Nuxt.js: Vulnerability package dependency "defaults-deep"

Created on 7 Feb 2019 · 4 Comments · Source: nuxt/nuxt.js

Version

v2.4.3

Reproduction link

https://www.npmjs.com/advisories/778

Steps to reproduce

Please fix this vulnerability in your dependency tree:

nuxt > @nuxt/core > @nuxt/server > serve-placeholder > defaults-deep

What is expected ?

0 vulnerabilities found when auditing packages.

As no patch is currently available for this vulnerability it is our recommendation to select another module that can provide this functionality.

What is actually happening?

All versions of defaults-deep are vulnerable to prototype pollution. Provided certain input defaults-deep can add or modify properties of the Object prototype. These properties will be present on all objects.

Additional comments?

https://hackerone.com/reports/380878

This bug report is available on Nuxt community (#c8618)
Labels: available soon, stale

All 4 comments

Hi. Thanks for the report. This is being addressed fast.

@pi0 Can you please explain shortly how you fixed that? (I followed the 2 links but ...)

For clarification as also described in CVE-2018-16486 the impact is _possibly more depending on the application._ and no nuxt users are affected for sure because options to the middleware are not from user input but only from nuxt.config.

For general:

I submitted the fix to prevent accepting constructor.prototype key on defaults-deep but as it is unlikely to fast merge and publish, I created an alternative package that only does what we want.
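
As an added illustration (not code from nuxt, serve-placeholder or defaults-deep): a toy recursive defaults merge that behaves the way the advisory describes, beside one that applies the fix pi0 mentions, skipping `__proto__`, `constructor` and `prototype` keys. The crafted inputs are constructed here; as the thread notes, Nuxt's middleware options never come from user input.

```javascript
// Added example, not the defaults-deep package's own code.
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable shape: walks every key of `src`, including "__proto__" and
// "constructor", and descends into whatever `target[key]` already is, which
// for those keys is Object.prototype or the Object function itself.
function unsafeDefaultsDeep(target, src) {
  for (const key in src) {
    const val = src[key];
    if (isPlainObject(val)) {
      if (target[key] == null) target[key] = {};
      unsafeDefaultsDeep(target[key], val); // reaches Object.prototype
    } else if (target[key] === undefined) {
      target[key] = val;
    }
  }
  return target;
}

// Hardened shape: own keys only, prototype-reaching keys skipped, and only
// descend into a plain object that `target` actually owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function safeDefaultsDeep(target, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // the fix described in the thread
    const val = src[key];
    if (isPlainObject(val)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeDefaultsDeep(target[key], val);
    } else if (target[key] === undefined) {
      target[key] = val;
    }
  }
  return target;
}

// Constructed inputs: the two key paths the advisory is about, as JSON.
const CRAFTED_INPUTS = [
  '{"__proto__": {"polluted": "yes"}}',
  '{"constructor": {"prototype": {"polluted": "yes"}}}',
];

// Runs one merge over a crafted input and reports whether an unrelated,
// pre-existing object picked up the property. Cleans up after itself.
function probePollution(mergeFn, json) {
  const bystander = {};
  mergeFn({}, JSON.parse(json));
  const leaked = bystander.polluted;
  delete Object.prototype.polluted; // restore a clean prototype for the next run
  return leaked;
}
```

A complementary defence at the application level is `Object.freeze(Object.prototype)` at startup, but that does not replace fixing the merge.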

Thanks for your contribution to Nuxt.js!
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
If you would like this issue to remain open:

  1. Verify that you can still reproduce the issue in the latest version of nuxt-edge
  2. Comment the steps to reproduce it

Issues that are labeled as Pending will not be automatically marked as stale.
