Prototype pollution in plist

[Sujay-shetty]

Hi,

There is new critical Prototype Pollution vulnerability found in plist according to below CVE.
GHSA-4cpg-3vgw-4877

which is fixed in plist version 3.0.5 (TooTallNate/plist.js#114).

Could you please update branch-sdk package.json to use latest version of plist.

Thanks,
Sujay

[Sujay-shetty]

@gdeluna-branch or @echo-branch could you please update this minor version of plist?

[echo-branch]

@Sujay-shetty
If I'm not mistaken, you can clear the cached version in node_modules and reinstall. That should pick up the fixed version.

"plist": "^3.0.4"
https://github.com/BranchMetrics/cordova-ionic-phonegap-branch-deep-linking-attribution/blob/master/package.json#L62

npm package.json docs
https://github.com/npm/node-semver#caret-ranges-123-025-004

We will be working on a new release as well.

[gdeluna-branch]

Yes we'll aim to update this week. Thanks for the heads up @Sujay-shetty

[JagadeeshKaricherla-branch]

@Sujay-shetty : Our caret range should cover plist patch version.
2 ways to fix :

1. npm update plist
2. rm -rf the version in node_modules and re-install

[Sujay-shetty]

Hi @JagadeeshKaricherla-branch , I tried above way but it is referring to version 3.0.4 only, so latest version it is not picking.
Due to which I have created this issue.

[echo-branch]

@Sujay-shetty
Sorry for the delay, but 5.1.0 is now released.