Vulnerability: Prototype Pollution via the main (merge) function #963
Comments
Happy to merge the PR on find-node-modules but wanted to raise something here first - commitizen is as far as I can tell the only significant project using find-node-modules, and I'm not using it anymore either. Would the maintainers of commitizen be happy / willing to take ownership of the module? Happy to transfer ownership on both GitHub and npm if so! Alternatively, I believe from looking in the past that it should be pretty easy to rewrite out the dependency, and then I can archive the project :)
Description
Found by vulnerability check (OWASP: UsingComponentWithKnownVulnerability)
Filename: merge:2.1.1
Reference: CVE-2021-23397
CVSS Score: 9.8
Category: CWE-1321
All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. Maintainer suggests using @generates/merger instead.
dependency tree:
caused by callumacrae/find-node-modules#18
awaiting fix to upgrade to [email protected]
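The finding above reports prototype pollution through a merge function. The following is an added example, not code from @ianwalter/merge, @generates/merger or commitizen: a deep merge that refuses to walk keys reaching the prototype chain, plus a check that Object.prototype stays clean after merging untrusted JSON. The sample input is constructed for this example, and `safeMerge`, `prototypeIsClean` and `demo` are hypothetical names.

```javascript
// Keys that let an assignment reach Object.prototype instead of the target.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects are recursed into; arrays, class instances, Dates etc.
// are copied by reference so the merge cannot be steered into other prototypes.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Recursively merge `source` into `target`, skipping prototype-polluting keys.
// Object.keys() lists own enumerable keys only, so an own "__proto__" key
// produced by JSON.parse is seen here and dropped rather than assigned.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // never assign through __proto__ etc.
    const value = source[key];
    if (isPlainObject(value)) {
      // Reading target[key] may hit an inherited property (e.g. toString);
      // replace anything that is not an own plain object before recursing.
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample input (hypothetical): untrusted JSON such as a request
// body that tries to set a property on Object.prototype via the merge.
const UNTRUSTED_JSON = '{"name":"app","__proto__":{"polluted":true},'
  + '"constructor":{"prototype":{"polluted":true}},"nested":{"a":1}}';

// Detection check: a fresh object must not inherit an attacker-chosen property.
function prototypeIsClean() {
  return ({}).polluted === undefined;
}

function demo() {
  const target = { nested: { b: 2 } };
  const merged = safeMerge(target, JSON.parse(UNTRUSTED_JSON));
  return { merged, clean: prototypeIsClean() };
}
```

The same `prototypeIsClean` style of check is useful as a regression test around any third-party merge or clone helper a project depends on.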
Steps to reproduce
npm i
Environment
Wrongly raised in commitizen-tools/commitizen#654