fix(deps): update dependency redis to v3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
redis	^2.8.0 → ^3.0.0

---

Node-Redis potential exponential regex in monitor mode

CVE-2021-29469 / GHSA-35q2-47q7-3pc3

More information

Details

Impact

When a client is in monitoring mode, the regex begin used to detected monitor messages could cause exponential backtracking on some strings. This issue could lead to a denial of service.

Patches

The problem was fixed in commit 2d11b6d and was released in version 3.1.1.

References

#​1569 (GHSL-2021-026)

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/NodeRedis/node-redis/security/advisories/GHSA-35q2-47q7-3pc3
• https://nvd.nist.gov/vuln/detail/CVE-2021-29469
• https://github.com/NodeRedis/node-redis/commit/2d11b6dc9b9774464a91fb4b448bad8bf699629e
• https://github.com/NodeRedis/node-redis/releases/tag/v3.1.1
• https://security.netapp.com/advisory/ntap-20210611-0010/
• https://github.com/advisories/GHSA-35q2-47q7-3pc3

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

redis/node-redis (redis)

v3.1.1

Compare Source

Enhancements

• Upgrade node and dependencies

Fixes

• Fix a potential exponential regex in monitor mode

v3.1.0

Compare Source

Enhancements

• Upgrade node and dependencies and redis-commands to support Redis 6
• Add support for Redis 6 auth pass [user]

v3.0.2

Compare Source

v3.0.1

Compare Source

v3.0.0

Compare Source

This version is mainly a release to distribute all the unreleased changes on master since 2017 and additionally removes
a lot of old deprecated features and old internals in preparation for an upcoming modernization refactor (v4).

Breaking Changes

• Dropped support for Node.js < 6
• Dropped support for hiredis (no longer required)
• Removed previously deprecated drain event
• Removed previously deprecated idle event
• Removed previously deprecated parser option
• Removed previously deprecated max_delay option
• Removed previously deprecated max_attempts option
• Removed previously deprecated socket_no_delay option

Bug Fixes

• Removed development files from published package (#​1370)
• Duplicate function now allows db param to be passed (#​1311)

Features

• Upgraded to latest redis-commands package
• Upgraded to latest redis-parser package, v3.0.0, which brings performance improvements
• Replaced double-ended-queue with denque, which brings performance improvements
• Add timestamps to debug traces
• Add socket_initial_delay option for socket.setKeepAlive (#​1396)
• Add support for rediss protocol in url (#​1282)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.