the-dr-lazy / deox

Functional Type-safe Flux Standard Utilities
https://deox.js.org
MIT License
206 stars 12 forks

Prototype pollution in immer dependency #164

Closed Michael-1 closed 3 years ago

Michael-1 commented 3 years ago

Deox currently depends on redux-starter-kit, which depends on a version of immer for which a high-severity security issue was reported (see GitHub advisory).

The solution is to switch to the latest version of @reduxjs/toolkit (the successor of redux-starter-kit).

the-dr-lazy commented 3 years ago

As noted in https://github.com/the-dr-lazy/deox/issues/151#issuecomment-687367481, I decided to drop the dependency on redux-starter-kit. PRs welcome.

the-dr-lazy commented 3 years ago

:tada: This issue has been resolved in version 4.0.0 :tada:

The release is available on:

Your semantic-release bot :package::rocket: