
Security: CVE-2020-8116 (High) detected in dot-prop-3.0.0.tgz, dot-prop-4.2.0.tgz #2492

Closed
TGTGamer opened this issue Mar 12, 2020 · 10 comments

Comments

@TGTGamer

CVE-2020-8116 - High Severity Vulnerability

Vulnerable Libraries - dot-prop-3.0.0.tgz, dot-prop-4.2.0.tgz

dot-prop-3.0.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-3.0.0.tgz

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • version-3.20.2.tgz
      • conventional-commits-3.18.5.tgz
        • conventional-changelog-angular-5.0.6.tgz
          • compare-func-1.3.2.tgz
            • dot-prop-3.0.0.tgz (Vulnerable Library)

dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • add-3.20.0.tgz
      • command-3.18.5.tgz
        • project-3.18.0.tgz
          • dot-prop-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: b483137ea2c7cbcaa86df00f25e739082463f082

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution: dot-prop - 5.1.1
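As an added example (not dot-prop's or lerna's own code), the following is a minimal dot-path setter with the kind of disallowed-key guard that closes the prototype pollution class described above, together with a regression check that `Object.prototype` stays untouched after a hostile path is rejected. The helper names and the constructed inputs in `demo()` are assumptions.

```javascript
const DISALLOWED_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

// Split "a.b.c" into segments and reject any segment that would walk the
// prototype chain instead of an own property (the CVE-2020-8116 vector).
function parsePath(path) {
  const parts = path.split('.');
  for (const part of parts) {
    if (DISALLOWED_KEYS.has(part)) {
      throw new Error(`disallowed path segment: ${part}`);
    }
  }
  return parts;
}

// Set a nested property, creating intermediate plain objects as needed.
// Only own, non-null object values are descended into.
function setPath(obj, path, value) {
  const parts = parsePath(path);
  let current = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(current, key);
    if (!own || typeof current[key] !== 'object' || current[key] === null) {
      current[key] = {};
    }
    current = current[key];
  }
  current[parts[parts.length - 1]] = value;
  return obj;
}

// Regression check: a fresh object must not inherit the probe key.
function isPrototypeClean(probeKey) {
  return !(probeKey in {});
}

// Constructed inputs: one benign path and one hostile path of the kind the
// advisory describes; the hostile one must be rejected, leaving no pollution.
function demo() {
  const target = {};
  setPath(target, 'config.debug', true);
  let rejected = false;
  try {
    setPath(target, '__proto__.polluted', 'yes');
  } catch (err) {
    rejected = true;
  }
  return { debug: target.config.debug, rejected, clean: isPrototypeClean('polluted') };
}
```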

@Vishesh30

I am also facing the same security issue with lerna 3.20.0. Any idea on how to solve them?

@Vishesh30

@TGTGamer Which version of lerna resolves this issue?

@jsomsanith-tlnd

jsomsanith-tlnd commented Apr 16, 2020

None, the latest is relying on dot-prop 4.2.0. We need at least v5.1.1.
To maintainers: Is it something that is scheduled or under consideration, please?
(BTW thank you for your work, lerna is great)

@Vishesh30

Vishesh30 commented May 8, 2020

@jsomsanith-tlnd Is it already merged into the lerna repo? Any idea when the next release is coming out?

@deleonio

@jsomsanith-tlnd nothing is merged. The merge link is to another repository.

@deleonio

@Vishesh30 read my last comment

@avatarneil

Bump, as of today yarn audit started catching this in a project I work on.

@rikoe

rikoe commented Aug 13, 2020

Any update on when we can expect this CVE to be fixed? It is a high, and impacts all projects using lerna. There is already a PR (#2680) that looks good to merge.

@JamesHenry
Member

Hi Folks 👋

You may or may not know that lerna is now under the stewardship of Nrwl (announcement here #3121), a company with a long history of not just producing valuable open-source software (OSS), but also backing others (at the time of writing, Nrwl has donated over $50,000 to OSS it hasn't created, see https://opencollective.com/nx for full details).

Quite simply, Nrwl ❤️ OSS, and is committed to making lerna the best it can be. We use it ourselves.

We hope you will continue to be a part of this community as we look to take things forward from here!

Please see #3140 for more details on our plans for 2022.

In the case of this specific issue, the relevant packages have been updated and you will no longer see any npm audit issues when using the v5 releases of lerna we have cut since we took over.

If you run into any issues on the latest version of lerna, please feel free to open a new issue and follow the instructions:
https://github.com/lerna/lerna/issues/new/choose

Many thanks 🙏
