Security vulnerability due to outdated nested dependency (dot-prop)


npm audit output:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ dot-prop                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ clinic [dev]                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ clinic > insight > conf > dot-prop                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1213                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Issue Analytics

  • State: open
  • Created 3 years ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

1 reaction
mcollina commented, Jul 31, 2020

There is literally nothing to worry about that vulnerability, you are safe.

0 reactions
marian-r commented, Jul 30, 2020

I’ve opened an issue for that too https://github.com/yeoman/insight/issues/71. Let’s hope it won’t take long, although I’m a bit fearful it’s gonna take a while as that package hasn’t seen an update for over a year 😟
