serviejs / popsicle

Simple HTTP requests for node and the browser
MIT License

popsicle is vulnerable to Prototype Pollution #156

Closed Bhavesh-Ahalani closed 11 months ago

Bhavesh-Ahalani commented 1 year ago

popsicle is using popsicle-cookie-jar 1.0.0 which is vulnerable to Prototype Pollution

Reference: https://github.com/advisories/GHSA-72xf-g2v4-qvf3

SimeonC commented 1 year ago

Once popsicle-cookie-jar has updated, we can just run npm update popsicle-cookie-jar and it should fix the vulnerability (as long as it's just a 1.0.0 -> 1.0.1 release).

blakeembrey commented 11 months ago

The latest release includes the updated popsicle-cookie-jar. This was only a vulnerability if you happened to be using a custom CookieJar with rejectPublicSuffixes=false.