Whitesource scan shows dot-prop@4.2.0 as a prototype pollution vulnerability


A WhiteSource scan has identified dot-prop@4.2.0 as having a prototype pollution vulnerability. This is within update-notifier@2.5.0, which is a component you use within the serverless framework.

Here is a link from snyk.io: https://snyk.io/test/github/serverless/serverless


I believe the required action is for serverless to upgrade ‘update-notifier’ to version 4.0.0; then this vulnerability should be fixed.

Can this get sorted please?
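Before filing or triaging a report like this it helps to confirm which direct dependency actually pulls the flagged version into your own lock file. The script below is an added example, not code from this thread or from the serverless project: it walks a package-lock.json in the v2/v3 "packages" format using Node's nearest-node_modules resolution and prints every dependency path ending at dot-prop@4.2.0. The embedded lock file is constructed for the demo; the serverless/update-notifier/dot-prop edge is modelled on the chain the report describes, while demo-lib and every "-placeholder" version are invented.

```javascript
// Constructed package-lock.json (v2/v3 "packages" format). The edge
// serverless -> update-notifier -> dot-prop follows the report above;
// demo-lib and all "-placeholder" versions are invented for the demo.
const demoLock = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { version: "0.0.0", dependencies: { serverless: "^1.0.0", "demo-lib": "^1.0.0" } },
    "node_modules/serverless": { version: "1.0.0-placeholder", dependencies: { "update-notifier": "^2.5.0" } },
    "node_modules/update-notifier": { version: "2.5.0", dependencies: { "dot-prop": "^4.1.0" } },
    // nested copy: the hoisted dot-prop below is outside update-notifier's range
    "node_modules/update-notifier/node_modules/dot-prop": { version: "4.2.0" },
    "node_modules/demo-lib": { version: "1.0.0-placeholder", dependencies: { "dot-prop": "^5.0.0" } },
    "node_modules/dot-prop": { version: "5.0.0-placeholder" },
  },
};

// Resolve `name` the way Node does from the package at lock path `from`:
// nearest node_modules first, then each enclosing node_modules up to the root.
function resolve(packages, from, name) {
  let base = from;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the project root over runtime `dependencies` edges,
// returning every path (as "name@version > ...") that ends at targetName@targetVersion.
function findPaths(lock, targetName, targetVersion) {
  const packages = lock.packages;
  const label = (loc) =>
    loc === "" ? lock.name : `${loc.split("node_modules/").pop()}@${packages[loc].version}`;
  const hits = [];
  const visit = (loc, trail) => {
    const pkg = packages[loc];
    if (!pkg || trail.includes(loc)) return; // unknown entry or dependency cycle
    const here = [...trail, loc];
    if (loc.endsWith(`node_modules/${targetName}`) && pkg.version === targetVersion) {
      hits.push(here.map(label).join(" > "));
      return;
    }
    for (const dep of Object.keys(pkg.dependencies || {})) {
      const next = resolve(packages, loc, dep);
      if (next) visit(next, here);
    }
  };
  visit("", []);
  return hits;
}

console.log(findPaths(demoLock, "dot-prop", "4.2.0").join("\n") || "dot-prop@4.2.0 not reachable");
```

To run it against a real project, replace demoLock with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; only runtime `dependencies` edges are followed, so optional and peer dependencies are not reported.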


You may have more luck filing an issue over at https://github.com/serverless/serverless/issues