Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: possible prototype pollution within merge #34

Merged
merged 1 commit into from
May 3, 2022

Conversation

n1ru4l
Copy link
Contributor

@n1ru4l n1ru4l commented Apr 14, 2022

Rather than everyone abandoning dset, why not just fix the security vulnerability... 😓

Hey @lukeed, can you review and release this? ☺️


Related:

@maraisr
Copy link
Contributor

maraisr commented Apr 20, 2022

Probably you can filter this in the user code?

@spratt
Copy link

spratt commented Apr 26, 2022

While you probably can filter this in the user code, this function is flagged by security scans for a dangerous prototype pollution vulnerability. I have to justify how I'm not creating a liability to my security team every time dset gets pulled in by a dependency. Please fix this function so I can keep using dset.

@n1ru4l
Copy link
Contributor Author

n1ru4l commented Apr 26, 2022

Since this is already properly addressed within dset:

if (k === '__proto__' || k === 'constructor' || k === 'prototype') break;

if (k === '__proto__' || k === 'constructor' || k === 'prototype') break;

I don't see why it should not be addressed within the merge function 🤔

@lukeed lukeed merged commit 2d156c7 into lukeed:master May 3, 2022
@n1ru4l n1ru4l deleted the patch-1 branch May 3, 2022 16:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants