Package: node-deep-extend
Version: 0.4.1-1
Severity: important

Dear Maintainer,

As per the Ubuntu bug report, from https://snyk.io/vuln/npm:deep-extend:20180409:

    deep-extend "all the listed modules can be tricked into modifying the prototype of "Object" when the attacker control part of the structure passed to these function."

This is verifiably true on at least buster, given the PoC listed in the above URL, but since it's the same deep-extend in sid, it's probably the same there.

The following commit apparently fixes this (though I haven't verified that):
https://github.com/unclechu/node-deep-extend/commit/433ee51ed606f4e1867ece57b6ff5a47bebb492f

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages node-deep-extend depends on:
ii  nodejs  10.15.2~dfsg-1

node-deep-extend recommends no packages.

node-deep-extend suggests no packages.

-- debconf-show failed
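To make the bug class in the report concrete, the following is an added example; it is not code from node-deep-extend, from the upstream commit linked above, or from the Snyk PoC. `naiveDeepExtend` is a constructed minimal recursive merge that exhibits the problem: a `"__proto__"` key in attacker-controlled JSON is an ordinary own property after `JSON.parse`, so the merge recurses into `target.__proto__`, which is `Object.prototype`, and writes the attacker's nested keys there. `safeDeepExtend` is the same merge with the general mitigation for this bug class (skip `__proto__`, `constructor` and `prototype`, and only recurse into properties the target itself owns); whether the linked upstream commit does exactly this is not claimed here. `ATTACKER_JSON` and the `pollutionLeak` helper are constructed for the illustration.

```javascript
'use strict';

// Added example, not node-deep-extend's own source nor its upstream fix.
// naiveDeepExtend is a constructed minimal recursive merge with the bug
// class the report describes; safeDeepExtend is the same merge hardened.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: recurses into every source key, including "__proto__".
// JSON.parse creates "__proto__" as an ordinary own property, so it shows
// up in Object.keys(); reading target["__proto__"] then yields
// Object.prototype (a plain object), and the recursion writes into it.
function naiveDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: never follow keys that reach the prototype chain, and only
// recurse into properties the target itself owns (an inherited value is
// replaced by a fresh object rather than mutated in place).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeDeepExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed attacker-controlled input, e.g. a JSON request body that an
// application merges into its config object.
const ATTACKER_JSON = '{"__proto__": {"polluted": "yes"}}';

// Merge the attacker input with the given function and report whether an
// unrelated, freshly created object now inherits the injected property.
// Returns "yes" if Object.prototype was polluted, undefined otherwise.
function pollutionLeak(mergeFn) {
  const config = { debug: false };
  mergeFn(config, JSON.parse(ATTACKER_JSON));
  const fresh = {};
  const leaked = fresh.polluted;
  delete Object.prototype.polluted; // undo the pollution for later checks
  return leaked;
}

console.log('naive merge leaks:', pollutionLeak(naiveDeepExtend)); // "yes"
console.log('safe merge leaks:', pollutionLeak(safeDeepExtend));   // undefined
```

The check that matters is the `fresh` object: it never took part in the merge, so any property it inherits came from `Object.prototype`. A merge that treats `__proto__` like any other key is the whole bug; the fix is to refuse those keys, not to sanitise the values beneath them.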