Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Transitive dependency on unset-value/1.0.0 #147

Open
janpospisil-eaton opened this issue Sep 11, 2024 · 1 comment
Open

Transitive dependency on unset-value/1.0.0 #147

janpospisil-eaton opened this issue Sep 11, 2024 · 1 comment

Comments

@janpospisil-eaton
Copy link

Hi, our last cyber security scan resulted in a high risk being detected regarding the unset-value dependency that is used within this project. Can you update the find-yarn-workspace-root library and use latest version 2.0.0 ? Are there any other ways how to resolve the issue ?

Thank you.

@janpospisil-eaton
Copy link
Author

Hi again,

unset-value is vulnerable to a prototype pollution attack. A remote attacker may be able to execute arbitrary code, or cause a denial-of-service (DoS) by tricking the library into modifying or adding properties of Object.prototype.

The fix is in 2.0.1 version: https://github.com/jonschlinkert/unset-value/releases

Can you update the find-yarn-workspace-root library and use latest version 2.0.0 ? Are there any compatibility issues with other dependencies ? Does it require broader re-factoring ?

Thank you,
Jan

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant