
Backported fix for CVE-2021-23440 to 2.0.1

Open · noren95 opened this issue 1 year ago · 1 comment

Hi,

According to some public reports (i.e. https://github.com/advisories/GHSA-4jqc-8m5r-9rpr, https://www.cve.org/CVERecord?id=CVE-2021-23440), CVE-2021-23440 is fixed in 4.0.1 along with a backport to 2.0.1.

As I understand, this is the fix for 4.0.1: https://github.com/jonschlinkert/set-value/commit/383b72d47c74a55ae8b6e231da548f9280a4296a, which I reached via https://github.com/jonschlinkert/set-value/compare/4.0.0...4.0.1.

However, when inspecting the changelog between 2.0.0 and 2.0.1 (https://github.com/jonschlinkert/set-value/compare/2.0.0...2.0.1), it seems the fix for CVE-2021-23440 does not exist. This commit https://github.com/jonschlinkert/set-value/commit/cb12f14955dde6e61829d70d1851bfea6a3c31ad seems to be the fix for CVE-2019-10747, while CVE-2021-23440 states that CVE-2019-10747 is bypassed.

When inspecting it even further, there is a pull request for fixing 2.0.1 (https://github.com/jonschlinkert/set-value/pull/38), but it was not merged, neither in the GH repo nor in the NPM package itself.

Can you confirm the vulnerable range and the fix here (CVE-2021-23440)? It raises some confusion and I would like to make sure 2.0.1 is safe.

Thanks in advance!

noren95 · Apr 02 '23 07:04