micromatch / nanomatch

Fast, minimal glob matcher for Node.js. Similar to micromatch, minimatch and multimatch, but without support for extended globs (extglobs), POSIX brackets or braces, and with complete Bash 4.3 wildcard support ("*", "**" and "?").
https://github.com/micromatch
MIT License
95 stars 20 forks

Vulnerability in dependency "set-value" (High Severity) #23

Closed LinguineCode closed 4 years ago

LinguineCode commented 4 years ago

Hello, can you please cut a new version tag?

There is a vulnerability in a dependent package, see below for details. Good news: your master branch already contains the fix: https://github.com/micromatch/nanomatch/blob/master/package.json#L38.

Details on vuln:

https://nvd.nist.gov/vuln/detail/CVE-2019-10747

CVE-2019-10747
Severity: high
Vulnerable versions: < 2.0.1
Patched version: 2.0.1

set-value is vulnerable to Prototype Pollution in versions before 2.0.1 and version 3.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and __proto__ payloads.
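
The mechanism the advisory describes, as an added illustrative example that is not set-value's or mixin-deep's own code: a deep-set helper in the set(obj, 'a.b.c', value) style that walks a dotted path with plain property lookups will follow "__proto__", or "constructor" then "prototype", up to Object.prototype, so a caller-controlled path modifies every object in the process. The hardened variant refuses those three keys and only descends through own properties. The names naiveSet, safeSet, demonstratePollution and the attacker paths are constructed for this example.

```javascript
'use strict';

// Illustrative helper, not set-value's or mixin-deep's code. Functions count
// as traversable objects (as lodash-style isObject does), which is what lets
// the "constructor" path step from a plain object onto Object and then onto
// Object.prototype.
function isObject(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// Vulnerable pattern: plain property lookups along the path. "__proto__"
// resolves to Object.prototype directly; "constructor.prototype" resolves to
// Object and then Object.prototype. The final assignment then lands on the
// shared prototype instead of on the target.
function naiveSet(target, path, value) {
  const keys = path.split('.');
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (!isObject(obj[key])) {
      obj[key] = {};
    }
    obj = obj[key];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Hardened pattern: reject the three keys that can reach a prototype, and
// only descend into properties the current object actually owns, so an
// inherited value is never used as the next level.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeSet(target, path, value) {
  const keys = path.split('.');
  for (const key of keys) {
    if (UNSAFE_KEYS.has(key)) {
      throw new Error(`refusing unsafe key "${key}" in path "${path}"`);
    }
  }
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (!Object.prototype.hasOwnProperty.call(obj, key) || !isObject(obj[key])) {
      obj[key] = {};
    }
    obj = obj[key];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Runs one setter against a fresh object with an attacker-style path and
// reports whether it threw and whether an unrelated object now sees the
// property; then removes any pollution so later checks start clean.
function demonstratePollution(setter, path) {
  let threw = false;
  try {
    setter({}, path, true);
  } catch (err) {
    threw = true;
  }
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { threw, polluted };
}

// Constructed attacker paths, one per payload shape the advisory names.
// "prototype.polluted" only reaches Object.prototype when the target is a
// function, so against a plain object it creates an own property instead.
const PAYLOAD_PATHS = [
  '__proto__.polluted',
  'constructor.prototype.polluted',
  'prototype.polluted',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const path of PAYLOAD_PATHS) {
    console.log(path,
      'naive:', demonstratePollution(naiveSet, path),
      'safe:', demonstratePollution(safeSet, path));
  }
}
```

Run it with node to see each path's outcome for both setters. To confirm a patched release actually reached a project's tree, list which set-value versions the package manager resolves (for example with `npm ls set-value`) rather than trusting one package.json entry: nested copies pulled in by other dependencies can still be on an old version.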

doowb commented 4 years ago

This is a duplicate of #22. Check out this guide on how to update your dependencies to ensure you get the latest patched version.

LinguineCode commented 4 years ago

👍 Thanks for the prompt reply