notifme / notifme-sdk

A Node.js library to send all kinds of transactional notifications.
https://notifme.github.io/www/
MIT License

node-forge Prototype Pollution vulnerability #83

Closed flo-sch closed 5 months ago

flo-sch commented 3 years ago

This package depends on node-pushnotifications@1.4.1, which has an upstream vulnerability in node-forge: https://www.npmjs.com/advisories/1561

The vulnerability has been fixed upstream in node-pushnotifications@1.4.3 (the latest release being node-pushnotifications@1.5.0).

Would it be possible to release a new version of this package bumping that dependency, to fix this vulnerability issue?

I have no experience with that dependency myself, but it is not a major release, so I am expecting such a bump to be straightforward...?
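As an added example, not part of the issue thread or of notifme-sdk's own code: a small Node.js script that walks an npm lockfile's `packages` map (lockfile v2/v3 layout) and lists every installed copy of node-pushnotifications older than 1.4.3, the release the reporter names as carrying the fix, together with the package that pulled it in. The lockfile contents, including the notifme-sdk version and the nested copy, are constructed for illustration; only the node-pushnotifications versions come from the thread.

```javascript
// Added example (not from notifme-sdk or the issue): find copies of a
// transitive dependency that predate the release carrying the upstream fix.
// The lockfile below is constructed for illustration. npm records a nested
// (non-hoisted) copy under "node_modules/<parent>/node_modules/<name>".
const lock = {
  name: "my-app",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "notifme-sdk": "^1.0.0" } },
    "node_modules/notifme-sdk": {
      version: "1.0.0", // constructed, not a claim about a real release
      dependencies: { "node-pushnotifications": "1.4.1" },
    },
    // Nested copy pinned by notifme-sdk: still the vulnerable 1.4.1.
    "node_modules/notifme-sdk/node_modules/node-pushnotifications": {
      version: "1.4.1",
    },
    // Hoisted copy used by the root project: already on a fixed release.
    "node_modules/node-pushnotifications": {
      version: "1.5.0",
    },
  },
};

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Package name is whatever follows the last "node_modules/" in the path
// (this also handles scoped names such as "@scope/name").
function packageName(path) {
  const idx = path.lastIndexOf("node_modules/");
  return idx === -1 ? null : path.slice(idx + "node_modules/".length);
}

// The package that owns a nested copy is the parent directory's package;
// a top-level "node_modules/<name>" entry belongs to the root package.json.
function dependentOf(path) {
  const idx = path.lastIndexOf("/node_modules/");
  if (idx === -1) return "<root package.json>";
  return packageName(path.slice(0, idx));
}

// Every installed copy of pkgName whose version is below fixedIn.
function findBelowFix(lockfile, pkgName, fixedIn) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (packageName(path) !== pkgName || !entry.version) continue;
    if (compareVersions(entry.version, fixedIn) < 0) {
      hits.push({ path, version: entry.version, via: dependentOf(path) });
    }
  }
  return hits;
}

// Stand-alone run: report the vulnerable nested copy even though the hoisted
// copy is already fixed, which is why checking only the top level misleads.
for (const hit of findBelowFix(lock, "node-pushnotifications", "1.4.3")) {
  console.log(`${hit.path}@${hit.version} (pulled in by ${hit.via}) is below 1.4.3`);
}
```

The point of the nested entry is that a project can have node-pushnotifications@1.5.0 at the top level and still ship 1.4.1 inside notifme-sdk's own `node_modules`, because notifme-sdk pins the exact version. On a real repository `npm audit` performs this walk against the advisory database; if upstream does not release a bump, npm 8.3 and later also accept an `overrides` field in package.json to force the transitive version.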

kevalone commented 3 years ago

Any update on this? Any issues with merging the suggested PR, https://github.com/notifme/notifme-sdk/pull/84?

flo-sch commented 3 years ago

I am not quite certain this package is still actively maintained, to be honest. That would be sad, since I do not know a lot of alternatives, but this is the Open Source life 🤷‍♂