Closed n1ru4l closed 2 years ago
Probably you can filter this in the user code?
While you probably can filter this in the user code, this function is flagged by security scans for a dangerous prototype pollution vulnerability. I have to justify how I'm not creating a liability to my security team every time dset gets pulled in by a dependency. Please fix this function so I can keep using dset.
Since this is already properly addressed within dset:

https://github.com/lukeed/dset/blob/56923feb8095e275eb3ef853a53cd9b3476f8260/src/index.js#L6
https://github.com/lukeed/dset/blob/56923feb8095e275eb3ef853a53cd9b3476f8260/src/merge.js#L22

I don't see why it should not be addressed within the merge function 🤔
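The comments above contrast a path-setting function that already refuses prototype-related keys with a recursive merge that does not. The following is an added illustration of that difference, written for this thread and not taken from dset: a naive deep merge with no key guard, the same merge hardened by skipping `__proto__`, `constructor` and `prototype` and by only descending into the target's own properties, and a small check that feeds a constructed `JSON.parse` payload to either merge and reports whether `Object.prototype` picked up a new property (the check removes that property again so the rest of the process is unaffected). The function and key names are this example's own.

```javascript
// Keys that, when merged into a plain object, reach the prototype chain
// instead of the object itself. This list is the example's own assumption
// about what a guard should cover; it is not copied from dset.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive recursive merge: the pattern security scanners flag. `target[key]`
// for key === '__proto__' resolves to Object.prototype, so the recursion
// writes attacker-controlled keys onto every object in the process.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object') {
      target[key] = naiveMerge(target[key] || {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: refuse the unsafe keys, enumerate only own keys of the
// source, and only reuse an existing target value when it is an own
// property (never something inherited from the prototype).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // drop silently; log here if you want an audit trail
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const base = existing && typeof existing === 'object' ? existing : {};
      target[key] = safeMerge(base, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Regression check for a merge implementation: returns true when merging a
// constructed `__proto__` payload leaves a new own property on
// Object.prototype. The property is deleted afterwards so the check is
// repeatable and does not leak into other code.
function pollutesPrototype(mergeFn) {
  // Constructed sample input. JSON.parse (unlike an object literal) creates
  // "__proto__" as an ordinary own property, which is how such input
  // arrives from a request body or config file.
  const payload = JSON.parse('{"__proto__":{"polluted":true}}');
  mergeFn({}, payload);
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');
  delete Object.prototype.polluted;
  return polluted;
}

// Ordinary nested merge, to show the hardened version still does its job.
function mergeExample() {
  return safeMerge({ a: { b: 1 } }, { a: { c: 2 }, d: 3 });
}

module.exports = { UNSAFE_KEYS, naiveMerge, safeMerge, pollutesPrototype, mergeExample };
```

`pollutesPrototype` is the kind of test worth keeping in a project's suite next to any deep-merge or path-set helper: it fails the moment someone reintroduces a merge that walks `source` with `for...in` and indexes `target` without an own-property check.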
Rather than everyone abandoning dset, why not just fix the security vulnerability... 😓

Hey @lukeed, can you review and release this? ☺️
Related: