SECURITY ISSUE: Prototype Pollution #268

Closed
bchohon opened this issue Mar 21, 2022 · 1 comment
@bchohon

bchohon commented Mar 21, 2022

Hello: I am reporting a security vulnerability present in the minimist sub-dependency that this package is using.

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Note: It looks like minimist#v1.2.5 is currently the latest version, so they have not patched the issue yet. However, reading through some of the comments posted by other developers, it looks like there is a fork called minimist-lite that doesn't have the issue present. Not sure if that is compatible with your package, but wanted to call it out as a potential option.

@jordanbtucker
Member

Thanks for the report. This is already fixed in v2.2.1 via #267.
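
The class of bug reported in this issue, as an added example that is not part of the thread and is not minimist's code: a dotted-key setter of the kind an argument parser uses to expand keys like `a.b.c`, in a naive form and a hardened form. The function names and the sample key are constructed for illustration.

```javascript
// Added illustration; NOT minimist's source. All names here are hypothetical.

// Path segments that lead to Object.prototype or a constructor's prototype.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Naive setter: walks a dotted path and creates intermediate objects,
// reading o[key] without checking whether the property is inherited.
function setKeyNaive(obj, path, value) {
  const keys = path.split('.');
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key]; // for "__proto__" this is Object.prototype
  }
  o[keys[keys.length - 1]] = value;
}

// Hardened setter: rejects the whole path if any segment is blocked,
// and only descends into own, object-valued properties.
function setKeySafe(obj, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => BLOCKED.has(k))) return false;
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(o, key);
    if (!own || typeof o[key] !== 'object' || o[key] === null) {
      o[key] = {};
    }
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Runs both setters on a constructed key and reports whether an unrelated,
// freshly created object picked up the property.
function demo() {
  const key = '__proto__.polluted'; // constructed sample input
  const result = {};
  setKeyNaive({}, key, 'yes');
  result.naivePolluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted; // undo the pollution before the next check
  result.safeAccepted = setKeySafe({}, key, 'yes');
  result.safePolluted = ({}).polluted !== undefined;
  return result;
}
```

A regression test for a patched parser can assert the same thing `demo()` checks: after parsing, a fresh `{}` has no unexpected properties.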
