Please backport CVE-2020-8116 security fix to 4.x.

[davehensley]

Based on the severity of CVE-2020-8116 and the fact that 4.x is still very commonly used as a dependency, I would like to kindly request for the fix to be backported to 4.x and released as (presumably) v4.2.1.

Would this be possible? Many thanks in advance.

[samstash]

+1

Please consider reopening #61 . The v4 release line may be old but it's still used by many packages and is installed millions of times each week.

As a CVSS-high-severity vulnerability, we have had no option but to manually resolve to v5, introducing breaking changes to dozens of projects.

[Trott]

I was trying to open a pull request for v4.2.0...Trott:sec-fix and came across this. I know it's an annoyance and that Node.js 6 and 8 are end-of-life, but that means users of upstream dependencies like serverless have to wait for a breaking change to get the security fix--even if they are running the latest Node.js and have been security-conscious otherwise. And then they have to endure the anxiety of a major release upgrade instead of a security patch. And it's not the user's fault. They've been staying up-to-date, etc.

I totally get the argument for not patching old release lines generally, and you certainly don't owe it to anyone, but if you can be persuaded to release a 4.2.1 in this particular instance, I think it would be a good thing.

And if not, hey, thanks for reading anyway.

[ruyadorno]

we're going to have to patch this for npm@6 so I'm proposing the idea of maintaining a legacy fork in order to be able to fix vulns warnings such as this for legacy release lines, it might be an ephemeral fork though it should stay around (in terms of receiving active maintenance) for as long as npm@6 is still around 😊 To get it:

npm install dot-prop@npm:dot-prop-legacy@latest

---

@sindresorhus I'd much prefer consolidating maintenance so let me know if you're open to have folks publish these versions over here in dot-prop itself instead of a fork 😄 but it's fine otherwise.

[davehensley]

Thank you @ruyadorno for creating the legacy fork! It seems to already be very popular (52,171 downloads in less than 2 days).

[sindresorhus]

Sure. I didn't anticipate how many problems this would cause. I've published https://github.com/sindresorhus/dot-prop/tree/v4 as 4.2.1 (on the legacy dist tag).

[ruyadorno]

That's awesome! ❤️ Thanks Sindre!

[ruyadorno]

@sindresorhus I noticed the tag hasn't been pushed to the repo, maybe you want to push that in the future, just in case

[dominopetter]

Awesome!!! Big Thank You!

[sindresorhus]

I noticed the tag hasn't been pushed to the repo, maybe you want to push that in the future, just in case

Done: https://github.com/sindresorhus/dot-prop/releases/tag/v4.2.1