MyScriptJS

Vulnerability in `assign-deep` dependency

Open ryan-codingintrigue opened this issue 5 years ago • 1 comments

The version of assign-deep used by the project has an active vulnerability, and it is recommended to update to the latest version: https://github.com/jonschlinkert/assign-deep/blob/1.0.1/README.md

Would it be possible to upgrade the project to use this new version?

Thanks!

ryan-codingintrigue, May 18 '20 08:05

Dear Ryan,

Thank you for raising our attention to this issue.

This vulnerability is a concern in case a JavaScript payload is sent to the back end in JavaScript, which is not the case for our back-end server (which is in Java).

Nevertheless, the version of assign-deep is already up to date in the next MyScriptJS release, which should be available in a few weeks. In the meantime, you might want to take the version that is available in the branch corresponding to https://github.com/MyScript/MyScriptJS/pull/23 to get the up-to-date version of assign-deep. This fix is provided as is, without qualification.

Best regards,

MyScript Support.

MyScriptSupport, May 18 '20 14:05