CVE-2019-10746 (High) detected in mixin-deep-1.3.1.tgz
mend-bolt-for-github opened this issue · comments
CVE-2019-10746 - High Severity Vulnerability
Vulnerable Library - mixin-deep-1.3.1.tgz
Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.
Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz
Path to dependency file: /gulp-fontiran/package.json
Path to vulnerable library: /tmp/git/gulp-fontiran/node_modules/mixin-deep/package.json
Dependency Hierarchy:
- gulp-4.0.2.tgz (Root Library)
- glob-watcher-5.0.3.tgz
- anymatch-2.0.0.tgz
- micromatch-3.1.10.tgz
- snapdragon-0.8.2.tgz
- base-0.11.2.tgz
- ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)
- base-0.11.2.tgz
- snapdragon-0.8.2.tgz
- micromatch-3.1.10.tgz
- anymatch-2.0.0.tgz
- glob-watcher-5.0.3.tgz
Found in HEAD commit: 45a9363e77de1c95aefcf89aa3e8db9d14878358
Vulnerability Details
mixin-deep before 1.3.2 is vulnerable to Prototype Pollution.
Publish Date: 2019-07-11
URL: CVE-2019-10746
Suggested Fix
Type: Upgrade version
Origin: jonschlinkert/mixin-deep@8f464c8
Release Date: 2019-07-11
Fix Resolution: 1.3.2
Step up your Open Source Security Game with WhiteSource here