Description
Dependabot cannot update immer to a non-vulnerable version
The latest possible version that can be installed is 1.10.0 because of the following conflicting dependencies:
@docusaurus/core@2.0.0-alpha.70 requires immer@1.10.0 via a transitive dependency on react-dev-utils@10.2.1
@docusaurus/preset-classic@2.0.0-alpha.70 requires immer@1.10.0 via a transitive dependency on react-dev-utils@10.2.1
The earliest fixed version is 8.0.1.
1 immer vulnerability found in yarn.lock 14 days ago
Remediation
Upgrade immer to version 8.0.1 or later. For example:
immer@^8.0.1:
  version "8.0.1"
Always verify the validity and compatibility of suggestions with your codebase.
Details
CVE-2020-28477
high severity
Vulnerable versions: < 8.0.1
Patched version: 8.0.1
Overview
Affected versions of immer are vulnerable to Prototype Pollution: a patch passed to applyPatches whose path walks through __proto__ writes onto Object.prototype instead of onto the patched object, as the proof of exploit below shows.
Proof of exploit
const {applyPatches, enablePatches} = require("immer");
enablePatches();
let obj = {};
// A fresh object has no "polluted" property, so this prints "undefined".
console.log("Before : " + obj.polluted);
// The patch path walks through __proto__, so the write lands on Object.prototype
// rather than on the patched object (immer < 8.0.1 did not reject this segment).
applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]);
// The same effect with a 'replace' op:
// applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]);
// obj was never passed to applyPatches, yet it now reads "yes" through its prototype.
console.log("After : " + obj.polluted);
Remediation
Version 8.0.1 contains a fix for this vulnerability; updating is recommended.
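Where the transitive pin above blocks the upgrade, the exposure can still be contained by validating patches before they reach applyPatches. The following is an added example, not code from the advisory or from immer: it rejects any patch path containing a prototype-chain key, and uses a small stand-in applier (assumed names isSafePatch, assertSafePatches, applySafePatches, freshObjectHas) so it runs without immer installed.

```javascript
// Added example (not from the advisory or from immer itself): a guard that rejects
// immer-style patches whose path walks through the prototype chain before they
// reach applyPatches. The applier below stands in for immer so the guard can be
// exercised offline; function names are this example's own.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// True when every segment of the patch's path is an array index or a plain key.
function isSafePatch(patch) {
  if (!patch || !Array.isArray(patch.path)) return false;
  return patch.path.every(
    (seg) => typeof seg === "number" ||
             (typeof seg === "string" && !FORBIDDEN_KEYS.has(seg))
  );
}

// Throws on the first patch whose path could reach Object.prototype.
function assertSafePatches(patches) {
  for (const p of patches) {
    if (!isSafePatch(p)) {
      throw new Error("rejected patch with unsafe path: " + JSON.stringify(p && p.path));
    }
  }
  return patches;
}

// Minimal "add"/"replace" applier on a deep copy of base, standing in for
// immer's applyPatches. Because assertSafePatches runs first, the segment
// walk below can never be steered onto the prototype chain.
function applySafePatches(base, patches) {
  assertSafePatches(patches);
  const result = JSON.parse(JSON.stringify(base));
  for (const { op, path, value } of patches) {
    if (op !== "add" && op !== "replace") throw new Error("unsupported op: " + op);
    if (path.length === 0) throw new Error("empty path");
    let cur = result;
    for (const seg of path.slice(0, -1)) {
      if (!Object.prototype.hasOwnProperty.call(cur, seg)) cur[seg] = {};
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = value;
  }
  return result;
}

// The symptom the advisory's proof of exploit prints: does a brand-new object
// already carry the property? Stays false as long as the guard holds.
function freshObjectHas(prop) {
  return prop in {};
}
```

In a real code base the same check belongs in front of every call to immer's applyPatches that receives patches from an untrusted source, such as a network peer or persisted state.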