Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Include the fix for pollution vulnerability in deepmerge in version 5 #42621

Closed
pufflefish opened this issue Jun 11, 2024 · 3 comments
Closed

Include the fix for pollution vulnerability in deepmerge in version 5 #42621

pufflefish opened this issue Jun 11, 2024 · 3 comments
Labels
duplicate This issue or pull request already exists

Comments

@pufflefish
Copy link

pufflefish commented Jun 11, 2024
edited
Loading

Summary

Hello! I wonder if it would be possible to release a hotfix of version 5 that includes the fix for the security vulnerability in @mui/utils, more specifically in deepmerge.

Examples

No response

Motivation

A fix was already included in version 6.0.0-alpha.9, but users of version 5 don't have access to this fix.

Search keywords: deepmerge, pollution, vulnerability, mui/utils
@pufflefish pufflefish added the status: waiting for maintainer These issues haven't been looked at yet by a maintainer label Jun 11, 2024
@zannager zannager added the package: utils (private) Specific to the private @mui/utils package label Jun 11, 2024
@ranjithsai
Copy link

Yes, I agree. We use version 5 and are now blocked. Version 5 is still supported correct, shouldn't this fix be included there too and do hot fix?

@tjcouch-sil
Copy link
Contributor

Please see #42607 - snyk is currently reviewing this vulnerability as a potential false positive.

@oliviertassinari oliviertassinari added status: expected behavior Does not imply the behavior is intended. Just that we know about it and can't work around it duplicate This issue or pull request already exists and removed package: utils (private) Specific to the private @mui/utils package status: waiting for maintainer These issues haven't been looked at yet by a maintainer status: expected behavior Does not imply the behavior is intended. Just that we know about it and can't work around it labels Jun 11, 2024
@ZeeshanTamboli ZeeshanTamboli removed their assignment Jun 12, 2024
@tjcouch-sil
Copy link
Contributor

Snyk has confirmed this is a false positive and has revoked the vulnerability report. https://security.snyk.io/vuln/SNYK-JS-MUIUTILS-7231125

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
duplicate This issue or pull request already exists
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@oliviertassinari @ZeeshanTamboli @ranjithsai @tjcouch-sil @pufflefish @zannager