fast-json-patch version is susceptible to a vulnerability #237

Open
DrakeEsdon opened this issue Oct 31, 2023 · 3 comments

Comments

@DrakeEsdon

The current version of fast-json-patch is vulnerable to prototype pollution attacks. We should update to fast-json-patch@3.1.1 or higher in our dependencies.

@jhonnycordova

Any updates on this? Are you planning to update the fast-json-patch version?

@nantiferov

Not the best solution, but it's possible to override the dependency in package.json with a fixed version like this:

{
  ...
  "overrides": {
    "ajv-cli": {
      "fast-json-patch": "^3.1.1"
    }
    ...
  }
}
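
One way to confirm that an override like the one above actually took effect, as an added example that is not part of the original thread: it scans a parsed package-lock.json for any installed copy of fast-json-patch below 3.1.1. The function names and the sample lockfile data (including the ajv-cli and nested fast-json-patch versions) are constructed for illustration, and the lockfile is assumed to use lockfileVersion 2 or 3.

```javascript
// Added example: list installed copies of a package in a parsed
// package-lock.json that are older than the fixed version.
// Assumes lockfileVersion 2 or 3, where "packages" maps install paths
// (e.g. "node_modules/a/node_modules/b") to { version, ... }.
// Real use: pass JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).

// Parse "major.minor.patch"; pre-release/build tags are ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a is strictly lower than version b.
function isOlder(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Every install path of `name` whose resolved version is below `fixed`.
function findOutdated(lock, name, fixed) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) =>
      (path === suffix || path.endsWith(`/${suffix}`)) &&
      meta.version && isOlder(meta.version, fixed))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample lockfiles: before and after adding the override.
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/ajv-cli': { version: '5.0.0' },
    'node_modules/ajv-cli/node_modules/fast-json-patch': { version: '2.2.1' },
    'node_modules/fast-json-patch': { version: '3.1.1' },
  },
};
const lockAfter = JSON.parse(JSON.stringify(lockBefore));
lockAfter.packages['node_modules/ajv-cli/node_modules/fast-json-patch'].version = '3.1.1';

console.log(findOutdated(lockBefore, 'fast-json-patch', '3.1.1'));
console.log(findOutdated(lockAfter, 'fast-json-patch', '3.1.1'));
```

An empty result means no copy below the fixed version remains in the dependency tree; the nested path in a non-empty result shows which parent package still pulls in the old copy.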

@luke-hill

Echoing this; it's causing a lot of notifications on larger repos that are flagging this as a security vulnerability.
