CVE-2021-23440 found in set-value dependency #22

Closed
pavanjava opened this issue Sep 14, 2021 · 4 comments

@pavanjava

#CVE-2021-23440: The cache-base library internally uses set-value, and set-value versions below 4.0.1 are vulnerable. Is there any plan to fix this issue and release a new version?

@joshuanapoli

Note that set-value@4 changes the behavior when the set value is undefined. In set-value@3, it sets a property with value undefined. In set-value@4 it deletes the property.

jonschlinkert/set-value@c4eb609#diff-e727e4bdf3657fd1d798edcd6b099d6e092f8573cba266154583a746bba0f346R101

@KevinMike

@jonschlinkert We have a PR updating the version of set-value.
PR: #23

@gabssnake

Any news on this one?
We have a set-value vulnerability 12 levels deep into the dependencies, and this is the culprit.

@jonschlinkert isn't set-value your own package?
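
For the situation described in the comments above (a set-value install below 4.0.1 buried deep in the tree), here is an added example, not part of this thread or of the cache-base project, that walks an npm lockfile and reports each affected install with the dependency chain that pulls it in. It assumes the lockfileVersion 2/3 `packages` map; the 4.0.1 threshold comes from the issue text, and the sample lockfile, `findVulnerable`, `resolve` and `isBelowFixed` are constructed for illustration.

```javascript
// Assumes npm lockfileVersion 2/3 ("packages" map keyed by install path).
const FIXED = [4, 0, 1]; // threshold as stated in the issue: below 4.0.1

function isBelowFixed(version) {
  const parts = version.split('-')[0].split('.').map(Number);
  const i = FIXED.findIndex((n, k) => (parts[k] || 0) !== n);
  return i !== -1 && (parts[i] || 0) < FIXED[i]; // false when exactly 4.0.1
}

// Node-style lookup: own node_modules first, then each ancestor's, up to the top level.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Breadth-first walk from the root so each install gets its shortest chain.
function findVulnerable(lock) {
  const packages = lock.packages || {};
  const chainTo = new Map([['', [lock.name || '(root)']]]);
  const queue = [''], findings = [];
  while (queue.length) {
    const path = queue.shift();
    const pkg = packages[path] || {};
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies, ...pkg.devDependencies };
    for (const name of Object.keys(deps)) {
      const target = resolve(packages, path, name);
      if (!target || chainTo.has(target)) continue; // unresolved or already visited
      const version = packages[target].version;
      chainTo.set(target, [...chainTo.get(path), `${name}@${version}`]);
      queue.push(target);
      if (name === 'set-value' && version && isBelowFixed(version)) {
        findings.push({ path: target, version, chain: chainTo.get(target) });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile; every name and version in it is illustrative.
const sampleLock = { name: 'demo-app', lockfileVersion: 2, packages: {
  '': { dependencies: { 'cache-base': '^1.0.0', 'set-value': '^4.1.0' } },
  'node_modules/cache-base': { version: '1.0.0', dependencies: { 'set-value': '^3.0.0' } },
  'node_modules/cache-base/node_modules/set-value': { version: '3.0.2' },
  'node_modules/set-value': { version: '4.1.0' },
} };
```

To check a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVulnerable` instead of the sample object.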

@jonschlinkert
Owner

closed by #23
