CVE-2019-10746 (High) detected in mixin-deep-1.3.1.tgz
mend-bolt-for-github opened this issue · comments
CVE-2019-10746 - High Severity Vulnerability
Vulnerable Library - mixin-deep-1.3.1.tgz
Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.
Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz
Path to dependency file: /amiddy/package.json
Path to vulnerable library: /tmp/git/amiddy/node_modules/mixin-deep/package.json
Dependency Hierarchy:
- cli-7.5.5.tgz (Root Library)
- chokidar-2.1.5.tgz
- braces-2.3.2.tgz
- snapdragon-0.8.2.tgz
- base-0.11.2.tgz
- ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)
- base-0.11.2.tgz
- snapdragon-0.8.2.tgz
- braces-2.3.2.tgz
- chokidar-2.1.5.tgz
Found in HEAD commit: 54dafb39366800b1ab747f337e45f437986e1785
Vulnerability Details
mixin-deep before 1.3.2 is vulnerable to Prototype Pollution.
Publish Date: 2019-07-11
URL: CVE-2019-10746
CVSS 2 Score Details (7.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: jonschlinkert/mixin-deep@8f464c8
Release Date: 2019-07-11
Fix Resolution: 1.3.2
Step up your Open Source Security Game with WhiteSource here