Snyk reports security vulnerability in dojo prototype pollution

[NorthDecoder]

dojo Prototype Pollution

copy and pasted from the Snyk security report

Vulnerability Score: 482

Introduced through    dojo@1.10.4
Fixed in              dojo@1.17.0

Exploit maturity:    Proof of Concept

Detailed paths Introduced through: dijit@1.10.4 › dojo@1.10.4 Fix: No remediation path available.

Security information Factors contributing to the scoring:

Snyk: [CVSS 7.5](https://security.snyk.io/vuln/SNYK-JS-DOJO-1535223) - High Severity
NVD: [CVSS 9.8](https://nvd.nist.gov/vuln/detail/CVE-2021-23450) - Critical Severity

dojo is a foundation package for the Dojo 1 Toolkit. While still being maintained, new development is primarily focused on modern Dojo. Affected versions of this package are vulnerable to Prototype Pollution via the setObject function.

[NorthDecoder]

Also

M dojo Cross-site Scripting (XSS)

Vulnerability Score: 325

Introduced through:     dojo@1.10.4
Fixed in:    dojo@1.14.0, @1.13.1, @1.12.4, @1.11.6, @1.10.10

Exploit maturity:     No known exploit

Detailed paths

Introduced through: dijit@1.10.4 › dojo@1.10.4
Fix: No remediation path available. 

Security information Factors contributing to the scoring:

Snyk: [CVSS 6.5](https://security.snyk.io/vuln/SNYK-JS-DOJO-72305) - Medium Severity
NVD: [CVSS 6.1](https://nvd.nist.gov/vuln/detail/CVE-2018-1000665) - Medium Severity

Overview dojo is a foundation package for the Dojo 1 Toolkit. While still being maintained, new development is primarily focused on modern Dojo.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS).

[ggetz]

Thanks for the report @NorthDecoder.

Just a note that dojo is not shipped as part of the CesiumJS library itself; It's only used in the Sandcastle and Timeline demo apps.