jonschlinkert / cache-base

Basic object store with methods like get/set/extend/omit
MIT License
56 stars 19 forks

CVE-2021-23440 found in set-value dependency #22

Closed pavanjava closed 2 years ago

pavanjava commented 3 years ago

CVE-2021-23440: the cache-base library internally uses set-value, and set-value versions below 4.0.1 are vulnerable. Is there any plan to fix this issue and release a new version?

joshuanapoli commented 3 years ago

Note that set-value@4 changes the behavior when the set value is undefined. In set-value@3, it sets a property with value undefined. In set-value@4 it deletes the property.

https://github.com/jonschlinkert/set-value/commit/c4eb60997688bfd6609de8c09091f8e05f5e5195#diff-e727e4bdf3657fd1d798edcd6b099d6e092f8573cba266154583a746bba0f346R101

KevinMike commented 3 years ago

@jonschlinkert We have a PR updating the version of set-value. PR: https://github.com/jonschlinkert/cache-base/pull/23

gabssnake commented 3 years ago

Any news on this one? We have a set-value vulnerability 12 levels deep into the dependencies, and this is the culprit.

@jonschlinkert isn't set-value your own package?

jonschlinkert commented 2 years ago

closed by https://github.com/jonschlinkert/cache-base/pull/23