Closed ChiralMichael closed 5 years ago
Sorry, this is a mistake. I will have a positive repro before re-opening.
@ChiralMichael Please report vulnerabilities in a private fashion so that we have at least some time to decide how to fix them before releasing the info publicly along with a patched version.
At the moment I don't think we really have a good way of reporting security vulnerabilities; we'll try and come up with something soon.
Jake,
Makes sense, I will do so in the future. At any rate, I retract the vulnerability; further investigation shows that you are fine. I am sorry for the spam.
--michael
On Fri, Aug 9, 2019 at 8:42 AM Jake notifications@github.com wrote:
> @ChiralMichael Please report vulnerabilities in a private fashion so that we have at least some time to decide how to fix them before releasing the info publicly along with a patched version.
> At the moment I don't think we really have a good way of reporting security vulnerabilities; we'll try and come up with something soon.
Deepmerge has prototype pollution issues. Both what recently hit lodash, as well as merging objects containing '__proto__' definitions. Repros are in the link and elsewhere.
https://snyk.io/blog/snyk-research-team-discovers-severe-prototype-pollution-security-vulnerabilities-affecting-all-versions-of-lodash/
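The class of bug described in this issue, as an added example that is not deepmerge's own code and not from the issue author: a naive recursive merge that walks an own `__proto__` key straight into `Object.prototype`, next to a hardened merge that skips the prototype-reaching keys and only descends into the target's own properties. The `mergePollutesPrototype` helper is a constructed regression check a maintainer can run against any merge implementation; the payload is built with `JSON.parse` because an object literal `{__proto__: ...}` sets the prototype rather than creating an own key. All names here are assumptions for this example.

```javascript
// Added example (not deepmerge's own code). Keys that, when walked by a
// recursive merge, reach Object.prototype or a constructor's prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive recursive merge: Object.keys() returns an own "__proto__" key,
// and target["__proto__"] on a plain object resolves to Object.prototype,
// so the recursion writes into the shared prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: refuse the prototype-reaching keys, and only recurse
// into values that are the target's *own* properties (never inherited ones).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const targetHasOwn = Object.prototype.hasOwnProperty.call(target, key);
    if (targetHasOwn && isPlainObject(source[key]) && isPlainObject(target[key])) {
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Regression check: feed a merge function a constructed payload with an own
// "__proto__" key and report whether Object.prototype was modified. The probe
// property is always removed afterwards so the check leaves no trace.
function mergePollutesPrototype(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"__pollutionProbe": true}}'); // constructed
  try {
    mergeFn({}, payload);
    return ({}).__pollutionProbe === true;
  } finally {
    delete Object.prototype.__pollutionProbe;
  }
}

console.log('naiveMerge pollutes prototype:', mergePollutesPrototype(naiveMerge)); // true
console.log('safeMerge pollutes prototype: ', mergePollutesPrototype(safeMerge));  // false
console.log(JSON.stringify(safeMerge({ a: { b: 1 } }, { a: { c: 2 }, d: 3 })));    // {"a":{"b":1,"c":2},"d":3}
```

The check is cheap enough to keep in a library's test suite: it asserts on observable state (`({}).__pollutionProbe`) rather than on the merge's return value, which is the property a consumer actually cares about.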