Unmaintained and vulnerable dependency #3447
Comments
Please fix it as soon as possible or give any alternative so that it doesn't produce security errors.
Any update on this?
If this is important for you, please send a pull request. Since karma is a test engine and not part of an online product, the risk of prototype injection is very low. That said, it would be great to see these fixed.
It is quite important, as security scans started showing vulnerabilities in projects that use karma. The security team will allow an exception here as this is a package required for tests only, but it makes the release process very painful.
Would be fixed by #3451
Hey folks! Is there any other workaround to handle this vulnerability whilst the PR is merged?
Very happy to see the fix looks merged now. Is there a rough idea of when it would make it into a release? (@johnjbarton)
I'm really glad to see that this is already completed, I'll keep an eye out for the next release. Good work everyone!
karma@4.4.1 has a dependency on optimist, which is no longer maintained and has a child dependency of minimist@0.0.10. Minimist has a known vulnerability prior to version 1.2.2 that allows adding and modifying properties of Object.prototype.
https://nvd.nist.gov/vuln/detail/CVE-2020-7598
It appears that some work has been started on this in #2473.
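A dependency-tree check for the chain described in this issue, added here as an example and not code from the karma project: it walks a package-lock v1 style `dependencies` tree and reports every minimist below 1.2.2 with the path that pulled it in. The lockfile fragment is constructed, and the optimist version in it is an assumption.

```javascript
// Added example, not karma's code: walk a package-lock v1 "dependencies" tree
// and report every minimist below 1.2.2 (fixed version for CVE-2020-7598).
const VULNERABLE_PACKAGE = 'minimist';
const FIXED_VERSION = '1.2.2';

// Compare two dotted numeric versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recurse through a lockfile "dependencies" map (nested maps are the
// non-hoisted copies) and collect every vulnerable minimist with its path.
function findVulnerableMinimist(deps, trail = []) {
  const hits = [];
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...trail, `${name}@${entry.version}`];
    if (name === VULNERABLE_PACKAGE &&
        compareVersions(entry.version, FIXED_VERSION) < 0) {
      hits.push({ version: entry.version, path: path.join(' > ') });
    }
    hits.push(...findVulnerableMinimist(entry.dependencies, path));
  }
  return hits;
}

// Constructed lockfile fragment mirroring the chain in the issue
// (karma@4.4.1 -> optimist -> minimist@0.0.10); the optimist version is assumed.
const sampleLock = {
  dependencies: {
    karma: {
      version: '4.4.1',
      dependencies: {
        optimist: {
          version: '0.6.1',
          dependencies: { minimist: { version: '0.0.10' } },
        },
      },
    },
    minimist: { version: '1.2.5' }, // hoisted copy, already past 1.2.2
  },
};

for (const hit of findVulnerableMinimist(sampleLock.dependencies)) {
  console.log(`vulnerable ${VULNERABLE_PACKAGE}@${hit.version} via ${hit.path}`);
}
```

Point it at the parsed `dependencies` object of a real package-lock.json to see whether a patched hoisted minimist is masking an older nested copy.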