
fix: address prototype pollution issue #108

Merged
merged 1 commit into master from fix-96
Oct 25, 2020

Conversation

bcoe
Member

@bcoe bcoe commented Oct 25, 2020

@po6ix @joaogmauricio I appreciate the vulnerability report, I believe this addresses the problem (let me know if you can confirm). Also let me know if you can think of any additional regression tests.


@JamieSlome, @alromh87, I like the idea of huntr, I'd rather have a company submit a patch than simply notify me of a CVE. #107 was just not in line with how I've been addressing this issue elsewhere in the yargs codebase.

CC: @ljharb
Fixes: #96
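As an added illustration, not code from this pull request or from y18n itself: a locale-string cache built on a null-prototype object with a guard against prototype-carrying keys, followed by the shape of a regression test of the kind asked for above. The function names (createLocaleCache, updateLocale, regressionCheck) and the constructed hostile locale input are assumptions for this example.

```javascript
// Added example (not y18n's code): a locale cache that cannot be used to
// pollute Object.prototype, plus a regression check for that property.
// Names below are assumptions for the illustration.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function createLocaleCache() {
  // A null-prototype object has no inherited __proto__ accessor, so a
  // locale named "__proto__" cannot resolve to Object.prototype.
  return Object.create(null);
}

// Merge translated strings into the cache entry for `locale`.
// Rejects locale names and string keys that would reach a prototype.
function updateLocale(cache, locale, strings) {
  if (typeof locale !== 'string' || UNSAFE_KEYS.has(locale)) {
    throw new TypeError(`refusing to use locale name "${locale}"`);
  }
  if (!Object.prototype.hasOwnProperty.call(cache, locale)) {
    cache[locale] = Object.create(null);
  }
  const target = cache[locale];
  // Object.keys() includes an own "__proto__" key created by JSON.parse,
  // so it must be filtered explicitly rather than trusted.
  for (const key of Object.keys(strings)) {
    if (UNSAFE_KEYS.has(key)) continue;
    target[key] = strings[key];
  }
  return target;
}

// Regression check: feed the cache a constructed locale file carrying a
// "__proto__" key, then try "__proto__" as the locale name itself, and
// report whether a fresh object picked up any property either way.
function regressionCheck() {
  const cache = createLocaleCache();
  // Constructed hostile input (JSON gives an own "__proto__" property).
  const hostile = JSON.parse(
    '{"__proto__": {"polluted": "yes"}, "hello": "bonjour"}'
  );
  updateLocale(cache, 'fr', hostile);

  let rejectedLocaleName = false;
  try {
    updateLocale(cache, '__proto__', { polluted: 'yes' });
  } catch (err) {
    rejectedLocaleName = err instanceof TypeError;
  }

  return {
    translated: cache.fr.hello,               // legitimate data still stored
    globalPolluted: ({}).polluted !== undefined, // must stay false
    rejectedLocaleName,                       // must be true
  };
}

module.exports = { createLocaleCache, updateLocale, regressionCheck };
```

Run the file under Node and call regressionCheck(); a result of `{ translated: 'bonjour', globalPolluted: false, rejectedLocaleName: true }` is the passing case. The test deliberately checks a brand-new `{}` rather than the cache, since pollution shows up on objects that never touched the code under test.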

@JamieSlome

@bcoe - that is great to hear - we'd love to work with you to get fixes into the repository in the future. Would you be available to discuss this further together?

@bcoe bcoe merged commit a9ac604 into master Oct 25, 2020
@bcoe bcoe deleted the fix-96 branch October 25, 2020 15:00
@bcoe
Member Author

bcoe commented Oct 25, 2020

@JamieSlome happy to discuss more, email is a good place to start as I'm pretty full of meetings over the next few weeks.

@JamieSlome

@bcoe - I will shoot over an e-mail to you today!

@stof

stof commented Nov 19, 2020

@bcoe will this be backported in the older major version?

  • webpack 4 depends on a version of cacache (through the terser-webpack-plugin) which uses y18n 4.x
  • webpack-dev-server and webpack-cli are using yargs 13 which uses y18n 4.x
  • gulp-cli is using yargs 7 which uses y18n 3.x

billyvg pushed a commit to getsentry/sentry that referenced this pull request Mar 30, 2021
Bumps [y18n](https://github.com/yargs/y18n) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/yargs/y18n/releases)
- [Changelog](https://github.com/yargs/y18n/blob/master/CHANGELOG.md)
- [Commits](https://github.com/yargs/y18n/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

There's no changelog entry for this version, but based on the publish date of `4.0.1`, I think the release addresses this issue: yargs/y18n#108
@fungiboletus fungiboletus mentioned this pull request Mar 31, 2021
Development

Successfully merging this pull request may close these issues.

Prototype pollution
4 participants