
Vulnerability: Prototype Pollution via the main (merge) function

Open rkristelijn opened this issue 2 years ago • 3 comments

Description

Found by vulnerability check OWASP:UsingComponentWithKnownVulnerability

Filename: merge:2.1.1 | Reference: CVE-2021-23397 | CVSS Score: 9.8 | Category: CWE-1321 | All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. Maintainer suggests using @generates/merger instead.

Dependency tree:

[email protected][email protected][email protected]

Caused by https://github.com/callumacrae/find-node-modules/issues/18

Awaiting a fix to upgrade to [email protected]

Steps to reproduce

  1. Clone this repo
  2. Install dependencies: `npm i`
  3. Observe the vulnerability

Environment

Wrongly raised in https://github.com/commitizen-tools/commitizen/issues/654

rkristelijn, Jan 11 '23 10:01
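Added example (not code from this issue, cz-cli, or @ianwalter/merge): a constructed naive recursive merge showing the CWE-1321 pattern the advisory describes, beside a hardened variant that refuses keys reaching the prototype chain, plus a small check (`pollutes`, an assumed name) a reviewer can run against any merge helper before adopting it.

```javascript
// Constructed demonstration of prototype pollution through a deep-merge helper.
// naiveMerge/safeMerge/pollutes are hypothetical names, not the library's API.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive deep merge: recurses into every key of src. JSON.parse creates an OWN
// property literally named "__proto__", and dst["__proto__"] resolves to
// Object.prototype, so the recursion writes into the global prototype.
function naiveMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (isPlainObject(src[key])) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      naiveMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Hardened deep merge: skips keys that can reach the prototype chain and only
// recurses into targets that are dst's OWN plain-object properties.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue;
    if (isPlainObject(src[key])) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || !isPlainObject(dst[key])) dst[key] = {};
      safeMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Check: merge a constructed untrusted payload with the given helper and report
// whether Object.prototype was polluted; the prototype is restored afterwards.
function pollutes(mergeFn) {
  const untrusted = JSON.parse('{"__proto__": {"polluted": true}}'); // constructed input
  mergeFn({}, untrusted);
  const hit = ({}).polluted === true; // a fresh object now inherits the key
  delete Object.prototype.polluted;
  return hit;
}
```

`pollutes(naiveMerge)` returns true and `pollutes(safeMerge)` returns false; the same check is a cheap regression test to keep in a project that wraps any third-party merge.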

Happy to merge the PR on find-node-modules but wanted to raise something here first - commitizen is as far as I can tell the only significant project using find-node-modules, and I'm not using it anymore either. Would the maintainers of commitizen be happy / willing to take ownership of the module? Happy to transfer ownership on both github and npm if so!

Alternatively, I believe from looking in the past that it should be pretty easy to rewrite out the dependency, and then I can archive the project :)

callumacrae, Jan 11 '23 11:01

@jimthedev what do you think?

rkristelijn, Jan 11 '23 13:01