Prevent prototype pollution while parsing query strings on V1 #2523
Conversation
Could you make that one tweak to the changelog? That's my only nit.
Co-Authored-By: Isiah Meadows <contact@isiahmeadows.com>
@isiahmeadows Great! All set on that, let me know if there is anything else.
Sorry for the delay! Been a bit packed with stuff lately.
Heads up, this change has been released in v1.1.7 alongside a small IE fix, but I'm still working on catching up the docs, putting together a quick announcement, and notifying npm to change their advisory.
Description
This PR ports the changes made in #2494 for Mithril 2.x and above to Mithril 1.1.x.
Motivation and Context
It fixes a vulnerability in the query string parser that led to direct prototype pollution (https://npmjs.com/advisories/1094).
It resolves #2519 (Fix high severity parseQueryString vulnerability in v1.1 too).
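As an added illustration of the defect class this PR addresses (example code, not the PR's patch and not Mithril's own parser): a minimal nested query-string parser hardened against prototype pollution. It stores values in null-prototype objects and drops any pair whose key path contains `__proto__`, `constructor` or `prototype`, so input such as `__proto__[x]=y` cannot reach Object.prototype. The function names are assumptions, and array syntax (`a[]=1`) is not handled.

```javascript
// Added example, not Mithril's own parser: a nested query-string parser
// that assigns "a[b][c]=v" into nested objects without ever walking into
// a prototype. Two defences: containers are null-prototype objects, and
// any pair whose key path names __proto__/constructor/prototype is dropped.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Split "a[b][c]" into ["a", "b", "c"]; a key without brackets is returned as-is.
function splitPath(key) {
  const m = key.match(/^([^\[\]]*)((?:\[[^\[\]]*\])*)$/);
  if (!m) return [key];
  const segments = m[2].match(/\[[^\[\]]*\]/g) || [];
  return [m[1], ...segments.map((s) => s.slice(1, -1))];
}

// Parse a query string (with or without a leading "?") into nested objects.
function parseQueryStringSafe(qs) {
  const body = qs.startsWith("?") ? qs.slice(1) : qs;
  const result = Object.create(null); // no prototype to pollute or walk into
  for (const pair of body.split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? "" : pair.slice(eq + 1);
    const key = decodeURIComponent(rawKey.replace(/\+/g, " "));
    const value = decodeURIComponent(rawVal.replace(/\+/g, " "));
    const path = splitPath(key);
    // Refuse the whole pair rather than trying to sanitise it piecemeal.
    if (path.some((seg) => UNSAFE_KEYS.has(seg))) continue;
    let cursor = result;
    for (let i = 0; i < path.length - 1; i++) {
      const seg = path[i];
      if (cursor[seg] === null || typeof cursor[seg] !== "object") {
        cursor[seg] = Object.create(null); // fresh null-prototype container
      }
      cursor = cursor[seg];
    }
    cursor[path[path.length - 1]] = value;
  }
  return result;
}

// Check used by the example: true if Object.prototype has no property `marker`.
function prototypeIsClean(marker) {
  return !(marker in Object.prototype);
}
```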
How Has This Been Tested?
npm run test
and they passed in the following env:
Types of changes
Checklist:
docs/change-log.md