audit vulnerability - Prototype Pollution

[zacharytyhacz]

hello @gunn

I am using pure-store in my project and when i run:

$ yarn audit

I get this output:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ pure-store                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ pure-store > immer                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1603                        │
└───────────────┴──────────────────────────────────────────────────────────────┘

my package.json:

...
      "pure-store": "^1.1.0",
...

[zacharytyhacz]

Update, the npm audit now says "Severe"

Im assuming there's really not much to do to fix this audit besides removing immer as dependency or submitting issue on their github. But immer has been updated to 9, maybe an upgrade to version 9 can fix?

> npm audit
# npm audit report

immer  <8.0.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1603
No fix available
node_modules/pure-store/node_modules/immer
  pure-store  *
  Depends on vulnerable versions of immer
  node_modules/pure-store

2 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

[zacharytyhacz]

Made a fork package:

https://www.npmjs.com/package/pure-store-updated