In fact, there's a second PR open which will also fix the issue, and which is also being ignored! https://github.com/lodash/lodash/pull/4759 … Both PRs are around two months old at this stage
-
I respect the right of a programmer to not be compelled to do free work for other people, which is why one of the possible resolutions we've discussed at work is to just find the guy and bribe him to push the button
-
tbf he doesn't want to ruin his week or his plans
-
To be fair: I imagine most of the projects "blocked" on it don't even use the function in question and they're just taking the vuln tester at its word. And it's not even a vuln if you aren't using it on untrusted objects.
-
And on the flip side, given that it DOES have security implications, and given that Lodash is among the most commonly used packages in the ecosystem, I would very much prefer that it not be merged without very careful review.