celo-org / celo-monorepo

Official repository for core projects comprising the Celo platform
https://celo.org
Apache License 2.0
697 stars 370 forks

chore(deps): update dependency set-value to v3.0.3 [security] (release/core-contracts/6) - autoclosed #11064

Closed renovate[bot] closed 3 months ago

renovate[bot] commented 3 months ago

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| set-value | 3.0.2 -> 3.0.3 | age | adoption | passing | confidence |

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Prototype Pollution in set-value

CVE-2021-23440 / GHSA-4jqc-8m5r-9rpr / SNYK-JAVA-ORGWEBJARSNPM-1584212 / SNYK-JS-SETVALUE-1540541

More information

#### Details

This affects the package `set-value`. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.

#### Severity

- CVSS Score: 7.3 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2021-23440](https://nvd.nist.gov/vuln/detail/CVE-2021-23440)
- [https://github.com/jonschlinkert/set-value/pull/33](https://togithub.com/jonschlinkert/set-value/pull/33)
- [https://github.com/jonschlinkert/set-value/pull/33/commits/383b72d47c74a55ae8b6e231da548f9280a4296a](https://togithub.com/jonschlinkert/set-value/pull/33/commits/383b72d47c74a55ae8b6e231da548f9280a4296a)
- [https://github.com/jonschlinkert/set-value/commit/09c4b108fea3c0260008590053ff13da64913245](https://togithub.com/jonschlinkert/set-value/commit/09c4b108fea3c0260008590053ff13da64913245)
- [https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452](https://togithub.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452)
- [https://github.com/jonschlinkert/set-value/commit/cb12f14955dde6e61829d70d1851bfea6a3c31ad](https://togithub.com/jonschlinkert/set-value/commit/cb12f14955dde6e61829d70d1851bfea6a3c31ad)
- [https://github.com/jonschlinkert/set-value](https://togithub.com/jonschlinkert/set-value)
- [https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212](https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212)
- [https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541](https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541)
- [https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2](https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2)
- [https://www.oracle.com/security-alerts/cpujan2022.html](https://www.oracle.com/security-alerts/cpujan2022.html)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-4jqc-8m5r-9rpr) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).

Release Notes

jonschlinkert/set-value (set-value)

### [`v3.0.3`](https://togithub.com/jonschlinkert/set-value/compare/3.0.2...3.0.3)

[Compare Source](https://togithub.com/jonschlinkert/set-value/compare/3.0.2...3.0.3)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
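The advisory above describes the bug class behind this bump: a key blocklist that is applied to string path segments but bypassed when a segment arrives as an array. As an added example that is not part of this PR and not set-value's own code, the following is a small hardened deep-set in JavaScript that normalizes every path form to a flat list of string segments before the blocklist check, so an array-typed segment is checked the same way as a string one. The names `safeSet`, `normalizePath`, `isUnsafeKey` and `selfCheck` are the example's own, and the probe paths in `selfCheck` are constructed inputs used only to confirm the rejection.

```javascript
// Added example (hypothetical helpers, not set-value's implementation):
// a deep "set" that refuses prototype-pollution keys however the path is spelled.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Turn any accepted path form into a flat array of string segments.
// Dotted strings are split; arrays are flattened recursively and every
// element is coerced to a string, so the type of a segment can never decide
// whether the key check runs.
function normalizePath(path) {
  if (typeof path === 'string') return path.split('.');
  if (Array.isArray(path)) {
    return path.flatMap((seg) => (Array.isArray(seg) ? normalizePath(seg) : [String(seg)]));
  }
  return [String(path)];
}

function isUnsafeKey(key) {
  return UNSAFE_KEYS.has(key);
}

// Set `value` at `path` inside `target`, creating intermediate plain objects.
// Throws before touching `target` if any normalized segment is unsafe.
function safeSet(target, path, value) {
  if (target === null || typeof target !== 'object') {
    throw new TypeError('target must be an object');
  }
  const segments = normalizePath(path);
  if (segments.length === 0) throw new TypeError('empty path');
  for (const key of segments) {
    if (isUnsafeKey(key)) throw new Error(`refusing unsafe key: ${key}`);
  }
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    // Descend only into own, non-null object properties; otherwise start fresh,
    // so inherited properties are never used as a container.
    if (!Object.prototype.hasOwnProperty.call(node, key) ||
        typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Self-check: a normal path is written, every unsafe spelling (string, array,
// nested array, constructor.prototype) is rejected, and Object.prototype stays clean.
function selfCheck() {
  const ok = safeSet({}, 'a.b.c', 1);
  const results = { okValue: ok.a.b.c, rejected: 0, prototypeClean: false };
  const probe = {};
  const unsafePaths = [           // constructed probe inputs
    '__proto__.polluted',
    ['__proto__', 'polluted'],
    [['__proto__'], 'polluted'],
    ['constructor', 'prototype', 'polluted'],
  ];
  for (const p of unsafePaths) {
    try { safeSet(probe, p, true); } catch (e) { results.rejected += 1; }
  }
  results.prototypeClean = !('polluted' in {});
  return results;
}

console.log(selfCheck());
```

The design point is that normalization happens once, up front, and the check runs over the normalized list; a check that inspects the raw argument has to reason about every type the API accepts, which is exactly where the type confusion in the advisory lives.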

socket-security[bot] commented 3 months ago

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

| Package | New capabilities | Transitives | Size | Publisher |
|---|---|---|---|---|
| npm/set-value@3.0.3 | None | 0 | 18.1 kB | doowb |

🚮 Removed packages: npm/set-value@3.0.2

View full report↗︎