There is an issue in my node package "uglify-js": "3.16.3": a prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS via the name variable in ast.js. You can see more on this link here.
How is this related to Node-RED?
If it is connected to a NR node, it would help if you identified the node and provided information such as:
platform you are running on
OS you are using and version
If this is related to the core of node-red, then reporting any possible security issue via the public forum is not the way to do it.
Our responsible disclosure policy is documented here: node-red/SECURITY.md at master · node-red/node-red · GitHub
FWIW, uglify is not used / never loaded into memory.
The dependency (should probably be removed): node-red/package.json at 946def022fa94e9998d5c6095838841a1c94e2da · node-red/node-red · GitHub
Only reference: node-red/registry.js at 946def022fa94e9998d5c6095838841a1c94e2da · node-red/node-red · GitHub