jonschlinkert / global-prefix

Get the npm global path prefix. Same code used internally by npm.
MIT License

ini 1.3.5 dependency has prototype pollution #28

Closed adityapant1286 closed 2 weeks ago

adityapant1286 commented 3 years ago

There is a low-level vulnerability in the ini 1.3.5 dependency. Unfortunately, this version has reached end of life and the current version is 2.0.0. Is it possible to update the dependency to the latest version?

stieben commented 3 years ago

This looks like a duplicate of #26.

phated commented 3 years ago

The caret (^) in the semver range actually means you will already get that bugfix patch! You just need to remove your lockfile and reinstall your dependencies.
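The point made above about caret ranges and lockfiles, as an added example that is not code from the global-prefix project or from any commenter in this thread. It implements npm's caret-range rule for plain `MAJOR.MINOR.PATCH` versions and audits a constructed `package.json` / `package-lock.json` pair against an advisory: a dependency whose declared range already admits the fixed release only needs the lockfile regenerated, while a fix that lives in a new major (such as the 2.0.0 asked for in this issue) requires a range bump. The sample files, the `auditLock` helper and the `1.3.6` fixed version are constructed for illustration; check the real advisory for the actual fixed release.

```javascript
// Added example, not part of the global-prefix project.
// Demonstrates why "^1.3.5" in package.json does not by itself pull in a
// fixed patch release when a lockfile still pins the older version.

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release tags are out of scope).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric, component-wise comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics as npm applies them:
//   ^1.3.5 allows >=1.3.5 <2.0.0
//   ^0.2.3 allows >=0.2.3 <0.3.0
//   ^0.0.3 allows only 0.0.3
function caretAllows(range, version) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const baseStr = range.slice(1);
  const base = parseVersion(baseStr);
  const v = parseVersion(version);
  if (compareVersions(version, baseStr) < 0) return false;
  if (base[0] > 0) return v[0] === base[0];
  if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}

// Constructed sample inputs (shapes follow package.json and lockfile v1).
const SAMPLE_PACKAGE_JSON = { dependencies: { ini: '^1.3.5' } };
const SAMPLE_LOCKFILE = { dependencies: { ini: { version: '1.3.5' } } };

// Audit one dependency: is the pinned version below the fixed one, and does
// the declared range even permit the fix? (auditLock is a hypothetical helper.)
function auditLock(pkg, lock, advisory) {
  const range = pkg.dependencies[advisory.name];
  const pinned = lock.dependencies[advisory.name].version;
  const vulnerable = compareVersions(pinned, advisory.fixedIn) < 0;
  const rangeAllowsFix = caretAllows(range, advisory.fixedIn);
  let action;
  if (!vulnerable) action = 'ok';
  else if (rangeAllowsFix) action = 'regenerate-lockfile'; // range is fine, lock is stale
  else action = 'bump-range'; // fix is in a new major; package.json must change
  return { range, pinned, vulnerable, rangeAllowsFix, action };
}

// Stand-alone usage: fixedIn '1.3.6' is an assumed, illustrative value.
console.log(auditLock(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE, { name: 'ini', fixedIn: '1.3.6' }));
console.log(auditLock(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE, { name: 'ini', fixedIn: '2.0.0' }));
```

The first audit reports `regenerate-lockfile`, which is exactly the "remove your lockfile and reinstall" advice above; the second reports `bump-range`, because a caret range never crosses a major boundary, so moving to 2.0.0 is a change the maintainer has to make in `package.json`.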

phated commented 2 weeks ago

The v4.0.0 release is now using ^4.1.3 of ini.