Open AnandChowdhary opened 5 years ago
Gonna check if latest lodash.merge resolves this issue
On Sun 5 May, 2019, 7:49 PM Anand Chowdhary, notifications@github.com wrote:
The dependency lodash.merge has a high severity vulnerability.
Source: https://app.snyk.io/vuln/SNYK-JS-LODASHMERGE-173732
Seems like using lodash instead of lodash.merge is safer: ztoben/assets-webpack-plugin@9632e0c https://github.com/ztoben/assets-webpack-plugin/commit/9632e0c3324147957a6a13ab6e7252ffdc64f006 (Is it?)
lodash.merge doesn't seem to be getting updated anymore. Using lodash instead would have a big impact on bundle size. :cry:
@championswimmer the issue you had with deepmerge was arrays were concat'ed, right? That seems like a fixable issue https://github.com/TehShrike/deepmerge#overwrite-array.
Did you have any other issues? I'm helping maintain ngrx-store-localstorage and facing the same issue. I went with lodash specifically because I saw you had trouble with deepmerge.
Yes it was the array concat issue
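An added example, not code from vuex-persist, lodash or deepmerge: a small deep merge for restoring persisted state that overwrites arrays instead of concatenating them and skips keys that can reach a prototype. `safeMerge`, `demo` and the sample state are hypothetical, and that the linked advisory concerns prototype pollution is an assumption here.

```javascript
// Added example: helper names are hypothetical, not from vuex-persist, lodash or deepmerge.
// Assumption: the advisory discussed in this thread is a prototype-pollution finding.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True only for {} / Object.create(null) style objects (what JSON.parse produces).
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' &&
  (Object.getPrototypeOf(v) === Object.prototype || Object.getPrototypeOf(v) === null);

// Merge `source` into a shallow copy of `target`, recursing into plain objects.
// - arrays from `source` replace the target array (no concatenation)
// - keys that could reach Object.prototype are dropped
function safeMerge(target, source) {
  const out = isPlainObject(target) ? { ...target } : {};
  if (!isPlainObject(source)) return out;
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      out[key] = safeMerge(out[key], value);
    } else if (Array.isArray(value)) {
      out[key] = value.slice(); // overwrite, keep a private copy
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Constructed sample: defaults plus a persisted blob as JSON.parse would return it.
// JSON.parse makes "__proto__" an own key, which a naive recursive merge would follow.
function demo() {
  const defaults = { todos: ['a', 'b'], user: { name: 'anon', roles: ['guest'] } };
  const persisted = JSON.parse(
    '{"todos":["c"],"user":{"roles":["admin"]},"__proto__":{"polluted":true},' +
    '"nested":{"constructor":{"prototype":{"polluted":true}}}}'
  );
  return safeMerge(defaults, persisted);
}
```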