dset @3.1.2
A tiny (194B) utility for safely writing deep Object values~!
Maintainers
Keywords
Dev Dependencies (3)
| Package | Constraint | Registry Status |
|---|---|---|
| esm | 3.2.25 | auto_approved |
| uvu | 0.5.1 | auto_approved |
| bundt | 1.1.2 | Not imported |
Changes from v1.0.1
Dependency Changes
Script Changes
- pretest
File Changes
Risk Dispositions (1 applicable to this version, 1 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-f6v4-cf5j-vf3w | osv | reject | AI | AI (osv): Prototype pollution vulnerability affecting all versions < 3.1.4; fix is available. Verdict generalizes to all affected versions. |
Dispositions that do not match any finding on this version (1)
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-23wx-cgxq-vpwx | osv | reject | AI | AI (osv): Prototype pollution via merge mode affecting all versions < 3.1.2; fix is available. Verdict generalizes to all affected versions. |
SAST Findings (2)
[Always reject] CVSS 8.2 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject a malicious object property using the built-in Object property `__proto__`, which is recursively assigned to all the objects in the program.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 43. Findings: 1 critical (+40), 1 low (+3).
Commit: 740b3aeec52b
Published to npm: