lukeed / dset

A tiny (194B) utility for safely writing deep Object values~!
MIT License

fix: possible prototype pollution within merge #34

Closed n1ru4l closed 2 years ago

n1ru4l commented 2 years ago

Rather than everyone abandoning dset, why not just fix the security vulnerability... 😓

Hey @lukeed, can you review and release this? ☺️


Related:

maraisr commented 2 years ago

Probably you can filter this in the user code?

spratt commented 2 years ago

While you probably can filter this in the user code, this function is flagged by security scans for a dangerous prototype pollution vulnerability. I have to justify how I'm not creating a liability to my security team every time dset gets pulled in by a dependency. Please fix this function so I can keep using dset.

n1ru4l commented 2 years ago

Since this is already properly addressed within dset:

https://github.com/lukeed/dset/blob/56923feb8095e275eb3ef853a53cd9b3476f8260/src/index.js#L6
https://github.com/lukeed/dset/blob/56923feb8095e275eb3ef853a53cd9b3476f8260/src/merge.js#L22

I don't see why it should not be addressed within the merge function 🤔
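As an added example that is not dset's code, this is the kind of key filter the thread refers to, applied inside a recursive merge: any key that could step onto the shared prototype chain is rejected before the merge descends into it, so no payload can write onto `Object.prototype`. The `safeMerge` and `isPlainObject` names and the constructed `HOSTILE` payload are mine.

```javascript
// Added example, not dset's code: a deep merge that refuses to follow
// keys able to reach Object.prototype.

// Keys that let a merge walk onto the prototype chain of every object.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Only recurse into plain objects; arrays, class instances, Dates etc.
// are assigned as-is rather than merged key by key.
function isPlainObject(v) {
  return v !== null && typeof v === 'object' &&
    Object.getPrototypeOf(v) === Object.prototype;
}

// Recursively merge `src` into `dst`, throwing on any polluting key
// at any depth. Object.keys() sees own keys only, including an own
// "__proto__" key produced by JSON.parse.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN.has(key)) {
      throw new Error(`refusing to merge key "${key}"`);
    }
    const val = src[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      safeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Constructed input: a JSON body whose nested key would, in an
// unguarded merge, land on Object.prototype.
const HOSTILE = JSON.parse('{"a":{"__proto__":{"polluted":true}}}');

// Reports whether the shared prototype has been tampered with.
function prototypeIsClean() {
  return !Object.prototype.hasOwnProperty('polluted') &&
    ({}).polluted === undefined;
}

const merged = safeMerge({ keep: true, nested: { a: 1 } },
                         { nested: { b: 2 }, extra: 'x' });
console.log(JSON.stringify(merged)); // {"keep":true,"nested":{"a":1,"b":2},"extra":"x"}
try {
  safeMerge({}, HOSTILE);
} catch (e) {
  console.log('rejected:', e.message, '| prototype clean:', prototypeIsClean());
}
```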