding this vulnerability, but haven't received a response.

Release Notes

cloudinary/cloudinary_npm (cloudinary)

`v2.7.0`

==================

fix: prevent parameter injection via ampersand in parameter values (#709)

`v2.6.1`

==================

`v2.6.0`

==================

chore: bumped jsdoc
fix: defaults for related asset methods and proper content_type
chore: Updated Sample Projects (#698)
fix: metadata field datasource type (#693)
feat: Add support for DELETE /resources/backup/:asset_id (#700)
chore: dev dependencies cleanup
chore: new node version support in CI

`v2.5.1`

==================

fix: added missing stream method to ts spec

`v2.5.0`

==================

feat: auto_transcription on upload and explicit support (#690)
feat: auto_chaptering on upload and explicit support (#689)
feat: access key management via provisioning api (#687)

`v2.4.0`

==================

feat: exposing config endpoint from admin api
fix: update metadata field added missing param default_disabled
fix: types definitions

`v2.3.1`

==================

fix: use 0.0.0 as fallback when package.json unavailable
fix: upload_chunked_stream works properly with more than 2 chunks

`v2.3.0`

==================

fix: url analytics property name
fix: dependencies explicit version (fix for CI)
fix: decoding transformation string before sending in upload payload
feat: update folders

`v2.2.0`

==================

feat: selective response for admin and search api
feat: multiple values support for fields and with_field methods in search api

`v2.1.0`

==================

feat: added support for new api in beta - analyze api
chore: added state to datasource entry type
fix: metadata field api response datasource type improved
feat: notification-url for rename and destroy methods

`v2.0.3`

==================

fix: file and field encoding fixed for next.js production build

`v2.0.2`

==================

fix: custom regions

`v2.0.1`

==================

fix: search expression not required
chore: proxy-agent not needed any more
chore: cleanup
feat: supporting new analytics options, changed analytics algorithm

`v2.0.0`

==================

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          fix(deps): update dependency cloudinary to v2 [security]

9b78bd8

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet