Skip to content

Vulnerability: Prototype Pollution via the main (merge) function #654

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
rkristelijn opened this issue Jan 11, 2023 · 1 comment
Closed

Vulnerability: Prototype Pollution via the main (merge) function #654

rkristelijn opened this issue Jan 11, 2023 · 1 comment
Labels
type: bug

Comments

@rkristelijn
Copy link

rkristelijn commented Jan 11, 2023
edited
Loading

Description

Found by vulnerability check OWASP:UsingComponentWithKnownVulnerability

Filename: merge:2.1.1 | Reference: CVE-2021-23397 | CVSS Score: 9.8 | Category: CWE-1321 | All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. Maintainer suggests using @generates/merger instead.

dependency tree:

[email protected][email protected][email protected]

caused by callumacrae/find-node-modules#18

awaiting fix to upgrade to [email protected]

Steps to reproduce

  1. Clone this repo
  2. Install dependencies npm i
  3. observe vulnerability

Current behavior

n/a

Desired behavior

n/a

Screenshots

No response

Environment
@Lee-W
Copy link
Member

Lee-W commented Jan 11, 2023

I believe this is for https://www.npmjs.com/package/commitizen instead of this one.

@Lee-W Lee-W closed this as completed Jan 11, 2023
@rkristelijn rkristelijn mentioned this issue Jan 11, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Lee-W @rkristelijn