vigour-io / unflatten

Opposite of flatten-obj
ISC License

Got npm audit warning, please fix. #3

Open alinex opened 4 years ago

alinex commented 4 years ago

I get the following warning for the unflatten package:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ unflatten                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ unflatten                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ unflatten                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1329                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

As I don't use prototype extension but call unflatten directly, this is no problem for me. Is it possible to make a new major version which fixes it?
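The advisory in the table above is a prototype pollution finding: a flat key such as "__proto__.x" that an unflatten routine walks segment by segment can end up writing onto Object.prototype. The following is an added example written for this thread, not the unflatten package's own code and not a fix in this repository; the function name safeUnflatten and the sample input are invented for illustration. It shows the check a hardened implementation needs: refuse path segments that reach the prototype chain, and never reuse an inherited property (e.g. "toString") as a nesting container.

```javascript
'use strict';
// Added example, not the unflatten package's code: a minimal unflatten that
// turns {'a.b': 1} into {a: {b: 1}} while refusing to walk into prototype-
// related keys, so untrusted flat input cannot reach Object.prototype.

// Segments that would let a flat key escape into the prototype chain.
const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Own-property check; plain `obj[key]` would also find inherited members.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeUnflatten(flat, delimiter = '.') {
  const result = {};
  for (const flatKey of Object.keys(flat)) {
    const segments = flatKey.split(delimiter);
    if (segments.some((seg) => UNSAFE_SEGMENTS.has(seg))) {
      // Reject loudly rather than silently drop, so callers notice bad input.
      throw new Error(`unsafe key segment in "${flatKey}"`);
    }
    let cur = result;
    for (let i = 0; i < segments.length - 1; i++) {
      const seg = segments[i];
      // Only descend into containers this function created itself.
      if (!hasOwn(cur, seg) || typeof cur[seg] !== 'object' || cur[seg] === null) {
        cur[seg] = {};
      }
      cur = cur[seg];
    }
    cur[segments[segments.length - 1]] = flat[flatKey];
  }
  return result;
}

// Constructed sample input (hypothetical config, not from the issue).
const sample = { 'db.host': 'localhost', 'db.port': 5432, 'debug': false };
console.log(JSON.stringify(safeUnflatten(sample)));
// → {"db":{"host":"localhost","port":5432},"debug":false}
```

The hasOwn check matters as much as the blocklist: without it, a key like "toString.x" would find the inherited Object.prototype.toString function and attach a property to it instead of creating a fresh container. A library that applies the same rule could keep its existing API and still clear this advisory.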

miketheprogrammer commented 3 years ago

Commented on the PR, I will look into it further.

alinex commented 3 years ago

As my own package got problems with npm audit because of this package I had to switch to another library. It looks as if this will not be fixed in the near future, here.

karladler commented 3 years ago

any recommendations for alternatives?

miketheprogrammer commented 3 years ago

I will check in on this, apologies.

On Wed, Sep 15, 2021 at 2:43 AM Karl Adler @.***> wrote:

any recommendations for alternatives?


miketheprogrammer commented 3 years ago

Actually I forgot, somehow vigour-io stole this repo from me. As such it is on them to resolve.
