-
Thanks. But as

And even if you use it in production or someone attempts an attack on your CI/local environment, the way we use

```js
const expand = input =>
  Object.entries(input).reduce((acc, [k, v]) => set(acc, k, v), {})
```

We don't set properties on an existing object, but only a new
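A guarded variant of the `expand` helper quoted above, as an added example that is not nock's code or part of the original comment. `safeSet` is a hypothetical stand-in for lodash.set that handles dot-separated paths only, refuses the `__proto__`, `constructor` and `prototype` path segments, and builds the result from prototype-less objects; `isPolluted` is a hypothetical check helper.

```javascript
// Added example (not nock's code): a guarded `expand` for dotted keys.
// `safeSet` and `isPolluted` are hypothetical names used only here.

// Path segments that can reach a shared prototype instead of own data.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype'])

function safeSet(target, path, value) {
  const keys = String(path).split('.')
  if (keys.some(k => BLOCKED.has(k))) {
    throw new TypeError(`refusing unsafe path segment in "${path}"`)
  }
  let node = target
  for (const k of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, k)
    // Descend only into own, non-null objects; otherwise create a
    // prototype-less container so inherited properties are never walked.
    if (!own || typeof node[k] !== 'object' || node[k] === null) {
      node[k] = Object.create(null)
    }
    node = node[k]
  }
  node[keys[keys.length - 1]] = value
  return target
}

// Same shape as the quoted helper, but the accumulator has no prototype.
const expand = input =>
  Object.entries(input).reduce(
    (acc, [k, v]) => safeSet(acc, k, v),
    Object.create(null)
  )

// True if a fresh object literal inherits a `polluted` property.
function isPolluted() {
  return ({}).polluted !== undefined
}

// Constructed sample input: ordinary dotted keys expand into nested objects.
const sample = expand({ 'a.b': 1, 'a.c': 2, d: 3 })
console.log(JSON.stringify(sample), isPolluted())
```
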
-
Recent issue on the same topic: #2304

@gr2m is correct that there is no risk of the attack vector being used via Nock.
-
I've opened this #2306
-
I'd like to let you know that I have received security reports from Snyk and found that one of the 'high' issues is related to the nock package. To be exact, it's the lodash.set dependency.
https://security.snyk.io/vuln/SNYK-JS-LODASHSET-1320032
lodash.set is a lodash method _.set exported as a Node.js module.
Affected versions of this package are vulnerable to Prototype Pollution via the setWith and set functions.