fix: Bump dot-prop to 5.2.0 (CVE-2020-8116) #2623
Conversation
Please merge and release a new version of lerna.
There are two additional paths to a vulnerable version of dot-prop in lerna.
We probably need to upgrade conventional-changelog-core and conventional-changelog-angular as well.
@evocateur any chance you've got time to review this? How can we assist?
Can you guys update this? This is a pretty high critical vulnerability in dot-prop: Issues
Can I help with anything here? This is a pretty big vulnerability that should be updated...
LGTM
Any updates on this, will you be merging this soon?
This popped up 17 days ago in my GitHub Dependabot alerts. Any way for this to get merged? Does anybody know what the consequences would be of letting GitHub patch the yarn.lock while this gets merged? 🙏
Any updates on this? Still seeing this issue on Dependabot.
v4.0.0 (now available as
Description
Bumps `dot-prop` to 5.2.0. Versions between 1.0.1 and 5.1.1 are vulnerable to prototype pollution according to Snyk. This could cause Lerna users to have failing dependency audit pipelines.

In `dot-prop` 5.0.0, support for Node <8 was removed according to the release notes. It doesn't look like there were functional changes in sindresorhus/dot-prop@a19fd41 though. Nonetheless, this could be considered a breaking change, as I noticed the `engines` field in the `package.json` says `"node": ">= 6.9.0"`.

Motivation and Context
Fixes #2606
Fixes #2492
Related to #2575
How Has This Been Tested?
Types of changes
Checklist:
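As an added illustration of the bug class this bump addresses (example code written for this page, not dot-prop's own implementation and not part of the PR): a minimal dotted-path setter in the vulnerable shape, where walking a `__proto__` segment lands on `Object.prototype`, beside a hardened setter that rejects prototype-walking segments and only descends into own properties. `unsafeSet`, `safeSet` and `isSafePath` are names chosen for this example.

```javascript
// Segments that let a dotted path climb out of the target object.
const DISALLOWED_SEGMENTS = new Set(['__proto__', 'prototype', 'constructor']);

function parsePath(path) {
  return String(path).split('.');
}

// Vulnerable shape: every segment is followed blindly, so the path
// "__proto__.x" descends into Object.prototype and writes there.
function unsafeSet(target, path, value) {
  const segments = parsePath(path);
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Hardened check: a path is acceptable only if no segment can reach a prototype.
function isSafePath(path) {
  return parsePath(path).every((seg) => !DISALLOWED_SEGMENTS.has(seg));
}

// Hardened setter: refuse disallowed segments up front, and only descend into
// own data properties so an inherited object is never used as a container.
function safeSet(target, path, value) {
  if (!isSafePath(path)) {
    throw new TypeError(`Refusing to set "${path}": disallowed path segment`);
  }
  const segments = parsePath(path);
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}
```

Auditing a dependency tree for this class of bug means checking that any dotted-path setter either rejects these segments or never assigns through inherited properties; the version bump in this PR is how that check reaches Lerna's own lockfile.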