in2code-de / luxletter

Newsletter system for TYPO3
https://www.in2code.de/agentur/typo3-extensions/luxletter/

Known vulnerabilities in 3rd-party dependency chart.js #171

Closed magicHatOfTYPO3 closed 1 year ago

magicHatOfTYPO3 commented 1 year ago

Hi. We have received a PenTest result which complains about using a vulnerable version of chart.js as a dependency from luxletter.

As far as I can see, the chart.js from Luxletter is vulnerable to a Prototype Pollution attack, see https://security.snyk.io/package/npm/chart.js/2.7.1

Is there any chance to use a current version of chart.js or at least a minor update to a version with no known security issues?

Or: is it possible to deactivate the chart.js support completely (with then no charts in the backend, of course)?
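The report above names prototype pollution as the vulnerability class in the bundled chart.js 2.7.1. The following is an added example, not code from luxletter, chart.js or the issue author, showing what that class looks like in a generic deep-merge helper and how a hardened merge prevents it. The function names (`unsafeMerge`, `safeMerge`, `demonstrate`), the forbidden-key list and the JSON input are all constructed for illustration and say nothing about chart.js's actual code.

```javascript
// Added example: the prototype-pollution class named in the issue, shown on a
// generic recursive merge (an assumption, not chart.js's implementation).

// Unsafe recursive merge: it follows every key in the source object, including
// "__proto__", so a crafted input can write into Object.prototype and every
// plain object in the process then inherits the injected property.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], value); // recurses into Object.prototype for "__proto__"
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: keys that reach the prototype chain are skipped, and nested
// containers are only reused when they are the target's own properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // never walk into the prototype chain
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const ownObject =
        Object.prototype.hasOwnProperty.call(target, key) &&
        typeof target[key] === 'object' &&
        target[key] !== null;
      if (!ownObject) {
        target[key] = {}; // fresh own container, never an inherited one
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample input: an options document an untrusted caller could send
// to a chart-configuration endpoint. The "__proto__" member is the hostile part.
const CONSTRUCTED_OPTIONS =
  '{"title": {"text": "Opens per day"}, "__proto__": {"polluted": true}}';

// Runs one merge implementation against the sample and reports whether a
// fresh, unrelated object afterwards sees the injected property. Cleans up
// Object.prototype so repeated runs stay independent.
function demonstrate(mergeFn) {
  const cleanBefore = ({}).polluted === undefined;
  const merged = mergeFn({}, JSON.parse(CONSTRUCTED_OPTIONS));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { cleanBefore, leaked, titleKept: merged.title.text === 'Opens per day' };
}

// A cheap runtime check a defender can run after loading untrusted config:
// a fresh object should never carry enumerable inherited properties.
function prototypeLooksClean() {
  for (const key in {}) {
    if (!Object.prototype.hasOwnProperty.call({}, key)) return false;
  }
  return true;
}

console.log('unsafe:', demonstrate(unsafeMerge)); // leaked: true
console.log('safe:  ', demonstrate(safeMerge));   // leaked: false
console.log('prototype clean now:', prototypeLooksClean());
```

The point for a maintainer bundling a third-party library is that the fix is the library's to make; pinning the dependency to a release that carries the guarded merge (or removing the dependency, as the issue asks) is what closes the finding, and `prototypeLooksClean()`-style checks only help you notice the symptom at runtime.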

einpraegsam commented 1 year ago

Merged. Will be released asap.

magicHatOfTYPO3 commented 1 year ago

Thanks a lot :)