
High severity security vulnerability in dot-prop


Seeing the following:

    === npm audit security report ===

    Manual Review
    Some vulnerabilities require your attention to resolve
    Visit https://go.npm.me/audit-guide for additional guidance

    High            Prototype Pollution
    Package         dot-prop
    Patched in      >=5.1.1
    Dependency of   gatsby
    Path            gatsby > devcert > configstore > dot-prop
    More info       https://npmjs.com/advisories/1213

    High            Prototype Pollution
    Package         dot-prop
    Patched in      >=5.1.1
    Dependency of   gatsby
    Path            gatsby > gatsby-cli > update-notifier > configstore > dot-prop
    More info       https://npmjs.com/advisories/1213

How do we go about getting dot-prop updated for these components of gatsby?
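To make concrete what advisory 1213 is about, here is an added illustration (not part of the original issue, and not dot-prop's own source): a toy dotted-path setter with the prototype-pollution flaw class, beside a hardened form that rejects the `__proto__`, `prototype` and `constructor` segments, which is the same idea the patched dot-prop releases apply. A small check shows that the vulnerable setter makes a property appear on an unrelated object via Object.prototype, and that the hardened one does not. The path `__proto__.polluted` and all function names are this example's own.

```javascript
'use strict';

// Toy dotted-path setter with the prototype-pollution flaw class of npm advisory 1213.
// Example code, not dot-prop's implementation. It descends through every path
// segment, including "__proto__", so a path starting with "__proto__" lands on
// Object.prototype and the written property shows up on every plain object.
function setPathVulnerable(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    // "__proto__" resolves to Object.prototype, which is an object, so we descend into it.
    if (typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened form: refuse the segments that can reach a shared prototype, and only
// descend into own properties so an inherited object is never reused as a container.
const DISALLOWED_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

function setPathSafe(obj, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (DISALLOWED_KEYS.has(k)) {
      throw new Error(`refusing to traverse disallowed path segment "${k}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Check: run the setter with an attacker-style path on a throwaway object and see
// whether a bystander object created beforehand picks up the property.
// Object.prototype is cleaned up afterwards so the check does not leak.
function pollutes(setter) {
  const bystander = {};
  try {
    setter({}, '__proto__.polluted', true);
    return bystander.polluted === true;
  } catch (_) {
    return false; // the hardened setter rejects the path outright
  } finally {
    delete Object.prototype.polluted;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable setter pollutes:', pollutes(setPathVulnerable)); // true
  console.log('hardened setter pollutes:', pollutes(setPathSafe));         // false
  console.log(JSON.stringify(setPathSafe({}, 'a.b.c', 1)));                 // {"a":{"b":{"c":1}}}
}
```

The practical consequence for a package like configstore, which writes user-supplied keys through dot-prop into a config object, is that a crafted key can plant properties that every later `{}` in the process inherits; that is why the audit rates the finding High even though the call site looks harmless.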

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 7
  • Comments: 17 (6 by maintainers)

Top GitHub Comments

6 reactions
herecydev commented, Aug 4, 2020

gatsbybot got a little hasty there, still needs devcert to be patched

3 reactions
mobidev111 commented, Jul 30, 2020

Fixing this is important & urgent.

  • right now most gatsby-cli versions fail ‘npm audit’ (npm security audit)
  • this immediately breaks the CI pipelines of everybody using gatsby-cli
  • there are workarounds, but exceptions from the security audit are seldom easy to administer, for obvious reasons
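A way to answer the question in the issue independently of `npm audit` (which version of dot-prop each path in the tree actually resolves to, and whether that version is in the advisory's range) is to walk the lockfile directly. The example below is added here and is neither gatsby's nor npm's code; the package-lock document is constructed to mirror the two paths in the audit report above, with made-up versions, and the vulnerable ranges (below 4.2.1, and 5.0.0 up to but excluding 5.1.1) are taken from advisory 1213 / CVE-2020-8116 as I understand it. It handles the nested `dependencies` shape of lockfileVersion 1; lockfileVersion 2 and 3 files also carry a flat `packages` map, which this walker does not read.

```javascript
'use strict';

// Constructed package-lock.json (lockfileVersion 1 shape) mirroring the audit paths
// above. Versions are invented for the example.
const LOCK = {
  name: 'example-site',
  lockfileVersion: 1,
  dependencies: {
    gatsby: {
      version: '2.24.0',
      dependencies: {
        devcert: {
          version: '1.1.0',
          dependencies: {
            configstore: {
              version: '4.0.0',
              dependencies: { 'dot-prop': { version: '4.2.0' } },
            },
          },
        },
        'gatsby-cli': {
          version: '2.12.0',
          dependencies: {
            'update-notifier': {
              version: '4.1.0',
              dependencies: {
                configstore: {
                  version: '5.0.1',
                  dependencies: { 'dot-prop': { version: '5.1.0' } },
                },
              },
            },
          },
        },
      },
    },
    // A hoisted top-level copy that is already patched.
    'dot-prop': { version: '5.2.0' },
  },
};

// Vulnerable ranges for dot-prop per advisory 1213 (assumption: <4.2.1 and >=5.0.0 <5.1.1).
// max is exclusive; a null min means "no lower bound".
const DOT_PROP_VULNERABLE_RANGES = [
  { min: null, max: '4.2.1' },
  { min: '5.0.0', max: '5.1.1' },
];

// Minimal numeric semver comparison (ignores prerelease tags).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version, ranges) {
  return ranges.some(({ min, max }) =>
    (min === null || compareVersions(version, min) >= 0) && compareVersions(version, max) < 0);
}

// Depth-first walk over the nested "dependencies" tree, recording every path at
// which `target` appears, its resolved version, and whether that version is in range.
function findPackage(lock, target, ranges) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, name];
      if (name === target) {
        hits.push({ path: here.join(' > '), version: entry.version, vulnerable: isVulnerable(entry.version, ranges) });
      }
      walk(entry.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of findPackage(LOCK, 'dot-prop', DOT_PROP_VULNERABLE_RANGES)) {
    console.log(`${h.vulnerable ? 'VULNERABLE' : 'ok        '} ${h.version.padEnd(8)} ${h.path}`);
  }
}
```

The output makes the remediation problem visible: the patched 5.2.0 copy at the top level does nothing for the two nested copies, because each intermediate package (devcert's configstore, and update-notifier's configstore) pins its own dot-prop range. Those copies change only when the intermediate packages publish releases with updated ranges, or when the consumer forces the resolution (yarn `resolutions`, or npm `overrides` in npm 8.3 and later).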