New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security: CVE-2020-8116 (High) detected in dot-prop-3.0.0.tgz, dot-prop-4.2.0.tgz #2492
Comments
@TGTGamer Which version of lerna resolves this issue.? |
None, latest is relying on dot-props 4.2.0. We need at least v5.1.1 |
@jsomsanith-tlnd -Is it already merged to lerna repo?. Any Idea when the next release is coming out .? |
@jsomsanith-tlnd nothing is merged. The Merge Link is a other repository. |
@Vishesh30 read my last comment |
Bump, as of today |
Any update on when we can expect this CVE to be fixed? It is a high, and impacts all projects using lerna. There is already a PR (#2680) that looks good to merge. |
Hi Folks 👋 You may or may not know that lerna is now under the stewardship of Nrwl (announcement here #3121), a company with a long history of not just producing valuable open-source software (OSS), but also backing others (at the time of writing, Nrwl has donated over $50,000 to OSS it hasn't created, see https://opencollective.com/nx for full details). Quite simply, Nrwl ❤️ OSS, and is committed to making lerna the best it can be. We use it ourselves. We hope you will continue to be a part of this community as we look to take things forward from here! Please see #3140 for more details on our plans for 2022. In the case of this specific issue, the relevant packages have been updated and you will no longer see any If you run into any issues on the latest version of lerna, please feel free to open a new issue and follow the instructions: Many thanks 🙏 |
CVE-2020-8116 - High Severity Vulnerability
Vulnerable Libraries - dot-prop-3.0.0.tgz, dot-prop-4.2.0.tgz
dot-prop-3.0.0.tgz
Get, set, or delete a property from a nested object using a dot path
Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-3.0.0.tgz
Dependency Hierarchy:
dot-prop-4.2.0.tgz
Get, set, or delete a property from a nested object using a dot path
Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz
Dependency Hierarchy:
Found in HEAD commit: b483137ea2c7cbcaa86df00f25e739082463f082
Vulnerability Details
Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Publish Date: 2020-02-04
URL: CVE-2020-8116
CVSS 2 Score Details (7.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116
Release Date: 2020-02-04
Fix Resolution: dot-prop - 5.1.1
The text was updated successfully, but these errors were encountered: