Closed chirag-rakholiya closed 2 years ago
Duplicate of https://github.com/wollardj/simple-plist/issues/60 but this should be patched https://github.com/wollardj/simple-plist/issues/60#issuecomment-1086659497 in 1.3.1
especially since this vulnerability was introduced in a dependency https://github.com/TooTallNate/plist.js/issues/114 and patched there https://github.com/TooTallNate/plist.js/issues/114#issuecomment-1076512230
Any updates on this one? If it's fixed then this issue can be closed.
Running `yarn npm audit` doesn't produce any issues from within the project itself, and since the vulnerability was originally discovered and repaired upstream before being tested and released here, I'd be at a loss to explain why Snyk might still think the vulnerability still exists in 1.3.1.
That being said, I've just published 1.4.0 under the `next` tag - I'm curious if Snyk will re-evaluate the issue with a minor release instead of a patch release. I'd be disappointed if that were the case, but hey 🤷
Closing for now since I believe this is Snyk's db being out of date. At me if someone finds a legit security concern that might still apply.
Looks like this is still an issue:
Issues with no direct upgrade or patch:
✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-SIMPLEPLIST-2413671] in simple-plist@1.4.0
introduced by react-native@0.68.2 > @react-native-community/cli-platform-ios@7.0.1 > xcode@3.0.1 > simple-plist@1.4.0
No upgrade or patch available
While using simple-plist, we have analyzed the security vulnerability in simple-plist v1.3.0 and v1.3.1. Is there a new version coming soon? Hopefully the new version removes the security vulnerability that the current version has right now.
For more information regarding the found security vulnerabilities, see https://snyk.io/test/npm/simple-plist/1.3.0 and https://snyk.io/test/npm/simple-plist/1.3.1