mcollina / msgpack5

A msgpack v5 implementation for node.js, with extension points / msgpack.org[Node]
MIT License
493 stars 76 forks

object prototype poisoning issue not resolved in dist folder msgpack5.js and msgpack5.min.js #107

Closed samarpanB closed 2 years ago

samarpanB commented 2 years ago

Even though the security vulnerability was fixed correctly in the release version 4.5.1 by this PR https://github.com/mcollina/msgpack5/pull/99, the dist folder was unchanged. As a result, the code in the dist folder is still old. Vulnerability scanning tools like JFrog Xray parse each and every file. As a result, msgpack5 version 4.5.1, when used in a Node.js app, is still detected as vulnerable.

Even though it doesn't pose any real threat, it's a good practice to keep the dist folder updated as well. This is to ensure compliance with most security tools.

Can someone please fix this?
