[Security] Bump dset from 3.1.2 to 3.1.4 (!445) · Merge requests · Données et territoires / Générateur de fiches territoriales

DependabotFichesTerritoriales requested to merge dependabot-npm_and_yarn-dset-3.1.4 into main Sep 12, 2024

Bumps dset from 3.1.2 to 3.1.4. This update includes a security fix.

Vulnerabilities fixed

dset Prototype Pollution vulnerability Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property proto, which is recursively assigned to all the objects in the program.

Patched versions: 3.1.4 Affected versions: < 3.1.4

Release notes

Sourced from dset's releases.

v3.1.3

Patches

Add "types" export conditions for TypeScript "nodenext"/"node16" resolution: #40 Thank you @Akkuma

Full Changelog: https://github.com/lukeed/dset/compare/v3.1.2...v3.1.3

Commits

05b1ec0 3.1.4
16d6154 fix: prevent proto assignment via implicit string
48f14a1 3.1.3
aca90fb chore: add "types" conditions for TS "nodenext" resolution (#40)
See full diff in compare view

[Security] Bump dset from 3.1.2 to 3.1.4

v3.1.3

Patches

Merge request reports