CVE-2019-10746 (High) detected in mixin-deep-1.3.1.tgz

[mend-bolt-for-github]

CVE-2019-10746 - High Severity Vulnerability

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /Emendare/server/package.json

Path to vulnerable library: /tmp/git/Emendare/server/node_modules/mixin-deep/package.json,/tmp/git/Emendare/server/node_modules/mixin-deep/package.json,/tmp/git/Emendare/server/node_modules/mixin-deep/package.json

Dependency Hierarchy:

• ts-loader-4.5.0.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • snapdragon-0.8.2.tgz
      • base-0.11.2.tgz
        • ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 35a45e197f707a98ad11571a99e1ed841041b865

Vulnerability Details

mixin-deep before 1.3.2 is vulnerable to Prototype Pollution.

Publish Date: 2019-07-11

URL: CVE-2019-10746

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/mixin-deep@8f464c8

Release Date: 2019-07-11

Fix Resolution: 1.3.2

---

Step up your Open Source Security Game with WhiteSource here