serverless-operations / serverless-step-functions

AWS Step Functions plugin for Serverless Framework ⚡️

npm security advisory for `dot-prop` dependency #354

Open grempe opened 4 years ago

grempe commented 4 years ago

This is a Bug Report

The following dependency is causing npm audit to inform on a high security vulnerability. It doesn't resolve with `npm audit fix`.

Security advisory link:

https://npmjs.com/advisories/1213

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ dot-prop                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless-step-functions [dev]                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ serverless-step-functions > serverless > update-notifier >   │
│               │ configstore > dot-prop                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1213                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
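For context on what the advisory above means in practice, here is an added illustration (not dot-prop's source and not this plugin's code): a minimal dot-prop-style `setProperty` that walks a dotted path, showing why a path segment such as `__proto__` lets a caller write onto `Object.prototype`, beside a hardened variant that rejects prototype-walking segments, which is the approach the patched dot-prop release takes. The function names, the `demonstrate` helper and the sample path are constructed for this example.

```javascript
// Illustrative reimplementation for this issue thread, not dot-prop's code.
// Paths are split on "." only; dot-prop's real parser also handles escaping.
function parsePath(path) {
  return path.split(".");
}

// Vulnerable: creates/walks every segment, including "__proto__", so a
// path like "__proto__.polluted" writes onto the shared Object.prototype.
function setPropertyUnsafe(object, path, value) {
  const keys = parsePath(path);
  let current = object;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (i === keys.length - 1) {
      current[key] = value;
      return object;
    }
    if (typeof current[key] !== "object" || current[key] === null) {
      current[key] = {};
    }
    current = current[key];
  }
  return object;
}

// Hardened: refuse any segment that would reach a shared prototype.
const DISALLOWED_KEYS = new Set(["__proto__", "prototype", "constructor"]);

function setPropertySafe(object, path, value) {
  for (const key of parsePath(path)) {
    if (DISALLOWED_KEYS.has(key)) {
      throw new Error(`disallowed path segment: ${key}`);
    }
  }
  return setPropertyUnsafe(object, path, value);
}

// Runs both variants on a constructed hostile path and reports the outcome.
// Cleans Object.prototype afterwards so the demonstration leaves no residue.
function demonstrate() {
  const path = "__proto__.polluted";
  setPropertyUnsafe({}, path, "yes");
  const leaked = ({}).polluted;          // "yes": every object now sees it
  delete Object.prototype.polluted;

  let rejected = false;
  try { setPropertySafe({}, path, "yes"); } catch (e) { rejected = true; }
  const afterSafe = ({}).polluted;       // undefined: nothing was written
  return { leaked, rejected, afterSafe };
}
```

Running `demonstrate()` returns `{ leaked: "yes", rejected: true, afterSafe: undefined }`; the same check is what `npm audit` is flagging as missing in the transitive `dot-prop` version here.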

theburningmonk commented 4 years ago

@grempe thanks, will take a look