Skip to content

Update dependency morgan to v1.11.0 [SECURITY]#9779

Open
backstage-goalie[bot] wants to merge 1 commit into
mainfrom
renovate/npm-morgan-vulnerability
Open

Update dependency morgan to v1.11.0 [SECURITY]#9779
backstage-goalie[bot] wants to merge 1 commit into
mainfrom
renovate/npm-morgan-vulnerability

Conversation

@backstage-goalie

@backstage-goalie backstage-goalie Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
morgan 1.10.01.11.0 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


morgan vulnerable to Log Forging via unneutralized control characters in :remote-user

CVE-2026-5078 / GHSA-4vj7-5mj6-jm8m

More information

Details

Impact

Morgan's :remote-user token extracts the Basic auth username from the Authorization header and writes it to the log stream without neutralizing control characters. An attacker can send a crafted Authorization: Basic header containing CR/LF characters to inject forged log lines, corrupting the one-request-per-line structure of access logs.

The built-in combined, common, default, and short formats are affected, as well as any custom format that includes :remote-user.

Patches

Users should upgrade to version 1.11.0.

Workarounds

Use a custom format string that does not include :remote-user.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

expressjs/morgan (morgan)

v1.11.0

Compare Source

===================

  • add :pid token

Security Fix:

v1.10.1

Compare Source

===================


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

Copilot AI review requested due to automatic review settings July 10, 2026 17:40
@backstage-goalie backstage-goalie Bot added the dependencies Pull requests that update a dependency file label Jul 10, 2026
@backstage-goalie backstage-goalie Bot requested a review from andrewthauer as a code owner July 10, 2026 17:40
@backstage-goalie backstage-goalie Bot requested a review from a team as a code owner July 10, 2026 17:40
@backstage-goalie backstage-goalie Bot added the dependencies Pull requests that update a dependency file label Jul 10, 2026
@backstage-goalie backstage-goalie Bot requested a review from vinzscam July 10, 2026 17:40

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

Copilot AI review requested due to automatic review settings July 10, 2026 20:38
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-morgan-vulnerability branch from 01a2b8a to 42a186d Compare July 10, 2026 20:38

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

Copilot AI review requested due to automatic review settings July 11, 2026 14:34
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-morgan-vulnerability branch from 42a186d to 55b1204 Compare July 11, 2026 14:34

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

Copilot AI review requested due to automatic review settings July 13, 2026 15:05
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-morgan-vulnerability branch from 55b1204 to 5d89bae Compare July 13, 2026 15:05

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

Copilot AI review requested due to automatic review settings July 13, 2026 16:55
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-morgan-vulnerability branch from 5d89bae to 0d9fe8b Compare July 13, 2026 16:55

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-morgan-vulnerability branch from 0d9fe8b to 6f41398 Compare July 13, 2026 17:47
Copilot AI review requested due to automatic review settings July 13, 2026 17:47

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

Copilot AI review requested due to automatic review settings July 13, 2026 22:26
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-morgan-vulnerability branch from 6f41398 to fbd511c Compare July 13, 2026 22:26
@backstage-goalie backstage-goalie Bot changed the title Update dependency morgan to v1.11.0 [SECURITY] chore(deps): update dependency morgan to v1.11.0 [security] Jul 13, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

Copilot AI review requested due to automatic review settings July 14, 2026 13:42
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-morgan-vulnerability branch from fbd511c to 1b8ad0f Compare July 14, 2026 13:42

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

Copilot AI review requested due to automatic review settings July 14, 2026 14:56
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-morgan-vulnerability branch from 1b8ad0f to b7270b1 Compare July 14, 2026 14:56

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-morgan-vulnerability branch from b7270b1 to 341d0d7 Compare July 14, 2026 16:23
Copilot AI review requested due to automatic review settings July 14, 2026 16:23

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

Copilot AI review requested due to automatic review settings July 14, 2026 17:21
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-morgan-vulnerability branch from 341d0d7 to ab22898 Compare July 14, 2026 17:21

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

Signed-off-by: Renovate Bot <bot@renovateapp.com>
Copilot AI review requested due to automatic review settings July 14, 2026 18:30
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-morgan-vulnerability branch from ab22898 to d8562b4 Compare July 14, 2026 18:30
@backstage-goalie backstage-goalie Bot changed the title chore(deps): update dependency morgan to v1.11.0 [security] Update dependency morgan to v1.11.0 [SECURITY] Jul 14, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file security workspace/rollbar

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants