Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2021-23440 found in set-value dependency #22

Closed
pavanjava opened this issue Sep 14, 2021 · 4 comments
Closed

CVE-2021-23440 found in set-value dependency #22

pavanjava opened this issue Sep 14, 2021 · 4 comments

Comments

@pavanjava
Copy link

#CVE-2021-23440: the cache-base library internally uses set-value, and set value version below 4.0.1 are vulnarable. is there any plan to fix this issue and release a new version.
@joshuanapoli
Copy link

Note that set-value@4 changes the behavior when the set value is undefined. In set-value@3, it sets a property with value undefined. In set-value@4 it deletes the property.

jonschlinkert/set-value@c4eb609#diff-e727e4bdf3657fd1d798edcd6b099d6e092f8573cba266154583a746bba0f346R101

@KevinMike
Copy link

@jonschlinkert We have a PR updating the version of set-value.
PR: #23

@tamas-kiss-resideo tamas-kiss-resideo mentioned this issue Sep 17, 2021
Open
@JustinGrote JustinGrote mentioned this issue Sep 17, 2021
Closed
@joshuanapoli joshuanapoli mentioned this issue Sep 21, 2021
Merged
@BernhardMaier BernhardMaier mentioned this issue Oct 5, 2021
Open
This was referenced Oct 5, 2021
Merged
Merged
Merged
@Jose-Matsuda Jose-Matsuda mentioned this issue Oct 7, 2021
Closed
@gabssnake
Copy link

Any news on this one?
We have a set-value vulnerability 12 levels deep into the dependencies, and this is the culprit.

@jonschlinkert isn't set-value your own package ?

@iamarpitpatidar iamarpitpatidar mentioned this issue Nov 6, 2021
Closed
@jonschlinkert
Copy link
Owner

closed by #23

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@joshuanapoli @jonschlinkert @gabssnake @KevinMike @pavanjava