A vulnerability detection tool I use is flagging the merge function, and particularly this line: https://github.com/lukeed/dset/blob/master/src/merge.js#L9
The tool says that the function is vulnerable to prototype pollution as per this paper: https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf
Reading through the code and the paper, it seems like there is a check to mitigate prototype pollution in the dset function that uses merge, but not in merge itself. Would the merge function benefit from such a check? Or would that break something?
Thanks,
Simon