
Hardcoded dependency version in package.json

Open ghost opened this issue 2 years ago • 0 comments

Hi, @ben-lin

When I use this package in my Node.js application, I encounter a Snyk scan issue.

Snyk points to node.flow's dependency [email protected] as the origin of the issue:

Affected versions of this package are vulnerable to Prototype Pollution. An attacker could inject arbitrary properties onto Object.prototype.

I then found the hardcoded version in package.json:

"node.extend": "1.0.8"

Snyk also shows that the issue has already been fixed in [email protected] and [email protected].

I compared the code between [email protected] and [email protected]. I think there is not much difference from a functional point of view, right?

So could you help remove the version lock in [email protected], set node.extend to a correct version, and publish it to npm? At the same time, it will not affect [email protected].

Thanks!

ghost, Jun 29 '22 06:06
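The advisory quoted in the issue describes the general class of bug, not a specific line of code. The following is an added example, written for this page and not taken from node.flow or node.extend, showing how a recursive extend/deep-merge helper of the kind the issue is about becomes a prototype pollution sink, and what a hardened version looks like. The function names (`extendVulnerable`, `extendSafe`, `demonstratePollution`) and the hostile JSON payload are constructed for illustration and are not node.extend's implementation or its fix.

```javascript
// Added example: prototype pollution in a recursive extend/deep-merge helper.
// Not node.flow's or node.extend's code; the names below are hypothetical.
// Assumed threat model: attacker-controlled input arrives as parsed JSON
// (for example a request body) and is merged into an application object.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable: enumerates every key of the source, including an own
// "__proto__" key that JSON.parse happily creates, and then reads
// target["__proto__"], which resolves to Object.prototype. Recursing into
// that object writes the attacker's properties onto every object in the realm.
function extendVulnerable(target, source) {
  for (const key in source) {
    const src = source[key];
    if (isPlainObject(src)) {
      // For key === "__proto__", target[key] is Object.prototype (a plain object)
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = extendVulnerable(existing, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Hardened: only own enumerable keys, refuse the keys that walk or replace
// the prototype chain, and only recurse into a plain object the target
// actually owns (never one it inherits).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function extendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // drop prototype-walking keys outright
    const src = source[key];
    if (isPlainObject(src)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = extendSafe(ownPlain ? target[key] : {}, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Runs a merge with a constructed hostile payload against a throwaway target
// and reports whether an unrelated, freshly created object now inherits the
// injected property. Cleans Object.prototype afterwards so the check is repeatable.
function demonstratePollution(mergeFn) {
  const hostile = JSON.parse('{"__proto__": {"polluted": "yes"}}'); // constructed attacker input
  mergeFn({}, hostile);
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return leaked;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable merge pollutes Object.prototype:', demonstratePollution(extendVulnerable));
  console.log('hardened merge pollutes Object.prototype:', demonstratePollution(extendSafe));
  console.log(
    'hardened merge still merges normal keys:',
    JSON.stringify(extendSafe({ a: 1, n: { x: 1 } }, JSON.parse('{"n":{"y":2},"__proto__":{"polluted":"yes"}}')))
  );
}
```

The point for a consumer of a pinned dependency is that `extendVulnerable` and `extendSafe` are functionally identical on benign input, which is exactly why an exact pin such as `"1.0.8"` gives no signal that anything is wrong; only a scanner or a range that admits the patched release surfaces the difference.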