Unmaintained and vulnerable dependency #3447
Comments
|
Please fix it as soon as possible or give any alternative so that it doesn't produce security errors. |
|
any update on this?? |
|
If this is important for you, please send a pull request. Since karma is a test engine and not part of a online product the risk of prototype injection is very low. That said it would be great to see these fixed. |
|
It is quite important as security scans started showing vulnerabilities in projects that use karma. The security team will allow exception here as this is a package required for tests only but It makes the release process very painful. |
|
|
Would be fixed by #3451 |
|
Hey folks! Is there any other workaround to handle this vulnerability whilst the PR is merged? |
|
Very happy to see the fix looks merged now. Is there a rough idea of when it would make it into a release? (@johnjbarton) |
|
I'm really glad to see that this is already completed, I'll keep an eye out for the next release. Good work everyone! |
karma@4.4.1 has a dependency on optimist which is no longer maintained and has a child dependency of minimist@0.0.10. Minimist is has a known vulnerability prior to version 1.2.2 that allows adding and modifying properties of Object.prototype.
https://nvd.nist.gov/vuln/detail/CVE-2020-7598
It appears that some work has been started on this in #2473.
The text was updated successfully, but these errors were encountered: