
Using v3 of npm-check-updates is vulnerable to CVE-2020-8116. #41


Closed
andyedwardsibm opened this issue Mar 2, 2020 · 1 comment

Comments

@andyedwardsibm
Contributor

dot-prop is pulled into this module by the dependency chain [email protected] > [email protected] > [email protected] > [email protected] > dot-prop@^4.1.0.

dot-prop at 5.1.0 and earlier is subject to CVE-2020-8116:

Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

This is resolved in npm-check-updates in version 4. I've made PR #40 as a speculative fix.
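The following is an added illustration of the vulnerability class behind CVE-2020-8116; it is not dot-prop's source, nor code from this issue or PR #40. It is a deliberately minimal dot-path setter in the style of dot-prop's `set()` (assumed here: plain dot-separated paths with no escaping), shown first without any guard on segment names, so that a path such as `__proto__.isAdmin` walks onto `Object.prototype` and adds a property every later object inherits, and then hardened by rejecting `__proto__`, `prototype` and `constructor` segments and only descending into own properties. The attacker-controlled path is a constructed input standing in for anything user-supplied, such as a config key or a parsed request body.

```javascript
'use strict';

// Segments that reach the prototype chain instead of the target object.
const DANGEROUS_SEGMENTS = new Set(['__proto__', 'prototype', 'constructor']);

// Simplified path parser (assumption: 'a.b.c' with no escaped dots).
function parsePath(path) {
  return path.split('.');
}

// Vulnerable variant: creates intermediate objects as needed but never checks
// the segment names. For '__proto__.isAdmin' the first segment resolves to
// Object.prototype (already an object, so nothing is created) and the final
// assignment lands there, polluting every object in the process.
function setPathUnsafe(target, path, value) {
  const segments = parsePath(path);
  let current = target;
  for (let i = 0; i < segments.length; i++) {
    const key = segments[i];
    if (i === segments.length - 1) {
      current[key] = value;
    } else {
      if (typeof current[key] !== 'object' || current[key] === null) {
        current[key] = {};
      }
      current = current[key];
    }
  }
  return target;
}

// Hardened variant: refuse dangerous segments anywhere in the path and only
// walk into properties the current object actually owns, so an inherited
// value can never be used as the next level of the path.
function setPathSafe(target, path, value) {
  const segments = parsePath(path);
  for (const key of segments) {
    if (DANGEROUS_SEGMENTS.has(key)) {
      throw new Error(`Refusing disallowed path segment: ${key}`);
    }
  }
  let current = target;
  for (let i = 0; i < segments.length; i++) {
    const key = segments[i];
    if (i === segments.length - 1) {
      current[key] = value;
    } else {
      const own = Object.prototype.hasOwnProperty.call(current, key);
      if (!own || typeof current[key] !== 'object' || current[key] === null) {
        current[key] = {};
      }
      current = current[key];
    }
  }
  return target;
}

// Constructed attacker input: a path that targets the prototype chain.
const ATTACKER_PATH = '__proto__.isAdmin';

// Returns true if an unrelated object created afterwards inherited the
// attacker's property, i.e. Object.prototype was polluted.
function demonstratePollution() {
  const config = {};
  setPathUnsafe(config, ATTACKER_PATH, true);
  const victim = {};
  const polluted = victim.isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution so the rest of the process is unaffected
  return polluted; // true
}

// Returns whether the hardened setter rejected the path and whether any
// pollution occurred anyway.
function demonstrateHardened() {
  const config = {};
  let rejected = false;
  try {
    setPathSafe(config, ATTACKER_PATH, true);
  } catch (err) {
    rejected = true;
  }
  const victim = {};
  return { rejected, polluted: victim.isAdmin === true }; // { rejected: true, polluted: false }
}

module.exports = { setPathUnsafe, setPathSafe, demonstratePollution, demonstrateHardened };
```

The hardened setter still behaves normally for legitimate paths (`setPathSafe({}, 'registry.url', 'https://example.invalid')` yields `{ registry: { url: '...' } }`); the only change in behaviour is that paths naming `__proto__`, `prototype` or `constructor` are refused up front, which is the same class of guard the dot-prop fix for this CVE introduced.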

@andyedwardsibm
Contributor Author

PR merged, so closing
