facebook / facebook-nodejs-business-sdk

Node.js SDK for Meta Marketing APIs
https://developers.facebook.com/docs/business-sdk

Incorrectly closed Issue #192 - Prototype Pollution in mout #241

Open Dezzymei opened 1 year ago

Dezzymei commented 1 year ago

It appears that issue #192 was incorrectly closed as there is still currently an issue with said dependency.

Please can this be resolved to remove this vulnerability?

Which SDK version are you using?

15.0.0

What's the issue?

npm audit shows a security vulnerability

Steps/Sample code to reproduce the issue

npm install facebook-nodejs-business-sdk
npm audit

Observed Results:

# npm audit report

mout  <=1.2.3
Severity: high
Prototype Pollution in mout - https://github.com/advisories/GHSA-pc58-wgmc-hfjr
Prototype Pollution in mout - https://github.com/advisories/GHSA-vvv8-xw5f-3f88
fix available via `npm audit fix --force`
Will install facebook-nodejs-business-sdk@6.0.0, which is a breaking change
node_modules/mout
  iso-3166-1-alpha-2  *
  Depends on vulnerable versions of mout
  node_modules/iso-3166-1-alpha-2
    facebook-nodejs-business-sdk  >=6.0.1
    Depends on vulnerable versions of iso-3166-1-alpha-2
    node_modules/facebook-nodejs-business-sdk

3 high severity vulnerabilities

Expected Results:

No Prototype Pollution in mout
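The audit output above only tells you that a vulnerable `mout` is reachable; when triaging a finding like this, the first thing a maintainer wants is the exact chain that pulls it in (here `facebook-nodejs-business-sdk > iso-3166-1-alpha-2 > mout`). The script below is an added example, not code from this issue or from the SDK: it walks a dependency tree in the shape of `npm ls --json` output and lists every path that ends in a `mout` version inside the reported `<=1.2.3` range. The sample tree, the version `1.0.0` for `iso-3166-1-alpha-2`, the package `other-lib` and its `mout@1.2.4` are constructed for illustration; only SDK `15.0.0` and the `mout <=1.2.3` range come from the report.

```javascript
// Added example (not from the issue or the SDK): find every dependency chain that
// reaches a vulnerable version of a package, given an `npm ls --json`-style tree.

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease/build suffixes are ignored.
function parseVersion(v) {
  return v.split('-')[0].split('+')[0].split('.').map((n) => Number.parseInt(n, 10) || 0);
}

// true when version a <= version b, compared component-wise as numbers
function versionLte(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y;
  }
  return true;
}

// Depth-first walk over a tree shaped like `npm ls --json` output:
//   { name, version, dependencies: { <name>: { version, dependencies } } }
// Returns one chain per hit, each chain a list of "name@version" from the root down.
function findVulnerablePaths(tree, target, isVulnerable) {
  const hits = [];
  const visit = (name, node, chain) => {
    const here = [...chain, `${name}@${node.version}`];
    if (name === target && isVulnerable(node.version)) hits.push(here);
    for (const [dep, child] of Object.entries(node.dependencies ?? {})) {
      visit(dep, child, here);
    }
  };
  visit(tree.name, tree, []);
  return hits;
}

// Constructed sample tree, modelled on the chain shown in the npm audit report
// (app -> facebook-nodejs-business-sdk -> iso-3166-1-alpha-2 -> mout).
// The iso-3166-1-alpha-2 version, "other-lib" and its mout version are hypothetical.
const SAMPLE_TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    'facebook-nodejs-business-sdk': {
      version: '15.0.0', // version named in the report
      dependencies: {
        'iso-3166-1-alpha-2': {
          version: '1.0.0', // hypothetical
          dependencies: { mout: { version: '1.2.3' } }, // inside the reported range
        },
      },
    },
    'other-lib': { // hypothetical package whose mout is outside the reported range
      version: '2.0.0',
      dependencies: { mout: { version: '1.2.4' } },
    },
  },
};

// Range from the advisory line "mout <=1.2.3"
const MOUT_VULNERABLE = (v) => versionLte(v, '1.2.3');

// Human-readable chains such as "my-app@1.0.0 > ... > mout@1.2.3"
function vulnerableMoutChains(tree = SAMPLE_TREE) {
  return findVulnerablePaths(tree, 'mout', MOUT_VULNERABLE).map((c) => c.join(' > '));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const chain of vulnerableMoutChains()) console.log(chain);
}
```

On a real project, feed `findVulnerablePaths` the parsed output of `npm ls --json --all` instead of `SAMPLE_TREE`; the chain it prints is the one a maintainer has to break (by bumping or replacing the intermediate package) before `npm audit` will stop flagging the SDK.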

Dezzymei commented 1 year ago

Or perhaps a new version needs to be released, as this reference to alpha should no longer exist in the code, so perhaps it has not been released!?