Update [email protected] to 1.0.9

[ArthurGerbelot]

Following the Meteor Allow-Deny Vulnerability Disclosure, the dependency to allow-deny in file roles/.versions should be updated to 1.0.9 to fix it.

[topleft]

+1

[alanning]

Merged into master. What is the effect of the roles/.versions file pointing to the pre-patch version?

[topleft]

A vulnerability was found in which a specially formed payload sent over a web socket could gain access to updating docs in the DB.

https://forums.meteor.com/t/meteor-allow-deny-vulnerability-disclosure/39500

[topleft]

@alanning Will you update the Atmosphere package to reflect what is currently on master?

[alanning]

I am aware of the vulnerability. The Roles package itself does not use allow/deny directly so it is not directly vulnerable to my knowledge.

I am wondering if I need to update the Atmosphere package. Not sure what effect, if any, having the older version in roles/.versions has. I would not anticipate it being a problem since people who actually use allow/deny will probably update their app to have the newest and then what's in the roles/.versions will be overwritten.

But this is all conjecture which is why I was asking to see if anyone had more concrete knowledge about this.

[mitar]

I am also unsure here if anything should be done. It is a patch bump. Anyone can just update it locally in their app. This package is not preventing that in any way.

[mitar]

I think this has been done.