GMS-2022-563: Automatic named constructor discovery

April 1, 2022 (updated April 5, 2022)

The issue arises when upgrading from cuyz/valinor:0.3.0 to a newer system on an existing application, which broke due to the wrong constructor being picked. The bigger security concern is akin to https://github.com/rails/rails/issues/5228.

References

github.com/CuyZ/Valinor/commit/718d3c1bc2ea7d28b4b1f6c062addcd1dde8660b
github.com/CuyZ/Valinor/releases/tag/0.7.0
github.com/CuyZ/Valinor/security/advisories/GHSA-xhr8-mpwq-2rr2
github.com/advisories/GHSA-xhr8-mpwq-2rr2

Detect and mitigate GMS-2022-563 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →