
🔒 Security / Bump plug to 1.20.2 (EEF-CVE-2026-54892)#47

Open
Actalab wants to merge 1 commit into main from security/bump-plug-cve

Conversation


@Actalab Actalab commented Jul 3, 2026

Collaborator

Context

mix hex.audit (CI Code Quality) fails on plug 1.19.2: EEF-CVE-2026-54892 / GHSA-j43x-5hjq-rgxf (quadratic-time decoding of nested query/body parameters → DoS).

Change

Bump plug 1.19.2 → 1.20.2 in mix.lock only. The mix.exs constraint ({:plug, "~> 1.18"}) already allowed the fix. 1.20.2 chosen because 1.20.0 / 1.20.1 are retired.

Verification (run locally)

  • mix hex.audit: No retired packages found
  • mix test: 215 tests, 0 failures
  • Diff limited to a single line of mix.lock.

plug 1.19.2 is affected by EEF-CVE-2026-54892 / GHSA-j43x-5hjq-rgxf
(quadratic-time decoding of nested query/body params → DoS). The mix.exs
constraint (~> 1.18) already allows the fix; only the lock needed
bumping. 1.20.2 chosen (1.20.0/1.20.1 are retired). mix hex.audit clean;
215 tests, 0 failures.
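As an added example, not part of this PR or the project: a POSIX shell guard for CI that reads the plug version pinned in mix.lock and fails while the lock still pins the affected release or one of the retired 1.20.x releases. The 1.20.2 floor and the retired versions are taken from this PR; the sample lock entries and their checksums are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of this PR: fail CI while mix.lock pins a plug
# release affected by EEF-CVE-2026-54892 or a retired 1.20.x release.
# Assumes x.y.z version strings and a 1.20.2 floor, as in this PR.

FIXED_VERSION="1.20.2"
RETIRED_VERSIONS="1.20.0 1.20.1"

# Print the version from the mix.lock "plug" entry, which looks like:
#   "plug": {:hex, :plug, "1.19.2", "<sha>", [:mix], [...], "hexpm", "<sha>"},
plug_version_from_lock() {
  sed -n 's/^ *"plug": {:hex, :plug, "\([0-9][0-9.]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed when $1 >= $2, comparing major.minor.patch numerically.
version_ge() {
  a=$1; b=$2
  a1=${a%%.*}; a=${a#*.}; a2=${a%%.*}; a3=${a#*.}
  b1=${b%%.*}; b=${b#*.}; b2=${b%%.*}; b3=${b#*.}
  if [ "$a1" -gt "$b1" ]; then return 0; elif [ "$a1" -lt "$b1" ]; then return 1; fi
  if [ "$a2" -gt "$b2" ]; then return 0; elif [ "$a2" -lt "$b2" ]; then return 1; fi
  [ "$a3" -ge "$b3" ] && return 0
  return 1
}

# Exit status: 0 safe, 1 affected release, 2 retired release, 3 plug not in lock.
check_plug_lock() {
  v=$(plug_version_from_lock "$1")
  if [ -z "$v" ]; then echo "plug not found in $1" >&2; return 3; fi
  for r in $RETIRED_VERSIONS; do
    if [ "$v" = "$r" ]; then echo "plug $v is retired" >&2; return 2; fi
  done
  if version_ge "$v" "$FIXED_VERSION"; then echo "plug $v: ok"; return 0; fi
  echo "plug $v is affected by EEF-CVE-2026-54892 (need >= $FIXED_VERSION)" >&2
  return 1
}

# Constructed sample lock files; "SHA" stands in for the real checksums.
WORK=$(mktemp -d)
LOCK_BEFORE="$WORK/before"; LOCK_AFTER="$WORK/after"
LOCK_RETIRED="$WORK/retired"; LOCK_NONE="$WORK/none"
printf '%%{\n  "plug": {:hex, :plug, "1.19.2", "SHA", [:mix], [], "hexpm", "SHA"},\n}\n' > "$LOCK_BEFORE"
printf '%%{\n  "plug": {:hex, :plug, "1.20.2", "SHA", [:mix], [], "hexpm", "SHA"},\n}\n' > "$LOCK_AFTER"
printf '%%{\n  "plug": {:hex, :plug, "1.20.1", "SHA", [:mix], [], "hexpm", "SHA"},\n}\n' > "$LOCK_RETIRED"
printf '%%{\n  "mime": {:hex, :mime, "2.0.5", "SHA", [:mix], [], "hexpm", "SHA"},\n}\n' > "$LOCK_NONE"

check_plug_lock "$LOCK_BEFORE"   # the pin this PR replaces: exits 1
check_plug_lock "$LOCK_AFTER"    # the pin after this PR: exits 0
```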