Prototype Pollution in JSON5 via Parse Method #21

Closed
UlisesGascon opened this issue Jan 10, 2023 · 2 comments
@UlisesGascon (Member):

Ref: GHSA-9c47-m6qq-7p4h
Context: Some of our repositories are using this library as a sub-dependency.
Action: Check if we need to patch the repos and coordinate the patching priority

@cressie176:

@UlisesGascon
I'm not aware of a way to patch transitive dependencies. Updating package-lock is useless for modules since it is excluded from the bundle published to npm. The only benefit is that it ensures everyone checking out the module has the same set of dependencies, but it will not benefit anyone installing the module from npm.

@UlisesGascon (Member, Author):

I agree @cressie176. I believe in most cases we get rid of the warning once we do the dependency upgrades as part of the project lifecycle. @inigomarquinez is checking in case we use it directly in any project and it can affect us in a real scenario.
