
Hardcoded dependency version in package.json #9

Open
ghost opened this issue Jun 29, 2022 · 0 comments


ghost commented Jun 29, 2022

Hi, @ben-lin

When I use this package in my Node.js application, I encounter a Snyk scan issue.

Snyk points to the origin of the issue as node.flow's dependency node.extend@1.0.8.

Affected versions of this package are vulnerable to Prototype Pollution. An attacker could inject arbitrary properties onto Object.prototype

And then I found the hard-coded version in package.json.

"node.extend": "1.0.8"

Snyk also shows that the issue has already been fixed in [email protected] and [email protected].

I compared the code between [email protected] and [email protected].
I think there's not much difference from a functional point of view, right?

So could you help remove the version lock in [email protected], define node.extend as a correct version and publish it to npm? At the same time, it will not affect [email protected].

Thanks!
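The issue above is about an exact pin keeping a dependency on a release that a scanner flags, and about a range spec letting the fix flow in. The following is an added example (it is not code from node.flow, node.extend or the issue author) that resolves package.json specs against a constructed registry snapshot and reports which dependencies would still install a release older than the first patched one. Only the version 1.0.8 comes from the issue; the other version numbers, the `REGISTRY` and `FIXED_IN` tables, and the `auditDependencies` helper are constructed for illustration and do not reflect node.extend's real release history.

```javascript
// Added example, not code from node.flow or node.extend. It shows why an exact pin
// such as "node.extend": "1.0.8" keeps resolving to the flagged release while a
// range lets npm pick up a patched one. Only 1.0.8 comes from the issue; every other
// version number below is constructed for illustration.

const parse = (v) => v.split('.').map(Number);

// Numeric major.minor.patch comparison (pre-release tags are out of scope here).
function compare(a, b) {
  const [a1, a2, a3] = parse(a);
  const [b1, b2, b3] = parse(b);
  return (a1 - b1) || (a2 - b2) || (a3 - b3);
}

// Minimal matcher for three common package.json spec shapes:
//   "1.0.8"  exact pin -> only that version
//   "^1.0.8" caret     -> same major, >= 1.0.8 (majors >= 1 only; 0.x caret rules differ)
//   "~1.0.8" tilde     -> same major.minor, >= 1.0.8
function satisfies(version, spec) {
  if (spec.startsWith('^') || spec.startsWith('~')) {
    const base = spec.slice(1);
    const v = parse(version);
    const b = parse(base);
    if (compare(version, base) < 0 || v[0] !== b[0]) return false;
    return spec[0] === '^' || v[1] === b[1];
  }
  return version === spec;
}

// Highest available version that satisfies the spec, i.e. what npm would install.
function resolve(spec, available) {
  const matching = available.filter((v) => satisfies(v, spec)).sort(compare);
  return matching.length ? matching[matching.length - 1] : null;
}

// Walk a package.json object and report, per dependency, the version that would be
// installed, whether the spec is an exact pin, and whether the resolved version
// predates the first patched release recorded in fixedIn.
function auditDependencies(pkg, registry, fixedIn) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps).map(([name, spec]) => {
    const resolved = resolve(spec, registry[name] || []);
    return {
      name,
      spec,
      resolved,
      exactPin: /^\d+\.\d+\.\d+$/.test(spec),
      vulnerable: resolved !== null && name in fixedIn && compare(resolved, fixedIn[name]) < 0,
    };
  });
}

// Constructed registry snapshot: 1.0.8 is the pinned version from the issue; the rest
// are invented so the example runs offline.
const REGISTRY = {
  'node.extend': ['1.0.7', '1.0.8', '1.1.0', '1.1.6', '1.1.7', '2.0.0', '2.0.1'],
};
// Constructed placeholder for the first patched release (the real number is not on the page).
const FIXED_IN = { 'node.extend': '1.1.7' };

const pinned = { dependencies: { 'node.extend': '1.0.8' } };  // as in the issue
const ranged = { dependencies: { 'node.extend': '^1.0.8' } }; // a range spec instead of a pin

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditDependencies(pinned, REGISTRY, FIXED_IN));
  console.log(auditDependencies(ranged, REGISTRY, FIXED_IN));
}
```

With the pinned manifest the report shows `resolved: '1.0.8'` and `vulnerable: true`; with the caret range it resolves to the highest 1.x entry and reports `vulnerable: false`. The same check can be pointed at a real lockfile by replacing `REGISTRY` with the versions an `npm view <name> versions` call returns and `FIXED_IN` with the scanner's advisory data.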
