
Security Vulnerability #63

Closed
chirag-rakholiya opened this issue Apr 5, 2022 · 4 comments

Comments

@chirag-rakholiya

From our use of simple-plist, we have analyzed the security vulnerability in simple-plist v1.3.0 and v1.3.1.
Is there a new version coming soon?
Hopefully the new version removes the security vulnerability which the current version has right now.

For more information regarding the found security vulnerabilities:
https://snyk.io/test/npm/simple-plist/1.3.0
https://snyk.io/test/npm/simple-plist/1.3.1

@maschad

maschad commented Apr 28, 2022

Duplicate of #60, but this should be patched (#60 (comment)) in 1.3.1, especially since this vulnerability was introduced in a dependency (TooTallNate/plist.js#114) and patched there (TooTallNate/plist.js#114 (comment)).

@gruckionvit

Any updates on this one? If it's fixed, then this issue can be closed.

@wollardj (Owner)

Running yarn npm audit doesn't produce any issues from within the project itself, and since the vulnerability was originally discovered and repaired upstream before being tested and released here, I'd be at a loss to explain why Snyk might still think the vulnerability still exists in 1.3.1.

That being said, I've just published 1.4.0 under the next tag - I'm curious if Snyk will re-evaluate the issue with a minor release instead of a patch release. I'd be disappointed if that were the case, but hey 🤷

Closing for now since I believe this is Snyk's db being out of date. At me if someone finds a legit security concern that might still apply.

@gbero

gbero commented Jul 13, 2022

Looks like this is still an issue:

```
Issues with no direct upgrade or patch:
  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-SIMPLEPLIST-2413671] in simple-plist@1.4.0
    introduced by react-native@0.68.2 > @react-native-community/cli-platform-ios@7.0.1 > xcode@3.0.1 > simple-plist@1.4.0
  No upgrade or patch available
```
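As an added example (not code from simple-plist, plist.js, or anyone in this thread), the following JavaScript shows the kind of defensive check a consumer can run over a parsed plist tree while the advisory above is unresolved: it reports keys that can reach `Object.prototype` when the tree is later merged or assigned into another object, returns a copy with those keys stripped, and checks whether the process's `Object.prototype` has already been polluted. The sample tree is constructed inline with `JSON.parse` so the example does not depend on any particular parser's API.

```javascript
// Added example: a guard for object trees returned by a plist/JSON-style
// parser. Not part of simple-plist or plist.js.

// Keys that let a naive deep-merge or assignment write through to
// Object.prototype ("__proto__") or reach it indirectly ("constructor" ->
// "prototype").
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed tree and collect dotted paths of dangerous keys.
// Only own properties are inspected: a parser that builds plain objects
// stores a "__proto__" dictionary key as an own data property.
function findDangerousKeys(node, path = [], found = []) {
  if (node === null || typeof node !== 'object') return found;
  const keys = Array.isArray(node)
    ? node.map((_, i) => String(i))
    : Object.getOwnPropertyNames(node);
  for (const key of keys) {
    const here = [...path, key];
    if (DANGEROUS_KEYS.has(key)) found.push(here.join('.'));
    findDangerousKeys(node[key], here, found);
  }
  return found;
}

// Return a deep copy with dangerous keys removed, safe to merge into
// configuration objects. Because dangerous keys are skipped, the
// assignment below can never hit the "__proto__" setter.
function stripDangerousKeys(node) {
  if (Array.isArray(node)) return node.map(stripDangerousKeys);
  if (node === null || typeof node !== 'object') return node;
  const clean = {};
  for (const key of Object.getOwnPropertyNames(node)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    clean[key] = stripDangerousKeys(node[key]);
  }
  return clean;
}

// Canary: Object.prototype normally has no enumerable own properties.
// Anything that wrote through "__proto__" shows up here.
function prototypeIsPolluted() {
  return Object.keys(Object.prototype).length > 0;
}

// Constructed fixture (not real plist output): what a parser that builds
// plain objects could hand back for a dictionary containing a "__proto__"
// key. JSON.parse creates an own property named "__proto__" rather than
// re-pointing the prototype, which is exactly the shape a merge would
// later mishandle.
const sampleTree = JSON.parse(
  '{"CFBundleName":"Demo","Nested":{"__proto__":{"polluted":true}},' +
  '"Items":[{"constructor":{"prototype":{}}}]}'
);

console.log('dangerous paths:', findDangerousKeys(sampleTree));
// -> [ 'Nested.__proto__', 'Items.0.constructor', 'Items.0.constructor.prototype' ]
console.log('cleaned:', JSON.stringify(stripDangerousKeys(sampleTree)));
// -> {"CFBundleName":"Demo","Nested":{},"Items":[{}]}
console.log('Object.prototype polluted:', prototypeIsPolluted());
// -> false
```

Running `findDangerousKeys` on the raw parser output and `prototypeIsPolluted` after any merge step gives an audit-independent signal: it fires on the data shape regardless of which version Snyk's database thinks is affected.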
