Prototype pollution vulnerability in function DEFNODE

There is an issue in my node package "uglify-js": "3.16.3": a prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS via the name variable in ast.js. You can see more on this link here.

How is this related to Node-RED?
If it is connected to a NR node, it would help if you identified the node and provided information such as:
Node-RED version
node.js version
npm version
platform you are running on
OS you are using and version

If this is related to the core of node-red, then reporting any possible security issue via the public forum is not the way to do it.

Our responsible disclosure policy is documented here: node-red/SECURITY.md at master · node-red/node-red · GitHub

FWIW, uglify is not used / never loaded into memory.

The dependency (should probably be removed): node-red/package.json at 946def022fa94e9998d5c6095838841a1c94e2da · node-red/node-red · GitHub

Only reference: node-red/registry.js at 946def022fa94e9998d5c6095838841a1c94e2da · node-red/node-red · GitHub
