NSP Security Vulnerability - Update to deep-extend@0.5.1
shellscape opened this issue · 4 comments
NSP is reporting a vulnerability for Prototype Pollution on a direct dependency of this module:

```
┌────────────┬────────────────────────────────────────────────────────────────────┐
│            │ Prototype Pollution                                                │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name       │ deep-extend                                                        │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS       │ 2 (Low)                                                            │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed  │ 0.4.2                                                              │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ <=0.5.0                                                            │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched    │ >=0.5.1                                                            │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path       │ webpack-command@0.1.0 > update-notifier@2.5.0 >                    │
│            │ latest-version@3.1.0 > package-json@4.0.1 > registry-url@3.1.0 >   │
│            │ rc@1.2.6 > deep-extend@0.4.2                                       │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info  │ https://nodesecurity.io/advisories/612                             │
└────────────┴────────────────────────────────────────────────────────────────────┘
```

deep-extend@0.5.1 was released to address this, and the module should be updated to depend on that version.
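To make the report above concrete, here is an added example that is not deep-extend's code or anything posted in this thread: a minimal recursive merge written in the unsafe style this class of advisory describes, the hardened form beside it, and a regression check that can be pointed at any merge function a project depends on. The merge functions are hypothetical stand-ins, not deep-extend's implementation.

```javascript
// Keys that must never be copied from untrusted input onto a target object.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Unsafe pattern (hypothetical, for illustration): recurses into every own
// key of the source, including "__proto__". Reading target["__proto__"]
// yields Object.prototype, so the recursive call writes onto the shared
// prototype that every object in the process inherits from.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened form: drop prototype-related keys and only recurse into a
// property the target actually owns, never an inherited one.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      mergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Regression check: returns true if merging a constructed JSON payload
// through `merge` leaves a property on Object.prototype. Cleans up after
// itself so one check cannot contaminate the rest of a test run.
function pollutes(merge) {
  const marker = 'pp_marker_' + Date.now();
  const payload = JSON.parse(`{"__proto__": {"${marker}": true}}`);
  try {
    merge({}, payload);
    return ({})[marker] === true;
  } finally {
    delete Object.prototype[marker];
  }
}
```

Wiring `pollutes(require('deep-extend'))` into a project's test suite is the cheapest way to catch a regression if the dependency range ever widens again.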
I'm trying to sort this out as well; it doesn't help that I can't find a tag, release or release notes for any v1.2.x release.
Looks like this was done in b633779, which was released as rc@1.2.7 last week.
A fresh `npm i -D webpack-command` yields a transitive dependency on rc@1.2.7 and I don't get the vulnerability warning from `npm audit`, so it looks like this is taken care of.
deep-extend released 0.6.0 yesterday, and this should fix this issue: unclechu/node-deep-extend#41 (comment). Anybody know when rc will be updated?
fixed in 1.2.8