klei/gulp-inject

High vulnerability from set-value

TheoMugnier opened this issue · 2 comments

🚫 Pinning group-array to 0.3.3 leads to a high vulnerability! 🚫
So this can't be considered a permanent fix (Fixed in 0.3.4 of group-array)
(Merged PR: #258)

From the npm audit security report:

High : Prototype Pollution
Package : set-value
Patched in : >=2.0.1 <3.0.0 || >=3.0.1
Dependency of : gulp-inject
Path : gulp-inject > group-array > union-value > set-value
More info : https://npmjs.com/advisories/1012
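An added example of the vulnerability class the audit report names, written for this page and not taken from gulp-inject, group-array, union-value or set-value: a toy dotted-path setter in the style of such helpers that walks into `Object.prototype` when a path segment is `__proto__`, next to a hardened version that rejects prototype-reaching segments and only descends into own properties. The function names `naiveSet`, `safeSet` and `compare`, the `FORBIDDEN_KEYS` set and the constructed path `__proto__.polluted` are assumptions of this example, not identifiers from the libraries.

```javascript
// Added illustration for this issue: a toy dotted-path setter in the style of
// set-value / union-value, NOT those libraries' code. It shows why an
// unvalidated key path lets untrusted input write to Object.prototype, and
// what a hardened setter has to refuse.

// Segments that resolve to the prototype chain rather than to a plain property.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive deep setter: creates intermediate objects and assigns by raw key.
// With the path "__proto__.x", node['__proto__'] is Object.prototype, so the
// final assignment lands on every object in the process.
function naiveSet(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const current = node[keys[i]];
    if (current === null || typeof current !== 'object') {
      node[keys[i]] = {};
    }
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened deep setter: rejects prototype-reaching segments up front and only
// descends into the target's own plain-object properties, never inherited ones.
function safeSet(target, path, value) {
  const keys = path.split('.');
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing key "${key}": it would modify the prototype chain`);
    }
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const own = Object.prototype.hasOwnProperty.call(node, key) ? node[key] : undefined;
    if (own === null || typeof own !== 'object') {
      node[key] = {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Runs both setters against the same untrusted path "__proto__.<leaf>" and
// reports what a fresh, unrelated object sees before and after each call.
function compare(leaf) {
  const path = `__proto__.${leaf}`;          // constructed untrusted input
  const before = ({})[leaf];                 // undefined on a clean runtime
  naiveSet({}, path, 'polluted');
  const afterNaive = ({})[leaf];             // 'polluted': inherited by every object
  delete Object.prototype[leaf];             // undo the damage for the rest of the process
  let safeRejected = false;
  try {
    safeSet({}, path, 'polluted');
  } catch (err) {
    safeRejected = err instanceof TypeError;
  }
  const afterSafe = ({})[leaf];              // still undefined
  return { before, afterNaive, safeRejected, afterSafe };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(compare('polluted'));
  console.log(JSON.stringify(safeSet({}, 'a.b.c', 42)));
}
```

For a consumer of gulp-inject the practical fix is the dependency upgrade the report points to (a patched set-value range, reached here through group-array 0.3.4); the hardened setter above only illustrates the guarantee a patched deep-setter needs to provide, so that `npm audit` stays the check that confirms the dependency path is clean.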

🎉 This issue has been resolved in version 5.0.4 🎉

The release is available on:

Your semantic-release bot 📦🚀

Just an FYI as I'm not sure if the version I'm using is deprecated.
I am using gulp-inject@4.3.2 and in the latest npm install it replaced group-array@0.3.3 with group-array@0.3.4. ["group-array": "^0.3.0"].
This has caused the src stream consumption in inject to fail as it just takes the last element of the stream. I was able to fix this by moving back to group-array@0.3.3.