chore(deps): update dependency dot-prop to v4.2.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
dot-prop	4.2.0 → 4.2.1

---

dot-prop Prototype Pollution vulnerability

CVE-2020-8116 / GHSA-ff7x-qrg7-qggm

More information

Details

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Severity

• CVSS Score: 7.3 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-8116
• https://hackerone.com/reports/719856
• https://github.com/sindresorhus/dot-prop/issues/63
• https://github.com/advisories/GHSA-ff7x-qrg7-qggm
• https://github.com/sindresorhus/dot-prop/tree/v4
• https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2
• https://github.com/sindresorhus/dot-prop/commit/c914124f418f55edea27928e89c94d931babe587

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

sindresorhus/dot-prop (dot-prop)

v4.2.1

Compare Source

• Backport 3039c8c to the v4.x release line.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.