textlint-rule / textlint-rule-alex

textlint rule for alex
MIT License
11 stars 3 forks

Upgrade dot-prop to version 5.1.1 or higher #4

Closed jeff-cook closed 4 years ago

jeff-cook commented 4 years ago

MEDIUM SEVERITY, NEW vulnerability: Prototype Pollution
Vulnerable module: dot-prop
Introduced through: alex@5.1.0

Detailed paths

Introduced through: textlint-rule-alex@1.3.1 › alex@5.1.0 › update-notifier@2.5.0 › configstore@3.1.2 › dot-prop@4.2.0

Overview

dot-prop is a package to get, set, or delete a property from a nested object using a dot path.

Affected versions of this package are vulnerable to Prototype Pollution. It is possible for a user to modify the prototype of a base object.

https://app.snyk.io/vuln/SNYK-JS-DOTPROP-543489
https://app.snyk.io/test/npm/textlint-rule-alex/1.3.1

I know this is a sub dependency, but maybe you can put a little pressure on the alex project.
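The advisory above says a user can reach the prototype of a base object through a dot path. The following is an added example, not code from dot-prop, alex or textlint-rule-alex: `setPathUnsafe` is a toy dot-path setter that walks every segment as-is, the way the affected versions are described, so a segment such as `__proto__` (or `constructor.prototype`) lands on `Object.prototype`; `setPathSafe` adds a segment filter in the spirit of the fix. Throwing on a bad segment is a design choice of this example, not necessarily what the library does, and the attacker-controlled path and property names are constructed for illustration.

```javascript
'use strict';

// Added example for this issue, not code from dot-prop, alex or
// textlint-rule-alex. All inputs are constructed for the example.

// Mirrors the "can I descend into this value" test of a naive setter:
// functions count as containers, which is what lets a path through
// "constructor.prototype" reach Object.prototype.
function isObjectLike(value) {
  return value !== null && (typeof value === 'object' || typeof value === 'function');
}

// Vulnerable: every path segment is used as a property key, unchecked.
function setPathUnsafe(target, path, value) {
  const segments = path.split('.');
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    if (!isObjectLike(node[key])) {
      node[key] = {};
    }
    node = node[key]; // for key "__proto__" this is Object.prototype
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Hardened: refuse any segment that can escape the target object.
// (This example throws; a library may instead leave the object unchanged.)
const DISALLOWED_SEGMENTS = new Set(['__proto__', 'prototype', 'constructor']);

function setPathSafe(target, path, value) {
  for (const segment of path.split('.')) {
    if (DISALLOWED_SEGMENTS.has(segment)) {
      throw new Error(`refusing to set through "${segment}" in path "${path}"`);
    }
  }
  return setPathUnsafe(target, path, value);
}

// Runs one attacker-chosen path (e.g. a config key read from an untrusted
// source) against both setters and reports what a fresh, unrelated object
// looks like before, during and after. Cleans up the global damage so the
// rest of the process is not left polluted.
function demonstratePollution(attackerPath = '__proto__.isAdmin') {
  const prop = attackerPath.split('.').pop();
  const before = ({})[prop];             // undefined on a fresh object
  setPathUnsafe({}, attackerPath, true); // writes onto Object.prototype
  const during = ({})[prop];             // true: every object now inherits it
  delete Object.prototype[prop];         // undo the process-wide damage
  let blocked = false;
  try {
    setPathSafe({}, attackerPath, true);
  } catch (err) {
    blocked = true;
  }
  const after = ({})[prop];              // still undefined: nothing leaked
  return { before, during, blocked, after };
}

console.log(demonstratePollution());
console.log(demonstratePollution('constructor.prototype.isAdmin'));
console.log(setPathSafe({}, 'update.lastCheck', 123)); // ordinary use still works
```

To see which dot-prop versions actually sit in your own tree, run `npm ls dot-prop` in the project; a single vulnerable copy pulled in through `configstore` is enough, because `Object.prototype` is shared by every package in the process.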

azu commented 4 years ago

Pull requests are welcome!

Related: https://github.com/get-alex/alex/issues/272

jeff-cook commented 4 years ago

Alex is going to wait for their next major release to update this module.