serverless-plugin-canary-deployments
[Critical Vulnerability]: Serverless-plugin-canary-deployments Depends on vulnerable versions of flat
(Thanks for reporting an issue! Please fill out the blanks below.)
What are the steps to reproduce this issue?
- `npm install serverless-plugin-canary-deployments`
- `npm audit`
What happens?
The current version of "flat" is 4.1.0 (https://github.com/davidgf/serverless-plugin-canary-deployments/blob/master/package.json#L25). This version contains 2 critical vulnerabilities: https://security.snyk.io/vuln/SNYK-JS-FLAT-596927
What were you expecting to happen?
The command `npm install serverless-plugin-canary-deployments && npm audit` shouldn't show 2 critical vulnerabilities ("Depends on vulnerable versions of flat").
Any logs, error output, etc?
(If it’s long, please paste to https://pastebin.com/ and insert the link here.)
```
up to date, audited 1114 packages in 3s

193 packages are looking for funding
  run `npm fund` for details

2 critical severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

# npm audit report

flat  <5.0.1
Severity: critical
flat vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-2j2x-2gpw-g8fm
No fix available
node_modules/serverless-plugin-canary-deployments/node_modules/flat
  serverless-plugin-canary-deployments  *
  Depends on vulnerable versions of flat
  node_modules/serverless-plugin-canary-deployments

2 critical severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.
```
Any other comments?
How to fix? Upgrade `flat` to version 5.0.2, 4.1.1, 3.0.1, 2.0.2, 1.6.2 or higher.
What versions of software are you using?
Latest: 0.8.0
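The audit output above only reports the nested copy of `flat` that npm happens to resolve under this plugin; in a larger project there may be several copies at different depths, and `npm audit` summarises rather than lists them. The script below is an added example, not code from the issue or from the plugin: it walks the dependency tree in the shape printed by `npm ls --all --json` and flags every copy of `flat` that falls below the fixed releases named in the issue (5.0.2, 4.1.1, 3.0.1, 2.0.2, 1.6.2). The sample tree embedded at the bottom is constructed to mirror this report (plugin 0.8.0 pulling in flat 4.1.0 next to a clean top-level flat); the function and variable names are my own.

```javascript
// Added example: locate vulnerable copies of `flat` in an npm dependency tree.
// Input shape matches `npm ls --all --json` (name/version/dependencies nesting).

// Fixed releases listed in the issue, one per major line (the issue's own list).
const FIXED_FLAT_VERSIONS = ["5.0.2", "4.1.1", "3.0.1", "2.0.2", "1.6.2"];

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A copy of flat is vulnerable if it is below the backported fix on its own
// major line, or, when its line has no backport, below the newest fix (5.0.2).
// That keeps 0.x (no fix line) vulnerable and anything above 5.0.2 clean.
function isVulnerableFlat(version) {
  const major = parseVersion(version)[0];
  const fixOnLine = FIXED_FLAT_VERSIONS.find((f) => parseVersion(f)[0] === major);
  const baseline = fixOnLine || FIXED_FLAT_VERSIONS[0];
  return compareVersions(version, baseline) < 0;
}

// Depth-first walk over the `dependencies` nesting, recording the path from the
// root to each vulnerable flat so the owning package is obvious.
function findVulnerableFlat(tree, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...path, `${name}@${node.version}`];
    if (name === "flat" && node.version && isVulnerableFlat(node.version)) {
      out.push({ version: node.version, path: here.join(" > ") });
    }
    findVulnerableFlat(node, here, out);
  }
  return out;
}

// Constructed sample tree (assumption, not real `npm ls` output): the plugin at
// 0.8.0 nests flat 4.1.0, while the app's own flat is already on 5.0.2.
const SAMPLE_TREE = {
  name: "my-service",
  version: "1.0.0",
  dependencies: {
    flat: { version: "5.0.2" },
    "serverless-plugin-canary-deployments": {
      version: "0.8.0",
      dependencies: { flat: { version: "4.1.0" } },
    },
    "some-other-lib": {
      version: "2.3.0",
      dependencies: { flat: { version: "4.1.1" } }, // backported fix: clean
    },
  },
};

function reportSample() {
  return findVulnerableFlat(SAMPLE_TREE);
}

for (const hit of reportSample()) {
  console.log(`vulnerable flat@${hit.version} via ${hit.path}`);
}
```

To run it against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the output of `npm ls --all --json` (npm 7 or newer). Until the plugin itself bumps `flat`, a project on npm 8.3 or newer can also force the nested copy onto a fixed release with an `overrides` entry in its own `package.json`; re-run the walk afterwards to confirm no copy below the fix remains.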
Hello @a-khalilov! We bumped a bunch of dependencies, including flat, in our fork and published it to npm.
You can try `npm i @flagsmith/serverless-plugin-canary-deployments` and tell us what you think!