CVE-2019-10746 (High) detected in mixin-deep-1.3.1.tgz

[mend-bolt-for-github]

CVE-2019-10746 - High Severity Vulnerability

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /angular-shopping/package.json

Path to vulnerable library: /tmp/git/angular-shopping/node_modules/mixin-deep/package.json

Dependency Hierarchy:

• cli-1.7.1.tgz (Root Library)
  • webpack-dev-server-2.11.1.tgz
    • chokidar-2.0.2.tgz
      • braces-2.3.1.tgz
        • snapdragon-0.8.1.tgz
          • base-0.11.2.tgz
            • ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 05f8ec41c0b265a6e8aa6f823c14f68fffdf268e

Vulnerability Details

mixin-deep before 1.3.2 is vulnerable to Prototype Pollution.

Publish Date: 2019-07-11

URL: CVE-2019-10746

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/mixin-deep@8f464c8

Release Date: 2019-07-11

Fix Resolution: 1.3.2

---

Step up your Open Source Security Game with WhiteSource here