
Hardcoded dependency version in package.json #9

@ghost

Description

Hi, @ben-lin

When I use this package in my Node.js application, I encounter a Snyk scan issue.

Snyk points out that the origin of the issue is node.flow's dependency node.extend@1.0.8.

Affected versions of this package are vulnerable to Prototype Pollution. An attacker could inject arbitrary properties onto Object.prototype

And then I found the hardcoded version in package.json.

"node.extend": "1.0.8"

Snyk also shows that the issue has already been fixed in node.extend@1.1.7 and node.extend@2.0.1.

I compared the code between node.extend@1.0.8 and node.extend@1.1.7.
I think there's not much difference from a functional point of view, right?

So could you help remove the version lock in node.flow@1.2.3, define node.extend to a correct version and publish it to npm? At the same time, it will not affect node.flow@1.2.3.

Thanks!
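As an added example (not code from node.flow or node.extend, and not part of the issue above), the following Node.js script shows both halves of the problem the report describes: a deep-merge written so that it cannot write through `__proto__`, `constructor` or `prototype` into `Object.prototype`, and a small audit of a package.json that flags an exact pin such as `"node.extend": "1.0.8"` against the fix versions the issue quotes (1.1.7 on the 1.x line, 2.0.1 on the 2.x line). The advisory table, the sample manifests and the `safeExtend` / `auditDependencies` function names are assumptions made for this example; the only real values are the package name and the three version numbers taken from the issue.

```javascript
'use strict';

// Added example: hardened deep-merge plus a package.json pin check.
// Not code from node.flow or node.extend; the advisory table below encodes
// only what the issue states (fixed in node.extend@1.1.7 and @2.0.1).

// Keys that a naive recursive merge would follow straight into Object.prototype.
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object' || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Deep merge that copies only own, enumerable keys of plain objects and
// silently drops the three polluting keys, so Object.prototype is never touched.
function safeExtend(target, ...sources) {
  for (const src of sources) {
    if (!isPlainObject(src)) continue;
    for (const key of Object.keys(src)) {
      if (POLLUTING_KEYS.has(key)) continue;
      const val = src[key];
      if (isPlainObject(val)) {
        const own = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
        target[key] = safeExtend(own ? target[key] : {}, val);
      } else {
        target[key] = val;
      }
    }
  }
  return target;
}

// Feeds a JSON document carrying a "__proto__" key (JSON.parse turns it into an
// own property) through safeExtend and reports whether a fresh object picked
// anything up from Object.prototype afterwards.
function demonstrateNoPollution() {
  const untrusted = JSON.parse('{"__proto__": {"polluted": true}, "a": {"b": 1}}');
  const merged = safeExtend({}, untrusted);
  return { merged, leakedToGlobal: ({}).polluted !== undefined };
}

// Per-release-line fix versions, taken from the issue text. Assumption: a
// version on a line is affected exactly when it is below that line's fix.
const ADVISORIES = {
  'node.extend': [
    { major: 1, fixedIn: '1.1.7' },
    { major: 2, fixedIn: '2.0.1' },
  ],
};

function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(s);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Walks dependencies/devDependencies and classifies each advisory-listed
// package: an exact pin below the fix is always vulnerable; a ^/~ range whose
// floor is below the fix may still resolve to an affected version depending
// on the lockfile, so it is reported separately.
function auditDependencies(packageJsonText, advisories = ADVISORIES) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const lines = advisories[name];
      if (!lines) continue;
      const exact = /^\d+\.\d+\.\d+$/.test(spec);
      const floor = parseVersion(spec.replace(/^[\^~]/, ''));
      if (!floor) {
        findings.push({ section, name, spec, status: 'unparsed-spec' });
        continue;
      }
      const line = lines.find((l) => l.major === floor[0]);
      if (!line || compareVersions(floor, parseVersion(line.fixedIn)) >= 0) {
        findings.push({ section, name, spec, status: 'ok' });
      } else {
        findings.push({
          section, name, spec, fixedIn: line.fixedIn,
          status: exact ? 'vulnerable-pinned' : 'range-floor-vulnerable',
        });
      }
    }
  }
  return findings;
}

// Constructed sample manifests: the pin quoted in the issue, and a remediated one.
const PINNED_MANIFEST = JSON.stringify({
  name: 'sample-app', dependencies: { 'node.extend': '1.0.8', 'example-dep': '3.2.1' },
});
const REMEDIATED_MANIFEST = JSON.stringify({
  name: 'sample-app', dependencies: { 'node.extend': '^1.1.7' },
});

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditDependencies(PINNED_MANIFEST));
  console.log(auditDependencies(REMEDIATED_MANIFEST));
  console.log(demonstrateNoPollution());
}
```

Run with `node audit.js`. The first audit reports `node.extend@1.0.8` as `vulnerable-pinned` with `fixedIn: '1.1.7'`, the remediated manifest reports `ok`, and `demonstrateNoPollution()` returns `leakedToGlobal: false` while still keeping the harmless `a.b` value. The point of the `range-floor-vulnerable` status is the one the issue makes: a caret range only removes the lock; whether the consumer actually gets 1.1.7 is decided by their lockfile, so the range floor is worth reporting even when it is not a hard pin.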
