High Vulnerability in csvtojson@2.0.12

[adityadhrm]

Hi,

My application is currently using csvtojson version 2.0.12. and a high-severity vulnerability has been identified in the csvtojson.
Attached is the screenshot of the vulnerability reported

[Lucas-C]

I face the same issue.

First, thank you for releasing new versions 2.0.11 & 2.0.12, :
https://www.npmjs.com/package/csvtojson?activeTab=versions
You hence fixed a previous vulnerability:

• Prototype Pollution Vulnerability in csvtojson Prior to 2.0.10 #498
• Publish 2.0.11 to https://www.npmjs.com/package/csvtojson #499

However by doing so in commit 4caeebd, you switched from using lodash/set to using lodash.set, which also has a security vulnerability: GHSA-p6mc-m468-83gw & CVE-2020-8203.

[Keyang]

Thanks. Switched back to lodash with latest version.

[adityadhrm]

Hi @Keyang

Appreciate the quick fix! Unfortunately, I noticed a new issue introduced in the latest update — here’s what I found:

[Lucas-C]

Appreciate the quick fix! Unfortunately, I noticed a new issue introduced in the latest update — here’s what I found:

Thanks for reporting it.

I'm not a maintainer here, but maybe it would be worth creating a dedicated issue?
Project maintainers do not always see comments on closed issues.

[adityadhrm]

Appreciate the quick fix! Unfortunately, I noticed a new issue introduced in the latest update — here’s what I found:

Thanks for reporting it.

I'm not a maintainer here, but maybe it would be worth creating a dedicated issue? Project maintainers do not always see comments on closed issues.

Thanks for the suggestion, I’ve created a new issue to track this: #502