
Hardcoded dependency version in package.json #9

@ghost

Description

Hi, @ben-lin

When I use this package in my Node.js application, I encounter a Snyk scan issue.

Snyk points to the origin of the issue as node.flow's dependency node.extend@1.0.8.

Affected versions of this package are vulnerable to Prototype Pollution. An attacker could inject arbitrary properties onto Object.prototype

And then I found the hardcoded version in package.json.

"node.extend": "1.0.8"

Snyk also shows that the issue has already been fixed in node.extend@1.1.7 and node.extend@2.0.1.

I compared the code between node.extend@1.0.8 and node.extend@1.1.7.
I think there is not much difference from a functional point of view, right?

So could you help remove the version lock in node.flow@1.2.3, define node.extend as a correct version and publish it to npm? At the same time, it will not affect node.flow@1.2.3.

Thanks!
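The Snyk finding quoted in the issue is a prototype-pollution weakness in a deep-extend routine. What follows is an added example and not code from node.flow, node.extend or the issue author: a simplified recursive extend written in the naive style that produces this bug, beside a hardened variant that refuses the `__proto__`, `constructor` and `prototype` keys and only recurses into plain objects the target itself owns. The function names, the `pollutes` harness and the JSON payload are all constructed for this illustration and do not reproduce node.extend's actual implementation.

```javascript
// Added example (not node.flow's or node.extend's code): a minimal recursive
// "deep extend" in the naive style that leads to prototype pollution, beside a
// hardened version. All names and the payload below are constructed for this demo.

// Naive deep merge. It trusts every own key of `src`, including "__proto__".
// For a plain target, target["__proto__"] resolves to Object.prototype, so the
// recursion writes the attacker's nested keys onto Object.prototype itself.
function unsafeExtend(target, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Keys that let a merge climb out of the target object and reach shared
// prototypes. Skipping them is the usual fix; throwing is also reasonable.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' &&
    Object.getPrototypeOf(v) === Object.prototype;
}

// Hardened deep merge: rejects the dangerous keys and only recurses into
// plain objects the target actually owns, never into anything it inherits.
function safeExtend(target, src) {
  for (const key of Object.keys(src)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const val = src[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Runs one merge of a constructed attacker payload (think: a JSON request body
// merged into a config object) and reports whether an unrelated object created
// afterwards inherited the injected property. Cleans Object.prototype up again
// so a positive result does not leak into the rest of the process.
function pollutes(extendFn) {
  const payload = JSON.parse('{"name":"demo","__proto__":{"isAdmin":true}}');
  extendFn({}, payload);
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

console.log('unsafeExtend pollutes Object.prototype:', pollutes(unsafeExtend)); // true
console.log('safeExtend pollutes Object.prototype:  ', pollutes(safeExtend));   // false
console.log('safeExtend still merges nested objects:',
  JSON.stringify(safeExtend({ a: { b: 1 } }, { a: { c: 2 }, d: 3 })));
```

Note that `JSON.parse` creates `__proto__` as an ordinary own property, so it shows up in `Object.keys` and reaches the merge loop; the hardened variant also has to handle `constructor.prototype`, which is the other common path to the same object. For the issue itself the fix is to depend on a node.extend release Snyk lists as fixed rather than to patch the merge locally; this example only shows the bug class the scanner is reporting.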
