[Pkg-javascript-devel] Bug#926616: Bug#926616: CVE-2018-3750: Prototype Pollution
Paolo Greppi
paolo.greppi at libpf.com
Mon Apr 8 07:44:45 BST 2019
Quick research:
https://www.npmjs.com/advisories/612
node-deep-extend popcon = ~1900
    apt-cache rdepends node-deep-extend
    node-deep-extend
    Reverse Depends:
      node-rc
The watch file for node-rc is not picking up new releases because upstream uses the commit message to tag them instead of a real tag...
Anyway, the new version of deep-extend has been included in rc 1.2.7, released on 2018-04-29:
https://github.com/dominictarr/rc/commit/b63377974f60bc5207c15bc8f465e28d2c7e1945
So the bottom line is, to fix this we should:
- update node-deep-extend to 0.5.1
- update node-rc from 1.1.6 to 1.2.8
P.
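
Added example (not part of the original message, and not deep-extend's own code): a regression check that can be run after the update to confirm that a deep-merge function does not let a `__proto__` key in parsed JSON modify Object.prototype. naiveMerge, guardedMerge and the marker name are constructed for illustration; to test the installed module, pass require('deep-extend') to isPollutable instead.

```javascript
// Constructed stand-in: recursive merge with no key filtering (not deep-extend's code).
function naiveMerge(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      naiveMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed stand-in: same merge, but skips prototype-related keys and
// only recurses into properties the target itself owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function guardedMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      guardedMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Returns true if mergeFn(target, source) lets parsed JSON reach Object.prototype.
function isPollutable(mergeFn) {
  const marker = '__pollution_check__'; // constructed marker name
  const payload = JSON.parse('{"__proto__": {"' + marker + '": true}}');
  try {
    mergeFn({}, payload);
  } catch (err) {
    // A merge that throws is still judged by its side effects below.
  }
  const polluted = ({})[marker] === true; // a fresh object must not see the marker
  delete Object.prototype[marker];        // always clean up after the check
  return polluted;
}

console.log('naive merge pollutable:  ', isPollutable(naiveMerge));
console.log('guarded merge pollutable:', isPollutable(guardedMerge));
```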