thenify before 3.3.1 made use of unsafe calls to eval
#39076
Labels: frontend-platform (Issues related to our frontend platform, owned collectively by our frontend crew.), gitstart (Contract partner)
Problem statement
Versions of thenify prior to 3.3.1 made use of unsafe calls to eval. Untrusted user input could thus lead to arbitrary code execution on the host. The patch in version 3.3.1 removes calls to eval.
Success criteria
Update thenify to a non-vulnerable version (3.3.1 or later).
Implementation details
The highest affected version of thenify is 3.3.0; the earliest fixed version is 3.3.1.
Affected range: < 3.3.1
Ref
#35989
Link to dependabot alert
Time estimate