I'm confused about that as well; there were a spate of CVEs about it a year or two ago (2 or 3 of my libraries were "affected"), but just like the minimist/mkdirp ones, they were only actually vulnerabilities for a minority of the use cases. Have there been any recent vulnerabilities you're aware of?
On Fri, May 1, 2020 at 9:22 AM Bob Myers <[email protected]> wrote:

> Can you explain or support your assertion of "increased prevalence"?
>
> On Fri, May 1, 2020, 05:51 Mike Sherov <[email protected]> wrote:
>
>> Given the increased prevalence of prototype pollution vulnerabilities in
>> many popular JavaScript libraries, is it time to reconsider the fact that
>> Object.assign allows for prototype pollution by default?
>>
>> I see two options:
>> 1. Change Object.assign to disallow PP by default. Look at real world
>> usages and see what would break if prototype pollution was disabled? Almost
>> certainly this is not a viable option, but wanted to raise it here just in
>> case there was appetite to do so.
>> 2. Introduce something like Object.safeAssign (bikeshedding aside), that
>> is the same as Object.assign except is safe from prototype pollution.
>>
>> The reason I think this is important is that the common advice of
>> freezing Object.prototype is something only the end user can do, and not
>> something a library can do.
>>
>> Yes, a library can also know to do its own PP fixes, but having a reified
>> way to avoid PP allows us to have a secure-by-default method in the
>> language.
>>
>> Thoughts?
>>
>> Mike Sherov
>> _______________________________________________
>> es-discuss mailing list
>> [email protected]
>> https://mail.mozilla.org/listinfo/es-discuss
>>
> _______________________________________________
> es-discuss mailing list
> [email protected]
> https://mail.mozilla.org/listinfo/es-discuss
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
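An added example, not part of the thread and not code from any of the participants, to make concrete what the two posters are arguing about: how a `"__proto__"` key in untrusted JSON behaves under `Object.assign` (it is written through the inherited setter and swaps the target's prototype, without touching the shared `Object.prototype`), how the recursive-merge pattern behind the CVEs Mike mentions does reach `Object.prototype`, and what a hardened assign/merge of the kind his `Object.safeAssign` sketch describes would do differently. The function names (`safeAssign`, `naiveMerge`, `safeMerge`, the `*Demo` helpers) and the JSON input are this example's own constructions; nothing here is a proposed spec API.

```javascript
// Constructed untrusted input. JSON.parse creates "__proto__" as an ordinary
// own data property of the parsed object, which is what makes it a vector.
const UNTRUSTED_JSON = '{"__proto__": {"polluted": true}, "name": "demo"}';

// Keys that must never be written through [[Set]] onto a target object,
// because they resolve to the prototype chain rather than to an own property.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Object.assign uses [[Set]]: the source's own "__proto__" key reaches the
// inherited Object.prototype.__proto__ setter and replaces the *target's*
// prototype. The shared Object.prototype is untouched, but the result now
// inherits attacker-chosen properties.
function assignDemo() {
  const target = Object.assign({}, JSON.parse(UNTRUSTED_JSON));
  return {
    inheritedPolluted: target.polluted === true,                          // true
    hasOwnProto: Object.prototype.hasOwnProperty.call(target, '__proto__'), // false
    globalPolluted: ({}).polluted === true,                               // false
  };
}

// Hardened shallow assign (example's own "safeAssign"): define own data
// properties instead of invoking setters, and refuse the keys that would
// reach the prototype chain. Symbol keys pass through like Object.assign.
function safeAssign(target, ...sources) {
  for (const source of sources) {
    if (source == null) continue;
    for (const key of Reflect.ownKeys(source)) {
      if (FORBIDDEN_KEYS.has(key)) continue;
      const desc = Object.getOwnPropertyDescriptor(source, key);
      if (!desc.enumerable) continue;
      Object.defineProperty(target, key, {
        value: source[key], writable: true, enumerable: true, configurable: true,
      });
    }
  }
  return target;
}

function safeAssignDemo() {
  const out = safeAssign({}, JSON.parse(UNTRUSTED_JSON));
  return {
    name: out.name,                                              // 'demo'
    polluted: out.polluted === true,                             // false
    protoUnchanged: Object.getPrototypeOf(out) === Object.prototype, // true
  };
}

// The library pattern behind the CVEs the thread refers to: a recursive merge
// that descends into target[key]. For key "__proto__", target[key] *is*
// Object.prototype, so the nested values land on every object in the realm.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skip forbidden keys, only descend into *own* properties of
// the target, and write results with defineProperty rather than [[Set]].
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    const define = (v) => Object.defineProperty(target, key,
      { value: v, writable: true, enumerable: true, configurable: true });
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const child = existing && typeof existing === 'object' ? existing : {};
      define(child);
      safeMerge(child, value);
    } else {
      define(value);
    }
  }
  return target;
}

function mergeDemo() {
  naiveMerge({}, JSON.parse(UNTRUSTED_JSON));
  const naivePolluted = ({}).polluted === true; // true: every object now inherits it
  delete Object.prototype.polluted;             // undo the demonstration's damage
  const safe = safeMerge({}, JSON.parse(UNTRUSTED_JSON));
  return {
    naivePolluted,
    safePolluted: ({}).polluted === true,                                   // false
    safeName: safe.name,                                                    // 'demo'
    safeHasProto: Object.prototype.hasOwnProperty.call(safe, '__proto__'),  // false
    safeProtoIsObject: Object.getPrototypeOf(safe) === Object.prototype,    // true
  };
}

console.log(assignDemo(), safeAssignDemo(), mergeDemo());
```

The distinction the demo draws is the one that matters for triage: `Object.assign` on its own yields a target whose prototype is attacker-controlled (a problem for that one object), while the recursive `target[key]` walk is what turns the same key into realm-wide pollution. Freezing `Object.prototype` stops the second case but, as Mike notes, only the application can do that; a library can only choose to write own properties and skip the three forbidden keys, which is what `safeAssign`/`safeMerge` do.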

