Open JamieSlome opened 2 years ago
Hey,
I tried to contact the developers two years back to report a prototype pollution vulnerability in your mockjs npm package but never got any feedback.
Here is the link to the report published on the huntr.com platform, and here is the GitHub gist.
Thanks for validating the report; I have also submitted a fix to patch the vulnerability.
With best regards,
Timothee
(google translated)
Hey,
Two years ago, I tried to contact the developers to report a prototype pollution vulnerability in your mockjs npm package, but never got any feedback.
Here is the link to the report published on the huntr.com platform.
Thanks for validating the report; I have also submitted a fix to patch the vulnerability.
With best regards,
Timothee
This is an automatic vacation reply from QQ Mail.
Hey there!
I belong to an open source security research community, and a member (@sampaguitas) has found an issue, but doesn’t know the best way to disclose it.
If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future. Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)