Posted to issues@cordova.apache.org by GitBox <gi...@apache.org> on 2021/01/12 17:30:50 UTC

[GitHub] [cordova-android] breautek edited a comment on issue #935: Prototype pollution in dot-prop

breautek edited a comment on issue #935:
URL: https://github.com/apache/cordova-android/issues/935#issuecomment-758817056


   > Hi, sorry for excavating the issue, but I recently started working on a cordova deployment for an app and got the warning from GitHub for the `dot-prop` package being a security vulnerability (< 4.2.1). I created the package with `cordova create`, following the tutorial on the cordova website. Should I raise that as a new issue? Cordova CLI reports version `9.0.0`
   
   Cordova-android doesn't use the package that uses `dot-prop` anymore:
   
   Cordova-android@8.1.0
   
   ```
   io.cordova.hellocordova@1.0.0 /development/cordova/tests/dotproptest
   └─┬ cordova-android@8.1.0
     └─┬ compare-func@1.3.4
       └── dot-prop@3.0.0
   ```
   
   Cordova-android@9
   
   ```
   npm ls dot-prop
   io.cordova.hellocordova@1.0.0 /development/cordova/tests/dotproptest
   └── (empty)
   ```
   
   Here is the commit that removes `compare-func` (which has the `dot-prop` dependency).
   
   https://github.com/apache/cordova-android/commit/8ab1dbc373eefd55e912e29d6bfb2a9c67e95b6e#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519
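The check done by hand in the comment above, as an added example that is not part of the original comment or of the Cordova project: it walks an object in the shape `npm ls --json` prints and reports every dependency chain that ends in a given package. The helper names `isBelow` and `findPaths` are hypothetical, the sample trees are constructed from the two listings in the comment, and the `4.2.1` threshold is taken from the warning quoted there.

```javascript
// Added example: walks the { name, version, dependencies } shape of `npm ls --json`.

// Compare plain "x.y.z" versions; pre-release suffixes are ignored (assumption).
function isBelow(version, threshold) {
  const a = version.split('-')[0].split('.').map(Number);
  const b = threshold.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false; // equal versions are not below the threshold
}

// Depth-first walk; returns one entry per occurrence of `target` in the tree.
function findPaths(node, target, fixedIn, trail = []) {
  const here = trail.concat(`${node.name}@${node.version}`);
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    if (name === target) {
      hits.push({
        chain: here.concat(`${name}@${dep.version}`).join(' > '),
        vulnerable: isBelow(dep.version, fixedIn),
      });
    }
    // Keep descending: the same package can appear again deeper in the tree.
    hits.push(...findPaths({ ...dep, name }, target, fixedIn, here));
  }
  return hits;
}

// Constructed input mirroring the cordova-android@8.1.0 listing in the comment.
const withAndroid8 = {
  name: 'io.cordova.hellocordova', version: '1.0.0',
  dependencies: {
    'cordova-android': { version: '8.1.0', dependencies: {
      'compare-func': { version: '1.3.4', dependencies: {
        'dot-prop': { version: '3.0.0' } } } } },
  },
};
// Constructed input mirroring the "(empty)" result with cordova-android@9.
const withAndroid9 = { name: 'io.cordova.hellocordova', version: '1.0.0' };

for (const tree of [withAndroid8, withAndroid9]) {
  console.log(findPaths(tree, 'dot-prop', '4.2.1'));
}
```

The chain in each result names the direct dependency to upgrade or replace, which here is `cordova-android` through `compare-func`.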

