[Security] Bump dset from 3.1.3 to 3.1.4 in /ui (!1668) · Merge requests · Données et territoires / insitu

Ronan Amicel requested to merge dependabot-npm_and_yarn-ui-dset-3.1.4 into main Sep 12, 2024

Bumps dset from 3.1.3 to 3.1.4. This update includes a security fix.

Vulnerabilities fixed

dset Prototype Pollution vulnerability
Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property proto, which is recursively assigned to all the objects in the program.

Patched versions: 3.1.4
Affected versions: < 3.1.4

Commits

05b1ec0 3.1.4
16d6154 fix: prevent proto assignment via implicit string
See full diff in compare view

[Security] Bump dset from 3.1.3 to 3.1.4 in /ui

Merge request reports