Whitesource scan show dot-prop@4.2.0 as prototype pollution vulnerability

timold · June 30, 2020, 7:38am

Hi,

A white source scan has identified dot-prop@4.2.0 as having a prototype pollution vulnerability. This is within update-notifier@2.5.0 which is a component you use within the serverless framework.

Here is a link from synk.io: https://snyk.io/test/github/serverless/serverless

.

I believe the required action is for serverless to upgrade ‘update-notifier’ to version 4.0.0, then this vulnerability should be fixed.

Can this get sorted please?

Thanks

bfieber · June 30, 2020, 3:21pm

You may have more luck filing an issue over at https://github.com/serverless/serverless/issues

Topic		Replies	Views
Audit error on serverless install (npm audit) Serverless Framework	1	1938	June 11, 2018
How to use latest version without deprecation warnings and explicit flags Serverless Framework	0	1868	March 18, 2021
Error: CLI options definitions were upgraded with "type" property - ServerlessWebpack for "webpack-use-polling" Serverless Framework lambda	0	660	August 4, 2022
Versioning Serverless deployments Serverless Framework	0	797	January 9, 2017
Can't use serverless command v4 Serverless Framework aws , lambda , cloudformation	17	230	October 5, 2024

Whitesource scan show dot-prop@4.2.0 as prototype pollution vulnerability

Related topics