Happy to merge the PR on find-node-modules but wanted to raise something here first - commitizen is as far as I can tell the only significant project using find-node-modules, and I'm not using it anymore either. Would the maintainers of commitizen be happy / willing to take ownership of the module? Happy to transfer ownership on both github and npm if so!
Alternatively, I believe from looking in the past that it should be pretty easy to rewrite out the dependency, and then I can archive the project :)
Description
Found by vulnerability check OWASP:UsingComponentWithKnownVulnerability
Filename: merge:2.1.1 | Reference: CVE-2021-23397 | CVSS Score: 9.8 | Category: CWE-1321 | All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. Maintainer suggests using @generates/merger instead.
dependency tree:
caused by callumacrae/find-node-modules#18
awaiting fix to upgrade to [email protected]
Steps to reproduce
npm i
Environment
Wrongly raised in commitizen-tools/commitizen#654
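To make the CWE-1321 finding above concrete for whoever picks up the dependency swap, here is an added example; it is not code from @ianwalter/merge, @generates/merger, find-node-modules or commitizen. It shows the generic unguarded recursive-merge pattern that prototype-pollution reports describe, a hardened merge that copies only own keys and skips `__proto__`, `constructor` and `prototype`, and a small probe a maintainer can run against any merge implementation to see whether it modifies `Object.prototype`. The property name `__pollution_probe__` is a constructed marker, not anything from the advisory.

```javascript
// Added example, not code from any of the packages named in this issue.

// Keys that let a merged object reach or replace the prototype chain.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Generic vulnerable pattern (illustration only): walks every key, including
// "__proto__", and recurses into target[key], which for "__proto__" resolves to
// Object.prototype, so attacker-controlled JSON ends up on every object.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: own enumerable keys only, unsafe keys skipped, nested targets
// created as fresh own properties instead of being reached via the prototype chain.
function safeMerge(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (UNSAFE_KEYS.has(key)) continue;
      const value = source[key];
      if (isPlainObject(value)) {
        if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
          target[key] = {};
        }
        safeMerge(target[key], value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Probe: feed a merge function a constructed payload of the shape CWE-1321
// reports describe and return true if Object.prototype picked up the marker.
// The marker is always removed afterwards so the probe leaves no trace.
function pollutesPrototype(mergeFn) {
  const marker = '__pollution_probe__'; // constructed, hypothetical name
  const payload = JSON.parse(`{"__proto__": {"${marker}": true}}`);
  try {
    mergeFn({}, payload);
    return ({})[marker] === true;
  } finally {
    delete Object.prototype[marker];
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naiveMerge pollutes:', pollutesPrototype(naiveMerge)); // true
  console.log('safeMerge pollutes:', pollutesPrototype(safeMerge));   // false
  console.log(safeMerge({ a: 1, nested: { x: 1 } }, { nested: { y: 2 }, b: 3 }));
}
```

The probe is the useful part when triaging a report like this one: point it at the merge export of whatever package is about to replace @ianwalter/merge and confirm it returns false before closing the issue.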