Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Version: UserALE.js 2.0.2
Description
Prototype Pollution is the new hot way to exploit JS, and it's wreaking havoc in the larger NPMJS community:
https://medium.com/@daniakash/what-is-prototype-pollution-and-why-is-it-such-a-big-deal-2dd8d89a93c
It's a latent exploit at the core of JS that most of you already know about. If not, read the above article. Packages like jquery and other massive projects are affected.
Should we be scared for UserALE.js? No, probably not at all. Our scripts are accessible to the page only through limited APIs, they live elsewhere, and are likely more difficult or impossible to exploit in general.
However, our build pipeline has deep dependencies that rely on affected packages: set-value, mixin, lodash (these are like depth=10+). The immediate dependencies that are affected include babel, gulp, nodemon. I have already issued bug reports or bumped issues in these projects to make sure they're getting attention. In some cases like set-value, the gulp community has pressured them and npm to update their registry and include fixes in old versions of set-value.
Low risk for our users, I think; however, we should adopt any patches ASAP.
found 282 high severity vulnerabilities in 11741 scanned packages
run `npm audit fix` to fix 281 of them.
1 vulnerability requires manual review. See the full report for details.
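As an added illustration (not UserALE.js code and not taken from the linked article) of the bug class behind the set-value and lodash advisories mentioned above: a naive recursive merge of the kind those packages shipped, which lets a `__proto__` key in untrusted JSON pollute `Object.prototype`, beside a hardened merge that drops prototype-reaching keys. The hostile input is constructed for the demo.

```javascript
// Vulnerable shape: copies every own key of `source`, including "__proto__".
// Reading target["__proto__"] returns Object.prototype, so the recursion
// writes the attacker's keys onto the prototype shared by every object.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val && typeof val === "object" && !Array.isArray(val)) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened shape: skip keys that reach the prototype chain and only recurse
// into properties `target` actually owns (never inherited ones).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop the poisoned key outright
    const val = source[key];
    if (val && typeof val === "object" && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object" || target[key] === null) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed hostile input, e.g. a parsed request body or config file.
// JSON.parse creates an own property literally named "__proto__".
const HOSTILE_JSON = '{"name":"ok","__proto__":{"polluted":true}}';

// Runs the vulnerable merge, reports whether an unrelated object now sees the
// injected key, then removes it so the rest of the process stays clean.
function demoUnsafe() {
  const res = unsafeMerge({}, JSON.parse(HOSTILE_JSON));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { name: res.name, leaked };
}

function demoSafe() {
  const res = safeMerge({}, JSON.parse(HOSTILE_JSON));
  return { name: res.name, leaked: ({}).polluted === true };
}
```

A quick audit check for any merge/set helper in a dependency tree is exactly `demoUnsafe`'s probe: merge `{"__proto__":{"x":1}}` into an empty object and see whether `({}).x` is now defined.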
Issue Links
- is a parent of FLAGON-423 Update Package File to Fix Down Stream Dependencies (Closed)