phated
commented
5 years ago (Shamelessly stolen from @jonschlinkert)
- Semver already solves this. Patch the root library once, and all downstream libraries get the patch. Thus, any library that depends on the module will automatically get the patched version by simply reinstalling. If you are not getting the latest version, you are probably using a lockfile that is preventing semver from doing its job.
- Don't create issues on dependent libraries when you see a vulnerability message. ALWAYS, AND ONLY create issues on the library that has the vulnerability so that it can be patched. ONLY WHEN AND IF that library has not been fixed in a timely manner does it make sense to create issue on dependent libraries.
brandon1024
A security vulnerability alert for 'extend' was issued for versions >= 3.0.0, < 3.0.2. The vulnerability allows arbitrary properties to be attached onto the Object prototype. This pull request addresses this by bumping the version number of 'extend' to 3.0.2.
CVE Details:
CVE ID: CVE-2018-16492 Vulnerable Versions: >= 3.0.0, < 3.0.2 Pactched Version: 3.0.2 Description: A prototype pollution vulnerability was found that allows an attacker to inject arbitrary properties onto Object.prototype.