expr-eval

Publish new version with recent changes to address security vulnerability

Open mannybecerra opened this issue 3 years ago • 3 comments

Hi all,

I'm checking to confirm if the most current version of expr-eval is published to npm?

  • The last version appears to have been published 2 years ago, according to npm: https://www.npmjs.com/package/expr-eval
  • There's a more current change here, https://github.com/silentmatt/expr-eval/blob/master/src/evaluate.js#L44, that appears to have come in within the past 2 years
  • The change in reference appears to address an issue that we'd like to have, specifically banning certain keywords, which will help address a security vulnerability issue that was raised by Dependabot and our Red Team

Please and thanks in advance!

mannybecerra avatar Mar 07 '22 18:03 mannybecerra

@silentmatt can we please have a new version? ;)

johannesschobel avatar Jun 02 '22 07:06 johannesschobel

+1

Although seeing no commit activity for a year makes me wonder if the repo owner is very busy with other projects/real life.

owocado avatar Dec 05 '22 07:12 owocado

Since this repository is abandoned, I published a fork with the latest commits as 2.0.2 at https://www.npmjs.com/package/expr-eval-fork, so you can use this to fix the prototype pollution security issue.

jorenbroekema avatar Jan 10 '24 23:01 jorenbroekema
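The first comment asks for the unpublished change that bans certain member keywords, and the last comment names the bug it mitigates: prototype pollution through an evaluated expression. The block below is an added example, not expr-eval's own code or the fork's; it uses a toy dotted-path resolver to show how an unguarded member access reaches `Object.prototype` and how a denylist on every member name (read and write) stops it. All names (`BANNED_MEMBERS`, `walk`, `tryPollute`, the `unsafe`/`hardened` variants, the sample `scope`) are assumptions for illustration.

```javascript
'use strict';

// Member names whose traversal can reach a shared prototype. Refusing them on
// every property access, for reads and writes alike, is the "ban certain
// keywords" mitigation the issue refers to. (Assumed set; not expr-eval's code.)
const BANNED_MEMBERS = new Set(['__proto__', 'constructor', 'prototype']);

// Walks a list of member names starting at `scope`. `guard`, when given, is
// called with each name before it is used and may throw to refuse it.
function walk(scope, names, guard) {
  let obj = scope;
  for (const name of names) {
    if (guard) guard(name);
    if (obj === null || obj === undefined) {
      throw new Error('cannot read ' + name + ' of ' + obj);
    }
    obj = obj[name];
  }
  return obj;
}

// Reads a dotted path such as "user.name".
function resolve(scope, path, guard) {
  return walk(scope, path.split('.'), guard);
}

// Writes `value` at a dotted path; the last segment is checked as well, since
// "x.__proto__" as an assignment target is just as dangerous as reading it.
function assign(scope, path, value, guard) {
  const names = path.split('.');
  const last = names.pop();
  if (guard) guard(last);
  const target = walk(scope, names, guard);
  if (target === null || typeof target !== 'object') {
    throw new Error('cannot assign member ' + last + ' of a non-object');
  }
  target[last] = value;
  return value;
}

function banPrototypeMembers(name) {
  if (BANNED_MEMBERS.has(name)) {
    throw new Error('prototype access detected: ' + name);
  }
}

// The vulnerable and hardened variants share the walker; only the guard differs.
const unsafe = {
  resolve: (s, p) => resolve(s, p, null),
  assign: (s, p, v) => assign(s, p, v, null),
};
const hardened = {
  resolve: (s, p) => resolve(s, p, banPrototypeMembers),
  assign: (s, p, v) => assign(s, p, v, banPrototypeMembers),
};

// Runs an attacker-controlled assignment path against a constructed scope and
// reports whether an unrelated plain object ended up with the new property.
// Cleans Object.prototype afterwards so the rest of the process is unaffected.
function tryPollute(variant, path) {
  const scope = { user: { name: 'alice' } }; // constructed sample scope
  try {
    variant.assign(scope, path, true);
    return ({}).polluted === true ? 'polluted' : 'no effect';
  } catch (e) {
    return 'blocked: ' + e.message;
  } finally {
    delete Object.prototype.polluted;
  }
}

module.exports = { BANNED_MEMBERS, resolve, assign, unsafe, hardened, tryPollute };
```

Two things to check when applying this pattern to a real evaluator: the guard must sit on every path that turns a name into a property lookup, including computed or bracket indexing where the key is a runtime string, and not only on dotted member syntax; and a denylist is the minimal fix. A stricter option is to look up only own properties (`Object.prototype.hasOwnProperty.call(obj, name)`) or to evaluate against a null-prototype scope built with `Object.create(null)`. None of this helps if the dependency you ship is still the unpatched npm release, which is why the thread asks for a publish or points at a fork.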