Medium Vulnerability in csvtojson@2.0.13

[adityadhrm]

Hi @Keyang ,

First of all, thank you for the quick response and fix on the previous issue #500 — really appreciate it. 🙏

I’ve recently detected a new medium vulnerability reported by Snyk.

Here are the details:

[Keyang]

Is that the same issue in #498 ?
That issue should have been addressed since 2.0.11 as part of this commit

[adityadhrm]

Is that the same issue in #498 ? That issue should have been addressed since 2.0.11 as part of this commit

Yes, same issue as #498 . Also documented here: https://security.snyk.io/vuln/SNYK-JS-CSVTOJSON-13109616
Note that Snyk currently shows "no fixed version" for this vulnerability, so it may be worth verifying if 2.0.11 / 2.0.13 fully addresses the issue.

[stof]

@adityadhrm I suggest reporting that to Snyk as well. They might not have updated their advisory yet after the new release.

[noren95]

So - in the bottom line. which version is considered the patch?
The description states "prior to 2.0.10" which is wrong.
According to @Keyang the owner this was fixed in 2.0.11 but it still doesn't settle with the dates of the NPM release date (2.0.11 was released on oct 21 before the commit on oct 22 4caeebd).

I want to verify which of 2.0.12/2.0.13 is considered the first patched version.

[Keyang]

Hi @noren95 , I would say 2.0.12 as the first version patching this issue.
Thanks.

[Keyang]

Updated Snyk