Cordobo / angularx-qrcode

A fast and easy-to-use Angular QR Code Generator library with Ivy support
https://cordobo.github.io/angularx-qrcode/
MIT License
465 stars, 126 forks

Request upgrade y18n version: Snyk failing - Prototype Pollution - High Severity #113

Closed samuelkavin closed 2 years ago

samuelkavin commented 3 years ago

Currently, we are getting a security warning from Snyk. It's requesting an update of y18n from version 4.0.0 to 5.0.5.

Error message: Prototype Pollution [High Severity] (https://snyk.io/vuln/SNYK-JS-Y18N-1021887) in y18n@4.0.0, introduced by angularx-qrcode@2.1.4 > qrcode@1.4.2 > yargs@13.3.2 > y18n@4.0.0

This issue was fixed in versions: 5.0.5

Cordobo commented 3 years ago

Issue: https://github.com/soldair/node-qrcode/issues/252 PR: https://github.com/soldair/node-qrcode/pull/255

Cordobo commented 3 years ago

Hi @samuelkavin

thanks for opening this issue. I will update the lib when an updated version of the underlying lib becomes available.

Cordobo commented 2 years ago

It appears that the author of the original qrcode dependency currently has no time to merge the open PR mentioned above. For now, I have forked [1] the lib and bumped the dependency to a fixed version [2].

In part this was because of an issue with the lib colors.js, used by qrcode [3].

The moment the open PR gets merged into the qrcode lib, the dependency will be switched back.

[1] The used fork is located here: https://github.com/Cordobo/node-qrcode

[2] Commit https://github.com/Cordobo/node-qrcode/commit/e09bcd350aa664d4ddc3699617607197d6368a32

[3] colors.js https://github.com/soldair/node-qrcode/issues/294
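The two things a maintainer or consumer needs to do with a report like the one above are (a) confirm which dependency chain actually pulls the flagged package into the tree, and (b) decide how to pin a fixed version until upstream merges. The script below is an added example, not code from angularx-qrcode, node-qrcode or Snyk: it walks a constructed package-lock.json fragment (lockfileVersion 2/3 "packages" layout, ranges assumed) using node's nearest-node_modules resolution, prints every chain that reaches y18n in the same "a@1 > b@2" shape Snyk uses, and suggests an npm `overrides` entry. The fixed-version table uses the 5.0.5 release named on this page plus the 3.2.2 and 4.0.1 backports listed in the advisory for CVE-2020-7774; the same-major backport is suggested so that the parent's range (yargs 13's `^4.0.0`) still matches.

```javascript
// Added example (not code from angularx-qrcode, node-qrcode or Snyk):
// walk a package-lock.json (lockfileVersion 2/3 "packages" layout) to find
// every dependency chain that reaches a given package, flag the versions
// below the fixed release for their major line, and suggest an npm
// "overrides" entry that pins the backported fix without a major bump.

// Constructed lockfile fragment mirroring the chain from the Snyk report.
// Not copied from a real project; the version ranges are assumptions.
const lockfile = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "angularx-qrcode": "^2.1.4" } },
    "node_modules/angularx-qrcode": { version: "2.1.4", dependencies: { qrcode: "1.4.2" } },
    "node_modules/qrcode": { version: "1.4.2", dependencies: { yargs: "^13.2.4" } },
    "node_modules/yargs": { version: "13.3.2", dependencies: { y18n: "^4.0.0" } },
    "node_modules/y18n": { version: "4.0.0" },
  },
};

// Fixed y18n releases for SNYK-JS-Y18N-1021887 (CVE-2020-7774), keyed by major line.
const Y18N_FIXED_BY_MAJOR = { 3: "3.2.2", 4: "4.0.1", 5: "5.0.5" };

// Numeric compare on major.minor.patch; pre-release tags are dropped (simplification).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Node-style resolution inside the lock: look for name under fromLoc's own
// node_modules, then walk up one node_modules level at a time to the root.
function resolveDep(packages, fromLoc, name) {
  let base = fromLoc;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package; returns every chain ending at target,
// each as a list of "name@version" labels (the shape Snyk prints).
function findPaths(packages, target) {
  const results = [];
  const walk = (loc, trail, onPath) => {
    const deps = (packages[loc] && packages[loc].dependencies) || {};
    for (const depName of Object.keys(deps)) {
      const depLoc = resolveDep(packages, loc, depName);
      if (!depLoc || onPath.has(depLoc)) continue; // unresolved, or a cycle
      const next = trail.concat(`${depName}@${packages[depLoc].version}`);
      if (depName === target) results.push(next);
      walk(depLoc, next, new Set(onPath).add(depLoc));
    }
  };
  walk("", [], new Set([""]));
  return results;
}

// Audit one package: a version is vulnerable when it is below the fixed
// release of its own major line, or when its major line predates every fix.
function auditTransitive(lock, target, fixedByMajor) {
  const majors = Object.keys(fixedByMajor).map(Number).sort((a, b) => a - b);
  const latestFix = fixedByMajor[majors[majors.length - 1]];
  const findings = findPaths(lock.packages, target).map((chain) => {
    const version = chain[chain.length - 1].split("@").pop();
    const fixed = fixedByMajor[Number(version.split(".")[0])];
    const vulnerable = fixed
      ? compareVersions(version, fixed) < 0
      : Number(version.split(".")[0]) < majors[0];
    return { chain: chain.join(" > "), version, vulnerable, suggestedFix: fixed || latestFix };
  });
  // Pin to the same-major backport so the parent's range still matches.
  const overrides = {};
  for (const f of findings) if (f.vulnerable) overrides[target] = f.suggestedFix;
  return { findings, overrides };
}

const report = auditTransitive(lockfile, "y18n", Y18N_FIXED_BY_MAJOR);
for (const f of report.findings) console.log(`${f.vulnerable ? "VULN" : "ok  "} ${f.chain}`);
console.log("overrides:", JSON.stringify(report.overrides));
```

Run it with `node` against a real lockfile by replacing the constructed `lockfile` object with `JSON.parse(fs.readFileSync("package-lock.json"))`. The suggested entry goes into the consuming app's package.json as `"overrides": { "y18n": "4.0.1" }` (npm 8.3 or later; yarn uses `resolutions`). That only fixes one application's tree; the fork-and-bump approach described in the last comment is what fixes it for every consumer of the library, which is why an override is a stopgap rather than a replacement for the upstream PR.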