
Unset-value Vulnerability

Open dhivyalaxmi-murugesan opened this issue 3 years ago • 2 comments

We have found a vulnerability in unset-value: the cache-base library internally uses unset-value, and unset-value versions below 2.0.1 are vulnerable. Is there any plan to fix this issue and release a new version? Please refer to https://security.snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660 @jonschlinkert

dhivyalaxmi-murugesan avatar Feb 15 '22 08:02 dhivyalaxmi-murugesan

I too am running into this -- the scary part is that most folks are on version 1.0.1 of this lib. It doesn't look like the change made to unset-value should be breaking unless one was relying on the prototype pollution to break things.

Three options exist in my eyes:

1. Fix in userland.
2. Effort to fix heavily relied on upstream packages. For me this is https://github.com/base/base 0.11.2 -- which exists nowhere in git history.
3. Publish a semver fix as 1.0.2.

I was able to fix in userland by adding a yarn resolution.

{
   // ...package.json
  "resolutions": {
    "unset-value": "^2.0.1"
  }
}

rjerue avatar Feb 21 '22 20:02 rjerue
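As an added example (not code from the thread or from the cache-base project), here is a small Node script that checks whether a yarn.lock still resolves `unset-value` to a version below the fixed 2.0.1, which is the quickest way to confirm that a `resolutions` override like the one above actually took effect. The lockfile text is constructed inline for illustration; the `resolved` URL is a placeholder.

```javascript
// Added example: verify that no yarn.lock entry resolves unset-value below 2.0.1.
// Node built-ins only; SAMPLE_LOCK below is a constructed yarn.lock v1 fragment.
const FIXED_UNSET_VALUE = '2.0.1';

// Compare two "MAJOR.MINOR.PATCH" strings: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Parse yarn.lock v1: an unindented header of comma-separated specifiers ending
// in ':' followed by indented fields; only the "version" field is kept.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const specs = line.slice(0, -1).split(',')
        .map(s => s.trim().replace(/^"|"$/g, ''));
      current = { specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"?([^"\s]+)"?\s*$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Return lock entries for `name` whose resolved version is below `fixed`.
function findVulnerable(lockText, name, fixed) {
  return parseYarnLock(lockText)
    .filter(e => e.specs.some(s => s.startsWith(name + '@')))
    .filter(e => e.version && compareVersions(e.version, fixed) < 0)
    .map(e => ({ specs: e.specs, version: e.version }));
}

// Constructed sample: cache-base's unset-value@^1.0.0 range still resolves to
// 1.0.1 (vulnerable), while a second range is already on the fixed 2.0.1.
const SAMPLE_LOCK = `
"unset-value@^1.0.0":
  version "1.0.1"
  resolved "https://registry.example.invalid/unset-value-1.0.1.tgz"

unset-value@^2.0.1:
  version "2.0.1"
`;

console.log(findVulnerable(SAMPLE_LOCK, 'unset-value', FIXED_UNSET_VALUE));
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `require('fs').readFileSync('yarn.lock', 'utf8')`; an empty result means every `unset-value` range resolves to 2.0.1 or later.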

Any chance of getting the PR in that fixes this in @jonschlinkert?

benjamindally avatar Oct 20 '22 15:10 benjamindally