
Remove dependency on fast-equals #311

Closed
btelles opened this issue Apr 28, 2022 · 2 comments · Fixed by #312
Labels
released triage me I really want to be triaged. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@btelles
Copy link
Contributor

btelles commented Apr 28, 2022

fast-equals uses the following code which violates security performance check in some environments:

const hasOwnProperty = Function.prototype.bind.call(
  Function.prototype.call,
  Object.prototype.hasOwnProperty,
);

You can find it at https://github.com/planttheidea/fast-equals/blob/master/src/utils.ts#L234

Another variant of the library, called fast-deep-equals, passes this security check, is already included in js-markerclusterer's dependencies, and has exactly the same effect. Removing the fast-equals dependency removes this violation.

@btelles btelles added triage me I really want to be triaged. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Apr 28, 2022
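An added example (not code from the issue or from either library it mentions) showing what the quoted `bind.call(call, hasOwnProperty)` construct actually produces and the plain `Object.prototype.hasOwnProperty.call` form it is equivalent to, which is why swapping the dependency does not change behaviour. The helper names and the sample objects are constructed for illustration.

```javascript
// Pattern quoted in the issue: "uncurry" Object.prototype.hasOwnProperty so it
// can be called as hasOwnUncurried(obj, key). This is equivalent to
// Function.prototype.call.bind(Object.prototype.hasOwnProperty).
const hasOwnUncurried = Function.prototype.bind.call(
  Function.prototype.call,
  Object.prototype.hasOwnProperty,
);

// Plain alternative with no bind/call indirection: invoke the prototype method
// explicitly, so an object's own property named "hasOwnProperty" (e.g. from
// untrusted JSON) is never consulted.
function hasOwnPlain(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Constructed inputs that break a naive obj.hasOwnProperty(key) call:
//  - a prototype-less object has no hasOwnProperty method at all;
//  - a parsed JSON object may carry a key literally named "hasOwnProperty".
const nullProto = Object.create(null);
nullProto.a = 1;
const shadowed = JSON.parse('{"hasOwnProperty": "not a function", "b": 2}');

// True only if both helpers agree on every (object, key) pair below, i.e.
// replacing one with the other is behaviour-preserving on these edge cases.
function helpersAgree() {
  const cases = [
    [nullProto, "a"], [nullProto, "toString"],
    [shadowed, "b"], [shadowed, "hasOwnProperty"], [shadowed, "c"],
    [{}, "constructor"],
  ];
  return cases.every(([obj, key]) => hasOwnUncurried(obj, key) === hasOwnPlain(obj, key));
}

// Shows why the prototype-method form is needed at all: the naive call throws
// a TypeError on both constructed inputs. Returns true if it threw.
function naiveHasOwnThrows(obj, key) {
  try {
    obj.hasOwnProperty(key);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```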
@jpoehnelt
Copy link
Contributor

@btelles Thank you for opening this issue. 🙏
Please check out these other resources that might be applicable:

This is an automated message, feel free to ignore.

@github-actions
Copy link

🎉 This issue has been resolved in version 2.0.6 🎉

The release is available on:

Your semantic-release bot 📦🚀

@jpoehnelt jpoehnelt removed their assignment Jun 17, 2022