notifme / notifme-sdk

A Node.js library to send all kinds of transactional notifications.
https://notifme.github.io/www/
MIT License
1.94k stars 149 forks

Fix: Prototype Pollution upstream vulnerability #84

Closed flo-sch closed 3 years ago

flo-sch commented 3 years ago

Fix #83

PabloPerezAguilo commented 3 years ago

any news about this PR? 🙄

mjlescano commented 3 years ago

This now also fixes a critical audit error on nodemailer: https://www.npmjs.com/advisories/1708

mjlescano commented 3 years ago

If it helps someone until we can update the main package, I just published the mjlescano-notifme-sdk package updating nodemailer & node-pushnotifications so it doesn't throw audit errors anymore.

You can review the release here: https://github.com/mjlescano/notifme-sdk/releases/tag/v1.10.1

Just run:

npm uninstall notifme-sdk
npm install mjlescano-notifme-sdk@1.10.1

Or, put in your package.json:

  "notifme-sdk": "npm:mjlescano-notifme-sdk@1.10.1",

:)

BDav24 commented 3 years ago

I'm catching up, sorry for the delay: https://github.com/notifme/notifme-sdk/releases/tag/1.11.0