Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Vulnerability Prototype Pollution #142

Open
DaviLhlapak opened this issue May 6, 2021 · 2 comments
Open

Vulnerability Prototype Pollution #142

DaviLhlapak opened this issue May 6, 2021 · 2 comments

Comments

@DaviLhlapak
Copy link

A few days ago I went to install my project's packages and npm pointed out 4 critical security errors, but I couldn't understand the solution for it, I didn't find issues that matched the current problem, can you help me?

When running the command npm audit it shows the following text:

# npm audit report

merge  <2.1.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1666
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/merge
  find-node-modules  <=2.1.0
  Depends on vulnerable versions of merge
  node_modules/find-node-modules
    commitizen  >=2.0.0
    Depends on vulnerable versions of cz-conventional-changelog
    Depends on vulnerable versions of find-node-modules
    node_modules/commitizen
      cz-conventional-changelog  >=3.0.2
      Depends on vulnerable versions of commitizen
      node_modules/commitizen/node_modules/cz-conventional-changelog
      node_modules/cz-conventional-changelog

4 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

These are the versions that I have installed
[email protected]
[email protected]

Thanks in advance for your help.

About this Vulnerability: https://www.npmjs.com/advisories/1666

@ezrafree
Copy link

I just ran into this issue as well.

If you're using yarn, I was able to resolve this issue by adding a resolutions object to my package.json:

"resolutions": {
  "merge": "^2.1.1"
}

@aiKrice
Copy link

aiKrice commented Apr 7, 2022

Please up

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants